[Info-vax] VMS Privileges Versus Linux Capabilities
Kerry Main
kemain.nospam at gmail.com
Thu Jun 16 20:57:34 EDT 2016
> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at info-vax.com] On Behalf Of
> Stephen Hoffman via Info-vax
> Sent: 16-Jun-16 8:07 PM
> To: info-vax at info-vax.com
> Cc: Stephen Hoffman <seaohveh at hoffmanlabs.invalid>
> Subject: Re: [New Info-vax] VMS Privileges Versus Linux Capabilities
>
> On 2016-06-16 23:03:46 +0000, mailto:lawrencedo99 at gmail.com said:
>
> > On Friday, June 17, 2016 at 8:53:18 AM UTC+12, Simon Clubley wrote:
> >
> >> The difference between the models is that in VMS there's no such
> thing
> >> as a fully privileged image or fully privileged user at least in the
> >> sense that is meant under Unix so you don't have to worry about
> >> emulating a root account or suid binaries under VMS.
>
> Any user or installed image with an all-class privilege or any
> user-written system service or user-written system service, or any
> privileged server application, or any device driver or any execlet, or
> any hunk invoked from that context — which can potentially include a
> group-writable LOGIN.COM procedure of a privileged user, for instance
> —
> or ... whatever... is still a target, and the associated security needs
> to be reviewed. UWSS and drivers and execlets and ACPs, and images
> installed with any ALL-class privilege — and other such constructs —
> are already or can become fully privileged, with complete system
> access. Any code in any inner-mode is fully privileged. Etc.
>
> > Linux also has security options like SELinux or AppArmor. With one of
> > these enabled, even running as root will not give you unchecked access
> > to the system.
>
> SEVMS was the mandatory access control variant of OpenVMS:
> http://h71000.www7.hp.com/openvms/products/sevms/info.html
>
> OpenVMS lacks sandboxes or jails or a BSD-style pledge() mechanism,
> among other constructs.
>
> What OpenVMS calls a subsystem identifier — an ACL-based entitlement
> for executables — can be quite useful.
>
There is also a native third party tool from PointSecure that adds additional
security features and capabilities to OpenVMS - System Detective.
http://pointsecure.com/products/system-detective/
- Safeguard systems from potential misuse by elevated users
- Produce logs of session activity
- Proactively respond to security events
- Alert on session activity and policy violations
- Enhance protection of sensitive information
- Recover from operation errors with audit trails
- Review recorded session log files
- Create reports of session activity
I like the capability to create security rules specific to your environment
and encryption of log files.
Regards,
Kerry Main
Kerry dot main at starkgaming dot com
More information about the Info-vax
mailing list