[Info-vax] OpenVMS Security enhancement ? Log all commands / activity
IanD
iloveopenvms at gmail.com
Tue Jan 5 02:17:24 EST 2016
On Tuesday, January 5, 2016 at 4:16:28 PM UTC+11, David Froble wrote:
> IanD wrote:
<snip>
>
> Somebody give Network Dynamics (I think that's the name) this guy's contact info.
>
> :-)
I see they don't actually have an Itanium version of KEYcapture out, if their web page is up to date that is. VMS on Itanium has been out a very long time now (2005 wasn't it?). At the current rate, they might not produce an x86-64 version until say 2027 approximately? ;-)
The point I was making was that if VMS is going to claim itself as a security-based OS, then this seems to be a glaring omission if its security offerings don't include the inbuilt ability to audit its users fully (and I'll now add, without having to buy a package).
On Tuesday, January 5, 2016 at 12:00:50 PM UTC+11, Craig A. Berry wrote:
> On 1/4/16 6:42 PM, IanD wrote:
> > Since we are going to be pitching security as a strong point for VMS
> > going forward how about having command logging for all commands executed
> > by a process on a VMS system?
>
> There are ways to do it. See:
>
> <http://community.hpe.com/t5/System-Management/How-to-Log-DCL-Access/td-p/4773391>
>
> Something more integrated might be nice.
From what I gleaned from that linked conversation, they were basically advocating a set host/log?
I'm not interested in capturing all the output, just listing the commands executed. The latter would / could be extensive (but as an option to have turned on might be useful in certain circumstances).
Part of what you could do, is then move VMS beyond being just another dump audit system that has a log of things after the event, you might be able to use it as an entry to develop a security reactive system, that scans commands in real time, clobbering certain commands on a barred list for example or if the command attempts to work on a barred resource, stops it from executing, as a form of ultimate protection from a non-sanctioned process. A bit like a firewall that scans URL strings for key words for example. Doesn't VMS do this in part now for Captive accounts? If it sees it executing DCL it logs it out?
We have ACLs to fine tune resource access, why not have something to fine tune command access as well?
I just think if security is a key point on which VMS hopes to create sales on, then the glaring shortfall of having the ability to audit exactly what a user did on a system is needed (without having to buy something else to make VMS complete).