A post was made and I
was working through some security stuff of my one. I felt inspired to
make a post about it. Below is a list of logs we need to review
regularly for ServiceNow
Can anyone provide us with Names, Tables, and Sources for the logs
listed?
- Authentication successes and failures
- Authorization (access control) failures
- This would be very verbose and you wouldn't want this.
- Do you mean code failures? They would show up as errors in the
logs... but not explicitly listed for an acl, just an code
error.
- Application startups and shutdowns
- So. Application startups depends on what you mean
"applications". If you mean NODES than thats on
sys_cluster_statein the payload look forservlet.started
xml node. - If you mean something else I don't think that's how this works.
- So. Application startups depends on what you mean
- Configuration changes
- this is available on
sys_update_xml
- this is available on
- Changes to code files or memory
- This is the same as configuration changes. Servicenow has no
files you can modify like a traditional server, at least not
that we can access.
- This is the same as configuration changes. Servicenow has no
- Application errors and system events e.g. syntax and runtime errors,
connectivity problems, performance issues, third party service error
messages, file system errors - Input validation failures e.g. protocol violations, unacceptable
encodings, invalid parameter names and values- I'd guess this would be in the syslog_list, but I'm not sure
exactly the types of things you're expecting.
- I'd guess this would be in the syslog_list, but I'm not sure
- Output validation failures e.g. database record set mismatch,
invalid data encoding- I'd guess this would be in the syslog_list, but I'm not sure
exactly the types of things you're expecting.
- I'd guess this would be in the syslog_list, but I'm not sure
- Session management failures e.g. cookie session identification value
modification - Acceptance of EULA/terms of use
- Not ootb, but if you applied
servicenowguru's
then you'd look on the "Terms Acceptance table". However I can't
find the update set to download.
- Not ootb, but if you applied
- Personal data usage notification/consent
- Not sure what you mena by this. Do you mean like HIPAA, PII and
the like? If so there's nothing to say this ssn, or address is
added as a comment in the system. You'd have to add that via a
customization.
- Not sure what you mena by this. Do you mean like HIPAA, PII and
- Attack detection e.g. excessive authentication failures, file upload
virus detection- See Auth
Failures - There is no virus checking to my knowledge of uploaded files,
however you can control the upload types and sizes from these
properties- System Properties >
glide.ui.strict_customer_uploaded_content_typesrestricts
what can be loaded vs downloaded to stop xss - System Properties >
glide.security.file.mime_type.validationrestricts the
file's mime type on upload - System Properties >
glide.ui.strict_customer_uploaded_static_contentrestricts
the files somehow - System Properties >
glide.attachment.extensionsrestricts
the files extensions allowed to be uploaded - System Properties >
glide.image_provider.security_enabled
restricts access to uploads to authenticated users - System Properties >
glide.ui.attachment.download_mime_typesrestricts
downloadable mime types
- System Properties >
- See Auth
- Any other logs that would help identify suspicious, unacceptable,
unexpected behavior, or other possibly malicious activities.