(off-topic) Broadly accepted standards for (not?) logging credentials

Christopher J. Ruwe cjr at mail.cruwe.de
Wed Aug 21 13:38:22 UTC 2019


Sorry for being severely off-topic. However, the freebsd-*@s are
always my last resort when I simply do not know who to ask.

From my understanding (and several colleagues I asked concur) it is
absolutely verboten / taboo / you name it to ever log credentials in
clear-text, even with debug-flags on etc. The specific case is logging
the credentials of a remote storage filer in a console session, but
that should not matter.

Debug sessions may be shared with non-privileged personnel, are
switched on for just this one time, I promise, and then forgotten, and
slowly, but certainly and irrevocably, credentials leak up to the
point when a secret is no secret anymore, but essentially public.

I have a support call open with a vendor where the other side does not
agree. If it is not I who is too conservative (which I hope), does
anybody know of any well-known and battle-proven document from an
authoritative source (RFCs, IEEE, ...) with which to beat people
until they promise not to log secrets?

Thanks and cheers,
Christopher J. Ruwe
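The leak path described in the post (debug output switched on once, shared, forgotten) is easiest to close structurally, by scrubbing credential material in the logging pipeline itself so that no log level can emit it. The following is an added illustration, not part of the original post and not code from any vendor product: a `logging.Filter` that rewrites each record before any handler formats it. The regular expressions, the `[REDACTED]` marker and the sample messages (the `smb://` URL, the `Basic` header and the `hunter2` password) are constructed for this example.

```python
from __future__ import annotations

import io
import logging
import re

# Constructed patterns for this example. Over-matching is the safe
# direction here: a redacted non-secret costs a little debugging
# convenience, a missed secret costs the credential.

# URL userinfo, e.g. smb://admin:hunter2@filer.example.net/export
# Keeps the user name (useful in a debug trace), drops the password.
_URL_USERINFO = re.compile(r"(://[^/\s:@]+:)[^/\s@]+(@)")

# Authorization headers: "Authorization: Basic dXNl..." / "Bearer eyJ..."
_AUTH_HEADER = re.compile(r"(?i)(authorization\s*:\s*)(basic|bearer)\s+\S+")

# key=value / key: value / 'key': value style, e.g. password=hunter2
_KV_SECRET = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)"
    r"([\"']?\s*[=:]\s*)(\S+)"
)

REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Return text with recognised credential material replaced."""
    text = _URL_USERINFO.sub(rf"\1{REDACTED}\2", text)   # URL passwords first
    text = _AUTH_HEADER.sub(rf"\1\2 {REDACTED}", text)
    text = _KV_SECRET.sub(rf"\1\2{REDACTED}", text)
    return text


class CredentialRedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler sees it.

    Formatting msg % args here (and clearing args) means secrets passed
    as %-arguments are scrubbed as well, not only those in the template.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never drop the record, only scrub it


def make_redacting_logger(name: str = "filer") -> tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory buffer, with the filter on the handler.

    The filter sits on the handler, not the logger, because logger-level
    filters are not applied to records propagated from child loggers.
    """
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(CredentialRedactingFilter())
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    return logger, buf


def demo() -> str:
    """Log constructed debug lines of the kind a chatty debug mode emits."""
    logger, buf = make_redacting_logger()
    logger.debug("mounting smb://admin:hunter2@filer.example.net/export")
    logger.debug("auth header: Authorization: Basic YWRtaW46aHVudGVyMg==")
    logger.debug("config loaded: %s", {"user": "admin", "password": "hunter2"})
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

A scrubber of this kind is a safety net, not a substitute for keeping secrets out of log calls in the first place: it only catches the shapes it knows about, so the patterns need to track the formats the application actually handles (JSON bodies, query strings, exception messages), and secrets that reach the logger inside `exc_info` tracebacks or extra fields need the same treatment.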
