Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

Need something to scan for SSNs & CCNs

 
SOLVED
Go to solution
Victor Semaska_3
Esteemed Contributor

Need something to scan for SSNs & CCNs

Greetings,

Management wants IT to scan all servers for sensitive data. Right now sensitive data is defined as any file with Social Security No.s or Credit Card No.s in it. I've been able to find scripts for our *nix servers but haven't found anything for our one remaining VMS server (VAXstation 4000-90 running OpenVMS V6.2). I'm pretty sure it doesn't have sensitive data on it but for the auditors I need to do a scan somehow to make them happy.

Has anyone heard of such a thing for VMS?

Thanks,
Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
17 REPLIES 17
Hoff
Honored Contributor

Re: Need something to scan for SSNs & CCNs

I've not seen nor heard of such a tool.

You could use the same "magic pixie dust" scanner used on Unix, either invoked under bash/GNV on OpenVMS, or after a quick port over of the core of the logic -- which is probably awk or grep or such -- and this port can use one of the existing ports of awk or grep.

I use "magic pixie dust" here as it is certain that the social security number scanner could miss these (no check digit), and it's certainly feasible for a credit card number to mis-fire due to the various formats and encodings that are feasible. Though a check digit is usually available, the exact formats can and do differ.

http://www.merriampark.com/anatomycc.htm

You could cover a fair amount of territory with little more than one of the available grep ports and a little time spent on the regular expressions needed. (The patterns are probably already in your "magic pixie dust" scanner, too.)

The basic command is grep -R -i "pattern"

And you can find grep ports on the Freeware.

http://mvb.saic.com/freeware/

http://www.google.com/search?hl=en&q=site%3Amvb.saic.com+grep&btnG=Google+Search


Robert Gezelter
Honored Contributor

Re: Need something to scan for SSNs & CCNs

Vic,

I would agree with Hoff. If for no other reason, the auditors have blessed the patterns being used on the *IX platforms. The precise patterns that were scanned for can often be important in these situations.

Even if you are manually using GREP on OpenVMS, please use precisely the sanctioned patterns. It will save the effort of re-doing the scan.

- Bob Gezelter, http://www.rlgsc.com
John Gillings
Honored Contributor

Re: Need something to scan for SSNs & CCNs

Vic,

Do you really expect to find any on an ancient VAX?

I don't know about SSNs, but credit card numbers are a fairly specific pattern, with predictable leading numbers, and there are fairly simple sanity check algorithms which you should be able to find using Google.

Use someting like grep to look for suspects, then apply the check algorithm to filter further.
A crucible of informative mistakes
Victor Semaska_3
Esteemed Contributor

Re: Need something to scan for SSNs & CCNs

Well it looks like I'll have to write something of my own. I would like to install grep & awk so I could use the same Extended Regular Expressions that are used in the *nix scripts.

Hoff, I followed the link to freeware that you provided but didn't see any index on where grep & awk would be located. So what I did is go here:

http://www.openvms.compaq.com/openvms/freeware/

and download the CDs. So far I've tried installing grep but it fails when I ran @VMSMAKE.COM. I get this several times:

if (our_path == NULL && !gopher_setup)
.............................^
%CC-E-UNDECLARED, In this statement, "gopher_setup" is not declared.
At line number 393 in DKA200:[SEMASKA.FREE.1.GREP.UNZIP]SHELL_MUNG.C;1.

Never programmed in C so I don't know how to fix it. Any ideas? It has been such a long time since I've worked on VMS.

Does anyone have executables of grep & awk that I can get a copy of?

John,

I don't expect to find SSNs or CCNs on the VAXstation but the auditors said that all servers have to be scanned. They want evidence of this being done so I have no choice.


There are 10 kinds of people, one that understands binary and one that doesn't.
Hoff
Honored Contributor

Re: Need something to scan for SSNs & CCNs

The Google "site:" keyword helps target the search, and particularly to a site that contains massive quantities of Freeware -- that is centrally why I provided two URLs:
http://www.google.com/search?hl=en&q=site%3Amvb.saic.com+grep&btnG=Google+
Search

The fourth hit in that Google search is this:

http://mvb.saic.com/freeware/freewarev40/grep/vax/

The HP site (compaq.com or otherwise) doesn't have a particularly good nor complete collection of Freeware for OpenVMS, which is centrally why I pointed you to what I consider a better and far more extensive site.

The other current option is the gnv kit, but I have no idea if gnv has made it as far back as OpenVMS VAX V6.2. (I'd guess not.) You are far enough back to have access to the POSIX kit however, and POSIX has many of these commands. POSIX was a POSIX Unix C shell for OpenVMS, and has many typical commands; it's the forerunner of the gnv
stuff.

Hunter has copies of both grep and gawk posted at the Process server, too.

http://vms.process.com/fileserv-software.html

I've posted up pointers to various tools in the OpenVMS Frequently Asked Questions (FAQ), which is available at:

http://www.hoffmanlabs.com/vmsfaq

The FAQ has a whole section on finding Unix tools. (I'm not pointing you at the copy of the FAQ over at the HP site here because that version is comparatively stale.)

Or you can fix the source code. Which particular grep did you try? This looks to be a fairly straightforward C syntax error.

Stephen Hoffman
HoffmanLabs LLC

--

NB: The "Need something to search for SSNs & CCNs" question here was is also cross-posted out into comp.os.vms.
Steven Schweda
Honored Contributor

Re: Need something to scan for SSNs & CCNs

> [...] POSIX [...]

Ooh. There's a stroll down memory lane.

psx> man grep

grep
The grep utility searches for and matches patterns in a text
file.
[...]

Even the fancy ones:

psx> man egrep

egrep
The egrep and fgrep utilities search for and match patterns in a
text file.
[...]

psx> uname -a
POSIX_for_OpenVMS_VAX GIMP V2.0(V2.0) V6.2 VAX_4000-200 VAX

And the price is right, too, as I recall.
John Gillings
Honored Contributor

Re: Need something to scan for SSNs & CCNs

Vic,
Semi serious suggestion...

$ CREATE SCAN_FOR_SSN_CCN.COM
$ DECK
$ WRITE SYS$OUTPUT "Scanning for SSN's and CCN's at ",F$TIME()
$ SEARCH disk1:[000000...]*.* "CCN's in Standard Format","SSN's in Standard Format"
$ WRITE SYS$OUTPUT "Scan complete at ",F$TIME()
$ EOD

Repeat for each disk. Take a log of the run and submit it as a report to your auditors.

It's probably as accurate as anything other simple minded test, and you can honestly say you've performed a scan of all files on the system.

A crucible of informative mistakes
Wim Van den Wyngaert
Honored Contributor

Re: Need something to scan for SSNs & CCNs

You will need to read the files as backup /ign=interlock is doing or you will miss the exclusive open files.

And what if the data is split between lines or blocks ? Or with abnormal formatting ?

Wim
Wim
labadie_1
Honored Contributor

Re: Need something to scan for SSNs & CCNs

Hello

I guess this is not your data, as if it was, you would know what files are on the various disks, and how the data is organised.
May be a merge of companies ?

If the sensitive data is (more or less) crypted, using just a compression tool or something more serious, various search or grep will find nothing.
Victor Semaska_3
Esteemed Contributor

Re: Need something to scan for SSNs & CCNs

Thanks everyone for your advice and help.

Hoff, I wasn't familiar with how Google could search a specific site. Learn something new every day. I was able to download grep from that site and run it. Problem is that it sometimes aborts with an access violation so I couldn't do full disk scans. One of the reasons it aborts is if it tries to scan an open file. I made sure all app.s are stopped so there weren't any files open on the disks but it still aborts.

It did prove useful in that it did find files with actual SSNs in them (old reports) before it aborts. Seems the server was used for some Personnel/Payroll system. Anyway, mission accomplished (sort of).

Thanks again,
Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
David Jones_21
Trusted Contributor

Re: Need something to scan for SSNs & CCNs

Generally, SSN scanners are prone to producing so many false positives to make them useless. International phone numbers often have an SSN type format. If you want to be complete, you need to decode MIME encodings and PDFs and the various archive formats (ZIP, gz, etc) to include them in the search.

In other words, it's a tough problem.
I'm looking for marbles all day long.
Wim Van den Wyngaert
Honored Contributor

Re: Need something to scan for SSNs & CCNs

It seems one of my posts didn't arrive.

https://www.pcisecuritystandards.org/pdfs/asv_report.html you only have to find out which is supported on VMS. Or scan the VMS disks starting from *nix using NFS (is what I would do because thus only 1 product).

Wim
Wim
Victor Semaska_3
Esteemed Contributor

Re: Need something to scan for SSNs & CCNs

Scanning the VMS disks on *nix via NFS mounts sounds like a nice idea. Would be able to use the same script we're using on the *nix servers.

The TCP stack (if that's what it's called) that's being used is Multinet. Looked thru the NFS options with MULTINET CONFIGURE/MENU but wasn't able to make it work. Kind of looks like the NFS option wasn't purchased. There's no service contract for Multinet anymore so no supoort available.

Will have to wait to see what the auditors want to do this sensitive data on this old VAXstation. See if I have to identify the specific files.

Thanks,
Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
Wim Van den Wyngaert
Honored Contributor
Solution

Re: Need something to scan for SSNs & CCNs

Or zip them and unzip them on *nix.

Wim
Wim
Hoff
Honored Contributor

Re: Need something to scan for SSNs & CCNs

For those that aren't acquainted with fossil-vintage software, or that are not themselves of fossil-vintage -- and being guilty on both counts myself...

POSIX was a supported DEC product for OpenVMS VAX, and there are probably copies of it on your V6.2 distro kit. No license was required to use it, only the time spent to install it. POSIX provides a full Unix shell.

POSIX was retired in the early V7.* range and had some issues when upgraded past a specified release (you needed to remove it), and the capabilities it offered were later replaced with the gnv kit in more recent times. But back in this era, it worked fine. And I'm guessing you're not going to be upgrading this particular OpenVMS VAX anytime soon...

POSIX directly allows most Unix bash shell scripts and most Unix commands to operate.
John Gillings
Honored Contributor

Re: Need something to scan for SSNs & CCNs

Vic,

>Scanning the VMS disks on *nix via NFS
>mounts sounds like a nice idea. Would be
>able to use the same script we're using on
>the *nix servers.

Yes and no.

Yes, if the files are all sequential text, and the NFS server does the right thing in interpreting record formats other than stream_lf.

However, if you have indexed files, especially if they're compressed, the data from NFS won't make any sense, and it's unlikely you'll find any target fields if they're present.

In contrast, running the script on OpenVMS where the indexed file is opened as a sequential file, RMS will present the records in primary key order, de-compressed just as if it were a text file.

You may get something similar happening with NFS, but I wouldn't want to bet my business on it!

Consider that if there are SSNs and CCNs on the system, in an OpenVMS context they'd be far more likely to be in an indexed file or data base than in a flat text file.
A crucible of informative mistakes
Victor Semaska_3
Esteemed Contributor

Re: Need something to scan for SSNs & CCNs

Thanks Wim,

Zipping up the files and put them on a *nix server to be scanned turned out to be the best and simplest solution.

The VAXstation has plenty of free diskspace so I was able to zip up the files one disk at a time. Then ftp the zip files over to a test Linux box that I have with lots of free space.

Not the perfect solution but the auditors are happy so I'm happy.

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.