Miscellaneous - Tamper Detection

MOVEit DMZ's audit log is tamper-evident. No changes, deletions or additions can be made to the log without breaking the strict chain of cryptographic hashes locked to the specific content and order of log entries.

All chains must begin somewhere, and the tamper-evident chain in MOVEit DMZ is no different. Starting hashes for MOVEit DMZ tamper-evident chains are retained in encrypted form in the registry. To further protect against tampering, the hashes used are keyed hashes that require the input of the correct key to be matched and read.

To allow different organizations to maintain different archive periods on their own audit trails, MOVEit DMZ maintains a single tamper-evident chain for each organization. When entries are archived, the starting hash of each organization is advanced to just before the oldest remaining record.
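A minimal sketch of the scheme described above: a keyed hash chain per organization, with a starting hash that advances when old entries are archived. This is an added example, not MOVEit DMZ's own code; HMAC-SHA256, the record layout, and every name, key and log entry in it are assumptions constructed for illustration.

```python
import hashlib
import hmac

def link(key: bytes, prev: bytes, entry: str) -> bytes:
    """Keyed hash that binds one entry to the hash of the record before it."""
    return hmac.new(key, prev + entry.encode("utf-8"), hashlib.sha256).digest()

def build_chain(key: bytes, start: bytes, entries: list) -> list:
    """Return [(entry, hash), ...]; each hash covers the previous hash."""
    chain, prev = [], start
    for entry in entries:
        prev = link(key, prev, entry)
        chain.append((entry, prev))
    return chain

def verify(key: bytes, start: bytes, chain: list):
    """Return the index of the first record that breaks the chain, else None."""
    prev = start
    for i, (entry, stored) in enumerate(chain):
        if not hmac.compare_digest(link(key, prev, entry), stored):
            return i
        prev = stored
    return None

def archive(start: bytes, chain: list, count: int):
    """Drop the `count` oldest records and advance the starting hash to the
    hash just before the oldest remaining record."""
    if count == 0:
        return start, chain
    return chain[count - 1][1], chain[count:]

# Constructed sample data: key, starting hashes and log entries are made up.
KEY = b"constructed-demo-key"
START = {"orgA": b"\x00" * 32, "orgB": b"\x01" * 32}
ENTRIES = ["login user=alice", "upload file=q1.csv", "download file=q1.csv",
           "delete file=q1.csv"]
CHAINS = {org: build_chain(KEY, s, ENTRIES) for org, s in START.items()}

def tamper_report(org: str) -> dict:
    """Apply an edit, a deletion and a reordering to copies of one org's chain."""
    good = CHAINS[org]
    edited = [good[0], ("upload file=q2.csv", good[1][1])] + good[2:]
    deleted = good[:1] + good[2:]
    swapped = [good[0], good[2], good[1], good[3]]
    return {name: verify(KEY, START[org], c) for name, c in
            [("intact", good), ("edited", edited), ("deleted", deleted),
             ("swapped", swapped)]}

if __name__ == "__main__":
    print(tamper_report("orgA"))
```

Each tampered copy fails verification at the first affected record, while a chain trimmed with `archive` still verifies from its advanced starting hash.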

If MOVEit DMZ's TamperCheck scheduled task detects tampering, an email with related logs will be sent to the Send Errors To email address(es).

If tampering is encountered and detected, the starting hash of each organization is automatically advanced to the last known good position (i.e., now) after notifications are sent. However, MOVEit DMZ's Reset function provides an easy way to perform the same action at any time.

View/Reset

Admins have access to a View/Reset link that takes them to a page that will allow them to advance their organization's starting hash to the present time.

Other Tamper-Evident Administration

SysAdmins have the power to reset the start hashes of all organizations. They also have the power to turn tamper-evident logs on and off (they are on by default). More information about this can be found in Web Interface - Settings - System - TamperDetection.

Every night a scheduled tamper check process will go through all log entries and ensure that the chain of cryptographic hashes remains intact. If any problems are encountered, any administrator listed in the MOVEit DMZ Config utility's Send Errors To field will automatically be notified via email.

This check may also be initiated manually by administrators with access to MOVEit DMZ's console (Start | Programs | MOVEit DMZ | MOVEit DMZ Log Tamper Check). Any TamperCheck that ends with the phrase "Completed with errors" should be considered a failed TamperCheck; the exact reason for the failure will be explained in the log. A web-based tamper-check is not available because checking the entire log of evidence for tampering often takes more time than the average web browser (or web browser user) is willing to wait.