Integrating OpenVMS with ArcSight
ArcSight supports a wide variety of “legacy” products out of the box, such as large parts of IBM's range, z/OS and others. Its support for these older platforms is lacking in certain areas, though, and may require a fair amount of extra work before they are integrated properly. I recently discovered this when installing a connector for my favorite “legacy” platform, VMS. This article focuses on how to properly integrate ArcSight with HP’s OpenVMS (don’t tell anyone I called VMS a “legacy” product around comp.os.vms or HECnet, though).
On VMS
In 1977 DEC had more than a dozen different operating systems running on a variety of hardware platforms, from PDP-8s to the widely successful PDP-11 (which also ran two of its most popular operating systems, RT-11 and RSX). A new strategy was developed around one hardware platform, and thus my favorite OS was born as VAX/VMS. It was the successor to the various PDP-11 OSes DEC had before then, designed to take advantage of the new 32-bit VAX hardware and tightly coupled with the hardware design.
Despite this, early VAX/VMS systems included an RSX (PDP-11) compatibility mode, since the earlier users were quite attached to their software investments (in fact the boot console of a VAX 11/780 was a stripped-down PDP-11). Many people still use the RSX “MCR” command to invoke things in SYS$SYSTEM (a sort of /bin for your UNIX types).
The “RUN” command is the standard way to do this, but it requires the full path name of the executable and won’t pass the program any arguments. The “MCR” command is sometimes preferred because it assumes the path is SYS$SYSTEM and will pass along any arguments.
So "RUN SYS$SYSTEM:NCP" becomes "MCR NCP". (*Bootnote:* You can also define a symbol and then use that to invoke the program, arguments and all. However, you must do this for every login session, which can be automated but is still tedious.)
A lot of parts of VMS (esp. the ones inherited from RSX) eventually made it into Windows NT (at least the early editions) when Dave Cutler, principal designer of VMS and RSX, moved across to Microsoft.
The security model in particular (with ACLs etc.) came across; how well is a matter for further debate.
Enter the Alpha and the move to OpenVMS
In a VERY brief history of a complicated process, DEC decided to port VMS to their shiny new Alpha platform (in fact AltaVista was originally built to show off the new architecture), add a POSIX layer and rename the product OpenVMS - open as in Open Systems Foundations "open", not open source. The systems even came with CDE as the default GUI - and continue to do so today!
You can theoretically compile most POSIX software on it, but anything more than "Hello World" gets a bit tricky - yet, for example, SAMBA and APACHE have been ported and run rather well.
Compaq Acquires DEC Acquires HP and the Move to IA64
DEC was acquired in June 1998 by Compaq, which in turn merged with Hewlett-Packard in May 2002. HP decided to port OpenVMS to Intel Itanium; both the Alpha and Itanium platforms are still supported, but there are still a lot of VAXes in production use.
After ORACLE's decision to drop support for Itanium, we will see how much life is left in both of the main IA64 OSes - HP-UX and VMS.
The SAMPSACOM setup
In my lab, I run three systems:
- RHESUS - An rx2600 HP Itanium
- GORVAX - A simulated (SIMH-VAX) MicroVAX 3900
- CHIMPY - A DEC DS10, being migrated as we speak from a recently dead AlphaServer 800 (usually publicly accessible at telnet://chimpy.sampsa.com)
These are all connected to the global hobbyist DECNET, HECnet, as well as running various TCP/IP stacks.
VMS Auditing
VMS can audit just about anything, from logons to file accesses made using specific overriding privileges. Here's an example from my system GORVAX (running in rather paranoid mode):
```
System security audits currently enabled for:
  ACL
  Mount
  Authorization
  INSTALL
  Time
  SYSGEN
  Identifier
  Connection
  NCP
  Audit:          illformed
  Process:        CREPRC,DELPRC,SCHDWK,CANWAK,WAKE,SUSPND,RESUME,GRANTID,REVOKID,
                  GETJPI,FORCEX,SIGPRC,SETPRI,PRCTERM
  Breakin:        dialup,local,remote,network,detached
  Login:          batch,dialup,local,remote,network,subprocess,detached,server
  Logfailure:     batch,dialup,local,remote,network,subprocess,detached,server
  Logout:         batch,dialup,local,remote,network,subprocess,detached,server
  Privilege use:
     ACNT ALLSPOOL ALTPRI AUDIT BUGCHK BYPASS CMEXEC CMKRNL
     IMPERSONATE DIAGNOSE EXQUOTA GROUP GRPNAM GRPPRV LOG_IO MOUNT
     NETMBX OPER PFNMAP PHY_IO PRMCEB PRMGBL PRMMBX PSWAPM
     READALL SECURITY SETPRV SHARE SHMEM SYSGBL SYSLCK SYSNAM
     SYSPRV TMPMBX VOLPRO WORLD
  Privilege failure:
     ACNT ALLSPOOL ALTPRI AUDIT BUGCHK BYPASS CMEXEC CMKRNL
     IMPERSONATE DIAGNOSE EXQUOTA GROUP GRPNAM GRPPRV LOG_IO MOUNT
     NETMBX OPER PFNMAP PHY_IO PRMCEB PRMGBL PRMMBX PSWAPM
     READALL SECURITY SETPRV SHARE SHMEM SYSGBL SYSLCK SYSNAM
     SYSPRV TMPMBX VOLPRO WORLD
  FILE access:
     Failure:     read,write,execute,delete,control
     SYSPRV:      read,write,execute,delete,control
     BYPASS:      read,write,execute,delete,control
     GRPPRV:      read,write,execute,delete,control
     READALL:     read,write,execute,delete,control
     Other:       create,deaccess
```
For the uninitiated, the above includes:
- Login success and failure from various sources
- Use of privileges (a VMS user is assigned a set of default privileges plus others that can be enabled temporarily)
- Which file accesses are logged
A good guide to what all this means is the OpenVMS Guide to System Security; a full explanation is far beyond the scope of this article. However, on RHESUS, which is a slightly more relaxed system than GORVAX, I have the following audit setup:
```
RHESUS$ show audit/audit
System security audits currently enabled for:
  ACL
  Authorization
  Audit:          illformed
  Breakin:        dialup,local,remote,network,detached
  Login:          dialup,local,remote,network,subprocess,detached,server
  Logfailure:     batch,dialup,local,remote,network,subprocess,detached,server
  Logout:         batch,dialup,local,remote,network,subprocess,detached,server
  FILE access:
     Failure:     read,write,execute,delete,control
     SYSPRV:      read,write,execute,delete,control
     BYPASS:      read,write,execute,delete,control
     GRPPRV:      read,write,execute,delete,control
     READALL:     read,write,execute,delete,control
```
Tips On Integrating VMS with ArcSight
Unfortunately the SmartConnector documentation that comes with the connector for OpenVMS is a bit vague about the VMS side of things - it shows a single command for pulling out the logs, and that's it. If you were to simply run this, you would get both the old logs (which you've already imported into the ESM/Logger) and the new entries.
One simple solution is to wipe the log after every extract:
```
$ SET AUDIT/SERVER=NEW
```
This of course is not ideal if anything else on your system relies on the audit log.
The Other Way
To solve this problem I created a script that pulls all log entries SINCE the last output file was created. Thanks to VMS's file versioning, successive output files will not overwrite each other, and most sensible file transfer programs will pull down all versions, with the version number appended after the file's extension.
Also, thanks to DECNET's built-in file sharing, there is no need to mount any disks etc. to write the output onto another machine (for example this script, designed to run on GORVAX, actually writes its output to a directory on RHESUS).
This way, by setting the output filename to a directory on a single central host, a copy of this script running on each monitored system will transparently write its logs to that single location, where a simple log retrieval script can pick them up for processing by a standard ArcSight SmartConnector.
```dcl
$!! --------------------------------------------
$!!
$!! proclogs.com v0.02
$!!
$!! This script extracts all audit journal events based on the time stamp
$!! of its output file. It will fail if the output file does not exist;
$!! we suggest running the following command before the first run of the script:
$!!
$!! anal/audit/full/output='OUTPUTFILE'
$!!
$!! e.g.
$!!
$!! anal/audit/full/output=LOGMACHINE::DISK1:[USER.LOGS]HOSTNAME-LOGS-OUT.LOG
$!!
$!! After extracting the log, it can be downloaded and parsed by the OpenVMS
$!! SmartConnector for use by ArcSight products.
$!!
$!! The script automatically adds itself to the SYS$BATCH queue after running to
$!! enable it to automatically restart after a delay, which defaults to 2 min.
$!!
$!! It is a good idea to make this delay longer than the delay of the fetches of
$!! the output to the SmartConnector to avoid interlock problems (i.e. the fetcher
$!! attempting to download the output file whilst it is still being written).
$!!
$!! For example, if you retrieve logs every 30 secs, set this delay to at least
$!! 2 minutes.
$!!
$!! Alternatively turn off the resubmission below and execute the script manually
$!! every time before you do a fetch.
$!!
$!! --------------------------------------------
$
$!! Configurable parameters
$
$ OUTPUTFILE = "RHESUS::DKA0:[ArcSight]GORVAX-LOGS-OUT.LOG"  ! Output filename
$ RESUB = "YES"          ! Set to YES if you wish the script to resubmit itself
$ RESUBDELAY = "2"       ! Delay (in minutes) between resubmissions
$ RESUBQ = "SYS$BATCH"   ! Set this to the queue you wish the script to use
$ CLEARLOG = "NO"        ! Set this to YES if you want the VMS audit journal zeroed after running
$
$!! grab the appropriate privileges
$
$ set proc/priv=all
$
$!!
$!! Uncomment the line below to set the file version limit to 50 so we don't
$!! unnecessarily fill up the disk
$!!
$!! NOTE: this seems to break over DECNET as the set versioning op is not
$!! supported. In this case, set the file version limit manually - it's not
$!! really necessary to do on each run in any case.
$
$! set file/version=50 'OUTPUTFILE'
$
$!! get the creation time of the last log extract (e.g. " 3-JUL-2011 09:05:01.22")
$
$ LASTRUN = F$FILE("''OUTPUTFILE'","CDT")
$
$!! get the date; VMS right-justifies the day, so pad a single-digit day with 0
$
$ LASTDATE = F$EXTRACT(0,11,LASTRUN)
$ firstletter = F$EXTRACT(0,1,LASTDATE)
$ if firstletter .eqs. " "
$ then
$     LASTDATE = F$EXTRACT(1,10,LASTDATE)
$     LASTDATE = "0''LASTDATE'"
$ endif
$
$!! get the time
$
$ LASTTIME = F$EXTRACT(12,11,LASTRUN)
$
$!! build the argument for /SINCE using date and time
$
$ LASTARG = "''LASTDATE':''LASTTIME'"
$
$!! extract logs since the last one
$
$ write sys$output "Retrieving logs since |''LASTARG'|..."
$ anal/audit/full/output='OUTPUTFILE'/since="''LASTARG'" SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$
$!! if we've been asked to, clear the log
$
$ if CLEARLOG .eqs. "YES"
$ then
$     write sys$output "Clearing security log journal"
$     SET AUDIT/SERVER=NEW
$ endif
$
$!! if necessary, add ourselves to a batch queue to run again after RESUBDELAY minutes
$
$ if RESUB .eqs. "YES"
$ then
$     procname = F$ENVIRONMENT("PROCEDURE")
$     SUBMIT/QUEUE='RESUBQ'/AFTER="+:''RESUBDELAY'" 'procname'
$ endif
$ exit
```
This script will pull the log entries created since the last output file (defined as OUTPUTFILE) was written, and write them to that file. Since VMS has file versioning, the previous version will not get overwritten; a new file with an incremented version number is created instead.
NB: It's a good idea to limit how many versions of files are allowed to be created in the output directory, viz.:
```
$ SET DIR/VERSION=50
```
The cool thing about VMS is that you can specify a hostname in the file spec, so for example I collect all my logs in my directory (DKA0:[ArcSight]) on my second server RHESUS, and the OUTPUTFILE variable is set to "RHESUS::DKA0:[ArcSight]GORVAX-LOGS-OUT.LOG" (this does require the relevant DECNET proxies to have been set up, of course).
Keep in mind that each server should have its own file name; for my machine GORVAX it is "GORVAX-LOGS-OUT.LOG".
NB: One small caveat/bug with this script (mostly due to laziness): it expects at least one output file to be present in the output directory, so before the first run you could do something like
```
$ CREATE outputfilename
```
and just hit CTRL-Z to create an empty file.
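As an added example (not part of the original post or its script), here is collector-side Python that mirrors the script's date handling and the versioned-output caveats above: it parses the right-justified VMS creation time, rebuilds the /SINCE argument the script constructs, and picks the not-yet-processed file versions in numeric order while holding back a version that may still be being written. The file names and timestamps are constructed sample data, and the two-minute quiet period is an assumption matching the script's default resubmission delay.

```python
import re
from datetime import datetime, timedelta

# VMS absolute time as returned by F$FILE_ATTRIBUTES(file, "CDT"): the day is
# right-justified, so days 1-9 carry a leading space (" 3-JUL-2011 09:05:01.22").
VMS_TIME_RE = re.compile(
    r"^\s*(\d{1,2})-([A-Z]{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2})\.(\d{2})$")
MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}
# A VMS file version follows the name after a semicolon: GORVAX-LOGS-OUT.LOG;12
VERSIONED_RE = re.compile(r"^(.+);(\d+)$")


def vms_time_to_datetime(stamp):
    """Parse a VMS absolute time (hundredths of a second) into a datetime."""
    m = VMS_TIME_RE.match(stamp)
    if not m:
        raise ValueError("not a VMS absolute time: %r" % stamp)
    day, mon, year, hh, mm, ss, cc = m.groups()
    return datetime(int(year), MONTHS[mon], int(day),
                    int(hh), int(mm), int(ss), int(cc) * 10000)


def since_argument(stamp):
    """Build the /SINCE value the DCL script derives from the CDT string:
    zero-padded day, then the time, e.g. '03-JUL-2011:09:05:01.22'."""
    dt = vms_time_to_datetime(stamp)
    return "%s.%02d" % (dt.strftime("%d-%b-%Y:%H:%M:%S").upper(),
                        dt.microsecond // 10000)


def select_new_versions(fetched, last_processed, now, quiet=timedelta(minutes=2)):
    """Pick the output-file versions the connector has not processed yet.

    fetched is a list of (filename_with_version, modification datetime) from
    the collection directory. Versions are compared numerically (';10' comes
    after ';9', which a plain string sort gets wrong), and a version modified
    less than `quiet` ago is held back because ANALYZE/AUDIT may still be
    writing it (the fetch/write interlock the script header warns about).
    """
    ready = []
    for name, mtime in fetched:
        m = VERSIONED_RE.match(name)
        if not m:
            continue                  # not a versioned VMS file name
        version = int(m.group(2))
        if version <= last_processed or now - mtime < quiet:
            continue                  # already done, or possibly still being written
        ready.append((version, name))
    return [name for _, name in sorted(ready)]
```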
Getting the logs off the box
I personally use SFTP for systems that can handle it (Alphas and Itaniums) and FTP for systems that can’t (VAXes etc.). I will be presenting my FTP script and other methods of pulling files from VMS systems in Part 2 of this post.