A security auditor for our servers has demanded the following within two weeks:
* A list of current usernames and plain-text passwords for all user accounts on all servers
* A list of all password changes for the past six months, again in plain-text
* A list of "every file added to the server from remote devices" in the past six months
* An email sent to him every time a user changes their password, containing the plain text password
An email sent to him every time a user changes their password, containing the plain text password
We're running Red Hat Linux 5/6 and CentOS 5 boxes with LDAP authentication.
ps... Если это провокация, возможна ли ее легальность?