This article contains information regarding anti-tampering protection of the keystroke log files in BoKS Manager 6.7 and 7.0.
BoKS Manager 7.0 features the addition that the logs are now on-the-fly compressed and (optionally) on-the-fly encrypted, making it more difficult to view local logs. It also includes the possibility to log remotely on a BoKS Replica.
1. Modify log content
A checksum is continuously updated whenever data is written to the log file. When the session is closing, the calculated checksum is added at the end of the file. The checksum is reported separately to the BoKS Master where it is compared (after the log file has been transported) with the checksum from the file.
2. Modify log content and adjust checksum to the corresponding value
Checksum is sent separately. See (1) above.
3. Delete/move log
Deleting or moving the file while the file is open is detected and since the file is open, we can reset the file pointer and re-create the log file. An audit log about missing files and re-creation is logged.
Deleting or moving the file when it has been closed cannot be prevented, nor can the file be recreated. But it will be detected. See (4) below.
4. Preventing the log file and/or checksum from being sent
BoKS cannot prevent anyone with local root access from stopping the log file and/or checksum from being sent (stopping BoKS or killing the kslog process), but BoKS will detect it.
Since BoKS logs that a keystroke-logged session has been started to the audit log together with a notification to the BoKS Master prior to logging keystroke log data, this is detected. Using the notification, the BoKS Master will detect that a keystroke log has not been finalized within a configurable time (default is 24 hours).
5. Substituting another valid log file and checksum
Checksum, session start audit log and notification are sent separately. See (1) above.
Still have questions? We can help. Submit a case to Technical Support.