CimTrak is computer software for file integrity monitoring and regulatory compliance auditing. It assists in ensuring the availability and integrity of critical IT assets by detecting the root-cause and responding immediately to any unexpected changes to the host operating system, applications, and network devices located on the IT infrastructure. CimTrak works cross-platform and is supported on multiple Windows, Linux, Unix, and Macintosh operating systems. It is licensed as commercial software.
1. Product Architecture
CimTrak has multiple core components:[1][2]
- CimTrak Master Repository is a Microsoft Windows-based data repository and database that stores files and configurations and performs comparisons to determine file/configuration additions, deletions, and changes. The Master Repository contains information relating to Authoritative Copies, Baseline Monitor Data, Configuration Database, and Logging/Reporting Database.
- CimTrak Management Console is a centralized Microsoft Windows-based thin client, graphical user interface (GUI) that allows for configuration of the CimTrak application. The Management Console allows for authorized CimTrak administrators to perform the configuration of Object Group Watch Policies, CimTrak Configuration Parameters, CimTrak Permissions, and viewing and querying CimTrak Event Logs and integrated reporting.
- CimTrak Agents are available for the operating systems Windows, Linux, Unix, and OS X.[1] The agents monitor files or configurations for additions, deletions, and modifications. Additionally, the agents have the ability to monitor system resources such as utilization of CPUs, networks, memory, and disks. Variants exist to facilitate varying file integrity monitoring and network monitoring tasks.
- CimTrak File System Agents
- CimTrak for Servers
- CimTrak for Workstations/Desktops
- CimTrak for Point of Sales (POS)
- CimTrak Network Device Agent
- CimTrak for Network Devices
- CimTrak Tools are tools designed to enhance CimTrak abilities via command line administration, remote access to monitored data, component communication diagnostics, and component communication proxy.
- CimTrak Tools
- CimTrak Command Line Utility
- CimTrak FTP Server Utility
- CimTrak ping Utility
- CimTrak Proxy Utility
- CimTrak ODBC Driver provides a method to interact with the Master Repository's internal, secured database. The repository has a wealth of data that can be used for reporting and analysis. The CimTrak ODBC Driver allows a CimTrak administrator, auditor, or user to perform SQL queries of information stored in the logging and configuration database.
2. Product Functionality
CimTrak has many functions.[3] It can detect additions, deletions and modifications to files and configurations on computer operating systems and components installed on the operating system. On initial configuration, it takes a snapshot of the files and configurations on the operating system, and uses this data to create a cryptographic hash of the files and configurations, and stores them securely in the CimTrak Master Repository as the known, good baseline.
The CimTrak Agents are installed on operating systems containing data that is configured for monitoring or, in the case of the Network Device Agent, installed on systems that have a TCP/IP network connection to supported network devices. The agent detects when changes are made to monitored files and configurations by communicating with the Kernel and comparing changes to the known cryptographic hash associated with affected files or configurations. If the calculated cryptographic hash is different then the known baseline, CimTrak will initiate the user-configured corrective action defined in the CimTrak Object Group Policy and will send internal and external event notifications using one or many of the following methods:
- Internal Event Log and Change Logs
- NitroSecurity NitroView Plugin Protocol
- Syslog
- Simple Network Management Protocol (SNMPv1)
- SMTP (email)
- WebTrends Logging Format
- Custom configured alerting methods
2.1. Change Detection
CimTrak provides insight into the IT infrastructure by detecting changes that could compromise servers, networks, or sensitive customer data such as payment card information (Payment Card Industry Data Security Standard (PCI)). It can provide instant change remediation options without requiring the integration of external applications. When a change is detected, CimTrak captures the change at the exact moment it occurs and provides a detailed audit trail of the incident, including:
- Event Date and Time
- Source IP Address
- Operating System User
- Process Used
- Physical content modified
2.2. Automated Remediation
CimTrak will report the automated response taken and, if configured, initiate remediation. Automated responses are termed Corrective Actions, and include:
- Restore from Repository - Monitored files and operating system configurations are automatically restored to a prior baseline without needing user intervention. The Restore from Repository mode restores operating system/configuration changes using stored authoritative files.
- Update Baseline - An incremental backup or snapshot is taken of monitored files and operating system configurations. Authorized administrators can compare between captured baselines and, in many cases, manually roll-back to prior baselines using stored authoritative files.
- Log Only - CimTrak audits monitored files and operating system configurations without the ability to restore back to a prior generation.
- Prompt for Approval - Changes are allowed for files and operating system configurations. CimTrak Administrators have the ability to disallow changes which result in remediation to a prior baseline from stored authoritative files.
Corrective actions can be defined based on each type of change action (file/configuration addition, file/configuration change, file/configuration deletion). In addition to the automated remediation functionality, CimTrak can automatically launch different custom scripts based on the detected change type.
2.3. Change Monitoring
CimTrak File System Agents and Network Device Agents can perform change management functions by monitoring file and configurations based on the configured Object Group Watch Policies, which abilities vary by operating system.
File System Agent - Microsoft Windows abilities
- Drivers (poll-based auditing)
- Installed Software (poll-based auditing)
- Network Shares (poll-based auditing and remediation)
- Registry (real-time auditing and remediation)
- Local Security Policy (poll-based auditing)
- Services (poll-based auditing)
- System Users (poll-based auditing)
- System Groups (poll-based auditing)
- File Integrity Monitoring (real-time auditing and remediation)
File System Agent - Linux-Unix-Macintosh abilities
- System Users (poll-based auditing)
- System Groups (poll-based auditing)
- File Integrity Monitoring (real-time/poll-based auditing and remediation)
- Network File System Integrity Monitoring (poll-based auditing and remediation)
Network Device Agent - supported network devices
Additional monitoring abilities - Windows-Linux
CimTrak Plug-ins enhance the abilities of CimTrak by adding additional monitoring functions, and will attach toFile System Agents, Network Device Agents, or both.
Plug-ins include:
- CimTrak for Databases ensures that critical database configurations, schema, user roles and permissions, and access settings do not deviate from their known, trusted state.
- CimTrak Network Flex Module analyzes script output and determines when a variance to the known expected occurs.
- CimTrak Server Flex Module analyzes script output and determines when a variance to the known expected occurs.
- CimTrak PCI Configuration Monitor provides a stream-lined auditing utility capable of indicating overall compliance status, non-compliant configurations, and compliant configurations of Microsoft Windows-based servers, workstations and POS Systems.
- CimTrak VMware ESXi Configuration Monitor monitors critical core VMware ESXi configurations such a user/host access permissions, active directory realms, network settings, integrated 3rd party tools, and advanced user configurations.
- CimTrak for Active Directory/LDAP monitors directory services for deviations to objects, attributes, and schema.
3. Application Security
CimTrak is constructed to follow software and communication security standards, and has government and IT security product certifications. Information stored within CimTrak is secure from external modification or access. Data at rest and data in transit are encrypted using the Cimcor Cryptographic Module, which has several certifications, including:
- Validated for FIPS 140-2 Level 1[4] and FIPS 140-2 Level 2[5]
The Federal Information Processing Standard (FIPS) Publication 140-2, FIPS PUB 140-2, is a United States government computer security standard used to accredit cryptographic modules. Level 1 indicates that the cryptographic module supports the lowest level of acceptable security. Security Level 1 allows the cryptographic module to be executed using an unevaluated operating system. Security Level 2 enhances the physical security mechanisms of Security Level 1 by adding the requirement for tamper-evidence and protection.[6]
- Certified at Common Criteria EAL4 Augmented with ALC_FLR.2[7]
The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 15408) for computer security certification. Common Criteria allows specifying and verifying vendor claims relating to security functionality and assurance requirements. Verification of claims is performed using approved testing laboratories.[8] The Evaluation Assurance Level of EAL4 permits the developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs. Augmented with ALC_FLR.2 establishes and verifies the claim that the developer has established flaw remediation procedures that describe the tracking of security flaws, the identification of corrective actions, and the distribution of corrective action information to TOE users.[9]
- Certified for the Department of Defense Unified Capabilities Approved Product List[10]
Cimcor's flagship software CimTrak is the only File Integrity Monitoring tool on the Department of Defense Unified Capabilities Approved Products List.[10] This unique factor allows CimTrak to be the only File Integrity Monitoring product available for use within the Department of Defense boundaries.
- Certified for the United States Army Approved Product List[10]
Products contained on the United States Army Approved products list have been deemed acceptable for use within the boundaries of the United States Army.
4. Compliance Objectives
The CimTrak application can be used to facilitate the following compliance and security objectives:[11]
- Payment Card Industry Data Security Standard (PCI DSS)[12]
- Natural Environment Research Council (NERC)-CIP[13]
- FISMA[14]
- SOX[15]
- Health Insurance Portability and Accountability Act (HIPAA)[16]
- Security[17]
- Continuity[18]
- File integrity monitoring[19]
- Change control[20]
- Website defacement[21]
4.1. Master Repository
For Microsoft Windows versions:
- Windows XP SP2 or SP3
- Windows Server 2003 R1 and R2 Releases, SP1 or SP2
- Windows Vista Release, SP1 or SP2
- Windows Server 2008 R1 and R2 Releases, SP1 or SP2
- Windows 7 Release, SP1
4.2. Management Console
For Microsoft Windows versions:
- Windows XP SP2 or SP3
- Windows Server 2003 R1 and R2 Releases, SP1 or SP2
- Windows Vista Release, SP1 or SP2
- Windows Server 2008 R1 and R2 Releases, SP1 or SP2 (non-core)
- Windows 7 Release, SP1
4.3. File System, Network Device Agent
- Microsoft Windows 2000 Server SP4 and Workstation SP4
- Microsoft Windows XP SP2 or SP3
- Microsoft Windows Server 2003 R1 and R2 Releases, SP1 or SP2
- Microsoft Windows Vista Release, SP1 or SP2
- Microsoft Windows Server 2008 R1 and R2 Releases, SP1 or SP2
- Microsoft Windows 7 Release, SP1
- Sun SPARC/x86 Solaris 10 Update 8
- OpenSolaris 2008.05 through 2009.06
- Linux 2.4.21 through 2.6.32 Kernel
- AIX 6.1
- HP-UX Itanium 11i V2 (11.23)
- HP-UX PA-RISC 11i V2 (11.23)
- Mac Intel OS 10.4.4 through 10.6.0
- Mac PowerPC OS 10.3.6 through 10.4.2
4.4. Command Line Utility
- Microsoft Windows 2000 Server SP4 and Workstation SP4
- Microsoft Windows XP SP2 or SP3
- Microsoft Windows Server 2003 Release, SP1 or SP2
- Microsoft Windows Vista Release, SP1 or SP2
- Microsoft Windows Server 2008 R1 and R2 Releases, SP1 or SP2
- Microsoft Windows 7 Release, SP1
- Sun SPARC/x86 Solaris 10 Update 8
- OpenSolaris 2008.05 through 2009.06
- Linux 2.4.21 through 2.6.32 Kernel
- AIX 6.1
- HP-UX Itanium 11i V2 (11.23)
- HP-UX PA-RISC 11i V2 (11.23)
- Mac Intel OS 10.4.4 through 10.6.0
- Mac PowerPC OS 10.3.6 through 10.4.2
4.5. FTP Repository Interface
For Microsoft Windows versions:
- Windows XP SP2 or SP3
- Windows Server 2003 R1 and R2 Releases, SP1 or SP2
- Windows Vista Release, SP1 or SP2
- Windows Server 2008 R1 and R2 Releases, SP1 or SP2
- Windows 7 Release, SP1
4.6. Ping Utility
- Microsoft Windows 2000 Server SP4 and Workstation SP4
- Microsoft Windows XP SP2 or SP3
- Microsoft Windows Server 2003 Release, SP1 or SP2
- Microsoft Windows Vista Release, SP1 or SP2
- Microsoft Windows Server 2008 R1 and R2 Releases, SP1 or SP2
- Microsoft Windows 7 Release, SP1
- Sun SPARC/x86 Solaris 10 Update 8
- OpenSolaris 2008.05 through 2009.06
- Linux 2.4.21 through 2.6.32 Kernel
- AIX 6.1
- HP-UX Itanium 11i V2 (11.23)
- HP-UX PA-RISC 11i V2 (11.23)
- Mac Intel OS 10.4.4 through 10.6.0
- Mac PowerPC OS 10.3.6 through 10.4.2
4.7. Proxy Utility
- Microsoft Windows 2000 Server SP4 and Workstation SP4
- Microsoft Windows XP SP2 or SP3
- Microsoft Windows Server 2003 Release, SP1 or SP2
- Microsoft Windows Vista Release, SP1 or SP2
- Microsoft Windows Server 2008 R1 and R2 Releases, SP1 or SP2
- Microsoft Windows 7 Release, SP1
- Sun SPARC/x86 Solaris 10 Update 8
- OpenSolaris 2008.05 through 2009.06
- Linux 2.4.21 through 2.6.32 Kernel
- AIX 6.1
- HP-UX Itanium 11i V2 (11.23)
- HP-UX PA-RISC 11i V2 (11.23)
- Mac Intel OS X 10.4.4 through 10.6.0
- Mac PowerPC OS X 10.3.6 through 10.4.2
4.8. ODBC Driver
For Microsoft Windows versions:
- Windows XP SP2 or SP3
- Windows Server 2003 R1 and R2 Releases, SP1 or SP2
- Windows Vista Release, SP1 or SP2
- Windows Server 2008 R1 and R2 Releases, SP1 or SP2
- Windows 7 Release, SP1