[tac_plus] TAC+ and Solarwinds Orion NCM don't play well together
Alan McKinnon
alan.mckinnon at gmail.com
Fri Oct 23 11:52:39 UTC 2015
On 23/10/2015 09:46, Matt Almgren wrote:
> "make sure .cloginrc has proper/strict permissions"
>
> This is the one that our auditor says goes against PCI rules. The file itself has passwords in clear text. If an attacker gets root on that box, your network devices can be compromised. I don't want to argue the risks involved here, as they are high, but very low probability. The idea is to limit the attacker's ability to compromise more than just one system. But still passwords in the clear is failing PCI requirements.
I've had the same argument with auditors myself, and none has ever
provided a workable acceptable alternative that doesn't involve $MAGIC
auth systems that use AI.

I've successfully gotten around the objection by using locked-down
password-less accounts that can only do show run etc, or using
unencrypted host keys. The irony is not noticed with this.
--
Alan McKinnon
alan.mckinnon at gmail.com