<div dir="ltr">Preventing access to passwords for the purpose of preventing unauthorized access to data as another way I look at it.</div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><font><div style="font-family:arial;font-size:small">
<b><i><br>Adam Lawson</i></b></div><div><font><font color="#666666" size="1"><div style="font-family:arial;font-size:small">AQORN, Inc.</div><div style="font-family:arial;font-size:small">427 North Tatnall Street</div><div style="font-family:arial;font-size:small">
Ste. 58461</div><div style="font-family:arial;font-size:small">Wilmington, Delaware 19801-2230</div><div style="font-family:arial;font-size:small">Toll-free: (844) 4-AQORN-NOW</div><div style="font-family:arial;font-size:small">
Direct: +1 (302) 268-6914</div></font></font></div></font></div><div style="font-family:arial;font-size:small"><img src="http://www.aqorn.com/images/logo.png" width="96" height="39"><br></div></div></div>
<br><br><div class="gmail_quote">On Mon, Apr 21, 2014 at 4:46 PM, Adam Lawson <span dir="ltr"><<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">My initial concern is specific to Swift and gaining global access to all data by virtue of having access to a single proxy node. It seems more than access to system resources but a flaw in how data is controlled (and passwords are controlled).</div>
<div class="gmail_extra"><div class=""><br clear="all"><div><div dir="ltr"><div><font><div style="font-family:arial;font-size:small"><b><i><br>Adam Lawson</i></b></div><div><font><font color="#666666" size="1"><div style="font-family:arial;font-size:small">
AQORN, Inc.</div><div style="font-family:arial;font-size:small">427 North Tatnall Street</div><div style="font-family:arial;font-size:small">Ste. 58461</div><div style="font-family:arial;font-size:small">Wilmington, Delaware 19801-2230</div>
<div style="font-family:arial;font-size:small">Toll-free: (844) 4-AQORN-NOW</div><div style="font-family:arial;font-size:small">Direct: <a href="tel:%2B1%20%28302%29%20268-6914" value="+13022686914" target="_blank">+1 (302) 268-6914</a></div>
</font></font></div></font></div><div style="font-family:arial;font-size:small">
<img src="http://www.aqorn.com/images/logo.png" width="96" height="39"><br></div></div></div>
<br><br></div><div><div class="h5"><div class="gmail_quote">On Mon, Apr 21, 2014 at 4:41 PM, Bryan D. Payne <span dir="ltr"><<a href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">This would be a nice hardening step, but if you have sudo on the box there's a lot of things you can do see. This is just the tip of the iceberg. For example, access to the backend db? Access to traffic on the network / unix sockets / etc? Access to logs.<div>
<br></div><div>I am not aware of any current efforts to mask this information from the config files. But that doesn't mean it's not happening. If someone is aware of such an effort, I'd certainly be interested in learning more about it.</div>
<div><br></div><div>Cheers,</div><div>-bryan</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>On Mon, Apr 21, 2014 at 4:26 PM, Adam Lawson <span dir="ltr"><<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Have .conf files containing credentials and tokens been addressed or being addressed? Seems there are a lot of keys to the kingdom clearly visible to staff who have access to systems for day-to-day admin work but don't/shouldn't be able to view them. If they have sudo access, they have everything they need to get where they don't belong. Really strikes me as an obvious audit issue...<span><font color="#888888"><div>
<div><br clear="all"><div><div dir="ltr"><div><font><div style="font-family:arial;font-size:small"><b><i><br>Adam Lawson</i></b></div><div><font><font color="#666666" size="1"><div style="font-family:arial;font-size:small">
AQORN, Inc.</div><div style="font-family:arial;font-size:small">427 North Tatnall Street</div><div style="font-family:arial;font-size:small">Ste. 58461</div><div style="font-family:arial;font-size:small">Wilmington, Delaware 19801-2230</div>
<div style="font-family:arial;font-size:small">Toll-free: (844) 4-AQORN-NOW</div><div style="font-family:arial;font-size:small">Direct: <a href="tel:%2B1%20%28302%29%20268-6914" value="+13022686914" target="_blank">+1 (302) 268-6914</a></div>
</font></font></div></font></div><div style="font-family:arial;font-size:small">
<img src="http://www.aqorn.com/images/logo.png" width="96" height="39"><br></div></div></div>
</div></div></font></span></div>
<br></div></div>_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div>