Well, if the auditor wants to play willy-measuring tactics: I've been using Unix since 1982 (Bell Labs Version 7, since you asked), and I rather suspect that I've more experience than he has.
UNIX and derived/lookalike systems like Linux have _always_ stored passwords one-way encrypted. I have precisely no idea how he expects the sysadmin to provide a list of plaintext passwords, short of replacing the passwd utility with a hacked one that stores the pre-crypt version somewhere for retrieval, or asking staff to email their plaintext passwords to the poor sap he's badgering.
Either way, a massive security breach. The whole point of one-way encryption is that there is no persistent trace left of the original plaintext password. This guy's way of auditing security recalls the Spanish Inquisition's way of auditing witchcraft. Damned if you do; damned if you don't.
His company's far better off using a payments provider with a clue - and a competent auditor.
I see responses like this from developers, and -- no offense -- it really doesn't advance the conversation.
The guy asking these questions is a bureaucrat, he's running his game book. Just telling him he's dumb and you're smart won't get you the certification your company needs.
In this case, yes I think these questions are insane. But you could respond like:
> A list of current usernames and plain-text passwords for all user accounts on all servers
We use Linux servers that store passwords using a one-way encryption. If we show you how we validate that all passwords are 16 characters long, contain special characters, are not passwords previously used, and are changed every 30 day, would that suffice for the password complexity scan we assume you are trying to perform with this password data you requested?
> A list of all password changes for the past six months, again in plain-text
See answer 1, we require all users to change their password every 30 days; passwords older than 30 days expire and can not be used.
> A list of "every file added to the server from remote devices" in the past six months
We use XYZ System for change management. Here are the change logs. We monitor log ins using ABC System. Here are the logs.
> The public and private keys of any SSH keys
Providing this information would violate our security policies. Our policies can be found in the attached PDF. Please let us know what compliance issue you are attempting to verify here so we can brainstorm alternate methods of providing the details. We change keys yearly.
> An email sent to him every time a user changes their password, containing the plain text password
See previous response, giving this would violate our security policies. We programmatically ensure complex passwords, and that passwords expire every 30 days. We can show you how the server is configured if you'd like.
End with, "For next steps, can we get someone from your technical team on the phone with one Security Lead to discuss these responses?" If they aren't game, just find another service provider. These questions are batshit, but they strike me as "first pass" questions sent over by someone junior. Find a way to get up the ladder a bit and everyone will be happier.
There are other service providers. Sorry I didn't read the comments in the StackExchange post.
There are other vendors. I think that'd be my next step -- go to my legal team or C-team, explain that answering these questions would put the company in danger, and suggest we consult with another vendor from the approved PCI list.
(Sorry I don't know if this is actually the list to go off of -- scans vs. audits, just my point is that there are public lists of approved companies to choose from.)
I had a client who just had some random dude telling them he could certify them as PCI Compliant... he was in no way authorized to do that. Was fairly hilarious how it played out; he'd been "certifying them" for years and even went so far as to give them a graphic they could display on their website. There are people who pray on ignorant businesses, but with a little research it's not terribly hard to educate yourself on what's real and what's BS.
EDIT: Just read the StackExchange post... Yeah, run. Guy is a nut job, like the random dude who had been advising one of my old clients. That call with him -- around how he wasn't really someone who could certify PCI Compliance -- was one of my favorite calls ever. He basically melted into a rant about, "I know good security, I have never had any of my servers hacked... well only like 2 but those weren't my fault!" Then said he'd get off the phone to do some research... and never called again, didn't even bother sending my client a bill for his services. Wish I had recorded it.
BUT... just because there are nut jobs out there, doesn't mean this is something companies should ignore. PCI Compliance is important.
UNIX and derived/lookalike systems like Linux have _always_ stored passwords one-way encrypted. I have precisely no idea how he expects the sysadmin to provide a list of plaintext passwords, short of replacing the passwd utility with a hacked one that stores the pre-crypt version somewhere for retrieval, or asking staff to email their plaintext passwords to the poor sap he's badgering.
Either way, a massive security breach. The whole point of one-way encryption is that there is no persistent trace left of the original plaintext password. This guy's way of auditing security recalls the Spanish Inquisition's way of auditing witchcraft. Damned if you do; damned if you don't.
His company's far better off using a payments provider with a clue - and a competent auditor.