Tamper Detection
Summary of Tamper Detection
Tamper Detection enhances security by detecting unauthorized changes to your quorum control settings in ServiceNow. It uses a hash-based message authentication code (HMAC) to validate the integrity of these settings, ensuring that only authorized configurations are applied within your instance.
Key Features
- HMAC Validation: When a quorum control setting is created or modified, an HMAC is generated based on the setting’s value. This HMAC is used for ongoing validation.
- Daily Automated Checks: A scheduled job runs daily to verify the integrity of quorum control settings and logs any validation failures.
- Pre-Execution Validation: Before any key withdrawal operation, tamper detection validates the settings to prevent execution if tampering is detected.
- Logging and Warning Notifications: Validation failures are recorded in node and security logs with specific record identifiers (sys_id). Warnings also appear on the Quorum Control Policy settings page for quick visibility.
- Alerting Security and KMF Admins: Administrators with Security Admin and KMF Admin roles receive notifications if tampering is detected or when issues are resolved.
Handling Tampering Issues
If tamper detection identifies unauthorized changes, the affected quorum control settings are blocked from use, the issue is logged, and the appropriate admins are notified. Resolving these validation failures requires contacting ServiceNow support, as only support agents can assist with remediation. Once resolved, administrators receive confirmation notifications.
Use tamper detection to improve security by detecting unauthorized changes to your quorum control settings.
Tamper detection process
When enabled, tamper detection validates your quorum control settings by checking for any unauthorized modifications (tampering). Tamper detection uses a hash-based message authentication code (HMAC).
- When a setting is changed or created, your instance creates an HMAC. The HMAC is based on the value of the setting (dare_property) record.
- Whenever your instance uses these settings, tamper detection validates them using the HMAC.
- If the setting validates successfully, it can be used by the platform; otherwise, it cannot.
- Tamper detection runs daily on your instance
Tamper detection checks your settings for tampering using a daily scheduled job, and reports validation failures in your node and security logs. Tamper detection sends a notification to Security and KMF admins for validation failures.
- Tamper detection runs before executing a key withdrawal
Tamper detection also validates your properties when you request a key withdrawal. If your settings do not pass validation, the key withdrawal does not execute. In this case, you must resolve any validation issues before key withdrawal can complete.
Identifying tampering
- Tamper detection updates your logs when validation fails.
If tamper detection fails to validate any of your quorum control settings, these failures appear in your node and security logs. The log entry includes the sys_id of the settings (dare_property) record that failed validation.
2022-06-28 13:45:46 (582) Default-thread-5 B6FAC1F6C3D01110CF37169D7940DD6E txid=231c4d72c310 SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 776e3200c3210110900b169d7940dd76 failed HMAC validation
2022-06-28 13:47:35 (264) Default-thread-8 B6FAC1F6C3D01110CF37169D7940DD6E txid=8e8cc972c310 SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 758b3200c3210110900b169d7940dd76 failed HMAC validation
Logging displays information similar to these examples when validation fails. Successful validations do not appear in the logs.
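Because only failures are logged, each HMAC_VALIDATION_FAILED entry is worth alerting on. The following Python is an added example, not ServiceNow code: it extracts the sys_id of each dare_property record that failed validation from exported log text and groups repeat failures per record. The line layout in the regular expression is inferred from the two entries above; the INFO line and the 2022-06-29 entry in the sample input are constructed.

```python
import re
from collections import defaultdict

# Sample input: the two entries from this page, plus two constructed lines
# (an unrelated INFO entry and a repeat failure on 2022-06-29).
SAMPLE_LOG = """\
2022-06-28 13:45:46 (582) Default-thread-5 B6FAC1F6C3D01110CF37169D7940DD6E txid=231c4d72c310 SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 776e3200c3210110900b169d7940dd76 failed HMAC validation
2022-06-28 13:46:02 (101) Default-thread-2 B6FAC1F6C3D01110CF37169D7940DD6E txid=aaaaaaaaaaaa INFO Constructed unrelated entry
2022-06-28 13:47:35 (264) Default-thread-8 B6FAC1F6C3D01110CF37169D7940DD6E txid=8e8cc972c310 SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 758b3200c3210110900b169d7940dd76 failed HMAC validation
2022-06-29 13:45:46 (590) Default-thread-5 B6FAC1F6C3D01110CF37169D7940DD6E txid=bbbbbbbbbbbb SEVERE HMAC_VALIDATION_FAILED:The dare_property record with sys_id: 776e3200c3210110900b169d7940dd76 failed HMAC validation
"""

# Assumed layout: timestamp, (millis), thread, a 32-hex field whose meaning
# the page does not state, txid, level, event code, message.
FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \(\d+\) "
    r"(?P<thread>\S+) (?P<token>[0-9A-Fa-f]{32}) txid=(?P<txid>[0-9a-f]+) "
    r"SEVERE HMAC_VALIDATION_FAILED:.*?sys_id: (?P<sys_id>[0-9A-Fa-f]{32})\b"
)

def find_hmac_failures(log_text):
    """Return {sys_id: [event, ...]} for every HMAC validation failure line."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILURE.match(line.strip())
        if m:
            failures[m["sys_id"].lower()].append(
                {"time": m["ts"], "thread": m["thread"], "txid": m["txid"]}
            )
    return dict(failures)

def summarize(failures):
    """One alert line per affected record; assumes input is in log order."""
    return [
        f"{sys_id} failures={len(ev)} first={ev[0]['time']} last={ev[-1]['time']}"
        for sys_id, ev in sorted(failures.items())
    ]

if __name__ == "__main__":
    for alert in summarize(find_hmac_failures(SAMPLE_LOG)):
        print(alert)
```

A record that reappears on consecutive days is consistent with the daily scheduled check finding the same unresolved failure again.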
- Tamper detection displays a warning message on your quorum control settings page
If a quorum control setting has failed validation, you can see a warning when you view the Quorum Control Policy settings page on your instance. The warning includes the sys_id of the settings (dare_property) record that failed validation.
- Tamper detection sends notifications to users with the Security Admin and KMF Admin roles
If tamper detection fails to validate any of your quorum control settings, your security admins and KMF admins receive a notification similar to this example.
Resolving tampering issues with ServiceNow support
If tamper detection fails to validate any of your quorum control settings, contact ServiceNow support for assistance in resolving the issue. After a support agent has resolved the validation failure, security and KMF admins receive a notification indicating that the issue has been resolved.