[Info-vax] ossec

Arne Vajhøj arne at vajhoej.dk
Sat Apr 8 12:55:42 EDT 2023


On 4/7/2023 8:37 PM, plugh wrote:
> On Friday, April 7, 2023 at 3:32:31 PM UTC-7, Arne Vajhøj wrote:
>> On 4/7/2023 10:01 AM, plugh wrote:
>>> I don't see any attempts for VMS.
>>>
>>> I like working with it on Linux. What are some VMS alternatives?
>> You mean https://github.com/ossec/ossec-hids ?
> Yes.
> 
>> For VMS itself then I suspect most people just use the
>> audit log directly.
>
> ... which probably doesn't include the "active response" component.
> Without automation, issuing such responses manually is probably a
> non-starter. ossec's response subsystem is what I'm looking at for
> VMS.

So ossec does not just detect intrusion but take action?

What would the actions be?

(I don't know the product)

VMS already blocks access if its intrusion detection gets triggered.

> I think all that's necessary for the "hids" subsystem is to
> mount a VMS log directory in *nix. The parser is available now under
> the ossec server subsystem.
I am not sure that NFS mounting the directories where the critical
log files on VMS reside would be improving security.

>> It would probably be interesting to integrate that (audit log)
>> into ossec, because ossec already know how to process some
>> log files that are not VMS specific but may exist on VMS
>> like Apache logs and combining information could be
>> valuable.

> I'm not going to underestimate the work to build an ossec agent. I'd
> like to think it would mesh well with VMS customer needs. It would
> involve the usual pain porting *nix code to VMS; which would be the
> ossec agent code.
> 
> The server/agent model works in that architecture's favor. The
> spin-offs from ossec-hids seem well on their way, but basically
> iterations on the same theme. I don't see an advantage to porting
> anything but the agent; which /should/ work with the various forks,
As usual with open source in the end it will depend on whether
there are people willing to put in some hours.

Arne
