topic Re: Security Audit on OpenVMS in Operating System - OpenVMS

Security Audit on OpenVMS

Ed Welsh — Thu, 28 Apr 2005 09:00:16 GMT

Hi all,

I am researching products such as Pedestal-Security Expressions<> for semi-automated security audit of various systems.

For those that are not interested in wading through the marketing bull: Security Expressions use a remote login via ssh/telnet to audit supported systems. Essentially, it has a batch of scripts that check for security problems by logging in remotely and running the sh scripts and then builds a nice report out of the findings.

Security Expressions does not have a module for OpenVMS and I need to find a tool similar in nature to use on OpenVMS.

Any suggestions?

Thanks
EW

Re: Security Audit on OpenVMS

Wim Van den Wyngaert — Thu, 28 Apr 2005 09:13:36 GMT

http://www.windowsitpro.com/Windows/Article/ArticleID/209/209.html

was once used by audit over here.

Wim

Re: Security Audit on OpenVMS

Wim Van den Wyngaert — Thu, 28 Apr 2005 09:20:33 GMT

Here are my findings/notes from 1998 (or was it 97).

Wim

Re: Security Audit on OpenVMS

Ian Miller. — Fri, 29 Apr 2005 03:39:37 GMT

I've not tried it but there is
http://www.pointsecure.com/products/pointaudit.asp

HP sell a security sevice.

CA ePCM has some support for a few versions of VMS.

Re: Security Audit on OpenVMS

Robert Gezelter — Fri, 29 Apr 2005 05:08:04 GMT

Ed,

Many products in the *XIX world check for a list of vulnerabilities. Unfortunately (or fortunately, depending on one's perspective I suppose), many of these problems are specific to *XIX implementations. OpenVMS systems have a fairly different potential set of problems, so I would be VERY surprised if the sh scripts written for a *XIX were of any real use on an OpenVMS platform (e.g., *XIX systems typically use sendmail, which has had numerous vulnerabilities, see the applicable CERT warnings available through http://www.cert.org).

That said, the checklists in the back of the Guide to System Security are a good place to start a security audit. The Pointsecure products are certainly a good start.

Having been involved on both sides of security audits, the tools can only tell you the "What", documenting the "Why" is often more important when the security audit is part of the ongoing package designed to increase the integrity of corporate processes.

- Bob Gezelter, http://www.rlgsc.com

Re: Security Audit on OpenVMS

Ed Welsh — Fri, 29 Apr 2005 08:53:24 GMT

Bob,

You are completely correct in the matching of business case with system configuration. A thorough security policy should always be used as a guide to system setup.

My task is to find a tool that automates the checking of common issues in OpenVMS the same way that Security Expressions does for AIX/Linux.

I would expect the tool to be specific enough to not check an OpenVMS system for sendmail type configurations. My familiarity is with linux and Solaris making this task more challenging. Hence my post to this forum.

Thanks
EW