Security Basics mailing list archives
Re: Information on Informix and Lotus Dominos Audit
From: Philip Storry <phil () philipstorry net>
Date: Fri, 26 Sep 2003 19:05:42 +0100
Hello MY-Magdelin,

Friday, September 26, 2003, 2:09:58 AM, you wrote:

MMT> Is there any documentation out there for auditing informix and lotus dominos
MMT> on a solaris platform?

I can't comment on auditing Informix or Solaris, due to a lack of knowledge - but I can comment on Lotus Domino.

Auditing Lotus Domino can be a long, long process. You don't mention what the purpose of the Domino server is, so it's difficult for me to even offer general advice here. And even if I did know, this is a subject that a pretty weighty book could probably be written on - so it would probably not be well suited for one email. Not unless you want to wait a year for me to write it, and want a few tens of megabytes in your inbox! (This is due to the sheer number of things Domino can do, as it is a very versatile product.)

That having been said, here's some pointers:

NGSSoftware have an excellent product which can perform a scan for security problems on a Domino Web Server:
http://www.nextgenss.com/products/dominoscan.htm

There is also some good basic advice here:
http://searchdomino.techtarget.com/tip/1,289483,sid4_gci784290,00.html
Note, however, that you will need to know a lot about Domino administration (and possibly development if you run custom apps) in order to be able to take this approach.

DominoSecurity.org has a list of products and services that may be of use to you. There are also links to articles that you may wish to read if you are performing the audit yourself.
http://www.dominosecurity.org/

A word of caution - if you're not sure what to do for an audit, you really shouldn't be carrying it out yourself. You should pay a knowledgeable and experienced person or organisation to do it for you, or the results will be, quite frankly, useless.

There is also something good to be said for having someone external performing the audit, as they are removed from both any internal political issues AND they may not have any lax habits or historical background that would cause them to not notice or question things that may be wrong.

Sadly, the downside to a security audit is that it will probably not be cheap to do - whether sourced internally or externally. The time required is likely to be quite significant, even for a single server.

I hope this has helped!

--
Best regards,
Philip
mailto:phil () philipstorry net