[Info-vax] ossec

Arne Vajhøj arne at vajhoej.dk
Sat Apr 8 14:35:10 EDT 2023


On 4/8/2023 1:52 PM, plugh wrote:
> On Saturday, April 8, 2023 at 9:55:49 AM UTC-7, Arne Vajhøj wrote:
>> On 4/7/2023 8:37 PM, plugh wrote:
>>> I think all that's necessary for the "hids" subsystem is to
>>> mount a VMS log directory in *nix. The parser is available now under
>>> the ossec server subsystem.
>> I am not sure that NFS mounting the directories where the critical
>> log files on VMS reside would be improving security.
> 
> I disagree. I'm sure there's a way to safely mount disks R/O remotely
> even under VMS; which techniques depend on your definition of
> "secure". If that's what you're proposing for not researching porting
> the server architecture, fine. If VMS is too spavined to handle
> connections from a *nix server then this topic isn't worth
> discussing.

security.audit$journal, accountng.dat and various log files
are in sys$manager. RDB put a log file in SYS$SYSTEM.
Apache log files are in APACHE$SPECIFIC:[LOGS], which is
disk:[SYS0.SYSCOMMON.APACHE.SPECIFIC.node.LOGS].

I do not like the idea of NFS mounting those directories,
not even read-only with appropriate access control - too risky
that some critical information could leak out that way.

Another way to get information over to ossec has to be found.
IMHO.

Arne








