Getting Even More Grip on Your Security with Pointsecure Or

Home , OpenVMS

OpenVMS and Security getting even more grip on your security with Pointsecure or NDC Gerrit Woertman VSI Professional Services Alliance member VSI OpenVMS trainer EMEA & VSI OpenVMS Ambassador [email protected] www.vmsconsultancy.com Agenda

• OpenVMS and Security • EU security laws to report security issues • Non‐HPE/VSI Security packages • Pointsecure – PointAudit – System Detective • Networking Dynamics Corporation (NDC) – Peek & Spy – KEY Capture – Assassin • Questions OpenVMS and Security ‐ 1

• OpenVMS – secure by design • No viruses • One of the first to become US DoD C2‐rating • Declared “Cool and Unhackable” at 2001 DefCon9 as described in 4AA0‐2896ENW.pdf (HP, 11/2005) Alpha OpenVMS with the help of Pointsecure System Detective OpenVMS and Security ‐ 2

• OpenVMS has got optional security solutions – OpenSSL (Secure Socket Layer) https://www.openssl.org/ – Common Data Security Architecture (CDSA) – Kerberos

• Everything fine? Seems so, but there is still need for more and better implementation – On VSI’s research list OpenVMS and Security – 3

• OpenVMS ‐ Linux – Windows • With 100% OpenVMS no problems – fine – That’s not real; today’s softwarestacks complex – Splendid isolation?

• OpenSource – is that safe? ? OpenVMS and Security – 4 • From http://vmssoftware.com/products.html Unmatched Security Compare OpenVMS' security vulnerability record against other operating systems at CVE Details: http://www.cvedetails.com. The following are direct links to reports for OpenVMS, Linux and Windows: • OpenVMS http://www.cvedetails.com/product/4990/HP‐Openvms.html?vendor_id=10 • Linux http://www.cvedetails.com/product/47/Linux‐Linux‐Kernel.html?vendor_id=33 • Windows • http://www.cvedetails.com/product/23546/Microsoft‐Windows‐Server‐2012.html?vendor_id=26 • • http://www.cvedetails.com/product/11366/Microsoft‐Windows‐Server‐2008.html?vendor_id=26 • • http://www.cvedetails.com/product/7108/Microsoft‐Windows‐Server‐2003.html?vendor_id=26 • • http://www.cvedetails.com/product/2594/Microsoft‐Windows‐2003‐Server.html?vendor_id=26 • • http://www.cvedetails.com/product/107/Microsoft‐Windows‐2000.html?vendor_id=26

OpenVMS and Security ‐ 5

• Cybersecurity • More and more security breaches must be reported (EU legislation) • How good do you know your security‐status? • Regularly with audit‐reports, and ad hoc? • Audit‐alarm  OPCOM, do you notice? – You might have CockpitMgr with real‐time security event monitoring, and you see a security event in the display, but otherwise? – Analyze/audit for reporting OpenVMS and Security ‐ 6

• With Digital we had DECInspect Compliance Manager to compare with Security Standards • DEC sold Polycenter to CA, and the Polycenter security products to http://www.ttinet.com • What now? • Pointsecure PointAudit can help • PointAudit presentation and demo OpenVMS and Security ‐ 7

• PointSecure – System Detective • Rules – capture trails/advise, etc. • System Detective presentation and demo OpenVMS and Security ‐8

• Networking Dynamics Corporation (NDC) • Peek&Spy and KeyCapture • Peek&Spy exist for many years – Peek with beep; Spy without notice – Log own terminal • Assassin – idle terminal management • NDC securityproducts presentation and demo Q & A Auditing Your OpenVMS System With PointAudit Gerrit Woertman [email protected] www.vmsconsultancy.com PointAudit ‐ Overview

• Leading auditing product for securing OpenVMS systems • Auditing OpenVMS sites for over 15 years • Comply with security policies and government regulations • Audit disabling of accounts of users no longer authorized • Report on unused accounts or infrequently used accounts • Report on privileged accounts • Audit system patches ! • Audit system generation parameters • Audit system licenses • Audit the system audit server • 96 provided reports and custom reports easily generated PointAudit primary functions

• Create security related audit reports • Assist the system manager • Provide separation of audit data from systems • Separation of audit and system management duties Why does security matter?

• What would happen if your systems are compromised? • Financial cost of recovery • Business disruption • Corporate embarrassment • Regulatory difficulties Why use PointAudit?

• OpenVMS is the most secure operating system • Security on any system can be improved • Many system managers are overworked and under educated • PointAudit enhances and simplifies OpenVMS security reporting and auditing PointAudit Planning

• Where to locate the PointAudit system • In the audit office with physical security • Outside the access area of operational personnel • At the disaster recovery site • Communications protocol to use • SSH is recommended • TELNET is available if needed • Create PointAudit accounts on all the systems to be audited • Grant privileges: NETMBX, SECURITY, SYSLCK, SYSPRV, TMPMBX • Use a complex password – nobody has to remember it • The username and password may be different on each audited system • Setup the accounts to not use any menus or ask questions during login • There is no agent to install on the audited system PointAudit Configuration

• Use the Add Server Wizard to create the server entries • Connection settings – server name, host IP, license key • Server properties – Company, manager, location, department • Use the New Scan Wizard to create scans • Select the servers to run the scan • Name the scan and select the connection protocol and port • Optionally enter a description • Optionally enter email addresses to be notified when the scan completes • Enter the username, password, and test the connection • Select the data to be gathered • Optionally enable scan to run at a specified interval PointAudit Scanning

• Scan on demand • Scan unattended on a schedule • Scan data is stored in a database Predesigned Reports

• 96 modifiable reports predesigned • Accounts with specific privileges • Accounts in privilege groups • Accounts used/unused for a period of time • Accounts never used • Passwords not changed for a period of time • Accounts with flags set Predesigned Reports ‐ continued

• Identifiers • Audit server settings • Patches applied/needed • System generation parameters • License inventory • Compare differences between scans or servers Custom Reports

• Modified standard reports • New reports using any gathered data • Create them any time • Use them on any scanned data in database • Match your site specific policies Summary Screen Management Screen Online Report PDF Report Spreadsheet Report Patch Installed/Available Report Suggestions are appreciated!

[email protected] or Warren Kahle, CSA, CSE, Security+, CISSP PointSecure Technologies Inc 802 Lovett Blvd Houston, TX 77006‐3906 [email protected] Cell: 713‐906‐5600 Office: 713‐868‐1222 ext 2 Protecting Your OpenVMS System With System Detective

Gerrit Woertman CTO OpenVMS VMSConsultancy [email protected] www.vmsconsultancy.com System Detective ‐ Overview

• Leading security product for protecting OpenVMS systems • Versions protecting OpenVMS sites for over 15 years • Declared “virtually unhackable” at Defcon • Comply with security policies and government regulations • Host based intrusion detection • Real time observation and selective logging of user sessions • Inactivity monitoring and protective action initiation • Implemented as execlet code • Rules defined using language‐like block structure System Detective primary functions

• Create security events • Log interactive user activity • Restrict access to sensitive files and information • Secure or terminate idle sessions • Monitor or take control of interactive sessions • Create customized alerts and notifications • Generate comprehensive reports Why use System Detective?

• OpenVMS is the most secure operating system out of the box • Security on any system can be improved

• System Detective enhances OpenVMS security: • Demonstrate regulatory compliance • Protect the system from privileged users • Maintain audit trails • Assist users System Detective Configuration

• Defaults for System Detective parameters • Optionally encrypt session logs • Change the session lock character • Optionally inhibit user’s ability to lock their own sessions • Optionally inhibit user’s ability to permit others to advise • Locations for databases and files • Table of remote or local locations • Proxy access to remote systems • Suggested session log file names • List of users who can shut down System Detective Rules and how they work

• Rules are language‐like block structures containing triggers and actions • Select a rule for a process • Trigger the rule by a process activity • Qualify a rule based on its environment • Primary actions • Secondary actions Rules selected for a process based on

• [No]Username • [No]UIC group • [No]Identifier • [No]Captive Rule initiated primary actions • Idle rules checking on or off • Delete process • Force image exit • Force security event • Log session temporarily or permanently • Log session input only • Stop temporary session logging • Lock user's keyboard (user unlock) • Manager lock keyboard • Exclude rules until end of block • Ignore this process Rule initiated secondary actions

• Send a message to operator(s) • Notify (send a message to) the user • Execute a DCL command in a batch job How it works

• Triggers from callouts from XQP, image activator, exit handler, etc. • Kernel and executive mode threads in process context for efficiency and account billing • Implemented as execlets • Logging from class/port driver interface • Only required data stored in system space • Process related data is pageable • Install or upgrade without reboot • SDA extension for examining data structures • Debug mode for debugging rules Examples of uses

• The privileged executive who logs in on weekends.

• Payroll clerk who leaves terminal unattended.

• Formatting a session log

• Advising an interactive process

• Forced encryption Executive login on weekend example

• A highly privileged executive is not expected to log in on weekends and he is not good at hiding his password.

• The site security manager would like for operations to be alerted and the session activity logged if his account is ever active on weekends Executive login on weekend rule

[Selector] Username george [Trigger] Login ! Anytime he logs in [Time] weekend ! on a weekend [Action] Temp_Log ! log him and tell operator. [Action] opcom=(central) George logged in. Executive login event

TIME : 27‐FEB‐2013 10:00:15.87 NODE : I64 EPID : 210614D0 USERNAME : GEORGE LNAME : GEORGE TERMINAL : _TNA48: PORT : Host: 172.17.3.1 Port: 1372 EVENT_TYPE : LOGIN ACTION_TYPE : LOG_TEMP OPENV$SD_M_LOG_TEMP_DISCOVERY Logged temporarily from discovery Payroll idle rule example

The payroll account is only used by the payroll clerk in the accounting department.

Only the payroll clerk account can modify the payroll database.

Sometimes the payroll clerk takes a break without logging out. Payroll idle rule set

• [selector] username payroll • [trigger] idle 30 • [action] notify = Idle for 30 minutes ‐ another 15 to lock.

• [selector] username payroll • [trigger] idle 45 • [action] notify = Idle for 45 minutes ‐ another 15 to delete. • [action] lock_keyboard

• [selector] username payroll • [trigger] idle 60 • [action] notify = Idle too long ‐ deleting process. • [action] delete Formatting a session log for printing example The legal department wants a printed copy of the session log of the account of George to show that he did not corrupt the customer’s database resulting in a law suit.

The printout must be the whole record of the session so that a business records affidavit may attest to its correctness. Formatting a session log for printing example The corporate security officer issues the command:

$ sysdetect format – GEORGE _2013‐02‐20‐ 103648_00009557.SESSIONLOG_WK – /output=sys$login:george_log.txt

The security officer then prints sys$login:george_log.txt, executes the business records affidavit, and delivers both to the legal department. Advising an interactive process example The hospital help desk is called from a nursing station where the nurse is trying to enter the proper diagnosis code in a patient record.

The nurse has the doctor’s notes but does not know the proper diagnosis code to enter into the patient’s record. Advising an interactive process

The help desk user has been granted the identifier OPENV$SDIS_I_NURSE and the nurse has been granted the identifier NURSE so the help desk operator may advise and enter input into the interactive session of the nurse. The help desk operator asks the nurse for the terminal name she is using and enters the command: $ sysd advise/notify=“I’m here, Maggie” FTA24 The nurse displays the doctor’s notes and the helpdesk operator enters the proper diagnosis code. Forced encryption example

At this site there are a group of users who edit sensitive information from remote sites where unencrypted traffic might be observed.

It was decided that these users would only be allowed to connect to the OpenVMS system using encrypted protocols so they would not be allowed to use telnet or ftp. Forced encryption example

The following two rules were added to the configuration file to delete the processes of the target group if they were telnet or ftp.

[Selector] uic 700 [Trigger] login [Qualifier] terminal = *TNA* ! Telnet login [Action] delete [Selector] uic 700 [Trigger] image *TCPIP$FTP_CHILD.EXE ! FTP [Action] delete Suggestions are appreciated!

[email protected] or Warren Kahle, CSA, CSE, Security+, CISSP PointSecure Technologies Inc 802 Lovett Blvd Houston, TX 77006‐3906 [email protected] Cell: 713‐906‐5600 Office: 713‐868‐1222 ext 2 Networking Dynamics Corporation (NDC) security products

Gerrit Woertman [email protected] www.vmsconsultancy.com Networking Dynamics Corporation Since 1982 Networking Dynamics Corporation has developed and marketed innovative software, and has evolved into a stable provider of high‐quality multi‐platform software, technical support and customer service. NDC distributes worldwide to small, mid‐size and Fortune 500 companies operating in the areas of finance, healthcare, manufacturing, education, government and telecommunications. NDC's software solutions enhance security, productivity and assist companies to comply with mandated regulatory requirements or those stipulated by audit regulations. Networking Dynamics Corporation Networking Dynamics first earned early recognition in the DEC VMS marketplace with VXTD the predecessor to MultiSessions, products whose development was driven by a real need: how to increase user productivity without increasing VMS licensing costs or adding hardware. PEEK & SPY, 1992 Digital Review Target Awards winner for best training products and services, and premier security and support desk tool, has earned such renown and respect that we were tempted to change our name to that of “The PEEK & SPY Company”. Networking Dynamics Corporation

During the 29 years that NDC has been in business, we have seen numerous ISVs succumb due to various factors, but a common fatal error is that they did not invest resources into updating their software products. Our entire line of software has been ported to HP Itanium OpenVMS and is supported on the latest version of OpenVMS. PEEK & SPY

Allows the privileged user to see and log everything done by another user using any one of four journaling options. Logs the observed user’s session actions to an output file. Permits locking out a user’s keyboard in the case of a security breach. Lets a privileged user see exactly what is on another user’s terminal; permits him to either take control of that terminal to fix the problem from his own or let the user have control while he gives any needed instructions. PEEK & SPY Technical Description • Allows watching and logging of output sent to user's screens • Written mostly in Macro‐32; uses non‐public VMS kernel interfaces • Watching of another user's screen is controlled by hot‐keys • Can be used to log all output sent to selected user's terminals • Contains a facility written in C++ which does very good VT100 through VT500 emulation KEY Capture

Allows the system administrator to log keyboard input read from the terminals of selected users. Documents exactly what VMS users did and when they did it. Creates log files which contain the input read from the terminal keyboard; records a timestamp and the name of the program which issued the read. When the terminal read contains a prompt, the prompt is also recorded in the log file. KEY Capture

Technical Description

• Keyboard logging application • Written mostly in Macro‐32; uses non‐public VMS kernel interfaces • Records input read from the keyboard. Includes a time‐ stamp, any prompt connected with the read, and the executable image receiving the input • KEYCapture records completed lines of input read from the keyboard, rather than individual keystrokes which might include corrections for typos, or other line‐editing prior to final submission to the running program ASSASSIN

Automatically performs pre‐defined actions on processes that are idle, inactive or meet special conditions. Locks terminal device of the idle process; user must supply correct VMS password to unlock and continue working. ASSASSIN

Technical Description

• Idle‐process management application • Written in C; uses public VMS interfaces • Determines a process is idle using CPU time, page faults, and IO criteria Exceptions can be configured for images, users, processes, terminals, etc. • Can issue warnings prior to logging off an idle process