Audit code in Domino server - part 1: Requirements
I gave a presentation at Collabsphere and Engage about an NSF tool I developed to audit the code of a Domino server for a Spanish customer.
I received attention from many English-speaking users who asked me for an English version.
As I see room for improvement, I will explain the process from scratch and add new features.
My personal list of requirements:
- One server = one audit database that contains all the data.
- One central location that gathers system information in one place before starting the analysis
- Option to choose what to analyze
- Easy to maintain, with optional manual live analysis triggered by the user
- Always accurate thanks to nightly automatic update processes
- Focus on usability instead of top-notch analysis and extra-detailed extraction
- LotusScript and Java based (no C API calls)
- Possible creation and export of a report for a database or a group of databases
- High value information presented easily
What DBs to analyze?
We will not analyze system databases, templates, or mail files. We will focus on business applications.
What are the questions we want to answer about the code?
Where do we have the following bad practices?
- Hard-coded server names
- Hard-coded usernames, which can be current users, deprecated users (members of the DENY ACCESS group), or disabled users (temporarily disabled users)
- Hard-coded database names
- Hard-coded emails
- Other hard-coded values from a list, per request
- Inheritance of design elements blocked at a low level
What languages are in use in the NSF to develop applications?
- External JARs stored in the NSF
- Use of Java language
- Use of JavaScript
- Use of Bootstrap + version
What other components are in use?
- Use of LibreOffice, Word, Excel
- Use of PDF
- Teamstudio Build Manager
- HTTP API calls
Where do we use specific components?
- OLE calls
- LSXLC and LSXODBC
- LS2J - LotusScript 2 Java Bridge
- LEI
- DECS
- Search for specific CreateObject method
Where do we see ties to operating system bitness?
- Lock/Unlock methods
- NotesSession.Platform="Windows/32"
- NotesSession.Platform,3))="win"
- GetActiveWindow
- List of DLLs used ("kernel32")
Long-term limitations for Nomad
- Java agents
- XPages
- LS2J
- Web Services
- LSXLC and LSXODBC
- @Command( [EditFind] )
- C API "OSLoadProgram"
- NotesHTTPRequest
https://help.hcltechsw.com/nomad/1.0/hcln_limitations.html
- All the Nomad platform differences in LotusScript: https://help.hcltechsw.com/dom_designer/12.0.0/basic/LSAZ_NOMAD_PLATFORM_DIFFERENCES.html
Construct | Usage in HCL Nomad |
---|---|
ActivateApp | Not supported. Generates the error "Operation not supported on this platform." |
ChDir | If a drive letter is contained in the argument, generates the error "Device unavailable." |
CreateObject | Not supported. Generates the error "Operation not supported on this platform." |
Date, Date$ | Can fetch current date. Setting the date generates the error "Illegal function call." |
Declare | Generates the error "Error in Loading DLL." |
GetFileAttr | Does not return the following attributes: ATTR_HIDDEN, ATTR_ARCHIVE, ATTR_VOLUME, ATTR_SYSTEM. |
GetObject | Not supported. Generates the error "Operation not supported on this platform." |
Lock, Unlock | Not supported. Generates the error "Operation not supported on this platform." |
SendKeys | Not supported. Because CreateObject is not supported, unable to get Wscript.Shell object. |
SetFileAttr | Ignores the attributes ATTR_HIDDEN, ATTR_ARCHIVE, and ATTR_VOLUME. |
Shell | Not supported. Generates the error "Unable to open file." |
Time, Time$ | Can fetch current time. Setting the time generates the error "Illegal function call." |
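To make the questions above concrete, here is an added example (not the author's LotusScript/Java tool) of a rule-based scan over exported LotusScript source: it flags the Nomad-unsupported constructs from the table (CreateObject, Shell, Lock/Unlock, Declare ... Lib), Platform-based bitness checks, hard-coded e-mail addresses, and string literals that match a server inventory or DENY ACCESS list. The source snippet, server names and user names are constructed; a real run would take them from the central audit database.

```python
import re

# Constructed LotusScript source, as it might be exported from an NSF design
# element. Line 3 is a comment and must NOT be flagged.
SAMPLE_SOURCE = """\
Sub Initialize
    Dim s As New NotesSession
    ' Old comment: CreateObject("Excel.Application") was used here
    Dim db As NotesDatabase
    Set db = s.GetDatabase("SRV01/ACME", "apps/orders.nsf")
    If Left(s.Platform, 3) = "Win" Then
        Set xl = CreateObject("Excel.Application")
    End If
    Call doc.ReplaceItemValue("SendTo", "john.doe@acme.example")
    Shell "notepad.exe", 1
End Sub
Declare Function GetActiveWindow Lib "user32" () As Long
"""

# Hypothetical inventory the audit database would gather from the server
# (constructed names): known servers and members of the DENY ACCESS group.
KNOWN_SERVERS = {"SRV01/ACME", "SRV02/ACME"}
DENIED_USERS = {"Jane Smith/ACME"}

# (category, rule name, pattern): one rule per construct named in the post.
RULES = [
    ("nomad", "CreateObject/GetObject", re.compile(r"\b(CreateObject|GetObject)\s*\(", re.I)),
    ("nomad", "Shell call", re.compile(r"^\s*Shell\b", re.I)),
    ("nomad", "Lock/Unlock", re.compile(r"^\s*(Lock|Unlock)\b", re.I)),
    ("nomad", "Declare ... Lib (DLL)", re.compile(r'\bDeclare\b.*\bLib\s+"', re.I)),
    ("bitness", "Platform check", re.compile(r"\.Platform\b", re.I)),
    ("hardcoded", "e-mail address", re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")),
]

def scan_lotusscript(source, known_servers=KNOWN_SERVERS, denied_users=DENIED_USERS):
    """Return (line_no, category, rule, code) for every hit, skipping comment lines."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith("'") or code.upper().startswith("REM "):
            continue  # LotusScript comment: a commented-out CreateObject is not a finding
        for category, rule, pat in RULES:
            if pat.search(code):
                findings.append((no, category, rule, code))
        # Hard-coded names count only inside string literals, matched against the inventory
        for literal in re.findall(r'"([^"]*)"', code):
            if literal in known_servers:
                findings.append((no, "hardcoded", "server name", code))
            if literal in denied_users:
                findings.append((no, "hardcoded", "denied user", code))
    return findings

if __name__ == "__main__":
    for no, cat, rule, code in scan_lotusscript(SAMPLE_SOURCE):
        print(f"line {no:>2} [{cat}/{rule}] {code}")
```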