Security Audit tool

To document and evaluate the security risk of their integration implementation, Cloverleaf security administrators can use the Security Audit tool. It screens and evaluates the security risk associated with user-developed Cloverleaf integration objects.

Note: For developers who create custom code connections to Cloverleaf instances hosted by Infor, security best practice is to run the Security Audit tool first and then remediate any findings from the security audit.

The security audit options are accessed in the Server Administration > Security Audit tab.

With this tool, you can scan the user-defined configurations on the Cloverleaf host server in the currently selected root or site and generate a security audit report. The generated report is plain text. By default, the report covers the full instance.

The report groups potential security risks into High, Medium, and Low risk levels. You can then mitigate these vulnerabilities based on the suggestions in the report.

Evaluated items include:

  • Cloverleaf security level. An alert is raised if advanced security is not enabled.
  • UPOC scripts are scanned for system and exec calls.
    • Tcl scripts are scanned for reserved words that are used on lines that are not comments. These include open, read, mkdir, eval, and exec.
    • Java class files are scanned.
  • Protocols are evaluated to determine whether they are configured to connect outside the local network. Users are cautioned when connecting outside their domain.
  • Users are cautioned if a protocol is configured to use a transport encryption layer version that is not the latest supported by Cloverleaf.
  • Connections are tested with the connecting system. Users are alerted if the connecting system negotiates the transport layer version down.
  • Users are cautioned on all protocol connections that are not encrypted. This check can be disabled through an argument to the audit tool. If the user disables it, that is noted in the audit report.

The audit report is encrypted and stored on the host server.
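The script checks in the list above, shown as an added example in Python that is modelled on that description and is not the Cloverleaf Security Audit tool's own code: the scanner drops Tcl comment lines, then flags the listed words (plus system) only when they sit in command position, so a word inside a quoted string is not reported. The per-word risk levels, the Finding structure and the sample UPOC script are assumptions made for the example.

```python
"""Static scan of Tcl/UPOC source for shell-out and file-system primitives.

Added example modelled on the audit checks described above; it is NOT the
Cloverleaf Security Audit tool. The risk mapping, the command-position rule and
the sample script are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass

# Words named in the audit description, with an ASSUMED risk level per word.
RISK = {
    "exec": "High",
    "system": "High",
    "eval": "High",     # turns data into a command, so it can hide exec
    "open": "Medium",
    "mkdir": "Medium",
    "read": "Low",
}

# A listed word counts when it is in Tcl command position: at the start of a
# line or directly after '[', ';' or '{'. This skips text such as
# puts "read done" but also misses a command name held in a variable.
_CMD = re.compile(r"(?:^|[\[;{])\s*(" + "|".join(RISK) + r")\b")


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number in the scanned script
    word: str   # the reserved word that was found
    risk: str   # High / Medium / Low, from RISK
    text: str   # the offending source line, stripped


def strip_comment(line: str) -> str:
    """Return the code part of a Tcl line.

    A line whose first non-blank character is '#' is a comment; a ';#'
    sequence starts a trailing comment. Any other '#' is ordinary text.
    """
    if line.lstrip().startswith("#"):
        return ""
    return re.split(r";\s*#", line, maxsplit=1)[0]


def scan_tcl(source: str) -> list[Finding]:
    """Scan one Tcl script and return findings in source order."""
    findings = []
    for n, raw in enumerate(source.splitlines(), start=1):
        for m in _CMD.finditer(strip_comment(raw)):
            word = m.group(1)
            findings.append(Finding(n, word, RISK[word], raw.strip()))
    return findings


def render_report(findings: list[Finding]) -> str:
    """Plain-text report, highest risk first, one finding per line."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = sorted(findings, key=lambda f: (order[f.risk], f.line))
    return "\n".join(f"{f.risk:<6} line {f.line:>3}: {f.word} -> {f.text}"
                     for f in rows)


# Constructed sample UPOC script (not from any real Cloverleaf site).
SAMPLE_UPOC = """\
# Constructed sample UPOC script, not a real Cloverleaf site script
proc tps_archive { args } {
    keylget args MSGID mh
    set path /hci/archive/[clock seconds].hl7
    set fh [open $path w]          ;# open in command position: flagged
    puts $fh [msgget $mh]
    close $fh
    # exec gzip $path              <- comment line, never scanned
    catch {exec gzip $path}
    set cmd [list exec cat $path]  ;# exec as an argument: not flagged
    eval $cmd                      ;# but eval makes it a command: flagged
    puts "read back later"         ;# 'read' inside a string: not flagged
    return "{CONTINUE $mh}"
}
"""

if __name__ == "__main__":
    print(render_report(scan_tcl(SAMPLE_UPOC)))
```

The eval line in the sample shows why eval belongs on the list: the exec on the line before it is not in command position and is not flagged, but eval turns that list into a command at run time. Any reserved-word scan of this kind is a screening step, not proof of absence, so review the flagged lines rather than treating a clean run as a pass.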

Server interface

The Security Audit tool can also be run through a CL command that optionally accepts a site name and a file name as parameters. By default, the security audit report is generated for all sites and HCIROOT.

Passing the site name parameter generates the security audit report for the designated site.

Passing a file name to the security audit tool writes the unencrypted report to that file for retrieval by the user. Because this copy is not encrypted, restrict access to the file and remove it when it is no longer needed.