Our security auditor is an idiot, how do I give him the information he wants? - Server Fault
A security auditor for our servers has demanded the following within two weeks:
– A list of current usernames and plain-text passwords for all user accounts on all servers
– A list of all password changes for the past six months, again in plain-text
– A list of “every file added to the server from remote devices” in the past six months
– The public and private keys of any SSH keys
– An email sent to him every time a user changes their password, containing the plain text password
We’re running Red Hat Linux 5/6 and CentOS 5 boxes with LDAP authentication.
As far as I’m aware, everything on that list is either impossible or incredibly difficult to get, but if I don’t provide this information we lose access to our payments platform, and any income we might have got while we move away. Any suggestions for how I can solve or fake this information?
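Two of the demands (plain-text passwords, and a history of password changes) hinge on how Linux actually stores credentials, so as an added illustration, not part of the question or of any answer on the page, here is a small script that shows what an administrator can legitimately produce from `/etc/shadow`-style records and what cannot exist. The shadow lines are constructed sample data (the hashes are made-up strings in the real `$id$salt$hash` layout, not real accounts); the reference date is passed in so the output is reproducible. Accounts held in LDAP rather than in the local shadow file are not covered here; the directory would have to be queried for its own change timestamp instead.

```python
from datetime import date, timedelta

# Constructed /etc/shadow-style records (fake users, fake hashes).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg = days since 1970-01-01 on which the password was last changed.
SAMPLE_SHADOW = """\
root:$6$fakesalt01$FAKEHASHsha512aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:19700:0:99999:7:::
alice:$6$fakesalt02$FAKEHASHsha512bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:19650:0:99999:7:::
bob:$1$fakesalt$FAKEHASHmd5cccccccccccc:19300:0:99999:7:::
svc:!!:19000:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)

# crypt(3) hash identifiers found in shadow files on Red Hat / CentOS systems.
HASH_IDS = {
    "$1$": "MD5-crypt",
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
}


def describe_hash(field):
    """Explain what the password field holds. None of the formats is reversible:
    the stored value is a salted one-way hash, so a plain-text listing cannot be
    derived from it."""
    if field in ("", "!", "!!", "*"):
        return "locked or no password set"
    if field.startswith("!"):
        # A leading '!' is how passwd -l locks an account while keeping the hash.
        return "locked (hash retained): " + describe_hash(field[1:])
    for prefix, name in HASH_IDS.items():
        if field.startswith(prefix):
            return f"salted one-way {name}; plaintext not recoverable"
    return "unrecognised hash format"


def parse_shadow(text):
    """Parse shadow-format lines into dicts with the fields we need for a
    password-change report."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        # An empty lastchg means the change date was never recorded.
        last_change = EPOCH + timedelta(days=int(lastchg)) if lastchg else None
        records.append({
            "name": name,
            "hash": pw_hash,
            "hash_info": describe_hash(pw_hash),
            "last_change": last_change,
        })
    return records


def recent_changes(records, today, window_days=182):
    """Accounts whose password was changed within window_days before today.
    This is the auditable fact a shadow file can actually support: when a
    password changed, never what it changed to."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    cutoff = today - timedelta(days=window_days)
    return [r for r in records
            if r["last_change"] is not None and cutoff <= r["last_change"] <= today]


def report(records, today):
    """Render the defensible version of the auditor's request as text."""
    lines = [f"{'account':<10}{'last change':<14}storage"]
    for r in recent_changes(records, today):
        lines.append(f"{r['name']:<10}{r['last_change'].isoformat():<14}{r['hash_info']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_shadow(SAMPLE_SHADOW), "2024-01-01"))
```

Run as shown, the report lists only `root` and `alice` (the two accounts changed within the last six months of the constructed reference date), alongside a note that each is a salted SHA-512 hash. That is the honest answer to items one and two of the list: change dates and storage format are recordable; the plain-text values are not held anywhere on the system.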