Translator's note: this is an article (or rather, a question on serverfault.com) by the system administrator of an electronic trading platform that underwent a security audit required for the right to use a certain bank card processing system.

The security auditor of our servers has requested the following within two weeks:
- A list of all users with their passwords in clear text
- The history of password changes for all users over the last 6 months (again, in clear text)
- A list of all files uploaded to our servers from outside in the last 6 months
- The public and private parts of all SSH keys
- A mechanism that sends him an email every time any user changes his password (the letter must contain the password in clear text)
Our servers run Red Hat Linux 5/6 and CentOS 5 with LDAP authentication. As far as I know, all of the above is either impossible or very hard to obtain on this platform. But if I do not provide the information in time, we lose access to the payment platform and all potential profits during the migration to another one. Any thoughts on how to get out of this?
The only way to get all the passwords in clear text is to reset them and set them to known values. But that does not solve the problem of the password and file information for the last 6 months.
Obtaining the SSH key pairs is possible, but the procedure is long and tedious: many users, many computers. Can this be automated somehow?
I have repeatedly explained to the auditor that his requests cannot be fulfilled. He replied with this letter:
I have been working in computer security auditing for more than 10 years and have a complete understanding of the RedHat OS security system, so I advise you to update your knowledge of what is and is not possible in this system. You say that your company is not able to provide the required information. But I have already conducted hundreds of similar audits, and in each of them such information was provided. All clients of our processing company must comply with our new security policies, and this audit is designed to verify that compliance.
These “new security policies” were introduced 2 weeks ago, yet the information on passwords and uploaded files is required for the last 6 months. Cool, right?
In short, I need:
- A way to fake a password change history for the last 6 months so that it looks believable
- A way to fake a file upload history
- A simple way to collect SSH keys from a large number of computers
If we fail this audit, we lose the processing platform and spend a good two weeks moving somewhere else. What should I do?
Update 1
Thanks to everyone for the answers; I have regained the belief that I am not a complete idiot and that the requested information is not standard in such audits.
I plan to write the auditor another letter explaining the situation: many of you have pointed out that under the PCI rules (translator's note: the payment card security council, which includes Visa, MasterCard and others) passwords must never be stored or transmitted in the clear. Without really counting on common sense, however, we are starting to get ready to move to PayPal.
Update 2
Draft letter:
Hi, [name],
Unfortunately, there is no way to provide some of the requested information, namely clear-text passwords, the password change history, SSH keys and file upload logs. This is not only technically impossible but also contradicts the PCI standards, which explicitly prohibit storing and transmitting such data in the clear (Section 8.4: “All passwords must be transmitted and stored only in encrypted form using strong cryptography”).
I can provide you with a list of logins and hashed passwords of our users, the public SSH keys and a list of authorized hosts (this will give you information on the number of unique users and the encryption algorithms used), information on our password security requirements and our LDAP server configs. I strongly advise you to review your security policy, since there is no way to pass a security audit that follows it while also complying with data protection legislation and the PCI requirements.
Respectfully,
I.
I will try to reach not only the auditor but also his management, and also inform the PCI staff responsible for security about the current situation.
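As an added example that is not part of the original post: a Python script showing what the draft letter above proposes to hand over from a RHEL/CentOS box without exposing a single secret. It reads /etc/shadow-style lines and reports each login's crypt(3) scheme and account status (never the salt or the digest itself), and computes ssh-keygen-style SHA256 fingerprints of public keys from .pub or authorized_keys lines. The shadow lines and the ed25519 key below are constructed samples, not real data, and the function names are my own.

```python
import base64
import hashlib

# glibc crypt(3) scheme identifiers as found in /etc/shadow on RHEL/CentOS 5 and 6.
CRYPT_SCHEMES = {
    "1": "MD5-crypt",
    "2a": "bcrypt",
    "2y": "bcrypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
}


def classify_shadow_entry(line):
    """Return (login, scheme, status) for one /etc/shadow line.

    status is one of 'hashed', 'locked', 'empty' or 'unknown'. The salt and the
    digest are never returned, so the output is safe to share with an auditor.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("malformed shadow line: %r" % line)
    login, pw = fields[0], fields[1]
    if pw == "":
        return login, None, "empty"            # no password at all: a finding in itself
    if pw.startswith(("!", "*")):
        return login, None, "locked"           # '!!', '*' or '!$6$...' all mean locked
    if pw.startswith("$"):
        scheme_id = pw.split("$")[1]           # '$6$salt$hash' or '$6$rounds=..$..' -> '6'
        scheme = CRYPT_SCHEMES.get(scheme_id, "unknown scheme $%s$" % scheme_id)
        return login, scheme, "hashed"
    if len(pw) == 13:
        return login, "DES-crypt (weak)", "hashed"   # legacy traditional crypt
    return login, None, "unknown"


def ssh_public_key_fingerprint(line):
    """Return (key_type, 'SHA256:<b64>', comment) for a .pub or authorized_keys line.

    The fingerprint is SHA-256 over the raw key blob, base64 without padding,
    which is what `ssh-keygen -lf` prints. Leading options such as from="..."
    are skipped as long as they contain no spaces.
    """
    parts = line.split()
    for i, field in enumerate(parts):
        if field.startswith(("ssh-", "ecdsa-")):
            key_type, blob_b64 = field, parts[i + 1]
            comment = " ".join(parts[i + 2:])
            break
    else:
        raise ValueError("no key type field in: %r" % line)
    blob = base64.b64decode(blob_b64)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, "SHA256:" + digest, comment


def build_report(shadow_text, key_lines):
    """Combine both checks into the material an auditor can legitimately receive."""
    accounts = [classify_shadow_entry(l) for l in shadow_text.splitlines() if l.strip()]
    keys = [ssh_public_key_fingerprint(l)
            for l in key_lines if l.strip() and not l.startswith("#")]
    return {"accounts": accounts, "keys": keys}


# Constructed sample input (not real credentials).
SAMPLE_SHADOW = (
    "root:$6$saltsalt$NotARealHash:15000:0:99999:7:::\n"
    "alice:$1$abc$AlsoNotReal:15000:0:99999:7:::\n"
    "bob:!!:15000:0:99999:7:::\n"
    "svc:*:15000:0:99999:7:::\n"
    "legacy::15000:0:99999:7:::\n"
)


def constructed_ed25519_line():
    # Syntactically valid ed25519 blob with a fixed, meaningless 32-byte "key".
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
    return 'from="10.0.0.5" ssh-ed25519 ' + base64.b64encode(blob).decode() + " alice@workstation"


SAMPLE_KEYS = ["# authorized_keys", constructed_ed25519_line()]

if __name__ == "__main__":
    report = build_report(SAMPLE_SHADOW, SAMPLE_KEYS)
    for login, scheme, status in report["accounts"]:
        print("%-8s %-7s %s" % (login, status, scheme or ""))
    for key_type, fp, comment in report["keys"]:
        print(key_type, fp, comment)
```

To cover many hosts, feed it the output of something like `ssh host 'cat /etc/ssh/ssh_host_*.pub /home/*/.ssh/authorized_keys'` and the remote /etc/shadow; nothing the report returns contains a private key or a password hash, so it answers the "number of unique users and algorithms used" question in the letter without handing over anything the PCI rules forbid.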
Update 3
Here is his reply to my letter:
As I already wrote, the required information should be easily accessible on any normally configured system to any competent administrator. Your admission that such information cannot be obtained makes me think that security standards are disregarded on your servers and that you are not ready for real threats. Our requirements are in full compliance with the PCI standards, and both can be fully implemented together. “Strong cryptography” means only that the password must be encrypted while it is being entered by the user, but afterwards it must be transmitted and stored in open form, as it may be needed later.
I do not see any security threat in the required behavior: password protection by cryptography applies only to the users of the system, not to the administration, which means it must be possible to provide this information for auditing.
Let me repeat that once more:
“Strong cryptography” means only that the password must be encrypted while it is being entered by the user, but afterwards it must be transmitted and stored in open form, as it may be needed later.
I plan to print this sentence out and hang it on the wall in a frame.
I decided not to bother with further diplomacy and gave him a link to this thread:
Providing the information you require DIRECTLY CONTRADICTS the laws and the PCI requirements (I quoted the relevant section). In addition, I started a discussion on ServerFault.com (an online community of professional system administrators) which received a huge response and again concluded that this information cannot be provided. You can read it at your leisure:
Our idiot security auditor, how do I provide him with the required information?
We have completed the migration of our billing system to a new platform and are terminating the contract with your company as of tomorrow. But just for the sake of common sense, I would like you to understand how ridiculous your demands are. No company can provide you with this information without violating the PCI requirements. I strongly advise you to rethink your security policy once more, because with the current one you will simply lose all your customers.
(Honestly, I somehow missed the fact that I had called him an idiot in the title of the thread, but by then it no longer mattered: we had already moved.)
But he answered anyway. I think readers will be interested to learn that they are boobies who do not understand what they are talking about:
I read your post and the responses to it. Well, everyone who answered is wrong. I have worked in this industry longer than anyone on that site; getting a list of users and their passwords is a basic skill, one of the first things a system administrator should learn and an integral part of the security of any reliable server. If you really lack the brains for something this elementary, I suspect you do not have PCI installed on your system, since such a capability is a mandatory requirement of this software. And generally speaking, when working with things like server security, you should not ask questions in public forums without understanding the basic principles of how it works.
I would also like to inform you that any attempt to disclose my real name or my company's name will result in all necessary legal measures being taken against you.
Let me highlight the key idiocies in case you missed them:
- He has worked as an auditor longer than anyone here (he either reads minds or spies on everyone here)
- Getting a list of passwords in clear text on UNIX is a “basic feature”
- PCI is now software
- People should not ask questions on a forum if they do not know something about what they are asking
- Posting facts confirmed by letters is slander
Magnificent.
The PCI organization responded adequately and is now looking closely at this auditor, his company and their rules. Our system has successfully moved to PayPal. I am waiting for information from PCI about the results of the investigation of this auditor, but here is what worries me: if that company had such external requirements, it means they had internal ones in the same spirit. So the payment data of all our clients may be stored quite openly somewhere without any encryption or protection. I hope the PCI investigation will dot the i's and that action will be taken.
I will check with our lawyer whether the auditor's name and company name can be published, so that you can all talk to them in person and explain why you don't understand such basic Linux features as getting a list of passwords in clear text.
Small update
Our lawyer advised against it. Well, without naming names, I will only say that it is not a large processing center; it has about 100 clients and is located in Birmingham, UK.