[Info-vax] ossec
plugh
jchimene at gmail.com
Sat Apr 8 15:41:54 EDT 2023
On Saturday, April 8, 2023 at 12:28:04 PM UTC-7, plugh wrote:
> On Saturday, April 8, 2023 at 11:35:17 AM UTC-7, Arne Vajhøj wrote:
> > On 4/8/2023 1:52 PM, plugh wrote:
> > > On Saturday, April 8, 2023 at 9:55:49 AM UTC-7, Arne Vajhøj wrote:
> > >> On 4/7/2023 8:37 PM, plugh wrote:
> > >>> I think all that's necessary for the "hids" subsystem is to
> > >>> mount a VMS log directory in *nix. The parser is available now under
> > >>> the ossec server subsystem.
> > >> I am not sure that NFS mounting the directories where the critical
> > >> log files on VMS reside would be improving security.
> > >
> > > I disagree. I'm sure there's a way to safely mount disks R/O remotely
> > > even under VMS; which techniques depend on your definition of
> > > "secure". If that's what you're proposing for not researching porting
> > > the server architecture, fine. If VMS is too spavined to handle
> > > connections from a *nix server then this topic isn't worth
> > > discussing.
> > security.audit$journal, accountng.dat and various log files
> > are in sys$manager. RDB put a log file in SYS$SYSTEM.
> > Apache log files are in APACHE$SPECIFIC:[LOGS], which is
> > disk:[SYS0.SYSCOMMON.APACHE.SPECIFIC.node.LOGS].
> >
> > I do not like the idea of NFS mounting those directories
> > not even readonly with appropriate access control - too risky
> > that some critical information could leak out that way.
> >
> > Another way to get information over to ossec has to be found.
> > IMHO.
> >
> > Arne
> Can we limn that fear?
I retract that question. I have a misunderstanding of the architecture.
The server does not need access to the agent's alert sources.