3 Replies Latest reply on May 31, 2013 12:35 PM by jaimen

    Compliance related question
      There was a question put forward to me on how I prove that the logs collected on the ESM/ELM/Receiver are tamper-proof. Or rather, how do I prove that the logs are only "write once, read many"? Is there any documentation regarding this?
      Message was edited by: rohanparath on 5/30/13 3:20:19 AM CDT
        • 1. Re: Compliance related question

          Create an Integrity Check Job

          An integrity job checks if the files that you define have been altered since they were originally stored. This can alert you to unauthorized modification of critical system or content files. The results of this check will show which files have been altered. If none of the files have been altered, you will be notified that the check was successful.
          For documentation search the help for 'Integrity Check'.
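          As an added illustration of what such a job does in principle (this is example code, not McAfee's implementation and not from the help documentation): a digest of every stored file is recorded when the files are written, and a later run reports which files were altered, removed or unexpectedly added. It assumes plain files on disk and SHA-256, and the `demo()` scenario below is constructed.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large log archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the digest of every file under root at the time it is stored."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the tree as it is now with the baseline; report what changed."""
    current = build_baseline(root)
    return {
        "altered": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: three log files are stored, then one is edited and one deleted."""
    with tempfile.TemporaryDirectory() as root:
        for day in ("28", "29", "30"):
            with open(os.path.join(root, f"events-2013-05-{day}.log"), "w") as f:
                f.write(f"2013-05-{day} 10:00:00 sample event\n")  # constructed sample line
        baseline = build_baseline(root)
        # The baseline must live where the log writer cannot reach it; a baseline
        # stored beside the logs can be rewritten together with them.
        saved = json.dumps(baseline)
        with open(os.path.join(root, "events-2013-05-29.log"), "a") as f:
            f.write("2013-05-29 23:59:59 line appended after storage\n")
        os.remove(os.path.join(root, "events-2013-05-28.log"))
        return verify(root, json.loads(saved))
```

Note that this only detects a change after it has happened; it does not stop anyone with write access from making it.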

          • 2. Re: Compliance related question

            Hi Jaimen,
            The thing is, the integrity check will let me know that somebody altered the logs after the fact. What I need to prove is that there are security measures in place so that logs are not knowingly or unknowingly tampered with or deleted.
            Message was edited by: rohanparath on 5/31/13 1:28:41 AM CDT
            • 3. Re: Compliance related question

              There are a few layers of security. First, the logs are stored in a non-human-readable format. Second, if the logs are stored on the McAfee-approved hardware (local ELM or McAfee DAS), the security measures are the same as for the appliance, with restricted, single-user, admin-only access. If the user chooses the option to store the logs on the network via CIFS or NFS, the security of those ELM logs becomes dependent on the system admin who administers those remote servers.