Terry, 

Creating your own test would be much like asking the FOX to count the Chickens. 
 This is a serious auditing issue that should be solved by the auditor. They 
should supply test data and you should supply the resulting file.  You could 
supplement the file with a trace (network, TCP trace, byte count, translation, 
etc.) 

Put the requirement back onto the auditor. After all, this is IBM's product, not 
yours.  

Kevin Clark




-------------- Original message -------------- 

> The organization we service is suffering through an audit at the moment. 
> One of the things the auditors looked at was the secure file transfer process 
> I had set up for that organization (OpenSSH based). They explained it 
> sufficiently, but the auditor had one last requirement. She wanted proof that 
> the data was actually being encrypted. ???? 
> It is my understanding that OpenSSH encrypts the file in transit and does 
> not leave an encrypted copy of the data file lying around anywhere. So, I 
> cannot show them a copy of the encrypted file. I ran a transfer using the 
> most verbose debug level and it does not say anything like "now encrypting 
> file". 
> So, to satisfy the auditor (and my own curiosity), does anyone know how 
> to prove that OpenSSH is really encrypting the file? Of course one could hang 
> a sniffer on the network and sniff the datastream, but I did not want to go 
> that far. Thanks. 
> 
> [xposting to IBMTCP-L and MVS-OE lists] 
> 
> ---------------------------------------------------------------------- 
> For IBM-MAIN subscribe / signoff / archive access instructions, 
> send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO 
> Search the archives at http://bama.ua.edu/archives/ibm-main.html 
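
An added example for readers of this thread, not part of either poster's message: one way to turn the two pieces of evidence discussed above (the verbose client output and a network trace of an auditor-supplied test file) into a checkable result. The marker string, the debug lines and both captures are constructed sample data; it assumes the payload bytes have already been exported from the trace and that the client's debug output uses one of the two `debug1: kex:` layouts shown in the comment.

```python
import hashlib
import re

# Negotiated-cipher lines in `ssh -v` / `sftp -v` debug output, two known layouts:
#   debug1: kex: server->client aes128-ctr hmac-md5 none
#   debug1: kex: server->client cipher: aes128-ctr MAC: ... compression: none
KEX_RE = re.compile(r"debug1: kex: (server->client|client->server) (?:cipher: )?(\S+)")

def negotiated_ciphers(debug_text):
    """Return {direction: cipher name} found in the client's debug output."""
    return {m.group(1): m.group(2) for m in KEX_RE.finditer(debug_text)}

def evidence(debug_text, payload, marker):
    """Summarise what the auditor can check in the debug log and the trace."""
    ciphers = negotiated_ciphers(debug_text)
    return {
        "ciphers": ciphers,
        # Both directions must name a cipher, and "none" means no encryption.
        "both_directions_encrypted": len(ciphers) == 2
        and "none" not in ciphers.values(),
        # The auditor's marker must not be readable in the captured bytes.
        "marker_visible_in_capture": marker in payload,
        "captured_bytes": len(payload),
    }

# --- Constructed sample data (not from a real session) ---
MARKER = b"AUDITOR-TEST-RECORD-0001"
SAMPLE_DEBUG = """\
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
"""
# Stand-in for the SSH payload bytes taken from the trace: hash output, used
# here only because it is deterministic and looks random like ciphertext.
SSH_CAPTURE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
# Stand-in for the same file captured on an unencrypted transfer, for contrast.
CLEARTEXT_CAPTURE = b"HDR|" + MARKER + b"|ACCOUNT|0000123|TRL\n"

if __name__ == "__main__":
    for name, capture in (("ssh", SSH_CAPTURE), ("cleartext", CLEARTEXT_CAPTURE)):
        print(name, evidence(SAMPLE_DEBUG, capture, MARKER))
```

The marker check only carries weight when the auditor chooses the marker and places it in the test file, which matches the division of work suggested in the reply.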
