[Info-vax] ossec

plugh jchimene at gmail.com
Fri Apr 7 20:37:27 EDT 2023


On Friday, April 7, 2023 at 3:32:31 PM UTC-7, Arne Vajhøj wrote:
> On 4/7/2023 10:01 AM, plugh wrote: 
> > I don't see any attempts for VMS. 
> > 
> > I like working with it on Linux. What are some VMS alternatives?
> You mean https://github.com/ossec/ossec-hids ? 
Yes.

> For VMS itself then I suspect most people just use the 
> audit log directly. 
... which probably doesn't include the "active response" component. Without automation, issuing such responses manually is probably a non-starter. ossec's response subsystem is what I'm looking at for VMS. I think all that's necessary for the "hids" subsystem is to mount a VMS log directory in *nix. The parser is available now under the ossec server subsystem.

> It would probably be interesting to integrate that (audit log) 
> into ossec, because ossec already knows how to process some 
> log files that are not VMS specific but may exist on VMS 
> like Apache logs and combining information could be 
> valuable. 
I'm not going to underestimate the work to build an ossec agent. I'd like to think it would mesh well with VMS customer needs. It would involve the usual pain porting *nix code to VMS, which would be the ossec agent code.

The server/agent model works in that architecture's favor. The spin-offs from ossec-hids seem well on their way, but basically iterations on the same theme. I don't see an advantage to porting anything but the agent, which /should/ work with the various forks.

Right now, I'm just poking around. I saw some FT notice; which milestone piqued my interest. 



