While LOGbinder SP is processing events, it
will perform actions that generate SharePoint events. What happens, though, if
these same actions are performed maliciously by a SharePoint user? Will this compromise
the integrity of the audit trail? No. LOGbinder SP can detect log tampering.
How?
In order to distinguish between authorized and unauthorized changes, LOGbinder SP (version 3 and later) indicates, when processing these events, whether it performed the action itself or whether the action might be unauthorized. A tamper warning is generated in the following cases:
· Audit policy change: When processing event #11 “Site collection audit policy changed” or #12 “Audit policy changed,” LOGbinder determines whether the change overrides the settings configured in LOGbinder. If so, LOGbinder resets the audit policy and generates a tamper warning (#60 “Possible tampering warning”).
· Audit logs deleted: When processing event #20 “SharePoint audit logs deleted,” LOGbinder determines whether LOGbinder itself deleted the logs and records the result in an additional line added to this event. The line “Purge performed by LOGbinder” shows the value “Yes” if LOGbinder performed the purge, and “No” otherwise. In the latter case, a tamper warning event (#60 “Possible tampering warning”) is also generated.
Note: If it cannot be determined whether the logs were deleted by LOGbinder SP, the “Purge performed by LOGbinder” value is set to “Indeterminate”. This typically occurs when processing backlog events, i.e. those produced before LOGbinder started processing the site collection.
Alerting on event #60 “Possible tampering warning” therefore lets you detect malicious audit tampering attempts, so the audit trail is not compromised.
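The triage rules above (alert on #60, and read the “Purge performed by LOGbinder” line on #20) as a small example. This is added illustration code, not LOGbinder's own; the `key=value;` event layout, site URLs and user names are constructed for the example and will differ from real LOGbinder SP output, so `parse_event()` must be adapted to the events you actually collect.

```python
"""Triage LOGbinder SP events for audit-tampering indicators (added example).

The event text format below is an assumption made for this example; real
LOGbinder SP events are laid out differently, so adapt parse_event().
"""

# Event IDs named in the article.
AUDIT_POLICY_CHANGED = {11, 12}     # site collection / audit policy changed
AUDIT_LOGS_DELETED = 20             # SharePoint audit logs deleted
TAMPER_WARNING = 60                 # possible tampering warning

# Constructed sample events, one per line, in an assumed "key=value; ..." layout.
SAMPLE_EVENTS = """\
id=20; site=https://intranet.example/sites/hr; user=SP\\svc-logbinder; purge_by_logbinder=Yes
id=20; site=https://intranet.example/sites/hr; user=CORP\\jdoe; purge_by_logbinder=No
id=60; site=https://intranet.example/sites/hr; user=CORP\\jdoe; detail=Possible tampering warning
id=20; site=https://intranet.example/sites/legacy; user=CORP\\admin; purge_by_logbinder=Indeterminate
id=11; site=https://intranet.example/sites/hr; user=CORP\\jdoe; detail=Site collection audit policy changed
"""


def parse_event(line):
    """Split one 'key=value; key=value' line into a dict; 'id' becomes an int."""
    fields = dict(part.strip().split("=", 1) for part in line.split(";") if "=" in part)
    fields["id"] = int(fields["id"])
    return fields


def classify(event):
    """Map one event to a severity: 'alert', 'review' or 'info'."""
    eid = event["id"]
    if eid == TAMPER_WARNING:
        return "alert"                  # LOGbinder already concluded tampering is possible
    if eid == AUDIT_LOGS_DELETED:
        purge = event.get("purge_by_logbinder", "Indeterminate")
        if purge == "Yes":
            return "info"               # LOGbinder's own purge, expected
        if purge == "No":
            return "alert"              # deleted by someone else; carries site/user context
        return "review"                 # Indeterminate: typically a backlog event
    if eid in AUDIT_POLICY_CHANGED:
        return "review"                 # LOGbinder resets the policy and raises #60 if needed
    return "info"


def triage(text):
    """Return [(severity, event id, user)] for every non-informational event."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            sev = classify(ev)
            if sev != "info":
                findings.append((sev, ev["id"], ev.get("user", "?")))
    return findings
```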