科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion content.

© 2025 科技回声. All rights reserved.

Our security auditor is an idiot. How do I give him the information he wants?

195 points, by splattne, almost 14 years ago

10 comments

DanBlake, almost 14 years ago
Definitely seems less like an auditor (I believe asking for some of that is flat out illegal) and more like a hacker posing as an auditor, trying to get passwords/credit card #'s.
blackboxxx, almost 14 years ago
This is a case of social engineering, not of a security auditor, but of the poster. The poster wants to know an easy way to collect public and private SSH keys and fake 6 months of inbound traffic. There is no auditor.

Maybe the poster is writing a book on cracking systems? Who knows. But it smells like a hoax.
ChristianMarks, almost 14 years ago
This is suspicious:

    The "new security policies" were introduced two weeks before our audit, and the six months historical logging was not required before the policy changes.

These "policies" were introduced by whom? His payment processor or by his company on the advice of this "auditor"? Or did the OP make this up?

    In short, I need;
    A way to 'fake' six months worth of password changes and make it look valid
    A way to 'fake' six months of inbound file transfers

Why is the poster requesting help generating plausible fake data? Is he naive? Afraid of losing his job? Unaware of the legal implications?
mv, almost 14 years ago
Am I the only one who thinks the story is a little too perfect and ridiculous? It is much more likely that the author simply fabricated the story.

He did manage to start a very popular thread, and get a ton of people with really high rep to respond AND get a link on HN. He just threw out some bait, and the community swarmed like starving fish.
drunkpotato, almost 14 years ago
Everyone so far has focused on the auditor, but I want to know why the OP thinks faking the requested data is an acceptable response. That disturbs me and nobody else commented on it!
philjackson, almost 14 years ago
Perhaps the auditor is smarter than everyone thinks and is expecting the sysadmin to come to him empty handed and with an explanation as to why the requirements aren't reasonable.
thaumaturgy, almost 14 years ago
I flagged this. The likely explanation is that this is just a troll -- 2-day-old account, this is the only question that's been asked on it. There's no way that somebody that's been doing audits for 10 years would ask for this stuff, and there's no way any server admin would even consider providing the information. ...At least, any server admin that shouldn't be yoinked back down to making patch cables.
giardini, almost 14 years ago
Please post the name of the company that the security auditor works for.
Natsu, almost 14 years ago
I wonder if, when confronted about how ridiculous the requests were, the auditor will claim to have been testing how well the admins resisted social engineering?
sigzero, almost 14 years ago
That "auditor" is an idiot as some of the posters have mentioned already. I was like "No" and then I got to the "both private and public keys" and I was like "Hell no!".