Security Basics mailing list archives

Re: Information on Informix and Lotus Dominos Audit


From: Philip Storry <phil () philipstorry net>
Date: Fri, 26 Sep 2003 19:05:42 +0100

Hello MY-Magdelin,

Friday, September 26, 2003, 2:09:58 AM, you wrote:

MMT> Is there any documentation out there for auditing informix and lotus dominos
MMT> on a solaris platform?

I can't comment on auditing Informix or Solaris, due to a lack of
knowledge - but I can comment on Lotus Domino.

Auditing Lotus Domino can be a long, long process. You don't mention
what the purpose of the Domino server is, so it's difficult for me to
even offer general advice here. And even if I did know, this is a
subject that a pretty weighty book could probably be written on - so
it would probably not be well suited for one email. Not unless you
want to wait a year for me to write it, and want a few tens of
megabytes in your inbox!

(This is due to the sheer number of things Domino can do, as it is a
very versatile product.)


That having been said, here are some pointers:

NGSSoftware have an excellent product which can perform a scan for
security problems on a Domino Web Server:
http://www.nextgenss.com/products/dominoscan.htm

There is also some good basic advice here:
http://searchdomino.techtarget.com/tip/1,289483,sid4_gci784290,00.html
Note, however, that you will need to know a lot about Domino
administration (and possibly development if you run custom apps) in
order to be able to take this approach.

DominoSecurity.org has a list of products and services that may be of
use to you. There are also links to articles that you may wish to read
if you are performing the audit yourself.
http://www.dominosecurity.org/


A word of caution - if you're not sure what to do for an audit, you
really shouldn't be carrying it out yourself. You should pay a
knowledgeable and experienced person or organisation to do it for you,
or the results will be, quite frankly, useless.

There is also something good to be said for having someone external
performing the audit, as they are removed from both any internal
political issues AND they may not have any lax habits or historical
background that would cause them to not notice or question things that
may be wrong.

Sadly, the downside to a security audit is that it will probably not
be cheap to do - whether sourced internally or externally. The time
required is likely to be quite significant, even for a single server.

I hope this has helped!

--
Best regards,
 Philip                            mailto:phil () philipstorry net
