In order that the security of a Notes system can be maintained during ongoing operations, it is essential to monitor the system. Only in this way can possible configuration errors, security loopholes, security breaches by users and attacks on the system come to light.
Monitoring of the system generally entails the collection of user-related data. Otherwise it is not possible to establish in the event of a security breach which user was responsible. The Data Privacy Officer and the staff council and works council must therefore be involved in planning the monitoring concept as early as possible.
In particular, Lotus Notes' IT security features do not yet include any systematic auditing mechanism, but instead system activities are captured in several log files. However, it is possible to arrange an automatic response to the occurrence of various system events.
At this point it is not possible to make any general recommendations regarding the logging settings, as the type and scope of information that needs to be logged will depend strongly on the particular operational scenario concerned and the monitoring concept used.
With regard to the monitoring of a Notes system, the following factors should be considered:
Some protocol databases have to be explicitly created by the Administrator or Auditor (e.g. "certlog.nsf") or the creation of protocol entries has to be configured (e.g. "domlog.nsf"). It is strongly recommended creating the "certlog.nsf" database in order that the users certified by the relevant server can be documented.
The granularity of the log entries is often not adequate to permit detailed monitoring. Depending on the requirements, it may be necessary to adopt other safeguards outside of the Notes system (e.g. involving the use of third-party products, organisational safeguards or in-house developments) as well.
Activities on clients are not recorded in the server log files. However, there are local log files on clients.
In medium and large systems tools are needed to monitor and evaluate log files. Appropriate add-on tools are available from third party vendors for this purpose.
Access to the log files must be restricted. Depending on the auditing security guidelines, Administrators should not be able to access them. Instead, read access should be granted to Auditors.
The events database ("events4.nsf") permits the definition of monitoring rules which trigger predefined actions (e.g. notification of Administrators or entries in the operating system log) when particular events occur. In particular, appropriate actions in line with the monitoring concept must be configured for events which fall in the "Security" category.
Under Windows NT the degree of logging can be controlled via the Lotus Notes configuration file e.g. "notes.ini". The predefined values should be reviewed and, if necessary, modified.
The size of the log files must be appropriate to the server loading. Thus the Lotus Notes log file "log.nsf" can be configured via entries in the configuration file (e.g. the parameter "log=log.nsf,1,0,7,40000" in "notes.ini" under Windows NT). When planning the auditing concept, care must be taken to ensure that no log entries can unintentionally be lost.
