Configure Tamper-Proof Logging
Any log record stored in a database can be changed by a malicious user with access to that database. To detect such changes and determine whether a log record has been tampered with, Kron PAM provides a tamper-proof mechanism.
The Tamper Proof feature prevents unauthorized access to the database and the modification of any logs. All log types are stored and hashed in the database as encrypted binary data. This hashing mechanism is used to detect any changes made to the logs in the database.
Kron PAM uses the SHA-256 algorithm for hashing. Each record type is hashed and encrypted with a customer key (the hash value and hash date of each record type are stored in the database). If a malicious user changes a hash value or any other information in a log record, the newly generated hash value will not match the previous one, thanks to the encryption key. This is how the system recognizes whether a log record is in its original state or has been tampered with.

Tamper Proof is controlled by a parameter and is enabled by default. When this parameter is enabled, the batch process is set to hashing. If Tamper Proof is disabled, the batch process is not executed.
- Navigate to Administration > System Config Man.
- Add the tamper.proof.enabled parameter, and set its value to true or false to enable or disable the feature.

- Navigate to Administration > Job Scheduler.
- Set the Tamper Proof Log Job parameters. Once this job is set, the logs are hashed in the background. The job can be scheduled periodically or triggered manually.

You can review logs' tamper-proof status from Session Logs, HTTP Proxy Logs, Activity Logs, Command Logs, Authentication Logs, Event Logs, or Video Logs.
- Navigate to Logging > User Auth Logs.
- Check the Show Tamper Proof Status box and fill in any other fields you need to filter the logs.

- Click the Search button to display all the results on the screen.
- See the final column in the Search Results section, which shows each log's tamper-proof status:
  - If the log record is tagged as Original, no modification has been made.
  - If the log record is tagged as Tampered, some log record information in the database, such as name, time, client IP, hash info, etc., has been changed by a malicious user.
  - If the log record is tagged as Unknown, it has not yet been hashed by the batch process. Once it is hashed in the background, the status will change to Original or Tampered.
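
The following Python sketch is an added example, not Kron PAM's own code: it illustrates why a keyed hash lets the system tell Original, Tampered and Unknown records apart, as described above. HMAC-SHA-256 stands in for the product's hash-and-encrypt scheme, and the key, field names and sample rows are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the "customer key" (assumption).
CUSTOMER_KEY = b"constructed-demo-key-not-a-real-secret"
# Assumed column names covered by the tag, modelled on the fields the page lists.
HASHED_FIELDS = ("id", "name", "time", "client_ip", "event")


def canonical(record):
    """Serialize the covered fields deterministically so equal records hash equally."""
    covered = {f: record.get(f) for f in HASHED_FIELDS}
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()


def keyed_tag(record, key=CUSTOMER_KEY):
    """HMAC-SHA-256 over the canonical record (stand-in construction)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def batch_hash(rows, key=CUSTOMER_KEY):
    """Background job: tag every row that has not been hashed yet."""
    for row in rows:
        if row.get("hash") is None:
            row["hash"] = keyed_tag(row, key)


def status(row, key=CUSTOMER_KEY):
    """Classify a row as Unknown (not hashed yet), Original or Tampered."""
    if row.get("hash") is None:
        return "Unknown"
    ok = hmac.compare_digest(row["hash"], keyed_tag(row, key))
    return "Original" if ok else "Tampered"


def demo():
    # Constructed sample rows, not real product data.
    rows = [{"id": i, "name": n, "time": "2024-01-01T10:00:00Z",
             "client_ip": "10.0.0.5", "event": "login", "hash": None}
            for i, n in enumerate(["alice", "bob", "carol", "dave"], 1)]
    batch_hash(rows[:3])                # "dave" is logged after the job ran
    rows[1]["client_ip"] = "10.0.0.77"  # field edited, stored tag left alone
    rows[2]["name"] = "erin"            # field edited and tag recomputed...
    rows[2]["hash"] = hashlib.sha256(canonical(rows[2])).hexdigest()  # ...without the key
    return [status(r) for r in rows]


if __name__ == "__main__":
    print(demo())
```

The third row shows the point of the key: someone who can edit the database can recompute a plain SHA-256 over the altered record, but cannot produce a matching keyed tag without the customer key.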


When a user searches for logs in tamper-proof status, this operation is recorded as an activity log.
To search for such activity:
- Navigate to Logging > Activity Logs.
- Select the /log/activity-log/search-tamper-proof/ parameter as the Event Type.

- Click Search to see the following results: a) Users who searched for the tamper-proof records, b) Time, c) Instance Name, d) Event Type, and e) Event Parameters
