|
|
|
|
|
MOVEit Central has the ability to detect attempts by an intruder to alter the database tables containing audit information and activity history. An intruder might wish to alter these records in order to erase evidence of unauthorized use of the system, or to falsify file transfer histories.
MOVEit Central implements tamper detection by populating a field named Hash on each record of its three major database tables. This Hash field contains the cryptographic hash of the current record and the previous record's Hash value, and is therefore part of a "hash chain". MOVEit Central uses its built-in FIPS 140-2 validated SHA1-HMAC keyed hash algorithm. The key to each hash chain is derived from a tamper detection key which is entered during installation of the product, and which is stored (in a cryptographically altered form) in the registry.
Current tamper detection information is stored, in encrypted form, in a file named michash.xml, in the same directory as MOVEit Central's configuration and state files.
Detecting tampering
MOVEit Central's built-in task Tamper Detect checks for tampering. This task runs the built-in Tamper Detect script. By default, it runs nightly. It can also be run upon demand.
Recovering from problems
In the case of a system crash or certain other problems, the michash.xml file may become corrupted or out-of-date. MOVEit Central will continue to run, but the Tamper Detect task will begin to send alerts of possible tampering. Normally, tamper detection will reset itself after sending an email alert, but you can reset tamper detection by using MOVEit Central Admin's Reset Tamper Detection command. Subsequent to using this command, MOVEit Central will be able to detect future tampering, but it will ignore any tampering that has already occurred.