[Info-vax] VMS and security
Arne Vajhøj
arne at vajhoej.dk
Wed Nov 9 15:22:00 EST 2022
On 11/9/2022 1:30 PM, Simon Clubley wrote:
> On 2022-11-09, Dave Froble <davef at tsoft-inc.com> wrote:
>> On 11/3/2022 9:42 AM, Simon Clubley wrote:
>>> On 2022-11-02, IanD <iloveopenvms at gmail.com> wrote:
>>>>
>>>> I would have thought VMS could leverage its historical reputation in security to give it an advantage against Linux at least, but I'm not convinced it has done enough to ensure it's up to date in the modern security landscape and it really needs to make sure it has its ducks all in a row and then some because any failure in the security arena could/would end VMS's chances of making a comeback.
>>>
>>> Unfortunately, the idea of VMS security somehow being comparable to
>>> today's expected security standards is utterly delusional.
>>
>> Whose expectations?
>
> Everyone in the industry outside of those who write DEC Basic code for
> a living ?

Lots of people have or still do live from writing Basic code.

>>> There's nothing like the Unix chroot jails on VMS.
>>
>> Is this the only method?
>>
>
> If you could come up with something that provides the same level of
> isolation, that could be acceptable as well. What would be your
> suggested VMS alternative to a Unix chroot jail ?
>> It is understood that VMS has been neglected by its owners for some time.
>> However, the question of how far behind could be interesting.
>>
>> Simon, you throw out things used elsewhere and claim that that is the only way
>> to provide security. I don't think that is quite accurate.
>
> Ok, so what are the VMS equivalents of the above functionality that
> can be used to address the same security issues ?
>
> I am especially interested in your plans for implementing MAC security
> on VMS to the same level of functionality and fine-grained levels of
> control seen in SELinux.

MAC for VMS should be relatively well understood. That was what
SEVMS provided.

For isolation I am thinking that VMS got group isolation
on global sections, logicals, file access and process
access. Adding group isolation to disk mount and
network definition plus adding a group based
scheduler may start to look like a foundation for
something.

Arne