oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.


Mac pwpolicy test includes 'password' in the clear?

Ulmer, John R CIV USN SPAWARSYSCEN LANT SC (US)
Wed, Aug 17, 2016 2:41 PM

If this has been discussed/settled, please just point me to the discussion.  I searched and did not find anything addressing this directly.

In the Mac OSX pwpolicy59 object, the schema requires a 'userpass' that is used to authenticate to a non-local node.  I would not think the storing of a valid username and password in an open XML document would be a good idea.  There is the option of using the 'xsi:nil' attribute to leave the username and userpass elements empty.  But, in that case, no authentication is performed against a non-local node.

So, we either have a password in the open or we cannot authenticate to a non-local node?

Thanks

John R. Ulmer
SPAWAR Systems Center Atlantic
john.r.ulmer6.civ@mail.mil
843.218.5953

...

David Solin
Thu, Sep 1, 2016 2:11 PM

If this is coming from an XCCDF checklist, I’d use an external variable and set the mask attribute for the userpass object entity.  The password could then “live” in a tailoring, which need not necessarily be persisted anywhere as a file.

Otherwise, you’re right, it’s certainly not ideal!

Best regards,
—David A. Solin

On Aug 17, 2016, at 9:41 AM, Ulmer, John R CIV USN SPAWARSYSCEN LANT SC (US) john.r.ulmer6.civ@mail.mil wrote:

> If this has been discussed/settled, please just point me to the discussion.  I searched and did not find anything addressing this directly.
>
> In the Mac OSX pwpolicy59 object, the schema requires a 'userpass' that is used to authenticate to a non-local node.  I would not think the storing of a valid username and password in an open XML document would be a good idea.  There is the option of using the 'xsi:nil' attribute to leave the username and userpass elements empty.  But, in that case, no authentication is performed against a non-local node.
>
> So, we either have a password in the open or we cannot authenticate to a non-local node?
>
> Thanks
>
> John R. Ulmer
> SPAWAR Systems Center Atlantic
> john.r.ulmer6.civ@mail.mil
> 843.218.5953
>
> ...
>
> OVAL_Developer mailing list
> OVAL_Developer@lists.cisecurity.org
> http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
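
The three cases raised in this thread (literal password, masked external variable, `xsi:nil`) can be told apart mechanically before OVAL content is published. The following is an added example, not code from either poster or from the OVAL project; the sample document, its IDs, account names and password are constructed, and the function name `audit_userpass` is hypothetical.

```python
import xml.etree.ElementTree as ET

CORE = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
MACOS = CORE + "#macos"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: obj:1 embeds a literal password, obj:2 uses a masked
# variable reference, obj:3 uses xsi:nil. All values are made up.
SAMPLE = f"""\
<objects xmlns="{CORE}" xmlns:xsi="{XSI}">
  <pwpolicy59_object xmlns="{MACOS}" id="oval:example:obj:1" version="1">
    <target_user>alice</target_user>
    <username>diradmin</username>
    <userpass>constructed-secret</userpass>
    <directory_node>/LDAPv3/ldap.example.org</directory_node>
  </pwpolicy59_object>
  <pwpolicy59_object xmlns="{MACOS}" id="oval:example:obj:2" version="1">
    <target_user>alice</target_user>
    <username var_ref="oval:example:var:1"/>
    <userpass var_ref="oval:example:var:2" mask="true"/>
    <directory_node>/LDAPv3/ldap.example.org</directory_node>
  </pwpolicy59_object>
  <pwpolicy59_object xmlns="{MACOS}" id="oval:example:obj:3" version="1">
    <target_user>alice</target_user>
    <username xsi:nil="true"/>
    <userpass xsi:nil="true"/>
    <directory_node>/Local/Default</directory_node>
  </pwpolicy59_object>
</objects>
"""

def audit_userpass(xml_text):
    """Return {object id: finding} for every pwpolicy59_object in the document."""
    findings = {}
    for obj in ET.fromstring(xml_text).iter(f"{{{MACOS}}}pwpolicy59_object"):
        up = obj.find(f"{{{MACOS}}}userpass")
        if up is None:
            verdict = "missing userpass"
        elif up.get(f"{{{XSI}}}nil") == "true":
            verdict = "nil: no authentication to a non-local node"
        elif up.get("var_ref"):
            # The value arrives at evaluation time; mask keeps it out of results.
            verdict = "ok" if up.get("mask") == "true" else "var_ref without mask"
        elif (up.text or "").strip():
            verdict = "cleartext password in document"
        else:
            verdict = "empty userpass"
        findings[obj.get("id")] = verdict
    return findings

if __name__ == "__main__":
    print(audit_userpass(SAMPLE))
```
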

...
