[Info-vax] OpenVMS Security enhancement ? Log all commands / activity
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Tue Jan 5 13:50:26 EST 2016
On 2016-01-05 00:42:29 +0000, IanD said:
> Since we are going to be pitching security as a strong point for VMS
> going forward how about having command logging for all commands
> executed by a process on a VMS system?
Creating a bigger haystack to search for needles, and one that's
trivially bypassed?
$
$ EDIT BUILD.COM
$! you won't see these in an environment that logs commands:
$ COBOL :== $NEFARIOUS_COMMAND
$ LINK :== $REALLY_EVIL_COMMAND
$ DEFINE /NOLOG X SYS$SYSTEM:SYSUAF.DAT
^Z
$! you will see this entirely-innocent-looking stuff:
$ @BUILD
$ COBOL x
$ LINK x
$
Add audits and alarms configured appropriately for your site, and — for
faster responses — get an audit listener going, and centralized
collection of logs and audits.
The old VMS FAQ has pointers to tools that collect more data — Peek and
Spy among them — for those folks that have teams of auditors ready and
able to sift through the textual tsunami.
http://labs.hoffmanlabs.com/vmsfaq
But as for more recent security and beyond these older ACLs and the
NSA-style collect-it-all logging... After you have gotten done
configuring a private root certificate and signing some certificates,
and also getting the commercial certificate authority root certificates
working on OpenVMS, and particularly getting SSL, SSL1, ssh and Apache
mod_ssl, and with client and server application connection security
running at Mozilla's "modern" security configuration, then maybe then
we can discuss some marketing folks pitching OpenVMS for its security.
Or maybe you'll better understand why at least some marketeers might
not want to make security a central feature of the marketing quite yet.
Then we can discuss what's missing from ACLs and audits and the rest of
VMS security.
And before the VSI folks get around to using "security" as a central
feature of their marketing, there's more than a little and arguably
"lower-hanging fruit" for VSI marketing to work on, if and when they
get some time away from their apparent current strategy of calls and
confabs with larger customers; of direct sales. Of getting ready for
the biggest announcement that they've ever done with the upcoming
V8.4-2 release, too. Maybe like getting the V8.4-1H1 release
documentation posted and online license purchases, for instance. Of
VSI developers getting the time to replace the
unsupported-by-ISC-since-2009 version of the ISC BIND 9 DNS server, too.
--
Pure Personal Opinion | HoffmanLabs LLC
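The gap shown in the DCL session above, as an added example that is not part of the original post: scanning the procedure file flags the symbol and logical-name redefinitions, while the three commands a command logger would record yield nothing. The `scan` function and both watch lists are assumptions of this example; the sample lines are the ones from the post.

```python
import re

# Constructed for this example: verbs whose redefinition deserves a look.
WATCHED_VERBS = {"COBOL", "LINK", "RUN", "COPY", "DELETE", "MAIL"}
# Constructed for this example: files a logical name should not quietly point at.
SENSITIVE_FILES = ("SYSUAF.DAT",)

# DCL symbol assignment: NAME =, ==, := or :== value ('*' marks an abbreviation point).
ASSIGN = re.compile(r"^\$\s*([A-Z_$][A-Z0-9_$*]*)\s*(:?==?)\s*(.+)$", re.I)
# DEFINE with optional qualifiers, then logical name and equivalence string.
DEFINE = re.compile(r"^\$\s*DEF[A-Z]*((?:\s*/[A-Z_=]+)*)\s+(\S+)\s+(\S+)", re.I)

# Contents of BUILD.COM as typed into the editor in the post.
BUILD_COM = [
    "$! you won't see these in an environment that logs commands:",
    "$ COBOL :== $NEFARIOUS_COMMAND",
    "$ LINK :== $REALLY_EVIL_COMMAND",
    "$ DEFINE /NOLOG X SYS$SYSTEM:SYSUAF.DAT",
]
# What a per-process command log would hold for the same session.
COMMAND_LOG = ["$ @BUILD", "$ COBOL x", "$ LINK x"]


def scan(lines):
    """Return (line_no, kind, name, value) for each suspicious DCL line."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("$!"):  # DCL comment line
            continue
        m = ASSIGN.match(line)
        if m:
            name = m.group(1).replace("*", "").upper()
            value = m.group(3).strip()
            if name in WATCHED_VERBS:
                # A value starting with '$' makes the symbol a foreign command.
                foreign = value.lstrip('"').startswith("$")
                kind = "verb-to-foreign-command" if foreign else "verb-to-symbol"
                findings.append((no, kind, name, value))
            continue
        m = DEFINE.match(line)
        if m and m.group(3).upper().endswith(SENSITIVE_FILES):
            findings.append((no, "logical-to-sensitive-file",
                             m.group(2).upper(), m.group(3).upper()))
    return findings


if __name__ == "__main__":
    print("procedure file:", scan(BUILD_COM))
    print("command log:   ", scan(COMMAND_LOG))
```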