Configure Tamper-Proof Logging
Any log records stored in a database can be changed by a malicious user with access to that database. To capture these changes, and understand if any log record has been tampered with or not, a Tamper-Proof mechanism is available in Kron PAM.

The Tamper-Proof feature prevents unauthorized access to the database and the modification of any logs. All log types are stored and hashed in the database as encrypted binary data. This hashing mechanism is used to secure any changes to the database.

The SHA-256 algorithm is used in Kron PAM for hashing purposes. Each record type is hashed with a hash value and encrypted with a customer key. (The hash value and hash date of each record type are stored in the database.) In the event a hash value or any other information is changed in the log record by a malicious user, the newly generated hash value will not match the previous one, thanks to the encryption key. Using this algorithm, the system recognizes if any log record is in its original state or has been tampered with.

Configuring Tamper-Proof

Tamper-Proof is set as a parameter and is enabled by default. When this parameter is enabled, the batch process is set as hashing. If Tamper-Proof is disabled, the batch process will not be executed.

1. Navigate to Administration > System Config Man.
2. Add the Tamper Proof Enabled parameter, and set the parameter value as true or false to enable or disable it.
3. Navigate to Administration > Job Scheduler.
4. Set the Tamper Proof Log Job parameters. By setting this job, the logs will be hashed in the background. This job can be set periodically or triggered manually.

Checking If Logs Are Tamper-Proof

You can review logs' tamper-proof status from Session Logs, HTTP Proxy Logs, Activity Logs, Command Logs, Authentication Logs, Event Logs, or Video Logs.

1. Navigate to Logging > User Auth Logs.
2. Check the Show Tamper Proof Status box and enter other fields as you require to filter the logs.
3. Click the Search button to display all the results on the screen.
4. See the final column in the Search Results section, as it shows logs' tamper-proof status:
   - If the log record is tagged as Original, no modification has been made.
   - If the log record is tagged as Tampered, some log record information on the database, such as on name, time, client IP, hash info, etc., has somehow been changed by a malicious user.
   - If the log record is tagged as Unknown, it has still not been hashed by the batch process. Once it is hashed in the background, the status will change to Original or Tampered.

Checking Activity Log to See If Users Searched for Tamper-Proof Logs

When a user searches for logs in tamper-proof status, this operation is recorded as an activity log. To search for such activity:

1. Navigate to Logging > Activity Logs.
2. Select the /log/activity log/search tamper proof/ parameter as the event type.
3. Click Search to see the following results:
   a) Users who searched for the tamper-proof records
   b) Time
   c) Instance name
   d) Event type
   e) Event parameters
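
The check described in the introduction (a SHA-256 hash bound to a customer key and compared against the stored value) and the Original, Tampered and Unknown statuses, shown as an added example that is not Kron PAM's code. It assumes HMAC-SHA-256 as the keyed construction; the key, field names, sample rows and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; stands in for the customer key the page mentions.
CUSTOMER_KEY = b"constructed-demo-key"

def record_mac(record: dict, hash_date: str, key: bytes) -> str:
    """Keyed SHA-256 (HMAC) over the record fields and the hash date."""
    # Canonical JSON: identical field values always yield identical bytes.
    payload = json.dumps({"record": record, "hash_date": hash_date},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def seal(row: dict, hash_date: str, key: bytes) -> dict:
    """Hypothetical batch-job step: store hash value and hash date on a row."""
    return {**row, "hash_date": hash_date,
            "hash_value": record_mac(row["record"], hash_date, key)}

def tamper_status(row: dict, key: bytes) -> str:
    """Classify a stored row as Original, Tampered or Unknown."""
    if not row.get("hash_value") or not row.get("hash_date"):
        return "Unknown"  # not yet hashed by the batch job
    expected = record_mac(row["record"], row["hash_date"], key)
    # Constant-time comparison of the recomputed and stored digests.
    ok = hmac.compare_digest(expected, row["hash_value"])
    return "Original" if ok else "Tampered"

def demo() -> dict:
    """Run the check over constructed rows covering each status."""
    pending = {"record": {"user": "alice", "time": "2024-01-01T10:00:00Z",
                          "client_ip": "192.0.2.10", "event": "login"}}
    sealed = seal(pending, "2024-01-01T10:05:00Z", CUSTOMER_KEY)
    # Direct database edit of one field; the stored hash is left alone.
    edited = {**sealed, "record": {**sealed["record"], "client_ip": "192.0.2.99"}}
    # Edit plus a recomputed hash, but without the key (plain SHA-256).
    plain = hashlib.sha256(json.dumps(edited["record"], sort_keys=True).encode())
    rehashed = {**edited, "hash_value": plain.hexdigest()}
    rows = {"pending": pending, "sealed": sealed,
            "edited": edited, "rehashed": rehashed}
    return {name: tamper_status(row, CUSTOMER_KEY) for name, row in rows.items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The "rehashed" row shows why the hash is tied to a key: a database user who edits a record and recomputes an unkeyed SHA-256 still produces a value that fails verification.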