What stops a Service-now admin with privileged access from tampering with the logs?
• The product keeps two sets of logs. One is visible within the instance as the “system log”. An administrative user can, in theory, manipulate this log, although the security manager can be configured to make such tampering extremely difficult. A second log exists on the file system of the application server and cannot be manipulated directly from within the application server. In a forensic situation where an administrator has deliberately tampered with the application’s own internal auditing and logging capabilities, the file-system-based log can be used to reconstruct a user’s transactional history.