03-06-2012 03:07 AM
Our company is looking for a solution that can help address potential security and regulatory concerns. Basically, we are looking for a solution that can help record sessions (OpenVMS, Unix/Linux, Windows) that can be later on reviewed as required.
Do you use such solution right now? If yes, can you share to me the product name/website so that we can visit it and check whether the product is suitable for our needs?
Thanks in advance for your help!
03-06-2012 06:50 AM
There is no direct solution; OpenVMS doesn't track and log every command entered.
OpenVMS can and and often is configured to audit object accesses. (Monitoring the individual commands generates vast piles of mostly-useless data, and which may or may not reflect what actually happened. Auditing object accesses tells you who did what, and when. You can actually detect and act on it "live", too.)
The OpenVMS FAQ has pointers to monitoring tools including Peek and Spy, and Contrl, which can do something like what you want; that's fairly old information.
Setting up security correctly is more valuable than logging commands, in my experience tracking down breaches in vast piles of mostly-useless logged commands.
There are also network tools and gateways that can log this stuff. The downside with those is that you have to MitM the secure connections. Well, no matter what you're doing, you have to MitM to log commands.) It's also common practice to log the security-relevent activities (object accesses, etc) to central auditing servers, and that's again as part of just figuring out if you're being pen-tested or if you're being attacked, and responding to it.
Do your own due diligence, of course. Your question, your corporate politics, your legal entanglements, your data, etc.
03-06-2012 07:51 AM
What you've written, "we are looking for a solution that can help record sessions ", can be addressed with System Detective by PointSecure - if in fact all you want to do is record sessions.
Hoff brought up other likely relevant issues, System Detective can help with some of those too.
We have customers who use System Detective and they are quite happy with it.
Software Concepts International
03-06-2012 08:44 AM
I deal with regulatory requirements as well, and rarely are exact keyboard input logs required. Usually, data access logs are required. For example, in the healthcare fiield, we are required to record any access to patient data with what is termed a HIPAA log. We are required to record who, when and what data was accessed/updated. Rather than looking for a product/service that can potentially address your compliance needs, why don't you specify those needs. Then, we can suggest ways or products that can address those requirements. Blanket logging of user inputs will generate enormous amounts of data, most of which will be of little to no value. Too much data will also make the tracking you most likely need, difficult to understand and document.
Please give us an idea of the compliance issues you need to address.
03-06-2012 07:41 PM
Thanks guys for the invaluable input!
The question actually raised by our management is something like: if system admins are the police of our systems, who can/how can we police our system admins? Thus, the idea is to record specific privileged user sessions and retain for a certain period, that can be reviewed in the future when required.
I definitely agree that too much logging will also not be helpful in the long run, thus the purpose of this study is that we only plan to do selective logging for system admins or developers who have privileged access to our systems. Of course, we are currently doing necessary loggings in our systems now using the security tools embedded in the OS.
I checked System Detective by PointSecure, and it seems that this will only cover OpenVMS. We are hoping that there might be a single solution out there that can cover all our OS platform here, e.g. HP-UX, Linux, Windows.
I also checked around regarding Hoff's input on access gateway and so far, just in case anyone want to know, I found an appliance from Imera that might actually fullfill our requirement. I still have to contact them on this though.
Again, thanks for the input!
03-07-2012 05:52 AM
This basic question gets asked regularly, when you're dealing with competent auditors.
Please read the checklists that I've linked to. Those are what the (good) auditors can use (on VMS) to manage access, log activities and otherwise review
At the lowest level, the so-called dual-password login is the benchmark approach; that's used at secure sites.
And for those that are particularly or necessarily "paranoid" about this stuff, write-only media can be configured and used for logging activities.
Again, read through the available checklists. And skim through the OpenVMS Security Manual, too.
Do the auditor's jobs for them, too - some auditors are good and saavy and very useful, and some will recommend some really horrid configurations. Some know and appreciate what VMS implements here, and some (bad) auditors will regurgitate a generic checklist or (worse) a checklist for another platform. By reading and understanding those and other checklists, you'll have a better idea of what's possible and what's reasonable and what's available here, and what various security-conscious environments can use or recommend. And you'll have documentation that'll help you avoid implementing Bad Ideas, should your particularly auditors be unfamiliar with VMS security.
03-30-2012 06:46 AM
Depending on just how paranoid your auditors are, you should point out to them that as system administrators, if you ever change someone's password and that gets logged, you have just violated one of the most basic concepts of security - recording passwords. I word at a Dept. of Defense site and even THEY aren't so paranoid. We turn on auditing, tie down SOGW and ACL settings, enable audit-logging of Object Accesses (and deletes), and do some creative scripts regarding evaluation of changes to user directory infrastructure. That passes DoD standards for FOUO systems pretty well.
03-30-2012 07:23 AM
>...you have just violated one of the most basic concepts of security - recording passwords.
HP broke that policy within VMS, with a security update that causes all password failures to be logged. Not just those passwords that were originally logged after breakin evasion was triggered.
05-09-2012 09:13 AM
Provn also has a security suite that includes a keylogger. We use the keylogger.
I don't think you're going to get a single solution that covers all operating systems. Windows and VMS are very different. Ultimately, I don't see the point, as what you're probably looking for is an aggregator so that you can administer your logs in one place. We use Loglogic to do that, since it has clients for some OSes like Windows and for those that don't (like VMS and network hardware) you can use Syslog.