IdentityMinder is fantastic about it’s auditing of actions. If you scratch your nose in the product, there’s a record of it. However, by default it is recording EVERYTHING and the details.
I was showing off my test environment and a peer was going through the View Submitted Tasks section looking at all the events. When he drilled down into the Password Reset task and then clicked on the details of the ResetPasswordEvent for the administrator there was something we didn’t expect to see. IdM was recording not only the old password but the new one as well when it was changed. So it was back to the documentation to look for a statement anywhere “Oh by the way, we record in clear text all password changes, old and new values”. I didn’t find one or any good explanation on the audit settings.
How to stop it from recording the password changes
- In the IdentityMinder Management Console, go into the IME you are working in.
- Click on Advanced Settings then Auditing.
- Export the audit settings.
Like the directory config you need to export the XML, edit it, then re-import it.
By default the first < Audit > tag is set to false. Set it to true and make the subsequent AuditProfileAttributes are set to NONE. This will not audit these attributes, %PASSWORD% should be in the mix, if not add it.
As your implementation matures and you figure out what information you want or don’t want you can add/remove audit capabilities here.
After you change it, save it, re-import, and restart the IME.
Now go change your password and check the details of the task. In the details of the ResetPasswordEvent you should not see any values under Attributes Changed on the page, only that the user reset the password.
As an extra measure, run a task to purge out the Submitted tasks that have all the password reset records in it.
Wide open until you lock it down.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.