[Info-vax] OpenVMS Security enhancement ? Log all commands / activity
johnwallace4 at yahoo.co.uk
Tue Jan 5 14:31:13 EST 2016
On Tuesday, 5 January 2016 07:17:27 UTC, IanD wrote:
> On Tuesday, January 5, 2016 at 4:16:28 PM UTC+11, David Froble wrote:
> > IanD wrote:
>
> <snip>
>
> >
> > Somebody give Network Dynamics (I think that's the name) this guy's contact info.
> >
> > :-)
>
> I see they don't actually have an Itanium version of KEYcapture out, if their web page is up to date that is. VMS on Itanium has been out a very long time now (2005 wasn't it?). At the current rate, they might not produce an x86-64 version until say 2027 approximately? ;-)
>
> The point I was making was that if VMS is going to claim itself as a security based OS, then this seems to be a glaring omission if its security offerings don't include the inbuilt ability to audit its users fully (and I'll now add, without having to buy a package)
>
> On Tuesday, January 5, 2016 at 12:00:50 PM UTC+11, Craig A. Berry wrote:
> > On 1/4/16 6:42 PM, IanD wrote:
> > > Since we are going to be pitching security as a strong point for VMS
> > > going forward how about having command logging for all commands executed
> > > by a process on a VMS system?
> >
> > There are ways to do it. See:
> >
> > <http://community.hpe.com/t5/System-Management/How-to-Log-DCL-Access/td-p/4773391>
> >
> > Something more integrated might be nice.
>
> From what I gleaned from that linked conversation, they were basically advocating a set host/log?
>
> I'm not interested in capturing all the output, just listing the commands executed. The latter would / could be extensive (but as an option to have turned on might be useful in certain circumstances)
>
> Part of what you could do, is then move VMS beyond being just another dump audit system that has a log of things after the event, you might be able to use it as an entry to develop a security reactive system, that scans commands in real time, clobbering certain commands on a barred list for example or if the command attempts to work on a barred resource, stops it from executing, as a form of ultimate protection from a non-sanctioned process. A bit like a firewall that scans URL strings for key words for example. Doesn't VMS do this in part now for Captive accounts? If it sees it executing DCL it logs it out?
>
> We have ACLs to fine tune resource access, why not have something to fine tune command access as well?
>
> I just think if security is a key point on which VMS hopes to create sales on, then the glaring shortfall of having the ability to audit exactly what a user did on a system is needed (without having to buy something else to make VMS complete)

This kind of keyboard-input logging capability may fool some auditors
some of the time, but anyone with an actual clue will know that (as
per Hoff's recent post) there is no inherent connection between the
commands typed and what actually results on the system.

On the other hand if someone wants a largely trustworthy facility
for auditing what happens to selected objects under certain
specific circumstances, it's there, and has been for years. But it's
not shiny and modern, and not usually familiar and probably not
explainable to auditors with a tick sheet in less than thirty seconds
(unless they're moderately familiar with VMS and its security
facilities). And like everything else, it has room for improvement.

If putting a layer of admin-friendliness on top is sufficient, then
tools like System Detective may bring something to the table. They
don't come for free, and if VSI were to bundle a zero-cost replacement
all that would happen is it would upset the existing ISVs.