[Info-vax] ossec

plugh jchimene at gmail.com
Sat Apr 8 13:52:26 EDT 2023


On Saturday, April 8, 2023 at 9:55:49 AM UTC-7, Arne Vajhøj wrote:
> On 4/7/2023 8:37 PM, plugh wrote: 
> > On Friday, April 7, 2023 at 3:32:31 PM UTC-7, Arne Vajhøj wrote: 
> >> On 4/7/2023 10:01 AM, plugh wrote: 
> >>> I don't see any attempts for VMS. 
> >>> 
> >>> I like working with it on Linux. What are some VMS alternatives? 
> >> You mean https://github.com/ossec/ossec-hids ? 
> > Yes. 
> > 
> >> For VMS itself then I suspect most people just use the 
> >> audit log directly. 
> > 
> > ... which probably doesn't include the "active response" component. 
> > Without automation, issuing such responses manually is probably a 
> > non-starter. ossec's response subsystem is what I'm looking at for 
> > VMS.
> So ossec does not just detect intrusion but take action? 
> 
> What would the actions be? 
> 
> (I don't know the product) 
> 
> VMS already block access if its intrusion detection get triggered.

Agreed. I'd forgotten about VMS intrusion detection and response, which works for login sessions and is one aspect. You can probably work out other intrusions: email, web... There's also file monitoring, which is probably there as well. You'd mentioned them earlier.
The ossec actions include the equivalent blocking of unauthorized login attempts (via nft or iptables) as well as blocks for unauthorized URL access and unauthorized email access. The list of intrusions and responses is limited by what you can log and your imagination.
> > I think all that's necessary for the "hids" subsystem is to 
> > mount a VMS log directory in *nix. The parser is available now under 
> > the ossec server subsystem.
> I am not sure that NFS mounting the directories where the critical 
> log files on VMS reside would be improving security.

I disagree. I'm sure there's a way to safely mount disks R/O remotely even under VMS; which techniques depend on your definition of "secure". If that's what you're proposing for not researching porting the server architecture, fine. If VMS is too spavined to handle connections from a *nix server then this topic isn't worth discussing.
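The thread describes the two halves of what OSSEC's "active response" does with a log feed: a frequency rule over decoded log lines (N failures from one source inside a time window) and a timed block that is later released. The following is an added illustration of that loop, not code from OSSEC, from VMS, or from either poster. The log lines are constructed (ISO timestamp plus `LOGFAIL`/`LOGIN` tags and key=value fields); real VMS audit records look nothing like this and would need their own decoder, which is exactly the parser the thread says is available in the ossec server. The `block_fn`/`unblock_fn` callables are the hook where a site would attach its own nft/iptables wrapper or VMS-side equivalent; here they default to just recording the decision, so the code runs offline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real VMS audit output): ISO timestamp, event tag
# and key=value fields, roughly what a normalised feed from a mounted log
# directory might look like. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2023-04-08T13:50:01 LOGFAIL user=SYSTEM src=192.0.2.10
2023-04-08T13:50:09 LOGFAIL user=SYSTEM src=192.0.2.10
2023-04-08T13:50:20 LOGIN user=JCHIMENE src=198.51.100.7
2023-04-08T13:50:31 LOGFAIL user=FIELD src=192.0.2.10
2023-04-08T13:50:40 LOGFAIL user=SYSTEM src=192.0.2.10
2023-04-08T13:55:00 LOGFAIL user=OPERATOR src=203.0.113.5
2023-04-08T14:05:00 LOGFAIL user=OPERATOR src=203.0.113.5
"""

# Decoder: extract the fields from one failed-login line; anything else is ignored.
LOGFAIL_RE = re.compile(
    r"^(?P<ts>\S+) LOGFAIL user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def decode(line):
    """Return (timestamp, user, src) for a LOGFAIL line, else None."""
    m = LOGFAIL_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"]


class ActiveResponder:
    """Frequency rule plus timed block, in the style of a HIDS active response.

    `threshold` failures from one source within `window` call block_fn(src);
    after `timeout` the block is released and unblock_fn(src) is called.
    Both callables default to no-ops so nothing touches a real firewall here.
    """

    def __init__(self, threshold=3, window=timedelta(seconds=60),
                 timeout=timedelta(minutes=10), block_fn=None, unblock_fn=None):
        self.threshold = threshold
        self.window = window
        self.timeout = timeout
        self.block_fn = block_fn or (lambda src: None)
        self.unblock_fn = unblock_fn or (lambda src: None)
        self.actions = []                   # audit trail: (action, src, timestamp)
        self._recent = defaultdict(deque)   # src -> timestamps of recent failures
        self._blocked = {}                  # src -> time the block expires

    def _expire_blocks(self, now):
        # Release blocks whose timeout has passed, using log time, not wall time,
        # so replaying an old log file behaves the same as live tailing.
        for src, until in list(self._blocked.items()):
            if now >= until:
                del self._blocked[src]
                self.unblock_fn(src)
                self.actions.append(("unblock", src, now))

    def observe(self, line):
        """Feed one log line; return 'block' if a response fired, else None."""
        decoded = decode(line)
        if decoded is None:
            return None
        ts, _user, src = decoded
        self._expire_blocks(ts)
        if src in self._blocked:
            return None             # already blocked; do not re-fire on the noise
        recent = self._recent[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()        # drop failures outside the sliding window
        if len(recent) >= self.threshold:
            self._blocked[src] = ts + self.timeout
            recent.clear()
            self.block_fn(src)
            self.actions.append(("block", src, ts))
            return "block"
        return None

    def blocked_sources(self):
        return sorted(self._blocked)


def run(log_text, **kwargs):
    """Replay a whole log text through a responder and return it for inspection."""
    responder = ActiveResponder(**kwargs)
    for line in log_text.splitlines():
        responder.observe(line)
    return responder


if __name__ == "__main__":
    for action in run(SAMPLE_LOG).actions:
        print(*action)
```

On the sample feed, 192.0.2.10 reaches three failures inside sixty seconds at 13:50:31 and is blocked; the fourth failure at 13:50:40 is swallowed, and the block lapses at the 14:05:00 event because ten minutes have passed in log time. 203.0.113.5 fails twice, but ten minutes apart, so the window never fills. The timed release matters: a block that never expires turns a crude detector into a self-inflicted denial of service for whoever sits behind a shared address.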