MOVEit Automation can detect attempts by an intruder to alter the database tables containing audit information and activity history. An intruder might change these records to erase evidence of unauthorized use of the system, or to falsify file transfer histories.
MOVEit Automation implements tamper detection by populating a field named Hash on each record of its three major database tables. This Hash field contains the cryptographic hash of the current record and the previous record's Hash value, and is therefore part of a "hash chain". MOVEit Automation uses its built-in FIPS 140-2 validated SHA1-HMAC keyed hash algorithm. The key to each hash chain is derived from a tamper detection key that is entered during installation of the product, and stored (in a cryptographically altered form) in the registry.
Current tamper detection information is stored, in encrypted form, in a file named michash.xml, in the same directory as the MOVEit Automation configuration and state files.
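A minimal sketch of the hash-chain idea described above, added here as an illustration; it is not MOVEit Automation's code. The record layout, the per-table key derivation, the all-zero starting value, and the separately stored head hash are all assumptions made for the example.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 20  # assumed "previous hash" for the first record

def chain_key(tamper_key: bytes, table: str) -> bytes:
    # Assumed derivation: one chain key per table from the installation key.
    return hmac.new(tamper_key, b"chain:" + table.encode(), hashlib.sha1).digest()

def record_hash(key: bytes, prev_hash: bytes, fields: tuple) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    msg = prev_hash
    for f in fields:
        data = str(f).encode()
        msg += len(data).to_bytes(4, "big") + data
    return hmac.new(key, msg, hashlib.sha1).digest()

def append(key: bytes, table: list, fields: tuple) -> None:
    prev = table[-1]["Hash"] if table else GENESIS
    table.append({"fields": fields, "Hash": record_hash(key, prev, fields)})

def verify(key: bytes, table: list, expected_head: bytes = None):
    # Returns the index of the first bad record, len(table) if the chain
    # ends at the wrong hash (trailing records removed), or None if intact.
    prev = GENESIS
    for i, row in enumerate(table):
        if not hmac.compare_digest(row["Hash"], record_hash(key, prev, row["fields"])):
            return i
        prev = row["Hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(table)
    return None

def demo() -> dict:
    # Constructed sample audit records and key, not real product data.
    key = chain_key(b"constructed-tamper-key", "audit")
    table = []
    for rec in [(1, "alice", "login"), (2, "alice", "upload a.csv"), (3, "bob", "delete a.csv")]:
        append(key, table, rec)
    head = table[-1]["Hash"]  # assumed to be kept outside the table
    edited = [dict(r) for r in table]
    edited[1]["fields"] = (2, "alice", "upload b.csv")  # content changed in place
    removed = table[:1] + table[2:]                     # middle record deleted
    return {
        "intact": verify(key, table, head),
        "edited": verify(key, edited, head),
        "removed": verify(key, removed, head),
        "truncated": verify(key, table[:2], head),
    }
```

Without the chain key an intruder cannot recompute a valid Hash for an altered record, and because each Hash covers its predecessor, deleting or reordering records breaks every later link.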
Detecting tampering
MOVEit Automation contains the built-in task Tamper Detect, which checks for tampering. This task runs the built-in Tamper Detect script. By default, it runs nightly. It can also be run on demand.
Recovering from problems
In the event of a system crash or certain other problems, the michash.xml file might become corrupted or out-of-date. MOVEit Automation continues to run, but the Tamper Detect task begins sending alerts of possible tampering. Normally, tamper detection resets itself after sending an email alert, but you can reset tamper detection by using the MOVEit Automation Admin Reset Tamper Detection command. After you use this command, MOVEit Automation can detect future tampering, but ignores any tampering that has already occurred.