What *is* a "location"? A/the remote IP address? Or where the
actual desk/chair where a specific user is sitting is located?

In our environment, all logins comes from the same "location" (an
Citrix application server where the terminal emulator is running),
no matter where on the earth that user actually is sitting. The
IP address changes randomly between 2 or 3 servers.

for
way is
looking
to
and
VMS
it's
mistakes
only
is bad
looking
worked
they
black
help
and
but
is
sda
credit
the
still for
to
whatever
offer
believing VMS
for
whole
While I agree with you that there are a number of areas that OpenVMS
needs to improve on (Security is definitely one area), one also has to
ask "at what point does the OS have to provide everything when there
are commercial products available that address some of the missing
functionality?"

Case in point - PointSecure offers a few products that can
significantly improve the security and auditing of OpenVMS.

System Detective:
http://pointsecure.com/products/system-detective/

Point Audit:
http://pointsecure.com/products/pointaudit/

Patch Analyzer:
http://pointsecure.com/products/patchanalyzer/

Security Snapshot:
http://pointsecure.com/products/snapshot/

As example - you can define all sorts of security event rules with
Security Detective from PointSecure.

Custom written rules can be triggered by:
- Login (process discovery)
- File access (via the XQP)
- Image activation (via the image activator)
- Image exit (via exit handler)
- Idle time (via one minute timer)

Rule initiated primary actions:
- Idle rules checking on or off
- Delete process
- Force image exit
- Force security event
- Log session temporarily or permanently
- Log session input only
- Stop temporary session logging
- Lock user's keyboard (user unlock)
- Manager lock keyboard
- Exclude rules until end of block
- Ignore this process

Rule initiated secondary actions:
- Send a message to operator(s)
- Notify (send a message to) the user
- Execute a DCL command in a batch job

You can also setup System Detective so that a show system does not
display that it is installed.

Regards,

Kerry Main
Kerry dot main at starkgaming dot com

Have you been around long enough to remember
DECinspect (a security auditing tool from the
early 1990s)? It was in the docset, and in
Europe at least it was probably in the DECdirect
software catalogue for a while.

DECinspect begat POLYcenter Security something or
other, which in due course was sold off like all
the other ahead-of-its time software, because
the future of DEC/CPQ was in selling IA64-based
hardware (according to a certain Bob Palmer).
Lots of saleable systems management stuff just
faded away once it had left DEC (not that it was
particularly visible anyway).

The PointSecure family (as mentioned by Kerry)
seems to share some of the DECinspect concepts
and capabilities. There are presentations around
(even from as recently as 2016).

Seek and ye may find.

DEC/CPQ/HP management may not have understood the
value of things like integrated multi-system
security capabilities but there were architects
and engineers that did. Maybe they're still
available ? Maybe the hooks they designed in are
still there and working, and would be a good
place to start from for the future security work
which VSIVMS will undoubtedly required?

VMS has had auditing built in to the OS
architecture for decades but doesn't have an
auditing GUI built in, and is missing lots of
other handy stuff too. On the other hand...

If an increased attack surface is a bad thing,
then in that respect VMS already has a massive
advantage over Windows - VMS is radically
smaller, and historically has things like a
sensible approach to shared libraries and
multiversioning, one part of which is "don't
***unnecessarily*** break compatibility"
(sometimes it's inevitable).

Compare with Windows. Strategy, interfaces,
and libraries change every year or two, as
does the approach to multi-version
compatibility (side by side was Win7, Win10
has something new and incompatible, right?).

Windows doesn't have a meaningful auditing
or event log architecture in the OS, but has
lots of shiny add-ons, in addition to the
pointless built-in event logging system.

Meanwhile, many in the world of Window boxes
still think "application whitelisting" is
something more than security theatre. It's
going to be an uphill battle defeating that
level of understanding. Where to even start?


For those unfamiliar with Stuxnet, the new
documentary movie Zero Days tells the story
in an approachable way. It was recently on
BBC TV in the StoryVille series [1] and is
available on iPlayer for another ten days:
http://www.bbc.co.uk/programmes/b08bcc18
Available soon in cinemas etc (?).

Where was Windows security there?

More to a lot of this than meets the eye -
but being well informed is a good start :)

Have a lot of fun.

[1] I mention Storyville simply because on
my TV's version of iPlayer, if you search
for Storyville you find Zero Days, but a
search for Zero Days finds no results even
though it's in the program title. Oh well.

We're going to be using passwords for the foreseeable future.
Increasingly with 2FA. Because there isn't an alternative.
Always challenge assumptions. Sometimes they're still necessary and
appropriate. Sometimes not.

Doing the same thing usually gives you the same outcome. That might
not be the best outcome, particularly in changing conditions.
Get yourself onto the security flaw feeds, and start getting a feel for
where the problems are, and how fast the flaws become known, too.
Start looking at how some of the newer systems are being managed, too.
The ones I work with are vastly easier to deal with than OpenVMS, and
do more. That's starting with a base of knowledge around how OpenVMS
works, too.
This extends well beyond security. We're not going to get more staff,
more experienced staff, better staff. Not easily, nor cheaply. Most
likely, we're going to get what we have, or less. As end-users, we
can't use systems that require more effort. As product producers,
shifting management and development costs onto the end-users is
increasingly intractable, too. Go try setting up clustering some
time. It's an utter train-wreck. Works great once it's all
configured, but getting to the working configuration is just insanely
manual. Sure, if the end-users are willing to wade through the manuals
— and know where the ~24 shared files are documented — clustering is a
fine solution.

But once you have that clustering configured and working, you still
have security problems and double-secret "best practices" — rather
than, you know, just installing and working and being simple and
secure. Just working. Like we'd all prefer. Like OpenVMS used to
do and to be, back when it was a good and cheap and simple alternative
to then-current servers. What many of us remember. Instead, we're
now dealing with configuring and managing and securing management VLANs
and protecting the clustering traffic against rogue printers and
writing our own DCL procedures to correctly secure our keys and encrypt
our backups and the rest of the "you didn't _know_ that?" steps
increasingly involved. This because we're dealing with badly
down-revision iLOs and down-revision SSL and SSH and the rest.

Just getting an OpenVMS system patched to current is a slog, compared
with other systems. What's that tell you?

As a developer, go try to write a secure network-accessed distributed
app on OpenVMS, using cluster features. Go ahead. Try it. I'll
wait. Get 2FA and maybe Kerberos working while you're at it, given
you're going to have to go write your own 2FA or acquire and integrate
some third-party support for that, and sort out how to deal with
delegation.

This whole area needs to be massively simpler to install, configure,
manage, troubleshoot, develop for....
Massively.
2FA is about the best that's available, preferably not via SMS.
Command auditing doesn't do what you want. It's useful as part of
DFIR, but it's not going to be a reliable access control mechanism.

If you're not going to actually solve the problem with whatever you're
doing, then aren't you really just adding more complexity?
See previous comment.
If you want to disable access, you need to work within the
security-relevant accessors and objects involved, and commands are not
those. That is, ACLs and ownership and identifiers and related, and
files and queues and sections and such. Within what the OpenVMS access
control system is designed to mediate. There's a big diagram in the
OpenVMS security manual. That diagram and the whole OpenVMS model
really needs to be extended out to deal with LDAP and Kerberos, but it
covers local authentication well.
Logging everything is great if you want to drown yourself in data, and
quite possibly meaningless data.
Across all systems, too. Integrated with app failures, too, as
crashes can be an indication of probes. But most folks are not
working with systems that are directly accessed via the command line
for the end-users, with general DCL access increasingly reserved for
developers, administrators, and other trusted folks. And only when
they really need that, if we look forward.
Heuristics. Distributed logging and correlation. Etc. But that's
so far out ahead of what OpenVMS currently provides, that'll most
likely only ever be available a third-party add-on for the foreseeable
future.
Existing and isolated and task-dedicated servers and shops are a nice
base where they even still exist, but they're not the future.
Again, it ain't the password that was being discussed in this thread,
it's the password hash.
Security isn't a huge selling point for most folks, unfortunately.
It's a nice-to-have, but just as soon as it gets in the way, or gets
too expensive, security tends to either get ignored or otherwise worked
around, or somebody has to mandate the security requirements (e.g. PCI,
financial regulations, etc) and that approach is also certainly
problematic. In many ways, security is similar to insurance. You
want to have enough. Too little or too much is a problem. Each site
invariably ends up making those calculations, too. It'd be really
nice to differentiate on easy-to-use and fully-integrated or other
such, but I'm working with other platforms that already have that.
That's not going to happen easily. I'm sure the folks at VSI are
learning a whole lot about this, and rate of change across the whole
area is not slowing down.
I'd be surprised if there was particular new work going on here. Some
incremental work such as 2L1, certainly. Integrating fixes for the
password hash or adopting and integrating LDAP and Kerberos will be
more effort and more disruptive, and there's a constituency that
strongly prefers compatibility over change. That work also pushes out
the port, and you can be certain VSI wants to get the x86-64 port out
the door just as soon as it's stable and supportable and salable.
Just as soon as you connect to the network, and have some reason —
credit card data, sensitive information, vulnerabilities that can be
leveraged into a DDoS against others, whatever — you're targeted. No
cloud needed.
I've been discussing this topic for years here in comp.os.vms, and have
delivered multiple presentations on the topic at boot camp. Others
have posted and presented, too. But then some of us actually have to
use OpenVMS security, and get it connected to other servers. That's
increasingly an adventure, particularly for anyone that's used other
platforms and then has to try the same on OpenVMS. The "cool and
unhackable" mantra quickly runs afoul of the "why can't modern SSH
connect to my OpenVMS system?" or "why aren't my network connections
encrypted?" or "why am I being told to fall back to TCP 80 and disable
TCP 443 when the rest of the world is moving to 443?", and goes rapidly
downhill from there.

VSI is working diligently on the port and on updating the capabilities,
and they've already done some work on security and networking. This
however is a massive effort. VSI needs to get to stable positive and
preferably increasing revenues first, and then they can start looking
at addressing security or whatever other areas will bring them the
revenues they need to build their staff and build their installed base
and — once they get far enough along — start adding wholly new partners
and new apps.

I believe both Stephen and I have said a few things on this subject
over the last year or two. :-)

If you want a really simple example of something which VMS lacks
(at least as far as VSI is concerned) then you might want to ask
VSI why they _still_ don't have a secure security bug public
reporting mechanism in place.

This is an absolutely standard thing to be present on an OS vendor's
website these days and it's omission doesn't exactly give you
confidence that VSI are on the ball when it comes to the security
culture as seen in today's world.

Simon.