
Security Audit on OpenVMS

 
Ed Welsh
New Member

Security Audit on OpenVMS

Hi all,

I am researching products such as Pedestal-Security Expressions for semi-automated security audit of various systems.

For those that are not interested in wading through the marketing bull: Security Expressions uses a remote login via ssh/telnet to audit supported systems. Essentially, it has a batch of scripts that check for security problems by logging in remotely and running the sh scripts and then builds a nice report out of the findings.

Security Expressions does not have a module for OpenVMS and I need to find a tool similar in nature to use on OpenVMS.

Any suggestions?

Thanks
EW
Wim Van den Wyngaert
Honored Contributor

Re: Security Audit on OpenVMS

Here are my findings/notes from 1998 (or was it 97).

Wim
Ian Miller.
Honored Contributor

Re: Security Audit on OpenVMS

I've not tried it but there is
http://www.pointsecure.com/products/pointaudit.asp

HP sell a security service.

CA ePCM has some support for a few versions of VMS.

____________________
Purely Personal Opinion
Robert Gezelter
Honored Contributor

Re: Security Audit on OpenVMS

Ed,

Many products in the *XIX world check for a list of vulnerabilities. Unfortunately (or fortunately, depending on one's perspective I suppose), many of these problems are specific to *XIX implementations. OpenVMS systems have a fairly different potential set of problems, so I would be VERY surprised if the sh scripts written for a *XIX were of any real use on an OpenVMS platform (e.g., *XIX systems typically use sendmail, which has had numerous vulnerabilities, see the applicable CERT warnings available through http://www.cert.org).

That said, the checklists in the back of the Guide to System Security are a good place to start a security audit. The Pointsecure products are certainly a good start.

Having been involved on both sides of security audits, the tools can only tell you the "What"; documenting the "Why" is often more important when the security audit is part of the ongoing package designed to increase the integrity of corporate processes.

- Bob Gezelter, http://www.rlgsc.com
Ed Welsh
New Member

Re: Security Audit on OpenVMS

Bob,

You are completely correct in the matching of business case with system configuration. A thorough security policy should always be used as a guide to system setup.

My task is to find a tool that automates the checking of common issues in OpenVMS the same way that Security Expressions does for AIX/Linux.

I would expect the tool to be specific enough to not check an OpenVMS system for sendmail-type configurations. My familiarity is with Linux and Solaris, making this task more challenging. Hence my post to this forum.

Thanks
EW