You can configure Waveset to prevent the following forms of audit log tampering:
Adding or inserting audit log records
Modifying existing audit log records
Deleting audit log records or the entire audit log
Truncating audit logs
All Waveset audit log records have unique, per-server sequence numbers and an encrypted hash of the record and sequence number.
When you create a Tamper Detection Report, it scans the audit logs per server for:
Gaps in the sequence number (indicating a deleted record)
Hash mismatches (indicating a modified record)
Duplicate sequence numbers (indicating a copied record)
Last sequence number that is less than expected (indicating a truncated log)
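The four checks above can be reproduced over a constructed log, as in this added example (not Waveset code and not its storage format). The HMAC-SHA256 keyed hash, the record layout, the key, and every function and field name are assumptions made for illustration, and the expected last sequence number is assumed to be supplied by the caller.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: stands in for a secret held by the server

def mac(seq, body, key=KEY):
    # Keyed hash over the sequence number and the record (HMAC-SHA256 is assumed here).
    return hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()

def record(server, seq, body):
    return {"server": server, "seq": seq, "body": body, "mac": mac(seq, body)}

def scan(records, expected_last, start_seq=None, key=KEY):
    """Return sorted (server, finding, seq) tuples.

    expected_last: {server: highest sequence number known to have been issued}
    start_seq:     {server: first sequence number in scope}; older records are skipped
    """
    start_seq = start_seq or {}
    by_server = defaultdict(list)
    for r in records:
        by_server[r["server"]].append(r)
    findings = []
    for server, last in expected_last.items():
        first = start_seq.get(server, 1)
        seen = set()
        for r in by_server[server]:
            seq = r["seq"]
            if seq < first:
                continue
            if not hmac.compare_digest(r["mac"], mac(seq, r["body"], key)):
                findings.append((server, "hash mismatch", seq))
            if seq in seen:
                findings.append((server, "duplicate", seq))
            seen.add(seq)
        top = max(seen, default=first - 1)
        findings += [(server, "gap", s) for s in range(first, top) if s not in seen]
        if top < last:
            findings.append((server, "truncated", top))
    return sorted(findings)

def demo():
    good = {n: record("srv1", n, f"event {n}") for n in range(1, 9)}  # constructed log
    edited = dict(good[2], body="event 2 (edited)")  # body changed after signing
    # seq 4 deleted, seq 5 copied, seqs 7 and 8 truncated off the end
    tampered = [good[1], edited, good[3], good[5], dict(good[5]), good[6]]
    return scan(tampered, expected_last={"srv1": 8})
```

Passing start_seq={"srv1": 5} to scan() skips the older records, so the edited record 2 and the missing record 4 are no longer reported.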
Create a tampering report by selecting Reports > New > Audit Log Tampering Report.
When the Define a Tampering Report page displays, as shown in Figure 3–1, enter a title for the report and then Save it.
You can also specify the following optional parameters:
Report Summary. Enter a descriptive summary of the report.
Starting sequence for server ’<server_name>’. Enter the starting sequence number for the server.
This option enables you to delete old log entries without having them flagged as tampering and limits the report’s scope for performance reasons.
Email Report. Enable to email report results to a specified email address.
When you select this option, the page refreshes and prompts you for email addresses. However, keep in mind that email is not safe for text content; sensitive information (such as account IDs or account history) may be exposed.
Override default PDF options. Select to override the default PDF options for this report.
Organizations. Select organizations that should have access to this report.
Next, select Configure > Audit to open the Audit Configuration page, as shown in Figure 3–2.
Select Use Custom Publisher, and then click on the Repository publisher link.
Select Enable tamper-resistant audit logs, and then click OK.
Click Save to save the settings.
You can turn this option off again, but unsigned entries will be flagged as such in the Audit Log Tampering Report, and you must reconfigure the report to ignore these entries.