OpenVMS and Security – getting even more grip on your security with Pointsecure or NDC (PowerPoint presentation)

SLIDE 1

OpenVMS and Security getting even more grip on your security with Pointsecure or NDC

Gerrit Woertman

VSI Professional Services Alliance member, VSI OpenVMS trainer EMEA and VSI OpenVMS Ambassador

gerrit.woertman@vmsconsultancy.com www.vmsconsultancy.com

SLIDE 2

Agenda

  • OpenVMS and Security
  • EU security laws to report security issues
  • Non-HPE/VSI security packages
  • Pointsecure
    – PointAudit
    – System Detective
  • Networking Dynamics Corporation (NDC)
    – Peek & Spy
    – KEY Capture
    – Assassin
  • Questions

SLIDE 3

OpenVMS and Security - 1

  • OpenVMS – secure by design
  • No viruses
  • One of the first operating systems to achieve a US DoD C2 rating
  • Declared “Cool and Unhackable” at DefCon 9 in 2001, as described in HP’s 4AA0-2896ENW.pdf (11/2005): Alpha OpenVMS, with the help of Pointsecure System Detective

SLIDE 4

OpenVMS and Security - 2

  • OpenVMS ships optional security components
    – OpenSSL (Secure Sockets Layer) https://www.openssl.org/
    – Common Data Security Architecture (CDSA)
    – Kerberos
  • Everything fine? It seems so, but there is still a need for more and better implementation
    – On VSI’s research list

SLIDE 5

OpenVMS and Security – 3

  • OpenVMS – Linux – Windows
  • With 100% OpenVMS there would be no problems – fine
    – That is not reality; today’s software stacks are complex – splendid isolation?
  • Open source – is that safe?

SLIDE 6

OpenVMS and Security – 4

  • From http://vmssoftware.com/products.html:

  “Unmatched Security. Compare OpenVMS' security vulnerability record against other operating systems at CVE Details: http://www.cvedetails.com. The following are direct links to reports for OpenVMS, Linux and Windows:”

  • OpenVMS http://www.cvedetails.com/product/4990/HP-Openvms.html?vendor_id=10
  • Linux http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
  • Windows
    – http://www.cvedetails.com/product/23546/Microsoft-Windows-Server-2012.html?vendor_id=26
    – http://www.cvedetails.com/product/11366/Microsoft-Windows-Server-2008.html?vendor_id=26
    – http://www.cvedetails.com/product/7108/Microsoft-Windows-Server-2003.html?vendor_id=26
    – http://www.cvedetails.com/product/2594/Microsoft-Windows-2003-Server.html?vendor_id=26
    – http://www.cvedetails.com/product/107/Microsoft-Windows-2000.html?vendor_id=26

A caveat when reading these counts: a CVE total reflects how many people look for bugs in a platform as much as how many bugs it has, so a low count for OpenVMS is evidence of a small research population as well as of a sound design.

SLIDE 7

SLIDE 8

SLIDE 9

SLIDE 10

OpenVMS and Security - 5

  • Cybersecurity
  • More and more security breaches must be reported (EU legislation)
  • How well do you know your security status?
  • Regularly, with audit reports, and ad hoc?
  • Audit alarms go to OPCOM – do you notice them?
    – You might have CockpitMgr with real-time security event monitoring and see a security event in its display, but otherwise?
    – ANALYZE/AUDIT for reporting

SLIDE 11

OpenVMS and Security - 6

  • With Digital we had DECinspect Compliance Manager to compare against security standards
  • DEC sold Polycenter to CA, and the Polycenter security products to http://www.ttinet.com
  • What now?
  • Pointsecure PointAudit can help
  • PointAudit presentation and demo

SLIDE 12

OpenVMS and Security - 7

  • PointSecure – System Detective
  • Rules – session capture, audit trails, advising, etc.
  • System Detective presentation and demo

SLIDE 13

OpenVMS and Security - 8

  • Networking Dynamics Corporation (NDC)
  • Peek & Spy and KEY Capture
  • Peek & Spy has existed for many years
    – Peek with a beep; Spy without notice
    – Log your own terminal
  • Assassin – idle terminal management
  • NDC security products presentation and demo

SLIDE 14

Q & A

SLIDE 15

Auditing Your OpenVMS System With PointAudit

Gerrit Woertman

Gerrit.Woertman@VMSConsultancy.com www.vmsconsultancy.com

SLIDE 16

PointAudit ‐ Overview

  • Leading auditing product for securing OpenVMS systems
  • Auditing OpenVMS sites for over 15 years
  • Comply with security policies and government regulations
  • Audit disabling of accounts of users no longer authorized
  • Report on unused accounts or infrequently used accounts
  • Report on privileged accounts
  • Audit system patches
  • Audit system generation parameters
  • Audit system licenses
  • Audit the system audit server
  • 96 provided reports and custom reports easily generated
SLIDE 17

PointAudit primary functions

  • Create security related audit reports
  • Assist the system manager
  • Provide separation of audit data from systems
  • Separation of audit and system management duties

SLIDE 18

Why does security matter?

  • What would happen if your systems were compromised?
  • Financial cost of recovery
  • Business disruption
  • Corporate embarrassment
  • Regulatory difficulties

SLIDE 19

Why use PointAudit?

  • OpenVMS is the most secure operating system
  • Security on any system can be improved
  • Many system managers are overworked and under-educated
  • PointAudit enhances and simplifies OpenVMS security reporting and auditing

SLIDE 20

PointAudit Planning

  • Where to locate the PointAudit system
    – In the audit office, with physical security
    – Outside the access area of operational personnel
    – At the disaster recovery site
  • Communications protocol to use
    – SSH is recommended
    – TELNET is available if needed (it carries the audit account’s password and the gathered SYSUAF data in clear text, so use it only on an isolated network)
  • Create PointAudit accounts on all the systems to be audited
    – Grant privileges: NETMBX, SECURITY, SYSLCK, SYSPRV, TMPMBX
    – Use a complex password – nobody has to remember it
    – The username and password may be different on each audited system
    – Set up the accounts so that they do not use any menus or ask questions during login
    – With SYSPRV and SECURITY this account can read SYSUAF and change audit settings, so protect its credentials as you would the SYSTEM account’s
  • There is no agent to install on the audited system

SLIDE 21

PointAudit Configuration

  • Use the Add Server Wizard to create the server entries
    – Connection settings – server name, host IP, license key
    – Server properties – company, manager, location, department
  • Use the New Scan Wizard to create scans
    – Select the servers to run the scan on
    – Name the scan and select the connection protocol and port
    – Optionally enter a description
    – Optionally enter email addresses to be notified when the scan completes
    – Enter the username and password, and test the connection
    – Select the data to be gathered
    – Optionally enable the scan to run at a specified interval

SLIDE 22

PointAudit Scanning

  • Scan on demand
  • Scan unattended on a schedule
  • Scan data is stored in a database
SLIDE 23

Predesigned Reports

  • 96 modifiable predesigned reports
  • Accounts with specific privileges
  • Accounts in privilege groups
  • Accounts used/unused for a period of time
  • Accounts never used
  • Passwords not changed for a period of time
  • Accounts with flags set
SLIDE 24

Predesigned Reports ‐ continued

  • Identifiers
  • Audit server settings
  • Patches applied/needed
  • System generation parameters
  • License inventory
  • Compare differences between scans or servers
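The report categories on the two slides above (accounts holding dangerous privileges, accounts unused or never used, stale passwords, accounts with a given flag) are all derived from SYSUAF fields. As an added example, not PointAudit code, the following Python runs those checks over constructed SYSUAF-style records. The record layout, the account names, the 90-day cut-offs and the privilege grouping are assumptions made for the example; the privilege names, UAF flag names and date format are the real OpenVMS ones.

```python
"""Account-review checks of the kind PointAudit's predesigned reports produce,
run over constructed SYSUAF-style records.  Added example, not PointAudit code:
the record layout, the 90-day cut-offs and the privilege grouping are
assumptions made for the example."""
from datetime import datetime, timedelta

# OpenVMS documents these privileges in its "All" category: holding any one of
# them amounts to full control of the system.  Subset chosen for the example.
ALL_CATEGORY_PRIVS = frozenset({
    "BYPASS", "CMEXEC", "CMKRNL", "DETACH", "LOG_IO", "PFNMAP",
    "PHY_IO", "READALL", "SECURITY", "SETPRV", "SYSNAM", "SYSPRV",
})

# Constructed records.  Dates use the DD-MMM-YYYY HH:MM form AUTHORIZE shows;
# "(none)" means the account has never logged in that way.
ACCOUNTS = [
    {"user": "SYSTEM",   "privs": {"SETPRV", "SYSPRV", "CMKRNL", "TMPMBX", "NETMBX"},
     "last_int": "27-FEB-2013 10:00", "last_nonint": "(none)",
     "pwd_changed": "01-JAN-2012 09:00", "flags": set()},
    {"user": "GEORGE",   "privs": {"SYSPRV", "BYPASS", "TMPMBX", "NETMBX"},
     "last_int": "23-FEB-2013 14:12", "last_nonint": "(none)",
     "pwd_changed": "15-JAN-2013 08:30", "flags": set()},
    {"user": "PAYROLL",  "privs": {"TMPMBX", "NETMBX"},
     "last_int": "26-FEB-2013 16:40", "last_nonint": "(none)",
     "pwd_changed": "10-FEB-2013 11:00", "flags": {"CAPTIVE"}},
    {"user": "OLDCLERK", "privs": {"TMPMBX", "NETMBX"},
     "last_int": "03-MAR-2012 09:15", "last_nonint": "(none)",
     "pwd_changed": "03-MAR-2012 09:15", "flags": set()},
    {"user": "PTAUDIT",  "privs": {"NETMBX", "SECURITY", "SYSLCK", "SYSPRV", "TMPMBX"},
     "last_int": "(none)", "last_nonint": "27-FEB-2013 02:00",
     "pwd_changed": "05-FEB-2013 00:00", "flags": {"DISCTLY"}},
    {"user": "TEMPDEV",  "privs": {"TMPMBX", "NETMBX"},
     "last_int": "(none)", "last_nonint": "(none)",
     "pwd_changed": "20-DEC-2012 00:00", "flags": set()},
]

# "Now" for the example: the day of the login event shown on slide 46.
NOW = datetime(2013, 2, 27, 12, 0)


def vms_date(text):
    """Parse an AUTHORIZE-style date; None for '(none)'."""
    return None if text == "(none)" else datetime.strptime(text, "%d-%b-%Y %H:%M")


def review(accounts, now, unused_days=90, pwd_days=90, flag="CAPTIVE"):
    """Username lists for the report categories named on the slides."""
    unused_before = now - timedelta(days=unused_days)
    pwd_before = now - timedelta(days=pwd_days)
    report = {"privileged": [], "never_used": [], "unused": [],
              "stale_password": [], "flag_set": []}
    for acct in accounts:
        user = acct["user"]
        if acct["privs"] & ALL_CATEGORY_PRIVS:
            report["privileged"].append(user)
        # A service account that logs in only non-interactively (the PointAudit
        # account itself, for instance) is still in use, so judge "unused" on
        # the later of the two last-login dates.
        logins = [d for d in (vms_date(acct["last_int"]), vms_date(acct["last_nonint"])) if d]
        if not logins:
            report["never_used"].append(user)
        elif max(logins) < unused_before:
            report["unused"].append(user)
        if vms_date(acct["pwd_changed"]) < pwd_before:
            report["stale_password"].append(user)
        if flag in acct["flags"]:
            report["flag_set"].append(user)
    return {name: sorted(users) for name, users in report.items()}


def demo_report():
    """The review over the constructed records with the default cut-offs."""
    return review(ACCOUNTS, NOW)


if __name__ == "__main__":
    for name, users in demo_report().items():
        print(f"{name:15s} {', '.join(users) or '-'}")
```

The "privileged" check deliberately ignores NETMBX and TMPMBX, which every account needs; a report that lists every account is one nobody reads. The same applies to the "unused" check: judging on the interactive last-login date alone would flag every service account on the system.
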
SLIDE 25

Custom Reports

  • Modified standard reports
  • New reports using any gathered data
  • Create them any time
  • Use them on any scanned data in database
  • Match your site specific policies
SLIDE 26

Summary Screen

SLIDE 27

Management Screen

SLIDE 28

Online Report

SLIDE 29

PDF Report

SLIDE 30

Spreadsheet Report

SLIDE 31

Patch Installed/Available Report

SLIDE 32

Suggestions are appreciated!

Gerrit.Woertman@vmsconsultancy.com

or

Warren Kahle, CSA, CSE, Security+, CISSP
PointSecure Technologies Inc
802 Lovett Blvd
Houston, TX 77006-3906
Warren.Kahle@PointSecure.com
Cell: 713-906-5600
Office: 713-868-1222 ext 2

SLIDE 33

Protecting Your OpenVMS System With System Detective

Gerrit Woertman

CTO OpenVMS, VMSConsultancy
Gerrit.Woertman@vmsconsultancy.com www.vmsconsultancy.com

SLIDE 34

System Detective - Overview

  • Leading security product for protecting OpenVMS systems
  • Versions protecting OpenVMS sites for over 15 years
  • Declared “virtually unhackable” at Defcon
  • Comply with security policies and government regulations
  • Host based intrusion detection
  • Real time observation and selective logging of user sessions
  • Inactivity monitoring and protective action initiation
  • Implemented as execlet code
  • Rules defined using a language-like block structure

SLIDE 35

System Detective primary functions

  • Create security events
  • Log interactive user activity
  • Restrict access to sensitive files and information
  • Secure or terminate idle sessions
  • Monitor or take control of interactive sessions
  • Create customized alerts and notifications
  • Generate comprehensive reports

SLIDE 36

Why use System Detective?

  • OpenVMS is the most secure operating system out of the box
  • Security on any system can be improved
  • System Detective enhances OpenVMS security:
    – Demonstrate regulatory compliance
    – Protect the system from privileged users
    – Maintain audit trails
    – Assist users

SLIDE 37

System Detective Configuration

  • Defaults for System Detective parameters
  • Optionally encrypt session logs
  • Change the session lock character
  • Optionally inhibit users’ ability to lock their own sessions
  • Optionally inhibit users’ ability to permit others to advise
  • Locations for databases and files
  • Table of remote or local locations
  • Proxy access to remote systems
  • Suggested session log file names
  • List of users who can shut down System Detective

SLIDE 38

Rules and how they work

  • Rules are language-like block structures containing triggers and actions
  • Select a rule for a process
  • Trigger the rule by a process activity
  • Qualify a rule based on its environment
  • Primary actions
  • Secondary actions

SLIDE 39

Rules selected for a process based on

  • [No]Username
  • [No]UIC group
  • [No]Identifier
  • [No]Captive
SLIDE 40

Rule initiated primary actions

  • Idle rules checking on or off
  • Delete process
  • Force image exit
  • Force security event
  • Log session temporarily or permanently
  • Log session input only
  • Stop temporary session logging
  • Lock user's keyboard (user unlock)
  • Manager lock keyboard
  • Exclude rules until end of block
  • Ignore this process
SLIDE 41

Rule initiated secondary actions

  • Send a message to operator(s)
  • Notify (send a message to) the user
  • Execute a DCL command in a batch job
SLIDE 42

How it works

  • Triggers from callouts from the XQP, image activator, exit handler, etc.
  • Kernel and executive mode threads in process context, for efficiency and account billing
  • Implemented as execlets
  • Logging from the class/port driver interface
  • Only required data is stored in system space
  • Process related data is pageable
  • Install or upgrade without reboot
  • SDA extension for examining data structures
  • Debug mode for debugging rules

SLIDE 43

Examples of uses

  • The privileged executive who logs in on weekends
  • The payroll clerk who leaves the terminal unattended
  • Formatting a session log
  • Advising an interactive process
  • Forced encryption

SLIDE 44

Executive login on weekend example

  • A highly privileged executive is not expected to log in on weekends, and he is not good at hiding his password.
  • The site security manager would like operations to be alerted and the session activity logged if his account is ever active on a weekend.

SLIDE 45

Executive login on weekend rule

  [Selector] Username george
  [Trigger]  Login                        ! Anytime he logs in
  [Time]     weekend                      ! on a weekend
  [Action]   Temp_Log                     ! log him and tell operator.
  [Action]   opcom=(central) George logged in.

SLIDE 46

Executive login event

  TIME        : 27-FEB-2013 10:00:15.87
  NODE        : I64
  EPID        : 210614D0
  USERNAME    : GEORGE
  LNAME       : GEORGE
  TERMINAL    : _TNA48:
  PORT        : Host: 172.17.3.1 Port: 1372
  EVENT_TYPE  : LOGIN
  ACTION_TYPE : LOG_TEMP
  OPENV$SD_M_LOG_TEMP_DISCOVERY  Logged temporarily from discovery

SLIDE 47

Payroll idle rule example

The payroll account is only used by the payroll clerk in the accounting department. Only the payroll clerk account can modify the payroll database. Sometimes the payroll clerk takes a break without logging out.

SLIDE 48

Payroll idle rule set

  [selector] username payroll
  [trigger]  idle 30
  [action]   notify = Idle for 30 minutes - another 15 to lock.

  [selector] username payroll
  [trigger]  idle 45
  [action]   notify = Idle for 45 minutes - another 15 to delete.
  [action]   lock_keyboard

  [selector] username payroll
  [trigger]  idle 60
  [action]   notify = Idle too long - deleting process.
  [action]   delete

SLIDE 49

Formatting a session log for printing example

The legal department wants a printed copy of the session log of the account of George to show that he did not corrupt the customer’s database resulting in a law suit. The printout must be the whole record of the session so that a business records affidavit may attest to its correctness.

SLIDE 50

Formatting a session log for printing example

The corporate security officer issues the command:

  $ sysdetect format -
      GEORGE_2013-02-20-103648_00009557.SESSIONLOG_WK -
      /output=sys$login:george_log.txt

The security officer then prints sys$login:george_log.txt, executes the business records affidavit, and delivers both to the legal department.

SLIDE 51

Advising an interactive process example

The hospital help desk is called from a nursing station where the nurse is trying to enter the proper diagnosis code in a patient record. The nurse has the doctor’s notes but does not know the proper diagnosis code to enter into the patient’s record.

SLIDE 52

Advising an interactive process

The help desk user has been granted the identifier OPENV$SDIS_I_NURSE and the nurse has been granted the identifier NURSE, so the help desk operator may advise and enter input into the interactive session of the nurse. The help desk operator asks the nurse for the terminal name she is using and enters the command:

  $ sysd advise/notify="I'm here, Maggie" FTA24

The nurse displays the doctor’s notes and the help desk operator enters the proper diagnosis code.

SLIDE 53

Forced encryption example

At this site there is a group of users who edit sensitive information from remote sites where unencrypted traffic might be observed. It was decided that these users would only be allowed to connect to the OpenVMS system using encrypted protocols, so they would not be allowed to use telnet or ftp.

SLIDE 54

Forced encryption example

The following two rules were added to the configuration file to delete the processes of the target group if they came in over telnet or ftp:

  [Selector]  uic 700
  [Trigger]   login
  [Qualifier] terminal = *TNA*               ! Telnet login
  [Action]    delete

  [Selector]  uic 700
  [Trigger]   image *TCPIP$FTP_CHILD.EXE     ! FTP
  [Action]    delete

Note that both rules can only match once the process carries the user's UIC, that is after authentication, so the user's password has already crossed the network in clear text by the time the process is deleted: the rules stop the session, they do not protect the credential. Where possible, disable the telnet and ftp services themselves as well.

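The three rule sets on slides 45, 48 and 54 share one shape: a selector picks the processes a rule applies to, a trigger names the activity that fires it, qualifiers narrow it by environment, and actions follow. As an added example, not System Detective code, the following Python parses the rule text exactly as it appears on those slides and evaluates it against constructed process events, so the interplay of selector, trigger and qualifier can be checked before a rule goes into a production configuration. The matching semantics are assumptions made for the example: names are compared case-insensitively, terminal and image names are wildcard patterns, UIC groups are octal, and an idle trigger fires once when the idle time first reaches its threshold. The event field names, the username RMTCLERK and the function names are also the example's own.

```python
"""Evaluator for System Detective-style rules over constructed process events.
Added example, not System Detective code: the rule text is from the slides, but
the matching semantics are assumptions made for the example."""
import fnmatch

RULES = """\
[Selector] Username george
[Trigger] Login                        ! Anytime he logs in
[Time] weekend                         ! on a weekend
[Action] Temp_Log                      ! log him and tell operator.
[Action] opcom=(central) George logged in.
[selector] username payroll
[trigger] idle 30
[action] notify = Idle for 30 minutes - another 15 to lock.
[selector] username payroll
[trigger] idle 45
[action] notify = Idle for 45 minutes - another 15 to delete.
[action] lock_keyboard
[selector] username payroll
[trigger] idle 60
[action] notify = Idle too long - deleting process.
[action] delete
[Selector] uic 700
[Trigger] login
[Qualifier] terminal = *TNA*           ! Telnet login
[Action] delete
[Selector] uic 700
[Trigger] image *TCPIP$FTP_CHILD.EXE   ! FTP
[Action] delete
"""


def parse_rules(text):
    """Each [Selector] line starts a rule; '!' begins a comment, as on the slides."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("]")
        key, value = key.lstrip("[").strip().lower(), value.strip()
        if key == "selector":
            rules.append({"selector": value, "triggers": [], "quals": [], "actions": []})
        elif key in ("trigger", "action"):
            rules[-1][key + "s"].append(value)
        elif key in ("qualifier", "time"):
            rules[-1]["quals"].append((key, value))
        else:
            raise ValueError(f"unknown rule keyword: {raw!r}")
    return rules


def _selects(selector, ev):
    """Slide 39: [No]Username and [No]UIC group (identifier and captive omitted)."""
    kind, _, arg = selector.lower().partition(" ")
    negate = kind.startswith("no")
    kind = kind[2:] if negate else kind
    if kind == "username":
        hit = ev["username"].lower() == arg
    elif kind == "uic":
        hit = ev["uic_group"] == int(arg, 8)  # assumption: octal, as UICs are written on OpenVMS
    else:
        raise ValueError(f"unknown selector: {selector!r}")
    return hit != negate


def _triggers(trigger, ev):
    kind, _, arg = trigger.lower().partition(" ")
    if kind == "login":
        return ev["type"] == "login"
    if kind == "idle":  # assumption: fires once, when idle time first reaches the threshold
        return ev["type"] == "idle" and ev["prev_idle"] < int(arg) <= ev["idle_minutes"]
    if kind == "image":
        return ev["type"] == "image" and fnmatch.fnmatchcase(ev["image"].lower(), arg)
    raise ValueError(f"unknown trigger: {trigger!r}")


def _qualifies(kind, value, ev):
    if kind == "time":  # only the 'weekend' form appears on the slides
        return value.lower() == "weekend" and ev["weekday"] >= 5  # Mon=0, so 5,6 = Sat,Sun
    name, _, pattern = value.partition("=")
    if name.strip().lower() == "terminal":
        return fnmatch.fnmatchcase(ev.get("terminal", "").lower(), pattern.strip().lower())
    raise ValueError(f"unknown qualifier: {value!r}")


def evaluate(rules, ev):
    """Actions of every rule whose selector, one trigger and all qualifiers match."""
    return [action for rule in rules
            if _selects(rule["selector"], ev)
            and any(_triggers(t, ev) for t in rule["triggers"])
            and all(_qualifies(k, v, ev) for k, v in rule["quals"])
            for action in rule["actions"]]


def demo():
    """Constructed events; TNAn is a telnet terminal and FTAn an ssh one (assumed)."""
    rules = parse_rules(RULES)
    base = {"uic_group": 0o200, "weekday": 1}
    events = {
        "george_saturday": {**base, "type": "login", "username": "GEORGE", "weekday": 5, "terminal": "_TNA48:"},
        "george_tuesday":  {**base, "type": "login", "username": "GEORGE", "terminal": "_TNA48:"},
        "payroll_idle_45": {**base, "type": "idle", "username": "PAYROLL", "prev_idle": 44, "idle_minutes": 46},
        "remote_telnet":   {**base, "type": "login", "username": "RMTCLERK", "uic_group": 0o700, "terminal": "_TNA52:"},
        "remote_ssh":      {**base, "type": "login", "username": "RMTCLERK", "uic_group": 0o700, "terminal": "_FTA7:"},
        "remote_ftp":      {**base, "type": "image", "username": "RMTCLERK", "uic_group": 0o700,
                            "image": "SYS$SYSTEM:TCPIP$FTP_CHILD.EXE"},
    }
    return {name: evaluate(rules, ev) for name, ev in events.items()}
```

Running `demo()` shows the qualifier doing its work: the same GEORGE login yields the temporary log and the OPCOM message on a Saturday and nothing on a Tuesday, and the same UIC-700 login is deleted on a TNA (telnet) terminal but left alone on an FTA (ssh) one. The idle rules fire one at a time as the threshold is crossed, which is what makes the 30/45/60-minute escalation work; a trigger that fired on every check above the threshold would notify the clerk once a minute.
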
SLIDE 55

Suggestions are appreciated!

Gerrit.Woertman@vmsconsultancy.com

or

Warren Kahle, CSA, CSE, Security+, CISSP
PointSecure Technologies Inc
802 Lovett Blvd
Houston, TX 77006-3906
Warren.Kahle@PointSecure.com
Cell: 713-906-5600
Office: 713-868-1222 ext 2

SLIDE 56

Networking Dynamics Corporation (NDC) security products

Gerrit Woertman

Gerrit.Woertman@vmsconsultancy.com www.vmsconsultancy.com

SLIDE 57

Networking Dynamics Corporation

Since 1982 Networking Dynamics Corporation has developed and marketed innovative software, and has evolved into a stable provider of high-quality multi-platform software, technical support and customer service. NDC distributes worldwide to small, mid-size and Fortune 500 companies operating in the areas of finance, healthcare, manufacturing, education, government and telecommunications. NDC's software solutions enhance security and productivity, and assist companies to comply with mandated regulatory requirements or those stipulated by audit regulations.

SLIDE 58

Networking Dynamics Corporation

Networking Dynamics first earned early recognition in the DEC VMS marketplace with VXTD the predecessor to MultiSessions, products whose development was driven by a real need: how to increase user productivity without increasing VMS licensing costs or adding hardware. PEEK & SPY, 1992 Digital Review Target Awards winner for best training products and services, and premier security and support desk tool, has earned such renown and respect that we were tempted to change our name to that of “The PEEK & SPY Company”.

SLIDE 59

Networking Dynamics Corporation

During the 29 years that NDC has been in business, we have seen numerous ISVs succumb due to various factors, but a common fatal error is that they did not invest resources into updating their software products. Our entire line of software has been ported to HP Itanium OpenVMS and is supported on the latest version of OpenVMS.

SLIDE 60

PEEK & SPY

Allows the privileged user to see and log everything done by another user, using any one of four journaling options. Logs the observed user’s session actions to an output file. Permits locking out a user’s keyboard in the case of a security breach. Lets a privileged user see exactly what is on another user’s terminal, and permits him either to take control of that terminal to fix the problem from his own, or to let the user keep control while he gives any needed instructions.

SLIDE 61

PEEK & SPY

Technical Description

  • Allows watching and logging of output sent to users' screens
  • Written mostly in Macro-32; uses non-public VMS kernel interfaces
  • Watching of another user's screen is controlled by hot-keys
  • Can be used to log all output sent to selected users' terminals
  • Contains a facility written in C++ which does very good VT100 through VT500 emulation

Because it relies on non-public kernel interfaces, confirm vendor support for each OpenVMS version and update kit before upgrading a system that runs it.

SLIDE 62

KEY Capture

Allows the system administrator to log keyboard input read from the terminals of selected users. Documents exactly what VMS users did and when they did it. Creates log files which contain the input read from the terminal keyboard; records a timestamp and the name of the program which issued the read. When the terminal read contains a prompt, the prompt is also recorded in the log file.

SLIDE 63

KEY Capture

Technical Description

  • Keyboard logging application
  • Written mostly in Macro-32; uses non-public VMS kernel interfaces
  • Records input read from the keyboard, including a time-stamp, any prompt connected with the read, and the executable image receiving the input
  • KEY Capture records completed lines of input read from the keyboard, rather than individual keystrokes, which might include corrections for typos or other line-editing prior to final submission to the running program

Input typed at a password prompt is keyboard input too; confirm how the product treats no-echo reads before deploying it on accounts that type passwords, or the log files themselves become the most sensitive data on the system.

SLIDE 64

ASSASSIN

Automatically performs pre-defined actions on processes that are idle, inactive or meet special conditions. Locks the ter­minal device of the idle process; the user must supply the correct VMS password to unlock and continue working.

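What "idle" means is the whole question for a tool like this. As an added example, not NDC code, the following Python shows how an idle-process monitor can decide from the CPU time, page fault and I/O counters named in the technical description that a process has done nothing for several sampling intervals, warn it, and then lock it, with wildcard exceptions for users, images and terminals that must never be treated as idle. The sampling interval, the warn and lock thresholds, the exception lists, the counter field names and the process records are all constructed for the example; the class and function names are the example's own.

```python
"""How an idle-process monitor of the Assassin kind can decide that a process is
idle from its CPU time, page fault and I/O counters, with exceptions for images,
users and terminals.  Added example, not NDC code: the sampling interval, the
thresholds, the exception lists and the process records are all constructed."""
import fnmatch

# Constructed exception lists, wildcard-matched against the upper-case names OpenVMS uses.
EXEMPT = {
    "users": ["SYSTEM"],
    "images": ["*TCPIP$*", "*BACKUP*"],
    "terminals": ["OPA0:"],
}


def is_exempt(proc):
    """True if the process must never be treated as idle."""
    return (any(fnmatch.fnmatchcase(proc["user"], p) for p in EXEMPT["users"])
            or any(fnmatch.fnmatchcase(proc["image"], p) for p in EXEMPT["images"])
            or any(fnmatch.fnmatchcase(proc["terminal"], p) for p in EXEMPT["terminals"]))


class IdleMonitor:
    """Feed one sample of every interactive process per interval.  A process whose
    CPU time, page-fault, buffered-I/O and direct-I/O counters have all stood still
    for warn_after intervals is warned; at lock_after intervals it is locked."""

    def __init__(self, warn_after=2, lock_after=3):
        self.warn_after, self.lock_after = warn_after, lock_after
        self.last = {}   # pid -> counters seen at the previous interval
        self.quiet = {}  # pid -> consecutive intervals with no counter movement

    def sample(self, procs):
        """Return {pid: 'warn' | 'lock'} for this interval."""
        actions, seen = {}, set()
        for proc in procs:
            pid = proc["pid"]
            seen.add(pid)
            counters = (proc["cpu"], proc["pgflts"], proc["bufio"], proc["dirio"])
            prev, self.last[pid] = self.last.get(pid), counters
            if prev is None or is_exempt(proc) or counters != prev:
                self.quiet[pid] = 0  # new, exempt, or did some work: not idle
                continue
            self.quiet[pid] += 1
            if self.quiet[pid] >= self.lock_after:
                actions[pid] = "lock"  # the terminal is locked; the VMS password unlocks it
            elif self.quiet[pid] == self.warn_after:
                actions[pid] = "warn"
        for pid in set(self.last) - seen:  # forget processes that have exited
            self.last.pop(pid)
            self.quiet.pop(pid, None)
        return actions


def _proc(pid, user, image, terminal, cpu, pgflts, bufio, dirio):
    return {"pid": pid, "user": user, "image": image, "terminal": terminal,
            "cpu": cpu, "pgflts": pgflts, "bufio": bufio, "dirio": dirio}


def demo():
    """Four constructed intervals: PAYROLL stops doing anything after the first,
    CLERK2 keeps typing, SYSTEM is quiet but exempt, the FTP child is exempt by
    image and exits before the last interval."""
    intervals = [
        [_proc(0x2101, "PAYROLL", "PAYROLL$EDIT.EXE", "TNA48:", 120, 900, 410, 22),
         _proc(0x2102, "CLERK2", "DCL", "FTA7:", 50, 300, 100, 5),
         _proc(0x2103, "SYSTEM", "DCL", "OPA0:", 10, 100, 20, 1),
         _proc(0x2104, "TCPIP$FTP", "TCPIP$FTP_CHILD.EXE", "", 5, 80, 30, 8)],
        [_proc(0x2101, "PAYROLL", "PAYROLL$EDIT.EXE", "TNA48:", 120, 900, 410, 22),
         _proc(0x2102, "CLERK2", "DCL", "FTA7:", 52, 300, 104, 5),
         _proc(0x2103, "SYSTEM", "DCL", "OPA0:", 10, 100, 20, 1),
         _proc(0x2104, "TCPIP$FTP", "TCPIP$FTP_CHILD.EXE", "", 5, 80, 30, 8)],
        [_proc(0x2101, "PAYROLL", "PAYROLL$EDIT.EXE", "TNA48:", 120, 900, 410, 22),
         _proc(0x2102, "CLERK2", "DCL", "FTA7:", 53, 301, 109, 5),
         _proc(0x2103, "SYSTEM", "DCL", "OPA0:", 10, 100, 20, 1),
         _proc(0x2104, "TCPIP$FTP", "TCPIP$FTP_CHILD.EXE", "", 5, 80, 30, 8)],
        [_proc(0x2101, "PAYROLL", "PAYROLL$EDIT.EXE", "TNA48:", 120, 900, 410, 22),
         _proc(0x2102, "CLERK2", "DCL", "FTA7:", 55, 301, 112, 6),
         _proc(0x2103, "SYSTEM", "DCL", "OPA0:", 10, 100, 20, 1)],
    ]
    monitor = IdleMonitor()
    return [monitor.sample(interval) for interval in intervals]
```

A process blocked in a terminal read shows no movement in any of the four counters, which is exactly the unattended-clerk case; a process that polls on a timer keeps accruing a little CPU time and will never look idle to this test, so the exceptions are not the only thing that keeps a quiet but legitimate job alive. Locking rather than deleting is the safer default: the clerk's unsaved edits survive, and the password check at unlock is what actually closes the unattended-terminal hole.
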
SLIDE 65

ASSASSIN

Technical Description

  • Idle-process management application
  • Written in C; uses public VMS interfaces
  • Determines that a process is idle using CPU time, page fault and I/O criteria
  • Exceptions can be configured for images, users, processes, terminals, etc.
  • Can issue warnings prior to logging off an idle process