User Guidance. CimTrak Integrity & Compliance Suite 2.0.6.19

CimTrak Integrity & Compliance Suite

Master Repository, Management Console, File System Agent, Network Device Agent, Command Line Utility, Ping Utility, Proxy Utility, FTP Repository Interface

User Guidance

LEGAL NOTICES

The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

COPYRIGHT NOTICE

Copyright CIMCOR, Inc. All Rights Reserved. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from CIMCOR Inc., 8252 Virginia Street Suite C, Merrillville, IN

ALL EXAMPLES WITH NAMES, COMPANY NAMES, OR COMPANIES THAT APPEAR IN THIS DOCUMENT ARE IMAGINARY AND DO NOT REFER TO, OR PORTRAY ANY ACTUAL NAMES, COMPANIES, ENTITIES, OR INSTITUTIONS. ANY RESEMBLANCE TO ANY REAL PERSON, COMPANY, ENTITY, OR INSTITUTION IS PURELY COINCIDENTAL.

Every effort has been made to ensure the accuracy of this document. However, CIMCOR Inc. makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. CIMCOR Inc. shall not be liable for any errors or for incidental or consequential damages in connection with the furnishing, performance, or use of this document or the examples herein. The information in this document is subject to change without notice.

TRADEMARKS

CimTrak is a trademark of CIMCOR Inc. Microsoft, MS, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008, and Windows 7 are trademarks of Microsoft Corporation in the United States and/or other countries. Macintosh and Mac OSX are registered trademarks of Apple Inc. in the USA and other countries. Netscape is a registered trademark and Netscape Communicator is a trademark of Netscape Communications Corporation. InstallShield is a registered trademark and service mark of InstallShield Software Corporation. Linux is a registered trademark of Linus Torvalds. Solaris is a registered trademark of Sun Microsystems. All other products mentioned are trademarks and/or registered trademarks of their respective owners.

Document Released June 15, 2011

Table of Contents

1. INTRODUCTION DOCUMENTATION PURPOSE AND CONVENTIONS CIMCOR CIMTRAK INTEGRITY & COMPLIANCE SUITE INTRODUCTION CIMTRAK MASTER REPOSITORY CIMTRAK MANAGEMENT CONSOLE CIMTRAK FILE SYSTEM AGENT CIMTRAK NETWORK DEVICE AGENT CIMTRAK TOOLS CONFIGURATION PRE-REQUISITES PRE-REQUISITE OVERVIEW CONFIGURING AND USING THE CIMTRAK MANAGEMENT CONSOLE STARTING THE CIMTRAK MANAGEMENT CONSOLE ASSOCIATING THE MANAGEMENT CONSOLE WITH A MASTER REPOSITORY NEGOTIATING A MASTER REPOSITORY COMMUNICATION CERTIFICATE AUTHENTICATING WITH THE MASTER REPOSITORY VIA THE MANAGEMENT CONSOLE NAVIGATING THE CIMTRAK MANAGEMENT CONSOLE UNDERSTANDING THE MANAGEMENT CONSOLE SYSTEM MENU UNDERSTANDING THE MANAGEMENT CONSOLE TOOLBAR UNDERSTANDING THE MANAGEMENT CONSOLE OBJECT GROUP TREE UNDERSTANDING THE MANAGEMENT CONSOLE INFORMATION DISPLAY AREA CIMTRAK MANAGEMENT CONSOLE SYSTEM MENU: HELP ABOUT CIMTRAK SYSTEM INFORMATION LEGAL NOTICES CONFIGURING AND USING THE CIMTRAK MASTER REPOSITORY MANAGING THE MASTER REPOSITORY FROM THE MANAGEMENT CONSOLE MASTER REPOSITORY PROPERTIES CONFIGURING LOGGING OPTIONS CONFIGURING SMTP NOTIFICATIONS CONFIGURING NITROSECURITY NPP LOGGING CONFIGURING SNMP LOGGING CONFIGURING SYSLOG LOGGING CONFIGURING WEBTRENDS LOGGING CONFIGURING MASTER REPOSITORY SETTINGS CONFIGURING THE MASTER REPOSITORY NAME CONFIGURING THE MANAGEMENT CONSOLE DISCONNECT TIMEOUT CONFIGURING THE MASTER REPOSITORY DISK SPACE MONITOR CONFIGURING THE MASTER REPOSITORY ACCESS RESTRICTIONS CONFIGURING THE MASTER REPOSITORY PASSWORD POLICIES CONFIGURING THE MASTER REPOSITORY COMMUNICATION SETTINGS CONFIGURING THE MASTER REPOSITORY LOGON BANNER CONFIGURING ACTIVE DIRECTORY/LDAP USER ACCOUNT INTEGRATION ADDING/EDITING/DELETING ACTIVE DIRECTORY/LDAP HOSTS ADDING/DELETING ACTIVE DIRECTORY/LDAP USERS MASTER REPOSITORY OPTIONS CHANGING ACCOUNT PASSWORD CHANGING THE MANAGEMENT CONSOLE LANGUAGE MODIFYING USER PREFERENCES AUDITING THE MASTER REPOSITORY FROM THE MANAGEMENT CONSOLE

4 MASTER REPOSITORY INFORMATION ADDING, REMOVING, VIEWING AND ACTIVATING CIMTRAK LICENSES MASTER REPOSITORY EVENT LOG FILTERING AND SORTING THE MASTER REPOSITORY EVENT LOG CREATING MASTER REPOSITORY EVENT LOG FILTERS SORTING THE MASTER REPOSITORY EVENT LOG MASTER REPOSITORY NOTES MASTER REPOSITORY LOGGED ON USERS MASTER REPOSITORY LOCKED USER ACCOUNTS MANAGING MASTER REPOSITORY USERS & GROUPS FROM THE MANAGEMENT CONSOLE UNDERSTANDING THE USERS DIALOG TOOLBAR UNDERSTANDING THE USER GROUP TREE UNDERSTANDING CIMTRAK USER GROUPS CIMTRAK ADMINISTRATORS GROUP EXPLAINED CIMTRAK AUDITORS GROUP EXPLAINED CIMTRAK INSTALLERS GROUP EXPLAINED CIMTRAK STANDARD GROUP EXPLAINED ADDING CIMTRAK LOCAL USER ACCOUNTS ADDING CIMTRAK AD/LDAP USER ACCOUNTS ADDING CIMTRAK USER GROUPS EDITING CIMTRAK LOCAL USER & GROUP ACCOUNTS DELETING CIMTRAK LOCAL USER & GROUP ACCOUNTS DELETING CIMTRAK AD/LDAP USER ACCOUNTS UNLOCKING CIMTRAK USER ACCOUNTS CIMTRAK MASTER REPOSITORY DOCUMENT CONTROL CREATING A MASTER REPOSITORY DOCUMENT CONTROL DOCUMENT CONTROL PRIVATE KEY EDITING MASTER REPOSITORY DOCUMENT CONTROL PROPERTIES WORKING WITH MASTER REPOSITORY DOCUMENT CONTROL FILES AND FOLDERS ADDING FILES AND FOLDERS TO THE MASTER REPOSITORY DOCUMENT CONTROL DELETING FILES AND FOLDERS FROM THE MASTER REPOSITORY DOCUMENT CONTROL VIEWING FILE CONTENT FROM THE MASTER REPOSITORY DOCUMENT CONTROL DOWNLOADING LOCAL COPIES OF FILES FROM THE MASTER REPOSITORY DOCUMENT CONTROL COMPARING CHANGES WITH PAST GENERATIONS FROM THE MASTER REPOSITORY DOCUMENT CONTROL UNDERSTANDING THE DOCUMENT CONTROL FILE COMPARISON RESULTS DIALOG UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER EDITING DOCUMENT CONTROL FILES FROM THE MASTER REPOSITORY DOCUMENT CONTROL CHECKING OUT FILES FROM THE MASTER REPOSITORY DOCUMENT CONTROL CHECKING IN FILES FROM THE MASTER REPOSITORY DOCUMENT CONTROL AUDITING MASTER REPOSITORY DOCUMENT CONTROL EVENTS 
FILTERING AND SORTING THE MASTER REPOSITORY EVENT LOG CREATING DOCUMENT CONTROL EVENT LOG FILTERS SORTING THE DOCUMENT CONTROL EVENT LOG MASTER REPOSITORY DOCUMENT CONTROL GENERATIONS DOWNLOADING COPIES OF DOCUMENT CONTROL GENERATIONS VIEWING AND COMPARING CONTENT OF DOCUMENT CONTROL GENERATIONS DEPLOYING ROLLING BACK DOCUMENT CONTROL GENERATIONS MASTER REPOSITORY DOCUMENT CONTROL NOTES MASTER REPOSITORY DOCUMENT CONTROL PERMISSIONS MODIFYING AN EXISTING USER/GROUP DOCUMENT CONTROL PERMISSIONS ADDING AND REMOVING USERS AND GROUPS TO DOCUMENT CONTROL PERMISSIONS MANAGING MASTER REPOSITORY PERMISSIONS MODIFYING EXISTING USER/GROUP PERMISSIONS

5 ADDING AND REMOVING USERS AND GROUPS TO MASTER REPOSITORY PERMISSIONS MASTER REPOSITORY AREAS CREATING AND DELETING MASTER REPOSITORY AREAS MODIFYING MASTER REPOSITORY AREA PROPERTIES MANAGING AREA PERMISSIONS MODIFYING EXISTING USER/GROUP PERMISSIONS ADDING AND REMOVING USERS AND GROUPS TO AREA PERMISSIONS AREA EVENT LOG FILTERING AND SORTING THE AREA EVENT LOG CREATING AREA EVENT LOG FILTERS SORTING THE AREA EVENT LOG AREA NOTES AREA OVERVIEW MASTER REPOSITORY TEMPLATES IMPORTING MASTER REPOSITORY TEMPLATES EXPORTING MASTER REPOSITORY TEMPLATES CUSTOMIZING EXPORTED MASTER REPOSITORY TEMPLATES CONFIGURING AND USING THE CIMTRAK FILE SYSTEM AGENT MANAGING THE CIMTRAK FILE SYSTEM AGENT FROM THE MANAGEMENT CONSOLE FILE SYSTEM AGENT PROPERTIES CONFIGURING THE FILE SYSTEM AGENT DESCRIPTION PROPERTIES CONFIGURING THE FILE SYSTEM AGENT LICENSE PROPERTIES CONFIGURING THE FILE SYSTEM AGENT LOG RETENTION PROPERTIES CONFIGURING THE FILE SYSTEM AGENT DISCONNECT WARNING CONFIGURING THE FILE SYSTEM AGENT HEARTBEAT AND STATISTIC GATHERING INTERVAL CONFIGURING THE FILE SYSTEM AGENT THROTTLE FILE SYSTEM AGENT MONITORING PARAMETERS ADDING FILE SYSTEM AGENT MONITORING PARAMETERS EDITING FILE SYSTEM AGENT MONITORING PARAMETERS DELETING FILE SYSTEM AGENT MONITORING PARAMETERS WORKING WITH FILE SYSTEM AGENT POLICIES CREATING AND EDITING OBJECT GROUP WATCH POLICIES OBJECT GROUP PROPERTIES OBJECT GROUP WATCH POLICY PRIVATE KEY WATCH PROPERTIES CORRECTIVE ACTION AUTHORITATIVE COPY FILE COMPARISON METHOD STORE CHANGES AUTO EXCLUDE OPTIONS EVENT DETECTION METHOD CONNECTION LOSS TUNING WATCH PROPERTIES EXCLUDING AND INCLUDING USING REGULAR EXPRESSIONS EXCLUDING FOLDERS USING REGULAR EXPRESSIONS EXCLUDING FILES USING REGULAR EXPRESSIONS INVERSE EXCLUDING OF FOLDERS USING REGULAR EXPRESSIONS INVERSE EXCLUDING OF FILES USING REGULAR EXPRESSIONS SAVING OBJECT GROUP WATCH POLICIES TO TEMPLATES CREATING OBJECT GROUP WATCH POLICIES USING TEMPLATES DELETING OBJECT GROUP WATCH POLICIES ENABLING AND 
DISABLING OBJECT GROUP MONITORING SYNCHRONIZING OBJECT GROUP DATA FILE SYSTEM AGENT INFORMATION DISPLAY REVIEWING FILE SYSTEM AGENT SETTINGS AUDITING FILE SYSTEM AGENT EVENTS FILTERING AND SORTING THE FILE SYSTEM AGENT EVENT LOG

6 CREATING FILE SYSTEM AGENT EVENT LOG FILTERS SORTING THE FILE SYSTEM AGENT EVENT LOG REVIEWING FILE SYSTEM AGENT STATISTICS FILE SYSTEM AGENT NOTES FILE SYSTEM AGENT OBJECT GROUP OVERVIEW FILE SYSTEM AGENT PERMISSIONS MODIFYING AN EXISTING USER/GROUP FILE SYSTEM AGENT PERMISSIONS ADDING AND REMOVING USERS AND GROUPS TO FILE SYSTEM AGENT PERMISSIONS OBJECT GROUP INFORMATION DISPLAY AUDITING OBJECT GROUP EVENTS FILTERING AND SORTING THE OBJECT GROUP EVENT LOG CREATING OBJECT GROUP EVENT LOG FILTERS SORTING THE FILE SYSTEM AGENT EVENT LOG REVIEWING OBJECT GROUP MONITORED CHANGES FILTERING AND SORTING THE OBJECT GROUP CHANGE LOG CREATING OBJECT GROUP CHANGE LOG FILTERS SORTING THE FILE SYSTEM AGENT CHANGE LOG ACCESSING THE CHANGE LOG TAB CONTEXT MENU VIEWING CHANGE CONTENT VIEWING CHANGE CONTENT IN BINARY VIEWING CHANGE FORENSIC DATA DOWNLOADING A COPY OF CHANGE DATA COMPARING CHANGE DATA WITH THE AUTHORITATIVE COPY AT THE TIME OF THE CHANGE UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER COMPARING CHANGE DATA WITH THE CURRENT AUTHORITATIVE COPY UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER REVIEWING OBJECT GROUP MONITORING INFORMATION REVIEWING OBJECT GROUP DATA PENDING REPAIR FILTERING AND SORTING THE PENDING REPAIR TAB CREATING PENDING REPAIR FILTERS SORTING THE PENDING REPAIR TAB CHANGES PENDING APPROVAL OBJECT GROUP GENERATIONS DOWNLOADING GENERATION DATA VIEWING AND COMPARING CONTENT OF OBJECT GROUP GENERATIONS UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB 
BROWSER DEPLOYING ROLLING BACK OBJECT GROUP GENERATIONS OBJECT GROUP NOTES OBJECT GROUP PERMISSIONS MODIFYING AN EXISTING USER/GROUP OBJECT GROUP PERMISSIONS ADDING AND REMOVING USERS AND GROUPS TO OBJECT GROUP PERMISSIONS CONFIGURING AND USING THE CIMTRAK NETWORK DEVICE AGENT MANAGING THE CIMTRAK NETWORK DEVICE AGENT FROM THE MANAGEMENT CONSOLE NETWORK DEVICE AGENT PROPERTIES CONFIGURING THE NETWORK DEVICE AGENT DESCRIPTION PROPERTIES CONFIGURING THE NETWORK DEVICE AGENT LICENSE PROPERTIES

7 CONFIGURING THE NETWORK DEVICE AGENT LOG RETENTION PROPERTIES CONFIGURING THE NETWORK DEVICE AGENT DISCONNECT WARNING CONFIGURING THE NETWORK DEVICE AGENT HEARTBEAT AND STATISTIC GATHERING INTERVAL CONFIGURING THE NETWORK DEVICE AGENT THROTTLE NETWORK DEVICE AGENT MONITORING PARAMETERS ADDING NETWORK DEVICE AGENT MONITORING PARAMETERS EDITING NETWORK DEVICE AGENT MONITORING PARAMETERS DELETING NETWORK DEVICE AGENT MONITORING PARAMETERS WORKING WITH NETWORK DEVICE AGENT POLICIES CREATING AND EDITING OBJECT GROUP WATCH POLICIES OBJECT GROUP PROPERTIES OBJECT GROUP WATCH POLICY PRIVATE KEY WATCH PROPERTIES CORRECTIVE ACTION AUTHORITATIVE COPY FILE COMPARISON METHOD STORE CHANGES AUTO EXCLUDE OPTIONS EVENT DETECTION METHOD CONNECTION LOSS TUNING WATCH PROPERTIES EXCLUDING AND INCLUDING USING REGULAR EXPRESSIONS EXCLUDING FOLDERS USING REGULAR EXPRESSIONS EXCLUDING FILES USING REGULAR EXPRESSIONS INVERSE EXCLUDING OF FOLDERS USING REGULAR EXPRESSIONS INVERSE EXCLUDING OF FILES USING REGULAR EXPRESSIONS SAVING OBJECT GROUP WATCH POLICIES TO TEMPLATES CREATING OBJECT GROUP WATCH POLICIES USING TEMPLATES DELETING OBJECT GROUP WATCH POLICIES ENABLING AND DISABLING OBJECT GROUP MONITORING SYNCHRONIZING OBJECT GROUP DATA NETWORK DEVICE AGENT INFORMATION DISPLAY REVIEWING NETWORK DEVICE AGENT SETTINGS AUDITING NETWORK DEVICE AGENT EVENTS FILTERING AND SORTING THE NETWORK DEVICE AGENT EVENT LOG CREATING NETWORK DEVICE AGENT EVENT LOG FILTERS SORTING THE NETWORK DEVICE AGENT EVENT LOG REVIEWING NETWORK DEVICE AGENT STATISTICS NETWORK DEVICE AGENT NOTES NETWORK DEVICE AGENT OBJECT GROUP OVERVIEW NETWORK DEVICE AGENT PERMISSIONS MODIFYING AN EXISTING USER/GROUP NETWORK DEVICE AGENT PERMISSIONS ADDING AND REMOVING USERS AND GROUPS TO NETWORK DEVICE AGENT PERMISSIONS OBJECT GROUP INFORMATION DISPLAY AUDITING OBJECT GROUP EVENTS FILTERING AND SORTING THE OBJECT GROUP EVENT LOG CREATING OBJECT GROUP EVENT LOG FILTERS SORTING THE NETWORK DEVICE AGENT EVENT LOG REVIEWING OBJECT GROUP 
MONITORED CHANGES FILTERING AND SORTING THE OBJECT GROUP CHANGE LOG CREATING OBJECT GROUP CHANGE LOG FILTERS SORTING THE NETWORK DEVICE AGENT CHANGE LOG ACCESSING THE CHANGE LOG TAB CONTEXT MENU VIEWING CHANGE CONTENT VIEWING CHANGE CONTENT IN BINARY VIEWING CHANGE FORENSIC DATA DOWNLOADING A COPY OF CHANGE DATA COMPARING CHANGE DATA WITH THE AUTHORITATIVE COPY AT THE TIME OF THE CHANGE

8 UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER COMPARING CHANGE DATA WITH THE CURRENT AUTHORITATIVE COPY UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER REVIEWING OBJECT GROUP MONITORING INFORMATION REVIEWING OBJECT GROUP DATA PENDING REPAIR FILTERING AND SORTING THE PENDING REPAIR TAB CREATING PENDING REPAIR FILTERS SORTING THE PENDING REPAIR TAB CHANGES PENDING APPROVAL OBJECT GROUP GENERATIONS DOWNLOADING GENERATION DATA VIEWING AND COMPARING CONTENT OF OBJECT GROUP GENERATIONS UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER DEPLOYING ROLLING BACK OBJECT GROUP GENERATIONS OBJECT GROUP NOTES OBJECT GROUP PERMISSIONS MODIFYING AN EXISTING USER/GROUP OBJECT GROUP PERMISSIONS ADDING AND REMOVING USERS AND GROUPS TO OBJECT GROUP PERMISSIONS CONFIGURING AND USING THE CIMTRAK COMMAND LINE UTILITY ACCESSING THE CIMTRAK COMMAND LINE UTILITY DISPLAYING THE CIMTRAK COMMAND LINE UTILITY PARAMETERS AND SYNTAX LOCKING AND UNLOCKING OBJECT GROUPS FROM THE COMMAND LINE DISPLAYING THE STATUS OF OBJECT GROUPS FROM THE COMMAND LINE DISPLAYING A LIST OF ALL OBJECT GROUPS FROM THE COMMAND LINE ENTERING AND EXITING DATABASE BACKUP MODE FROM THE COMMAND LINE DEFRAGMENTING THE CIMTRAK DATABASE FROM THE COMMAND LINE SYNCHRONIZING OBJECT GROUPS FROM THE COMMAND LINE RUNNING CIMTRAK REPORTS FROM THE COMMAND LINE CONFIGURING AND USING THE CIMTRAK FTP SERVER UTILITY ACCESSING AND USING THE CIMTRAK FTP SERVER UTILITY CONFIGURING AND USING THE CIMTRAK PING UTILITY ACCESSING AND USING 
THE CIMTRAK PING UTILITY CONFIGURING AND USING THE CIMTRAK PROXY UTILITY ACCESSING AND USING THE CIMTRAK PROXY UTILITY CIMTRAK INTEGRATED REPORTING ACCESSING CIMTRAK REPORTING NAVIGATING THE AVAILABLE REPORTS DIALOG AND EXECUTING REPORTS EXPLAINING AVAILABLE CIMTRAK REPORTS EXPLAINING CIMTRAK COMPLIANCE FLAGS WORKING WITH CIMTRAK REPORT PACKAGES UPLOADING ADDITIONAL CIMTRAK REPORTS

APPENDIX A: DOCUMENT VERSIONING A.1 CIMTRAK USER GUIDANCE DOCUMENTATION HISTORY APPENDIX B: FILE SYSTEM AGENT OBJECT GROUP WORKSHEET B.1 OBJECT GROUP WORKSHEET APPENDIX C: NETWORK DEVICE AGENT OBJECT GROUP WORKSHEET C.1 OBJECT GROUP WORKSHEET APPENDIX D: MESSAGE LEVELS AND EXAMPLES D.1 OBJECT GROUP WORKSHEET APPENDIX E: SUPPORT CONTACT INFORMATION E.1 CIMTRAK TECHNICAL SUPPORT SERVICES E.2 SUPPORT VIA ELECTRONIC MAIL


Index of Tables

TABLE 1: TEMPLATE ENVIRONMENT VARIABLES TABLE 2: NETWORK DEVICE COMMUNICATION AND FILE TRANSFER PROTOCOLS TABLE 3: DOCUMENT VERSIONING TABLE 4: COMMON LOG MESSAGES

Index of Images

FIGURE 1: CIMTRAK ARCHITECTURE FIGURE 2: CIMTRAK MANAGEMENT CONSOLE ICON FIGURE 3: CIMTRAK MANAGEMENT CONSOLE SPLASH SCREEN FIGURE 4: CIMTRAK MANAGEMENT CONSOLE (NO CONNECTIONS) FIGURE 5: CIMTRAK MANAGEMENT CONSOLE "NEW" BUTTONS (OUTLINED IN RED) FIGURE 6: CONNECT TO CIMTRAK REPOSITORY DIALOG FIGURE 7: CIMTRAK MANAGEMENT CONSOLE "CONNECT" BUTTON (OUTLINED IN RED) FIGURE 8: CONNECT TO CIMTRAK REPOSITORY DIALOG FIGURE 9: AUTHENTICATED CIMTRAK MANAGEMENT CONSOLE FIGURE 10: CIMTRAK MANAGEMENT CONSOLE SECTIONS FIGURE 11: CIMTRAK SYSTEM MENU FIGURE 12: EXAMPLE MASTER REPOSITORY NODE FIGURE 13: CIMTRAK TOOLBAR FIGURE 14: OBJECT GROUP TREE SHOWING MASTER REPOSITORY AND ASSOCIATED CIMTRAK AGENTS FIGURE 15: CIMTRAK MANAGEMENT CONSOLE INFORMATION DISPLAY AREA (MASTER REPOSITORY LEVEL) FIGURE 16: CIMTRAK ABOUT DIALOG FIGURE 17: SYSTEM INFORMATION DIALOG FIGURE 18: CIMTRAK END USER LICENSE AGREEMENT FIGURE 19: CIMTRAK MASTER REPOSITORY PROPERTIES FIGURE 20: CIMTRAK MASTER REPOSITORY LOGGING DIALOG FIGURE 21: CIMTRAK MASTER REPOSITORY REPOSITORY SETTINGS DIALOG FIGURE 22: CIMTRAK PASSWORD POLICIES DIALOG FIGURE 23: CIMTRAK MASTER REPOSITORY COMMUNICATION SETTINGS FIGURE 24: CIMTRAK LOGON BANNER DIALOG FIGURE 25: CIMTRAK LOGON BANNER FIGURE 26: AD/LDAP PROPERTIES DIALOG FIGURE 27: AD/LDAP HOSTS FIGURE 28: CIMTRAK MANAGEMENT CONSOLE ALERT DIALOG FIGURE 29: SEARCH AD/LDAP SERVER DIALOG FIGURE 30: EXAMPLE AD/LDAP SERVER SEARCH INFORMATION FIGURE 31: ADD USERS DIALOG FIGURE 32: ALLOWING/DENYING AD/LDAP USERS FIGURE 33: CIMTRAK MANAGEMENT CONSOLE DIALOG FIGURE 34: NEW PASSWORD DIALOG FIGURE 35: MANAGEMENT CONSOLE DIALOG FIGURE 36: CHANGE PASSWORD DIALOG

12 FIGURE 37: OPEN LANGUAGE DIALOG FIGURE 38: CIMTRAK MANAGEMENT CONSOLE INFORMATION DISPLAY AREA (MASTER REPOSITORY LEVEL) FIGURE 39: CIMTRAK LICENSING DIALOG FIGURE 40: ADD LICENSE DIALOG FIGURE 41: ACTIVATE SERIAL NUMBER DIALOG FIGURE 42: 67 FIGURE 43: ACTIVATION CODE RESPONSE FIGURE 44: SERIAL NUMBER REQUIRING ACTIVATION (DISPLAYED IN RED) FIGURE 45: MASTER REPOSITORY EVENT LOG FIGURE 46: FILTERS DIALOG SHOWING FILTER DATA FIGURE 47: OPERATOR SELECTION DROPDOWN FIGURE 48: GROUPED FILTERS FIGURE 49: FILTERED EVENT LOG DATA FIGURE 50: FILTERS DIALOG SHOWING SORT DATA FIGURE 51: FILTERED EVENT LOG DATA FIGURE 52: CIMTRAK NOTES TOOLBAR FIGURE 53: MASTER REPOSITORY NOTES DIALOG FIGURE 54: MASTER REPOSITORY LOGGED ON USERS TAB FIGURE 55: MASTER REPOSITORY LOCKED ACCOUNT TAB FIGURE 56: USERS DIALOG FIGURE 57: USERS DIALOG TOOLBAR FIGURE 58: USER GROUP TREE SHOWING GROUPS AND CHILD USERS FIGURE 59: EDIT USERS DIALOG FIGURE 60: RANDOMLY GENERATED PASSWORD FIGURE 61: EXAMPLE AD/LDAP SERVER SEARCH INFORMATION FIGURE 62: ADD USERS DIALOG FIGURE 63: EDIT GROUP DIALOG FIGURE 64: EDIT USERS DIALOG FIGURE 65: EDIT GROUP DIALOG FIGURE 66: USER/GROUP DELETION CONFIRMATION DIALOG FIGURE 67: MASTER REPOSITORY LOCKED ACCOUNTS TAB FIGURE 68: LOCKED USER ACCOUNT (HIGHLIGHTED IN RED) FIGURE 69: DOCUMENT CONTROL PROPERTIES DIALOG FIGURE 70: DOCUMENT CONTROL OBJECT GROUP FIGURE 71: SET DOCUMENT CONTROL PRIVATE KEY DIALOG FIGURE 72: DOCUMENT CONTROL PROPERTIES DIALOG FIGURE 73: DOCUMENT CONTROL DIRECTORY/FILE DIALOG FIGURE 74: DOCUMENT CONTROL ADD FILES DIALOG FIGURE 75: ENTER PRIVATE KEY DIALOG FIGURE 76: DOCUMENT CONTROL INFORMATION DISPLAY AREA SHOWING ADDED FILES FIGURE 77: ENTER PRIVATE KEY DIALOG FIGURE 78: FILE VIEW DIALOG (NON-BINARY) FIGURE 79: FILE VIEW DIALOG (BINARY) FIGURE 80: ENTER PRIVATE KEY DIALOG FIGURE 81: ENTER PRIVATE KEY DIALOG FIGURE 82: FILE TO COMPARE AGAINST DIALOG FIGURE 83: ENTER PRIVATE KEY DIALOG FIGURE 84: FILE COMPARISON RESULTS DIALOG FIGURE 85: FILE 
COMPARISON RESULTS DIALOG TOOLBAR FIGURE 86: FILE COMPARISON RESULTS DIALOG CHANGES TAB FIGURE 87: ENTER PRIVATE KEY DIALOG FIGURE 88: EDIT FILE DIALOG FIGURE 89: ENTER PRIVATE KEY DIALOG FIGURE 90: DOCUMENT CONTROL INFORMATION DISPLAY AREA SHOWING CHANGED FILE FIGURE 91: BROWSE FOR FOLDER DIALOG

13 FIGURE 92: ENTER PRIVATE KEY DIALOG FIGURE 93: DOCUMENT CONTROL FILE CHECKED OUT FIGURE 94: ENTER PRIVATE KEY DIALOG FIGURE 95: DOCUMENT CONTROL INFORMATION DISPLAY AREA SHOWING CHANGED FILE FIGURE 96: DOCUMENT CONTROL EVENT LOG FIGURE 97: FILTERS DIALOG SHOWING FILTER DATA FIGURE 98: OPERATOR SELECTION DROPDOWN FIGURE 99: GROUPED FILTERS FIGURE 100: FILTERED EVENT LOG DATA FIGURE 101: FILTERS DIALOG SHOWING SORT DATA FIGURE 102: FILTERED EVENT LOG DATA FIGURE 103: DOCUMENT CONTROL GENERATION TAB FIGURE 104: ENTER PRIVATE KEY DIALOG FIGURE 105: FILE VIEW DIALOG (NON-BINARY) FIGURE 106: FILE VIEW DIALOG (BINARY) FIGURE 107: ENTER PRIVATE KEY DIALOG FIGURE 108: FILE TO COMPARE AGAINST DIALOG FIGURE 109: ENTER PRIVATE KEY DIALOG FIGURE 110: FILE COMPARISON RESULTS DIALOG FIGURE 111: CONFIRM DEPLOY DIALOG FIGURE 112: NOTES DIALOG FIGURE 113: CIMTRAK NOTES TOOLBAR FIGURE 114: DOCUMENT CONTROL NOTES DIALOG FIGURE 115: DOCUMENT CONTROL SECURITY PERMISSIONS DIALOG FIGURE 116: ADD USERS DIALOG FIGURE 117: EXAMPLE AD/LDAP SERVER SEARCH INFORMATION FIGURE 118: ADD USERS DIALOG FIGURE 119: DOCUMENT CONTROL SECURITY PERMISSIONS DIALOG FIGURE 120: ADD USERS DIALOG FIGURE 121: EXAMPLE AD/LDAP SERVER SEARCH INFORMATION FIGURE 122: ADD USERS DIALOG FIGURE 123: AREA DIALOG FIGURE 124: OBJECT GROUP TREE SHOWING AREA FIGURE 125: DOCUMENT CONTROL SHOWING MULTIPLE AREAS WITH CHILDREN FIGURE 126: CONFIRM DELETE DIALOG FIGURE 127: AREA DIALOG FIGURE 128: AREA SECURITY PERMISSIONS DIALOG FIGURE 129: ADD USERS DIALOG FIGURE 130: EXAMPLE AD/LDAP SERVER SEARCH INFORMATION FIGURE 131: ADD USERS DIALOG FIGURE 132: AREA EVENT LOG FIGURE 133: FILTERS DIALOG SHOWING FILTER DATA FIGURE 134: OPERATOR SELECTION DROPDOWN FIGURE 135: GROUPED FILTERS FIGURE 136: FILTERED EVENT LOG DATA FIGURE 137: FILTERS DIALOG SHOWING SORT DATA FIGURE 138: FILTERED EVENT LOG DATA FIGURE 139: CIMTRAK NOTES TOOLBAR FIGURE 140: AREA NOTES DIALOG FIGURE 141: AREA OVERVIEW FIGURE 142: TEMPLATE MAINTENANCE FIGURE 143: 
TEMPLATE OPEN DIALOG FIGURE 144: IMPORT TEMPLATE(S) DIALOG FIGURE 145: TEMPLATE MAINTENANCE DIALOG FIGURE 146: BROWSE FOR FOLDER DIALOG FIGURE 147: CIMTRAK FILE SYSTEM AGENT IN OBJECT GROUP TREE

14 FIGURE 148: CIMTRAK AGENT CONFIGURATION FIGURE 149: FILE SYSTEM AGENT DESCRIPTION FIGURE 150: CIMTRAK AGENT LICENSE SETTINGS FIGURE 151: NUMBER OF EVENTS TO KEEP SETTINGS FIGURE 152: CIMTRAK AGENT DB OPTIONS SETTINGS FIGURE 153: CIMTRAK AGENT POLL INTERVALS SETTINGS (DEFAULTS) FIGURE 154: FILE SYSTEM AGENT THROTTLING SETTINGS FIGURE 155: AGENT MONITORING PARAMETERS FIGURE 156: AGENT MONITOR PARAMETERS DIALOG FIGURE 157: CIMTRAK EVENT LOG PERFORMANCE ALERT (MEMORY UTILIZATION) FIGURE 158: AGENT MONITOR PARAMETERS DIALOG (DEVICE SELECTED) FIGURE 159: CIMTRAK EVENT LOG PERFORMANCE ALERT (MEMORY UTILIZATION) FIGURE 160: CIMTRAK MANAGEMENT CONSOLE'S OBJECT GROUP TREE SHOWING OBJECT GROUPS FIGURE 161: OBJECT GROUP PROPERTIES DIALOG FIGURE 162: FILE SYSTEM AGENT OBJECT INFORMATION FIGURE 163: FILE SYSTEM AGENT OBJECT GROUP PRIVATE KEY BUTTON FIGURE 164: FILE SYSTEM AGENT MONITORING INFORMATION FIGURE 165: MICROSOFT WINDOWS OPERATING SYSTEM TREE FIGURE 166: WATCH NOTIFICATIONS FIGURE 167: SET OBJECT GROUP PRIVATE KEY DIALOG FIGURE 168: WATCH PROPERTIES DIALOG FIGURE 169: WATCH PROPERTIES SECTION SHOWING MONITORED DIRECTORY FIGURE 170: CORRECTIVE ACTION PROPERTIES FIGURE 171: CORRECTIVE ACTION ADVANCED SETTINGS FIGURE 172: OPEN FILE DIALOG FIGURE 173: CORRECTIVE ACTION WAIT & TIMEOUT SETTINGS FIGURE 174: CORRECTIVE ACTION PARAMETERS SETTINGS FIGURE 175: AUTHORITATIVE COPY PARAMETER SETTINGS FIGURE 176: FILE COMPARISON METHOD PARAMETER SETTINGS FIGURE 177: AUTO EXCLUDE PARAMETER SETTINGS FIGURE 178: OPTIONS PARAMETER SETTINGS FIGURE 179: EVENT DETECTION METHOD PARAMETER SETTINGS FIGURE 180: CONNECTION LOSS PARAMETER SETTINGS FIGURE 181: WATCH PROPERTIES SECTION SHOWING MONITORED DATA FIGURE 182: ADD REGULAR EXPRESSION EXCLUDE DIALOG FIGURE 183: REGULAR EXPRESSION FOLDER EXCLUDE (BLUE TEXT) FIGURE 184: REGULAR EXPRESSION FILE EXCLUDE (BLUE TEXT) FIGURE 185: REGULAR EXPRESSION FOLDER EXCLUDE (BLUE TEXT) FIGURE 186: REGULAR EXPRESSION FILE EXCLUDE (BLUE TEXT) FIGURE 187: 
SAVE TO TEMPLATE DIALOG FIGURE 188: SELECT TEMPLATE DIALOG FIGURE 189: CONFIRM DELETE DIALOG FIGURE 190: OBJECT GROUP LOCK PROCESS (EVENT LOG) FIGURE 191: OBJECT GROUP LOCK PROCESS STOPPED (EVENT LOG) FIGURE 192: OBJECT GROUP UNLOCK PROCESS (EVENT LOG) FIGURE 193: OBJECT GROUP SYNCHRONIZATION PROCESS (EVENT LOG) FIGURE 194: FILE SYSTEM AGENT INFORMATION DISPLAY AREA (AGENT SETTINGS TAB SELECTED) FIGURE 195: FILE SYSTEM AGENT INFORMATION DISPLAY AREA (AGENT SETTINGS TAB SELECTED) FIGURE 196: FILE SYSTEM AGENT EVENT LOG FIGURE 197: FILTERS DIALOG SHOWING FILTER DATA FIGURE 198: OPERATOR SELECTION DROPDOWN FIGURE 199: GROUPED FILTERS FIGURE 200: FILTERED EVENT LOG DATA FIGURE 201: FILTERS DIALOG SHOWING SORT DATA FIGURE 202: FILTERED EVENT LOG DATA

15 FIGURE 203: CIMTRAK FILE SYSTEM AGENT STATS TAB FIGURE 204: GRAPH QUANTITY BUTTON FIGURE 205: CIMTRAK NOTES TOOLBAR FIGURE 206: FILE SYSTEM AGENT NOTES DIALOG FIGURE 207: FILE SYSTEM AGENT OVERVIEW TAB FIGURE 208: FILE SYSTEM AGENT SECURITY PERMISSIONS DIALOG FIGURE 209: ADD USERS DIALOG FIGURE 210: EXAMPLE AD/LDAP SERVER SEARCH INFORMATION FIGURE 211: ADD USERS DIALOG FIGURE 212: OBJECT GROUP INFORMATION DISPLAY AREA (EVENT LOG TAB SELECTED) FIGURE 213: FILE SYSTEM AGENT EVENT LOG FIGURE 214: FILTERS DIALOG SHOWING FILTER DATA FIGURE 215: OPERATOR SELECTION DROPDOWN FIGURE 216: GROUPED FILTERS FIGURE 217: FILTERED EVENT LOG DATA FIGURE 218: FILTERS DIALOG SHOWING SORT DATA FIGURE 219: FILTERED EVENT LOG DATA FIGURE 220: OBJECT GROUP CHANGE LOG FIGURE 221: FILTERS DIALOG SHOWING FILTER DATA FIGURE 222: OPERATOR SELECTION DROPDOWN FIGURE 223: GROUPED FILTERS FIGURE 224: FILTERED EVENT LOG DATA FIGURE 225: FILTERS DIALOG SHOWING SORT DATA FIGURE 226: FILTERED EVENT LOG DATA FIGURE 227: FILE VIEW DIALOG FIGURE 228: ENTER PRIVATE KEY DIALOG FIGURE 229: FILE VIEW DIALOG (BINARY) FIGURE 230: ENTER PRIVATE KEY DIALOG FIGURE 231: FORENSIC DATA DIALOG FIGURE 232: SAVE AS DIALOG FIGURE 233: ENTER PRIVATE KEY DIALOG FIGURE 234: FILE COMPARISON RESULTS FIGURE 235: ENTER PRIVATE KEY DIALOG FIGURE 236: FILE COMPARISON RESULTS DIALOG TOOLBAR FIGURE 237: FILE COMPARISON RESULTS DIALOG CHANGES TAB FIGURE 238: FILE COMPARISON RESULTS FIGURE 239: ENTER PRIVATE KEY DIALOG FIGURE 240: FILE COMPARISON RESULTS DIALOG TOOLBAR FIGURE 241: FILE COMPARISON RESULTS DIALOG CHANGES TAB FIGURE 242: OBJECT GROUP MONITOR INFO TAB FIGURE 243: MONITOR INFO STATS DIALOG FIGURE 244: MONITOR INFO STATUS WINDOW TAB FIGURE 245: MONITOR INFO DETAILS TAB FIGURE 246: PENDING REPAIR TAB SHOWING 3 PENDING REPAIRS FIGURE 247: FILTERS DIALOG SHOWING FILTER DATA FIGURE 248: OPERATOR SELECTION DROPDOWN FIGURE 249: GROUPED FILTERS FIGURE 250: FILTERED PENDING REPAIR DATA FIGURE 251: FILTERS DIALOG SHOWING SORT 
DATA FIGURE 252: FILTERED PENDING REPAIR DATA FIGURE 253: CHANGES PENDING APPROVAL DIALOG FIGURE 254: OBJECT GROUP GENERATION TAB FIGURE 255: ENTER PRIVATE KEY DIALOG FIGURE 256: FILE VIEW DIALOG (NON-BINARY) FIGURE 257: FILE VIEW DIALOG (BINARY) FIGURE 258: ENTER PRIVATE KEY DIALOG

16 FIGURE 259: FILE TO COMPARE AGAINST DIALOG FIGURE 260: ENTER PRIVATE KEY DIALOG FIGURE 261: FILE COMPARISON RESULTS DIALOG FIGURE 262: FILE COMPARISON RESULTS DIALOG TOOLBAR FIGURE 263: FILE COMPARISON RESULTS DIALOG CHANGES TAB FIGURE 264: CONFIRM DEPLOY DIALOG FIGURE 265: NOTES DIALOG FIGURE 266: CIMTRAK NOTES TOOLBAR FIGURE 267: OBJECT GROUP NOTES DIALOG FIGURE 268: OBJECT GROUP SECURITY PERMISSIONS DIALOG FIGURE 269: ADD USERS DIALOG FIGURE 270: EXAMPLE AD/LDAP SERVER SEARCH INFORMATION FIGURE 271: ADD USERS DIALOG FIGURE 272: CIMTRAK NETWORK DEVICE AGENT IN OBJECT GROUP TREE FIGURE 273: CIMTRAK AGENT CONFIGURATION FIGURE 274: NETWORK DEVICE AGENT DESCRIPTION FIGURE 275: CIMTRAK AGENT LICENSE SETTINGS FIGURE 276: NUMBER OF EVENTS TO KEEP SETTINGS FIGURE 277: CIMTRAK AGENT DB OPTIONS SETTINGS FIGURE 278: CIMTRAK AGENT POLL INTERVALS SETTINGS (DEFAULTS) FIGURE 279: NETWORK DEVICE AGENT THROTTLING SETTINGS FIGURE 280: AGENT MONITORING PARAMETERS FIGURE 281: AGENT MONITOR PARAMETERS DIALOG FIGURE 282: CIMTRAK EVENT LOG PERFORMANCE ALERT (MEMORY UTILIZATION) FIGURE 283: AGENT MONITOR PARAMETERS DIALOG (DEVICE SELECTED) FIGURE 284: CIMTRAK EVENT LOG PERFORMANCE ALERT (MEMORY UTILIZATION) FIGURE 285: CIMTRAK MANAGEMENT CONSOLE'S OBJECT GROUP TREE SHOWING OBJECT GROUPS FIGURE 286: NEW NETWORK DEVICE DIALOG FIGURE 287: OBJECT GROUP PROPERTIES DIALOG FIGURE 288: NETWORK DEVICE AGENT OBJECT INFORMATION FIGURE 289: NETWORK DEVICE AGENT OBJECT GROUP PRIVATE KEY BUTTON FIGURE 290: NETWORK DEVICE AGENT MONITORING INFORMATION FIGURE 291: CISCO IOS OPERATING SYSTEM TREE FIGURE 292: WATCH NOTIFICATIONS FIGURE 293: SET OBJECT GROUP PRIVATE KEY DIALOG FIGURE 294: WATCH PROPERTIES DIALOG FIGURE 295: WATCH PROPERTIES SECTION SHOWING MONITORED DIRECTORY FIGURE 296: CORRECTIVE ACTION PROPERTIES FIGURE 297: CORRECTIVE ACTION ADVANCED SETTINGS FIGURE 298: OPEN FILE DIALOG FIGURE 299: CORRECTIVE ACTION WAIT & TIMEOUT SETTINGS FIGURE 300: CORRECTIVE ACTION PARAMETERS SETTINGS FIGURE 
301: AUTHORITATIVE COPY PARAMETER SETTINGS FIGURE 302: FILE COMPARISON METHOD PARAMETER SETTINGS FIGURE 303: AUTO EXCLUDE PARAMETER SETTINGS FIGURE 304: OPTIONS PARAMETER SETTINGS FIGURE 305: EVENT DETECTION METHOD PARAMETER SETTINGS FIGURE 306: CONNECTION LOSS PARAMETER SETTINGS FIGURE 307: WATCH PROPERTIES SECTION SHOWING MONITORED DATA FIGURE 308: ADD REGULAR EXPRESSION EXCLUDE DIALOG FIGURE 309: REGULAR EXPRESSION FOLDER EXCLUDE (BLUE TEXT) FIGURE 310: REGULAR EXPRESSION FILE EXCLUDE (BLUE TEXT) FIGURE 311: REGULAR EXPRESSION FOLDER EXCLUDE (BLUE TEXT) FIGURE 312: REGULAR EXPRESSION FILE EXCLUDE (BLUE TEXT) FIGURE 313: SAVE TO TEMPLATE DIALOG

FIGURE 314: SELECT TEMPLATE DIALOG
FIGURE 315: CONFIRM DELETE DIALOG
FIGURE 316: OBJECT GROUP LOCK PROCESS (EVENT LOG)
FIGURE 317: OBJECT GROUP LOCK PROCESS STOPPED (EVENT LOG)
FIGURE 318: OBJECT GROUP UNLOCK PROCESS (EVENT LOG)
FIGURE 319: OBJECT GROUP SYNCHRONIZATION PROCESS (EVENT LOG)
FIGURE 320: NETWORK DEVICE AGENT INFORMATION DISPLAY AREA (AGENT SETTINGS TAB SELECTED)
FIGURE 321: NETWORK DEVICE AGENT INFORMATION DISPLAY AREA (AGENT SETTINGS TAB SELECTED)
FIGURE 322: NETWORK DEVICE AGENT EVENT LOG
FIGURE 323: FILTERS DIALOG SHOWING FILTER DATA
FIGURE 324: OPERATOR SELECTION DROPDOWN
FIGURE 325: GROUPED FILTERS
FIGURE 326: FILTERED EVENT LOG DATA
FIGURE 327: FILTERS DIALOG SHOWING SORT DATA
FIGURE 328: FILTERED EVENT LOG DATA
FIGURE 329: CIMTRAK NETWORK DEVICE AGENT STATS TAB
FIGURE 330: GRAPH QUANTITY BUTTON
FIGURE 331: CIMTRAK NOTES TOOLBAR
FIGURE 332: NETWORK DEVICE AGENT NOTES DIALOG
FIGURE 333: NETWORK DEVICE AGENT OVERVIEW TAB
FIGURE 334: NETWORK DEVICE AGENT SECURITY PERMISSIONS DIALOG
FIGURE 335: ADD USERS DIALOG
FIGURE 336: EXAMPLE AD/LDAP SERVER SEARCH INFORMATION
FIGURE 337: ADD USERS DIALOG
FIGURE 338: OBJECT GROUP INFORMATION DISPLAY AREA (EVENT LOG TAB SELECTED)
FIGURE 339: NETWORK DEVICE AGENT EVENT LOG
FIGURE 340: FILTERS DIALOG SHOWING FILTER DATA
FIGURE 341: OPERATOR SELECTION DROPDOWN
FIGURE 342: GROUPED FILTERS
FIGURE 343: FILTERED EVENT LOG DATA
FIGURE 344: FILTERS DIALOG SHOWING SORT DATA
FIGURE 345: FILTERED EVENT LOG DATA
FIGURE 346: OBJECT GROUP CHANGE LOG
FIGURE 347: FILTERS DIALOG SHOWING FILTER DATA
FIGURE 348: OPERATOR SELECTION DROPDOWN
FIGURE 349: GROUPED FILTERS
FIGURE 350: FILTERED EVENT LOG DATA
FIGURE 351: FILTERS DIALOG SHOWING SORT DATA
FIGURE 352: FILTERED EVENT LOG DATA
FIGURE 353: FILE VIEW DIALOG
FIGURE 354: ENTER PRIVATE KEY DIALOG
FIGURE 355: FILE VIEW DIALOG (BINARY)
FIGURE 356: ENTER PRIVATE KEY DIALOG
FIGURE 357: SAVE AS DIALOG
FIGURE 358: ENTER PRIVATE KEY DIALOG
FIGURE 359: FILE COMPARISON RESULTS
FIGURE 360: ENTER PRIVATE KEY DIALOG
FIGURE 361: FILE COMPARISON RESULTS DIALOG TOOLBAR
FIGURE 362: FILE COMPARISON RESULTS DIALOG CHANGES TAB
FIGURE 363: FILE COMPARISON RESULTS
FIGURE 364: ENTER PRIVATE KEY DIALOG
FIGURE 365: FILE COMPARISON RESULTS DIALOG TOOLBAR
FIGURE 366: FILE COMPARISON RESULTS DIALOG CHANGES TAB
FIGURE 367: OBJECT GROUP MONITOR INFO TAB
FIGURE 368: MONITOR INFO STATS DIALOG
FIGURE 369: MONITOR INFO STATUS WINDOW TAB
FIGURE 370: MONITOR INFO DETAILS TAB
FIGURE 371: PENDING REPAIR TAB SHOWING 3 PENDING REPAIRS
FIGURE 372: FILTERS DIALOG SHOWING FILTER DATA
FIGURE 373: OPERATOR SELECTION DROPDOWN
FIGURE 374: GROUPED FILTERS
FIGURE 375: FILTERED PENDING REPAIR DATA
FIGURE 376: FILTERS DIALOG SHOWING SORT DATA
FIGURE 377: FILTERED PENDING REPAIR DATA
FIGURE 378: CHANGES PENDING APPROVAL DIALOG
FIGURE 379: OBJECT GROUP GENERATION TAB
FIGURE 380: ENTER PRIVATE KEY DIALOG
FIGURE 381: FILE VIEW DIALOG (NON-BINARY)
FIGURE 382: FILE VIEW DIALOG (BINARY)
FIGURE 383: ENTER PRIVATE KEY DIALOG
FIGURE 384: FILE TO COMPARE AGAINST DIALOG
FIGURE 385: ENTER PRIVATE KEY DIALOG
FIGURE 386: FILE COMPARISON RESULTS DIALOG
FIGURE 387: FILE COMPARISON RESULTS DIALOG TOOLBAR
FIGURE 388: FILE COMPARISON RESULTS DIALOG CHANGES TAB
FIGURE 389: CONFIRM DEPLOY DIALOG
FIGURE 390: NOTES DIALOG
FIGURE 391: CIMTRAK NOTES TOOLBAR
FIGURE 392: OBJECT GROUP NOTES DIALOG
FIGURE 393: OBJECT GROUP SECURITY PERMISSIONS DIALOG
FIGURE 394: ADD USERS DIALOG
FIGURE 395: EXAMPLE AD/LDAP SERVER SEARCH INFORMATION
FIGURE 396: ADD USERS DIALOG
FIGURE 397: CIMTRAK COMMAND LINE UTILITY COMMANDS AND SYNTAX
FIGURE 398: LOCKING AN OBJECT GROUP FROM THE COMMAND LINE
FIGURE 399: UNLOCKING AN OBJECT GROUP FROM THE COMMAND LINE
FIGURE 400: SHOWING THE STATUS OF AN OBJECT GROUP FROM THE COMMAND LINE
FIGURE 401: SHOWING THE LIST OF OBJECT GROUPS FROM THE COMMAND LINE
FIGURE 402: DEFRAGMENTING THE CIMTRAK DATABASE
FIGURE 403: SYNCING AN OBJECT GROUP FROM THE COMMAND LINE
FIGURE 404: AVAILABLE REPORTS (VARIANCE BY QUANTITY SELECTED)
FIGURE 405: VARIANCE BY QUANTITY PARAMETERS
FIGURE 406: EXAMPLE FTP CONNECTION
FIGURE 407: CIMTRAK PING PARAMETERS AND SYNTAX
FIGURE 408: EXAMPLE CIMTRAK PING STANDARD OUTPUT
FIGURE 409: CIMTRAK PROXY PARAMETERS AND SYNTAX
FIGURE 410: CIMTRAK PROXY TOGGLE PARAMETERS
FIGURE 411: EXAMPLE PROXY CONSOLE OUTPUT
FIGURE 412: AVAILABLE REPORTS DIALOG (MASTER REPOSITORY LEVEL)
FIGURE 413: REPORT PARAMETERS DIALOG
FIGURE 414: SAMPLE CIMTRAK REPORT (PAGE 1 OF 2)
FIGURE 415: SAMPLE CIMTRAK REPORT (PAGE 2 OF 2)
FIGURE 416: FILE REPORT TOOLBAR
FIGURE 417: COMPLIANCES DIALOG
FIGURE 418: REPORT PACKAGES DIALOG

1. Introduction

1.1. DOCUMENTATION PURPOSE AND CONVENTIONS

The purpose of this documentation is to provide user guidance to users and administrators of the CimTrak Integrity & Compliance Suite. Conformance with this guidance documentation is intended to result in deployment and configuration of the CimTrak product consistent with CIMCOR recommended best practices.

This guidance document is comprised of sections detailing the configuration options associated with each CimTrak component. Additional components, not described in this documentation, may also exist in your region. Contact an authorized CimTrak sales representative for more information.

Occasionally additional notes are relevant to the component being described. These notes are indicated by the information symbol.

CIMCOR CIMTRAK INTEGRITY & COMPLIANCE SUITE INTRODUCTION

The CIMCOR CimTrak Integrity & Compliance Suite application provides a flexible file-based security solution that allows Administrators the capability to protect selected files, operating system components, and network device configurations against unauthorized changes from a centralized location within the network. CimTrak immediately identifies the change, determines if it is authorized and then institutes corrective action based on the application configuration. Since CimTrak maintains a master set of protected files, unauthorized changes can immediately be reversed to mitigate malicious activity or human error.

CimTrak is comprised of a multi-component architecture. The primary CimTrak components consist of the Master Repository, Management Console, and File System Agent. Additional (optional) CimTrak components may be attached to the primary configuration to enhance file and configuration monitoring and remediation.

The CimTrak Integrity Suite presents a multifaceted approach to protecting key information system resources and provides comprehensive change control tracking. The application consists of three primary components:

- CimTrak Master Repository
- CimTrak Management Console
- CimTrak File System Agent

Additionally, the CimTrak Integrity Suite has a combination of multiple (optional) components including:

- CimTrak Network Device Agent
- CimTrak Tools

These required and optional components will be discussed in subsequent sections of the documentation.

Additional CimTrak optional components may exist based on your region. Please contact an authorized CimTrak sales representative for details.

CIMTRAK MASTER REPOSITORY

The CimTrak Master Repository component maintains a centralized store of protected files and change history within a centralized server. This store provides an isolated, compressed, and encrypted copy of critical files that allows for restoration in the event of unauthorized change and provides a basis for identifying changes made to protected files and configurations within the network. Additionally, the application supports a rollback capability which allows previous versions of a protected file or configuration to be restored at a later date.

CIMTRAK MANAGEMENT CONSOLE

The CimTrak Integrity Suite includes a Management Console which features a Graphical User Interface (GUI) that allows Administrators the capability to manage and configure the application from a separate Administrator management workstation within the network. The Management Console supports the selection of files and configurations on attached components to lock and configure an action to take in the event a change is detected. The Management Console provides access to a series of reports that detail changes made based on a series of saved baselines stored in the Master Repository. This capability can be used to superimpose changes over the stored baselines to immediately identify what aspects of the locked file were changed. Use of the Management Console is not intended for mobile users.

CIMTRAK FILE SYSTEM AGENT

The CimTrak File System Agent is installed on protected resources within the Operational Environment. The File System Agent provides real-time or poll based monitoring of protected files and configurations and identifies changes made to protected files. When a change is detected, the File System Agent communicates with the CimTrak Master Repository to report change status and (when configured) transfer the master file (Authoritative Copy) from the Master Repository to the File System Agent server to overwrite unauthorized changes. The File System Agent utilizes CimTrak configuration data to determine if the change is allowed based on Administrator policy settings for the subject file or configuration. The File System Agent can then institute one of the following actions on the change:

- Allow the change and log the event,
- Update the master file baseline stored within the Master Repository,
- Disallow the change and immediately overwrite the change with the master file copy from the Master Repository, or
- Prompt the authorized user to either allow or disallow the file change attempt.

Additionally, the CimTrak File System Agent can be configured to allow a combination of remediation settings.

In addition to file change detection and remediation, the File System Agent provides configuration monitoring remediation. [1] Windows file system configuration monitoring includes:

- Read Access monitoring
- Monitoring and remediation of the Windows Registry
- Monitoring of Windows Local User accounts
- Monitoring of Windows Local Groups
- Monitoring of Windows Local Security Policy settings
- Monitoring of Windows Local Services
- Monitoring of Windows Local Device Drivers
- Monitoring of Windows Local Installed Software
- Monitoring of Windows Network Share Settings

[1] Monitoring of the Windows registry allows for remediation when changes are detected. All other configuration monitoring features only provide monitoring capabilities.

1.6. CIMTRAK NETWORK DEVICE AGENT

The CimTrak Network Device Agent component is installed on device monitoring resources within the Operational Environment. The CimTrak Network Device Agent provides real-time (SNMPv3) or poll based (SSHv1, SSHv2, Telnet) monitoring of protected files and identifies changes made to protected files. When a change is detected, the CimTrak File System Agent communicates with the CimTrak Master Repository to report change status and/or transfer the master file (authoritative copy) from the Master Repository to the Agent Network Host server to overwrite unauthorized changes. The CimTrak Network Device Agent utilizes CimTrak configuration data to determine if the change is allowed based on Administrator policy settings for the subject file. The Agent can then institute one of the following actions on the change:

- Allow the change and log the event,
- Update the master file baseline stored within the Master Repository,
- Disallow the change and immediately overwrite the change with the master file copy from the Master Repository, or
- Prompt the authorized user to either allow or disallow the file change attempt.
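The following Python example, added here and not taken from CimTrak, illustrates the poll based detection against a stored baseline and the four change actions described above for the File System Agent and Network Device Agent, plus the rollback to an earlier version. The Repository class, the Action names, the poll and rollback functions and the sample file are hypothetical; the store keeps compressed generations and omits encryption.

```python
import hashlib
import tempfile
import zlib
from enum import Enum
from pathlib import Path


class Action(Enum):
    """The four responses to a detected change listed in the guide."""
    ALLOW_AND_LOG = 1      # allow the change and log the event
    UPDATE_BASELINE = 2    # accept the change as the new master copy
    RESTORE = 3            # overwrite the change with the master copy
    PROMPT = 4             # ask an authorized user to allow or disallow


class Repository:
    """Hypothetical stand-in for a master repository.

    Keeps every accepted version (generation) of a file, zlib-compressed,
    plus an event log. Encryption of the store is omitted in this example.
    """

    def __init__(self):
        self.generations = {}  # Path -> list of compressed contents
        self.events = []       # (file name, outcome) in detection order

    def lock(self, path):
        """Start monitoring: store the current content as generation 0."""
        self.generations[path] = [zlib.compress(path.read_bytes())]

    def add_generation(self, path, data):
        self.generations[path].append(zlib.compress(data))

    def master(self, path, generation=-1):
        """Return the authoritative copy (latest generation by default)."""
        return zlib.decompress(self.generations[path][generation])


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def poll(repo, path, action, approve=None):
    """One polling pass over one locked file; returns the outcome."""
    master = repo.master(path)
    # A deleted file has no content to hash and always counts as a change.
    current = path.read_bytes() if path.exists() else None
    if current is not None and sha256(current) == sha256(master):
        return "unchanged"

    if action is Action.PROMPT:
        # approve is a callable standing in for the user's decision;
        # no answer is treated as "disallow".
        allowed = bool(approve and approve(path))
        action = Action.UPDATE_BASELINE if allowed else Action.RESTORE

    if action is Action.ALLOW_AND_LOG:
        outcome = "allowed"
    elif action is Action.UPDATE_BASELINE and current is not None:
        repo.add_generation(path, current)
        outcome = "baseline-updated"
    else:
        # RESTORE, a denied prompt, or (assumption of this example) a
        # deletion under UPDATE_BASELINE, which has no content to store.
        path.write_bytes(master)
        outcome = "restored"
    repo.events.append((path.name, outcome))
    return outcome


def rollback(repo, path, generation):
    """Redeploy an earlier generation and make it the current baseline."""
    data = repo.master(path, generation)
    path.write_bytes(data)
    repo.add_generation(path, data)
    return data


def demo():
    """Apply each action to the same constructed tampering of one file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "app.conf"  # constructed sample file
        for action in Action:
            path.write_bytes(b"mode=safe\n")
            repo = Repository()
            repo.lock(path)
            before = poll(repo, path, action)
            path.write_bytes(b"mode=tampered\n")  # simulated change
            after = poll(repo, path, action, approve=lambda p: False)
            results[action.name] = (before, after, path.read_bytes(),
                                    len(repo.generations[path]))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Under ALLOW_AND_LOG the baseline is left untouched, so the same deviation is reported again on every later poll until the baseline is updated or the file is restored.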

1.7. CIMTRAK TOOLS

Optional CimTrak applications and command line tools exist that allow CimTrak Administrators to automate common CimTrak procedures. These tools include:

- CimTrak Command Line Utility
- CimTrak FTP Repository Interface
- CimTrak Ping Utility
- CimTrak Proxy Utility

2. Configuration Pre-requisites

2.1. PRE-REQUISITE OVERVIEW

Prior to configuring CimTrak to monitor and remediate critical system files and configurations, it is necessary to install the base CimTrak components. Please refer to the CimTrak Installation Guidance for additional information on installing CimTrak components.

Generally, the CimTrak Master Repository is installed on a dedicated server operating system. The CimTrak Management Console connects remotely to the Master Repository to configure watch policies, view event data, and manage the CimTrak application. File System Agents are deployed on critical servers and workstations that require monitoring and remediation. Network Device Agents are deployed on select servers with a logical network connection to organization network devices. A single deployment may have many Master Repositories, Management Consoles, File System Agents, and Network Device Agents. It is important to note that a single Management Console can manage multiple Master Repositories.

Figure 1: CimTrak Architecture

Once all components are installed and communication between the components is established, it is necessary to configure the CimTrak Management Console to operate with your CimTrak Master Repository.

3. Configuring and Using the CimTrak Management Console

3.1. STARTING THE CIMTRAK MANAGEMENT CONSOLE

The CimTrak Management Console application is launched by double clicking its associated icon located on the Windows Desktop or in the Windows Start Menu.

Figure 2: CimTrak Management Console Icon

The CimTrak Management Console is launched from the Windows Start Menu by clicking:

Start > All Programs > Cimcor, Inc. > CimTrak > CimTrak Management Console

The CimTrak Management Console will display an informative splash screen indicating the version number and supported operating systems.

Figure 3: CimTrak Management Console Splash Screen

The CimTrak Management Console splash screen displays for 10 seconds before starting the Management Console Application. This 10 second timeout can be eliminated by clicking once on the splash screen.

After several seconds the CimTrak Management Console will appear on the screen.

ASSOCIATING THE MANAGEMENT CONSOLE WITH A MASTER REPOSITORY

Please note that the CimTrak Management Console must be associated with a CimTrak Master Repository before any configurations and process review may occur.

Figure 4: CimTrak Management Console (No Connections)

Adding a connection to a CimTrak Master Repository is accomplished by clicking the following on the Management Console Menu Bar:

File > Attach to Repository

Optionally, a new Master Repository connection can be created by clicking the New button or New context button located on the Management Console Menu Bar.

Figure 5: CimTrak Management Console "New" buttons (outlined in red)

The Connect to CimTrak Repository dialog will appear. It is necessary to populate the CimTrak Repository text box with the IPv4, IPv6, or Fully Qualified Domain Name associated with the CimTrak Master Repository. Additionally, it is necessary to populate the Port text box with the TCP Port associated with the Master Repository. After entering the associated Master Repository information click Continue. Clicking Cancel will abort the connection process.

Figure 6: Connect to CimTrak Repository dialog

The Default Port number is

NEGOTIATING A MASTER REPOSITORY COMMUNICATION CERTIFICATE

The first time a connection is initiated with the Master Repository a communication certificate must be negotiated. Clicking Continue on the No Valid Certificate for Repository dialog will automatically negotiate and save this communication certificate. Clicking Abort will cancel the certificate negotiation and abort the connection process. Clicking Continue will cause the Connect to CimTrak Repository dialog to appear.

Saving the communication certificate requires the launching user to have administrative privileges. Windows users with lesser privileges or restricted by user access control may need to run the Management Console with administrative privileges to save the communication certificate.

AUTHENTICATING WITH THE MASTER REPOSITORY VIA THE MANAGEMENT CONSOLE

From the Management Console, right clicking on a Master Repository Name or IP Address and clicking Connect will cause the Connect to CimTrak Repository dialog to appear. Additionally, the connection dialog can be initiated by clicking the Connect button on the CimTrak Management Console Menu Bar.

Figure 7: CimTrak Management Console "Connect" button (outlined in red)

Ensure the CimTrak Master Repository IP Address and Port number are the intended target. For a local (non-AD/LDAP) account, select Local Logon, enter your CimTrak user credentials in the associated Username and Password text boxes, and then click Connect. Click Cancel to abort the connection process.

Figure 8: Connect to CimTrak Repository dialog

If connecting using an AD/LDAP account, select the appropriate domain name, enter your user credentials and password, and then click Connect. Click Cancel to abort the connection process. The username must be entered in the following format:

The Domain section of the Connect to CimTrak Repository dialog will only display when the Master Repository has been configured to authenticate with an AD/LDAP server. See section for more information on configuring AD/LDAP.

Entering recognized username and password credentials will result in an authenticated connection with the CimTrak Master Repository.

Figure 9: Authenticated CimTrak Management Console

3.4. NAVIGATING THE CIMTRAK MANAGEMENT CONSOLE

The CimTrak Management Console graphical interface is comprised of four primary sections:

1. System Menu
2. Toolbar
3. Object Group Tree
4. Information Display Area

Figure 10: CimTrak Management Console Sections

Each primary section has specific uses or functions in configuring, maintaining and reviewing the functionality of the CimTrak Integrity and Compliance Suite.

UNDERSTANDING THE MANAGEMENT CONSOLE SYSTEM MENU

The System Menu allows authorized CimTrak users to perform various management functions within the software suite.

Figure 11: CimTrak System Menu

The functionality associated with each System Menu option is as follows. Please note that the functionality associated with the System Menu option is dependent on the CimTrak Master Repository selected in the Object Group Tree. Selecting a CimTrak Master Repository is accomplished by clicking on the Master Repository Node name or IP Address in the Object Group Tree.

Figure 12: Example Master Repository Node

File
- Attach to Repository: Connect the CimTrak Management Console to a CimTrak Master Repository. Information concerning connecting to CimTrak Master Repositories is explained in section 3.2.
- Exit: Exit the CimTrak Management Console and automatically log out of any connected CimTrak Master Repositories.

Edit
- Delete: Delete the selected Object Group Tree component.

View
- Changes Pending Approval: View outstanding object group changes that require administrative attention. Discussed in section
- Refresh: Refresh the information displayed in all sections of the CimTrak Management Console.
- Templates: Delete, Import, and Export CimTrak Templates. Templates are explained in section 4.7.
- Find: Find criteria listed in the Object Group Tree.

Reports
- View Reports: Run CimTrak Reports at a Master Repository Level. Discussed in section 11.
- Upload Reports: Upload additional or custom CimTrak Reports. Discussed in section
- Report Packages: Upload CimTrak Report Packages. Discussed in section

Options
- Users: Open the Users Dialog to add, delete, and modify user accounts associated with the selected CimTrak Master Repository. Working with CimTrak User accounts is described in section 4.3.
- Change Password: Change the password associated with the currently authenticated CimTrak User Account associated with the selected CimTrak Master Repository. Changing passwords is described in section
- Language File: Select the language used by the CimTrak Management Console. Changing the user language is described in section
- Preferences: Modify Management Console functionality associated with the authenticated CimTrak User Account associated with the selected CimTrak Master Repository. Managing preferences is described in section

Help
- About: Display CimTrak legal notices, system information, and version information. The About dialog is described in section

UNDERSTANDING THE MANAGEMENT CONSOLE TOOLBAR

The Toolbar allows authorized CimTrak users to perform various management functions within the software suite.

Figure 13: CimTrak Toolbar

The functionality associated with each Toolbar option is as follows. Please note that the functionality associated with the Toolbar option is dependent on the Object Group Tree Component selected in the Object Group Tree.

- New: Connect the CimTrak Management Console to a CimTrak Master Repository. Information concerning connecting to CimTrak Master Repositories is explained in section 3.2.
- New: Connect the CimTrak Management Console to a CimTrak Master Repository explained in section 3.2, create a new CimTrak Object Group Tree Area explained in section 4.6.1, or create a New CimTrak Document Control explained in section 4.4.
- Connect: Authenticate with the selected CimTrak Master Repository.
- Log Off: Log out and disconnect the authenticated CimTrak Management Console.
- Refresh: Refresh the information displayed in all sections of the CimTrak Management Console.
- Lock All: Lock and enable monitoring of the selected Object Group Tree Component.
- Unlock All: Unlock and disable monitoring of the selected Object Group Tree Component.
- Force Sync on All: Synchronize monitored object node data with the Master Repository.
- Cancel all Locks: Immediately stop and discontinue an initiated action associated with a selected Object Group Tree Component.
- Rename: Rename the selected Object Group Tree Component.
- Delete: Delete the selected Object Group Tree component.
- Permissions: Modify access and notification permissions associated with the selected Object Group Tree Component. Discussed in section 4.5.
- Properties: Modify the properties associated with the selected Object Group Tree Component.
- Exit: Exit the CimTrak Management Console and automatically log out of any connected CimTrak Master Repositories.

UNDERSTANDING THE MANAGEMENT CONSOLE OBJECT GROUP TREE

The Object Group tree is a hierarchical view of all CimTrak Master Repositories, associated nodes, and Object Group policies. Data contained in the Object Group Tree can be expanded or collapsed by clicking the corresponding + or - symbol.

Figure 14: Object Group Tree Showing Master Repository and Associated CimTrak Agents

Each Object Group Component existing in the Object Group tree has an associated right-click context menu. The associated context menu content changes dynamically with the Object Group Component type. The different context menus will be discussed in the sections corresponding with each Object Group Component type.

UNDERSTANDING THE MANAGEMENT CONSOLE INFORMATION DISPLAY AREA

The Information Display Area displays information for the selected CimTrak Object Group Component. The information displayed is often broken up into several tabbed viewing areas. The available tab viewing areas, content, and capabilities vary depending on the Object Group Component type selected. The capabilities of this section will be explained in the sections corresponding with each Object Group Component type.

Figure 15: CimTrak Management Console Information Display Area (Master Repository Level)

3.5. CIMTRAK MANAGEMENT CONSOLE SYSTEM MENU: HELP

The CimTrak Management Console System Menu Help option provides valuable information relating to the CimTrak deployment. Available options contained in the Help option include:

- About

The CimTrak Help menu can be accessed by clicking Help on the CimTrak Management Console System Menu. Details associated with these available options are discussed in section

ABOUT CIMTRAK

The CimTrak About dialog provides information relating to CimTrak legal notices, system information, and version information. The information displayed in this dialog is dependent on the deployed version of CimTrak and the system containing the CimTrak Management Console. The CimTrak About dialog can be accessed by clicking Help > About on the CimTrak Management Console System Menu.

Figure 16: CimTrak About dialog

The About dialog has three buttons:

- OK: Used to exit the About dialog.
- System Info: Microsoft Windows System Information dialog displaying information about the operating system containing the CimTrak Management Console.
- Legal Notice: Information dialog displaying the CimTrak Integrity and Compliance Suite End User License Agreement.

SYSTEM INFORMATION

System Information (also known as msinfo32.exe) shows details about the Management Console computer's hardware configuration, computer components, software, and drivers. System Information can be accessed by clicking Help > About on the CimTrak Management Console System Menu followed by clicking the System Info button on the CimTrak About dialog.

Figure 17: System Information dialog

The System Information dialog lists categories in the left pane and details about each category in the right pane. The categories include:

- System Information: Displays general information about the Management Console computer's operating system such as the computer name and manufacturer, the type of basic input/output system (BIOS) the system uses, and the amount of memory that is installed.
- Hardware Resources: Displays advanced details about the Management Console computer's hardware and is intended for IT professionals.
- Components: Displays information about the Management Console computer's disk drivers, sound devices, modems, and other installed components.
- Software Environment: Displays information about the Management Console computer's drivers, network connections, and other program-related details.

To find a specific detail in System Information, type the information you are looking for in the Find what box at the bottom of the window. For example, to find the Management Console computer's Internet protocol (IP) address, type ip address in the Find what box, and then click Find.

For additional information on the System Information dialog and Microsoft system diagnostics go to the Microsoft Website for IT Professionals located online at:

Clicking File > Exit on the System Information dialog Menu bar will exit the System Information dialog.

LEGAL NOTICES

Information relating to CimTrak Legal Notices and the End User License Agreement can be accessed by clicking Help > About on the CimTrak Management Console System Menu followed by clicking the Legal Notices button on the CimTrak About dialog.

Figure 18: CimTrak End User License Agreement

Clicking OK exits the License dialog.

4. Configuring and Using the CimTrak Master Repository

4.1. MANAGING THE MASTER REPOSITORY FROM THE MANAGEMENT CONSOLE

Management of the Master Repository requires that the Management Console is associated with the Master Repository and that a valid user account has been authenticated. For more information on associating the Management Console with the Master Repository please refer to section 3.2. For more information on authenticating with the Master Repository please refer to section 3.3.

Once authenticated with the Master Repository, multiple configuration, customization, and reporting options are available through the Management Console.

MASTER REPOSITORY PROPERTIES

The Master Repository Properties dialog allows authorized CimTrak users to perform administrative tasks relating to CimTrak internal and external logging, Master Repository connections and data storage, CimTrak Password Policies, data communication and storage settings, Logon Banner, and Active Directory/LDAP authentication.

Accessing the CimTrak Master Repository Properties dialog is accomplished by one of two methods: Method 1 or Method 2.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

The CimTrak Master Repository Properties dialog is broken down into multiple tabs. Changing between tabs is accomplished by clicking the desired tab. Available tabs include:

- Logging
- Repository Settings
- Password Policies
- Communication
- Logon Banner
- AD/LDAP

The functionality associated with these tabs is explained in subsequent sections.

Figure 19: CimTrak Master Repository Properties

CONFIGURING LOGGING OPTIONS

The CimTrak Integrity and Compliance Suite has various external and internal logging settings that can be customized to meet organization log retention requirements.

Accessing the CimTrak Master Repository Properties Logging dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods, Method 1 or Method 2, and then clicking the Logging tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

Figure 20: CimTrak Master Repository Logging dialog

The CimTrak Master Repository Properties Logging dialog allows for the configuration of forwarding logging output to various external security information and event management systems (SIEM) and system information management systems (SIM). Additionally, logging can be forwarded to a single SMTP server for notification via electronic mail. The Logging Properties dialog is comprised of the following sections:

External Reporting
- SMTP: configuration settings
- NitroSecurity NPP: NitroSecurity NitroView Plugin Protocol settings
- SNMP: Simple Network Management Protocol (SNMP) Manager settings
- Syslog: Syslog aggregation server settings
- WebTrends: Enable WebTrends logging format output

Optionally, CimTrak can be configured to purge WebTrends log files after a user-specified number of days.

Internal Reporting
- Repository Events to Keep: Number of CimTrak events (days or quantity) to maintain in the CimTrak Master Repository Event Log.
- Log Administrative DB Changes: Enable logging of CimTrak administrative tasks by authorized users.

Logging of Administrative DB Changes is automatically enabled in the FIPS release of CimTrak and cannot be disabled. The Enterprise and International releases of CimTrak have the option to disable this setting.

CONFIGURING SMTP NOTIFICATIONS

CimTrak has the capability to export CimTrak-related event notifications over SMTP. SMTP, Simple Mail Transfer Protocol, is a standardized specification for transmission of electronic mail over Internet Protocol enabled networks. Configuring CimTrak to send electronic mail involves configuring several authentication and communication settings associated with the facilitating electronic mail server. This configuration is accomplished through the CimTrak Master Repository Properties Logging dialog.

CimTrak External Logging properties may have been configured during the initial installation of the CimTrak Master Repository.

Accessing the CimTrak Master Repository Properties Logging dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods, Method 1 or Method 2, and then clicking the Logging tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

SMTP settings require that the following text boxes be populated with information relating to the electronic mail server CimTrak will interact with to send messages. The associated text boxes include:

- Server IP: IPv4, IPv6, or fully qualified domain name associated with the sending server.
- Port: Port number associated with the sending server.
- Username: Username associated with the server who has permission to send electronic mail.
- Password: Password for the username associated with the server who has permission to send electronic mail.
- Display Name: From Name that will appear in the electronic mail message. This name does not need to be a valid account on the electronic mail server.
- From Address: From Address that will appear in the electronic mail message. This name does not need to be a valid account on the electronic mail server.
- Interval: Interval (in minutes) to send messages. Since it is likely multiple CimTrak events can occur over a short period of time it is necessary to group notifications into a single message sent at a user-specified interval.
- Require TLS: Enable transport layer security (TLS) for all communications.

Once all SMTP settings have been populated it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

In order for CimTrak to send messages three settings must be configured within CimTrak:

- The Master Repository Properties must have SMTP settings configured (this section).
- A CimTrak User's profile must contain an address since alerts are sent to this address. Messages can be sent to multiple users.
- CimTrak Object Group Tree Components must have their permissions configured to send alerts when changes are detected.

Additional alert settings are discussed in subsequent sections.

The default port associated with SMTP transmissions is

CONFIGURING NITROSECURITY NPP LOGGING

CimTrak has the capability to export CimTrak-related event notifications over the NitroSecurity Plugin Protocol to NitroSecurity NitroView. Configuring CimTrak to send NPP logs involves configuring several authentication and communication settings associated with facilitating log transmission. This configuration is accomplished through the CimTrak Master Repository Properties Logging dialog.

CimTrak External Logging properties may have been configured during the initial installation of the CimTrak Master Repository.

Accessing the CimTrak Master Repository Properties Logging dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods, Method 1 or Method 2, and then clicking the Logging tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

NitroSecurity NPP settings require that the following text boxes be populated with information relating to the NitroSecurity NitroView system CimTrak will interact with. The associated text boxes include:

- Server IP: IP Address associated with the NitroSecurity NitroView system.
- Port: Port number associated with NPP transmissions for the NitroSecurity NitroView system.
- Require TLS: Require encrypted NPP transmissions to the NitroSecurity NitroView system.

Once all NitroSecurity NPP settings have been populated it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

CONFIGURING SNMP LOGGING

CimTrak has the capability to export CimTrak-related event notifications to Simple Network Management Protocol (SNMP) managers. Configuring CimTrak to send SNMP logs involves configuring several authentication and communication settings associated with facilitating log transmission. This configuration is accomplished through the CimTrak Master Repository Properties Logging dialog.

CimTrak External Logging properties may have been configured during the initial installation of the CimTrak Master Repository.

Accessing the CimTrak Master Repository Properties Logging dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods, Method 1 or Method 2, and then clicking the Logging tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

SNMP settings require the following text boxes to be populated with information relating to the SNMP manager CimTrak will interact with. The associated text boxes include:
- Server IP: IP Address associated with the SNMP manager.
- Port: Port number associated with the SNMP manager.
- Community: Community name associated with the SNMP manager.

Once all SNMP settings have been populated it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

The default port associated with SNMP transmissions is

CONFIGURING SYSLOG LOGGING

CimTrak has the capability to export CimTrak-related event notifications to Syslog servers. Configuring CimTrak to send Syslog events involves configuring several authentication and communication settings associated with facilitating log transmission. This configuration is accomplished through the CimTrak Master Repository Properties Logging dialog.

CimTrak External Logging properties may have been configured during the initial installation of the CimTrak Master Repository.

Accessing the CimTrak Master Repository Properties Logging dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Logging tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

Syslog settings require the following text boxes to be populated with information relating to the Syslog server CimTrak will interact with. The associated text boxes include:
- Server IP: IP Address associated with the Syslog server.
- Port: Port number associated with the Syslog manager.
- Protocol: Transmission protocol (TCP or UDP) used to send the Syslog events to the Syslog manager.

Once all Syslog settings have been populated it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

The default port associated with Syslog transmissions is 514. Generally, Syslog communications are facilitated via UDP.

CONFIGURING WEBTRENDS LOGGING

CimTrak has the capability to save CimTrak-related event notifications to the WebTrends logging format. Configuring CimTrak to save WebTrends events is accomplished through the CimTrak Master Repository Properties Logging dialog.

CimTrak External Logging properties may have been configured during the initial installation of the CimTrak Master Repository.

Accessing the CimTrak Master Repository Properties Logging dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Logging tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

WebTrends logging is enabled by clicking the Enable Logging to File (WebTrends) checkbox. Optionally, WebTrends log files can be purged from the system after the user specified number of days.

By default, WebTrends files are stored in the C:\Program Files\Cimcor\CimTrak\CimTrakServer\WTLogs folder on the system containing the CimTrak Master Repository.

Once all WebTrends settings have been populated it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

CONFIGURING MASTER REPOSITORY SETTINGS

The CimTrak Integrity and Compliance Suite has various connectivity and Master Repository health settings that can be customized to meet organization security requirements. These settings are accomplished through the Master Repository Properties Repository Settings dialog.

Accessing the CimTrak Master Repository Properties Repository Settings dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Repository Settings tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

Figure 21: CimTrak Master Repository Repository Settings dialog

The CimTrak Master Repository Properties Repository Settings dialog allows for the configuration of the Master Repository name, Management Console timeout interval, Master Repository storage drive space monitoring, and Master Repository access restrictions. The Repository Settings dialog is comprised of the following sections:
- Name: Master Repository Name
- Management Console disconnect timeout: Management console idle timeout
- Warn if storage drops below: Master Repository disk space monitoring. An Event Log warning (and optionally external notification) will be sent if the Master Repository disk space falls below the specified threshold.
- By Default, All Computers Will Be Granted/Denied Access: Network access restrictions for connections to the Master Repository

CONFIGURING THE MASTER REPOSITORY NAME

Setting the CimTrak Master Repository name is helpful for uniquely identifying a particular Master Repository in Event Logs and reporting. Setting the Master Repository name is achieved by modifying the Name text box located in the Master Repository Properties Repository Settings dialog.

Accessing the CimTrak Master Repository Properties Repository Settings dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Repository Settings tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

The Master Repository name can be 50 characters/digits or less. By default, the Master Repository name is automatically populated with the host computer's system name.

Once the Master Repository name has been populated it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

CONFIGURING THE MANAGEMENT CONSOLE DISCONNECT TIMEOUT

The CimTrak Master Repository can be configured to automatically disconnect an idle Management Console connection after a user-specified period of time. Setting a timeout period is essential in ensuring that a connected, inactive Management Console session is not assumed by another user. Setting the Management Console timeout is achieved by modifying the Management Console Disconnect Timeout properties located in the Master Repository Properties Repository Settings dialog.

Accessing the CimTrak Master Repository Properties Repository Settings dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Repository Settings tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

The Management Console timeout can be configured for any value between 2 minutes and 10,000 minutes. By default, the Management Console timeout is set to 5 minutes.

Once the Management Console timeout is configured it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

CONFIGURING THE MASTER REPOSITORY DISK SPACE MONITOR

The disk space utilized by the CimTrak Master Repository storage location can be monitored for space exhaustion. Monitoring for space exhaustion is essential for maintaining a healthy, functional CimTrak Master Repository. Setting the Master Repository disk space monitor is achieved by modifying the Warn if Storage Drops Below properties located in the Master Repository Properties Repository Settings dialog.

Accessing the CimTrak Master Repository Properties Repository Settings dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Repository Settings tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

The Warn if Storage Drops Below properties can be configured for any value between 0% and 100%. By default, the Master Repository Disk Space Monitor is disabled.

Once the Master Repository disk space monitor is configured it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

CONFIGURING THE MASTER REPOSITORY ACCESS RESTRICTIONS

The CimTrak Master Repository has the capability to allow or deny connectivity by CimTrak Management Consoles and connecting Agents. Restricting access to the Master Repository adds an additional layer of security to the Master Repository resulting in additional confidentiality, availability, and integrity of the CimTrak Integrity and Compliance Suite. Setting the Master Repository access restrictions is achieved by modifying the By Default, all Computers will be Granted/Denied Access properties located in the Master Repository Properties Repository Settings dialog.

Accessing the CimTrak Master Repository Properties Repository Settings dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Repository Settings tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

Allowing or restricting access to the Master Repository is accomplished by selecting either the Granted Access or Denied Access radio buttons and then populating the Except Those Listed Below properties. For example, if an IP address of and Subnet Mask of are specified, all x IP addresses will be Granted/Denied. In order to Grant/Deny specific IP addresses, the Subnet Mask should be set as

Please note that IPv4 and IPv6 IP addresses are valid.

By default, all IP addresses are allowed access to the Master Repository.
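The default-plus-exceptions rule described above can be checked offline before a restrictive setting is applied. The Python below is an added example, not CimTrak code: it models "Granted/Denied Access, Except Those Listed Below" and reports which hosts that must keep access (consoles, Agents) would be refused. The function names, the sample addresses and masks, the prefix-length form for IPv6 entries and the handling of IPv4-mapped addresses are assumptions.

```python
import ipaddress


def parse_exception(address, mask):
    """Build a network from an IP address and a subnet mask or prefix length.

    IPv4 accepts a dotted mask ("255.255.255.0") or a prefix length ("24");
    IPv6 accepts a prefix length only (assumed form for IPv6 entries).
    strict=False tolerates host bits set in the address field.
    A non-contiguous mask such as 255.0.255.0 raises ValueError.
    """
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def is_granted(client_ip, default_granted, exceptions):
    """Return True if client_ip may connect under a default-plus-exceptions rule."""
    ip = ipaddress.ip_address(client_ip)
    # Assumption: a dual-stack listener may report an IPv4 peer as ::ffff:a.b.c.d,
    # so compare it against the IPv4 entries rather than the IPv6 ones.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    listed = any(ip.version == net.version and ip in net for net in exceptions)
    # An address on the exception list gets the opposite of the default.
    return default_granted != listed


def locked_out(default_granted, exceptions, required_hosts):
    """List the hosts that must keep access but would be refused."""
    return [host for host in required_hosts
            if not is_granted(host, default_granted, exceptions)]


# Constructed sample data (documentation address ranges, not values from the guide).
EXCEPTIONS = [
    parse_exception("192.0.2.0", "255.255.255.0"),       # a whole IPv4 subnet
    parse_exception("198.51.100.7", "255.255.255.255"),  # a single IPv4 host
    parse_exception("2001:db8:1::", "48"),               # an IPv6 prefix
]
REQUIRED = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "2001:db8:1::20"]

if __name__ == "__main__":
    # Default "Denied Access": only the listed addresses may connect.
    print("would be locked out:", locked_out(False, EXCEPTIONS, REQUIRED))
```

Running the same check with the default flipped shows the inverse case, where the listed networks are the ones refused.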

Once the Master Repository access restrictions are configured it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

CONFIGURING THE MASTER REPOSITORY PASSWORD POLICIES

The CimTrak Master Repository has the capability to enforce password complexity requirements for CimTrak user account passwords. Password complexity requirements settings allow authorized CimTrak administrators the capability to configure CimTrak to require password complexities meeting organizational requirements.

Figure 22: CimTrak Password Policies Dialog

Accessing the CimTrak Master Repository Properties Password Policies dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Password Policies tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

CimTrak has the capability to enforce four primary password complexity categories. Enforcing password complexity requirements is accomplished by selecting the applicable password complexity requirement:

- None: No password complexity requirements are enforced.

- Advanced Password Policy (AR 25-2 Compliant) User-entered Password: Meeting or exceeding user-generated password complexity requirements prescribed by United States Army Information Assurance Regulation 25-2.
  - Require 2 lower case, 2 upper case, 2 numbers, and 2 special characters
  - Check against password dictionary
  - Require minimum password length of 10 alpha-numeric characters/symbols
  - Passwords expire after 30 days
  - Prevent use of the last 10 passwords
  - Lock out the account after 3 logon failures
  - Locked out accounts are indefinite (until unlocked by an authorized CimTrak administrator).

- Advanced Password Policy (AR 25-2 Compliant) Randomly-generated password: Meeting or exceeding password complexity requirements prescribed by United States Army Information Assurance Regulation 25-2. Passwords are randomly generated.
  - Require 2 lower case, 2 upper case, 2 numbers, and 2 special characters
  - Random Password Generation
  - Check against password dictionary
  - Require minimum password length of 10 alpha-numeric characters/symbols
  - Passwords expire after 30 days
  - Prevent use of the last 10 passwords
  - Lock out the account after 3 logon failures
  - Locked out accounts are indefinite (until unlocked by an authorized CimTrak administrator).

- Custom: Allows for the configuration of custom password policies. Complexity options available for the custom setting include:
  - Require 2 lower case, 2 upper case, 2 numbers, and 2 special characters
  - Random Password Generation
  - Check against password dictionary
  - Require minimum password length of alpha-numeric characters/symbols (Minimum = 0, Maximum = 50)
  - Passwords expire after # days (Never = 0, Minimum = 1, Maximum = 365)
  - Prevent use of the last ## passwords (Minimum = 0, Maximum = 30)
  - Lock out the account after ## logon failures (Never = 0, Minimum = 1, Maximum = 10)
  - Locked out accounts for ## minutes (0 = Indefinite until unlocked by an authorized CimTrak administrator, Minimum = 1, Maximum = 4320)

Once the Master Repository Password Policies are configured it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

CONFIGURING THE MASTER REPOSITORY COMMUNICATION SETTINGS

The CimTrak Master Repository communication encryption settings can be changed for any data communications directed to or from the CimTrak Master Repository. It is important to have the capability to change encryption settings in the event a used communication cipher/encryption type has been publicly compromised.

Figure 23: CimTrak Master Repository Communication Settings

Accessing the CimTrak Master Repository Properties Communication dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Communication tab.

Encryption settings for data stored in the Master Repository cannot be changed after installation.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

To select the communication settings for all data-in-transit communications to/from the CimTrak Master Repository, select the appropriate cipher string from the Communication Settings dropdown. Available cipher strings are dependent on the CimTrak release type. Available cipher strings are outlined in the Installation Documentation.

Changes to the Master Repository communication settings will not be reflected until all entities connected to the Master Repository reconnect.

Once the Master Repository Communication Settings are configured it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

CONFIGURING THE MASTER REPOSITORY LOGON BANNER

The CimTrak Master Repository supports logon banners. Logon banners are used to inform connecting users of any restrictions, policies, or disclaimers relating to the use of an application. The logon banner is displayed whenever any user interface attaches to the Master Repository. The user must accept the logon banner before using the application.

Figure 24: CimTrak Logon Banner Dialog
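Returning to the Advanced Password Policy (AR 25-2 Compliant) options listed under CONFIGURING THE MASTER REPOSITORY PASSWORD POLICIES: the Python below is an added example, not CimTrak code, that checks a candidate password against the complexity, dictionary and history values listed there and generates a random password that passes. The names, the case-insensitive substring dictionary match and the salted PBKDF2 history records are assumptions; the guide does not describe how the product implements these checks.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

CLASSES = {
    "lower case": string.ascii_lowercase,
    "upper case": string.ascii_uppercase,
    "numeric": string.digits,
    "special": string.punctuation,
}


@dataclass(frozen=True)
class Policy:
    """Values of the AR 25-2 presets as listed in the guide."""
    min_length: int = 10
    per_class: int = 2   # required count for each of the four classes
    history: int = 10    # previous passwords that may not be reused (0 = off)


def remember(password, iterations=100_000):
    """Return a salted PBKDF2 record so the history never holds plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def _matches(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def violations(password, policy, dictionary=(), history=()):
    """Return every rule the candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for name, alphabet in CLASSES.items():
        if sum(c in alphabet for c in password) < policy.per_class:
            problems.append(f"fewer than {policy.per_class} {name} characters")
    lowered = password.lower()
    # Assumed matching rule: any dictionary word appearing inside the password.
    if any(word and word.lower() in lowered for word in dictionary):
        problems.append("contains a dictionary word")
    # history[-0:] would return the whole list, so 0 is handled explicitly.
    recent = list(history)[-policy.history:] if policy.history else []
    if any(_matches(password, record) for record in recent):
        problems.append(f"matches one of the last {policy.history} passwords")
    return problems


def generate(policy, dictionary=()):
    """Randomly generate a password that satisfies the policy."""
    length = max(policy.min_length, policy.per_class * len(CLASSES))
    everything = "".join(CLASSES.values())
    rng = secrets.SystemRandom()
    while True:
        # Guarantee the per-class minimums, fill the rest, then shuffle.
        chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()
                 for _ in range(policy.per_class)]
        chars += [secrets.choice(everything) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not violations(candidate, policy, dictionary):
            return candidate


if __name__ == "__main__":
    policy = Policy()
    print(violations("Password1!", policy, dictionary=["password"]))
    print(generate(policy, dictionary=["password"]))
```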

Accessing the CimTrak Master Repository logon banner dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the Logon Banner tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

Figure 25: CimTrak Logon Banner

To enter a logon banner, type the desired information in the provided text box. To disable the logon banner, delete all contents of the logon banner text box.

Right-clicking anywhere in the logon banner text box provides additional text editing functionality for additional logon banner customization. Additional functionality includes:
- Undo
- Cut
- Copy
- Paste
- Delete
- Select All
- Right to left Reading order
- Show Unicode control characters
- Insert Unicode control character
  - LRM: Left-to-right mark
  - RLM: Right-to-left mark
  - ZWJ: Zero width joiner
  - ZWNJ: Zero width non-joiner
  - LRE: Start of left-to-right embedding
  - RLE: Start of right-to-left embedding
  - LRO: Start of left-to-right override
  - RLO: Start of right-to-left override
  - PDF: Pop directional formatting
  - NADS: National digit shapes substitution
  - NODS: Nominal (European) digit shapes
  - ASS: Active symmetric swapping
  - ISS: Inhibit symmetric swapping
  - AAFS: Active Arabic form shaping
  - IAFS: Inhibit Arabic form shaping
  - RS: Record Separator (Block separator)
  - US: Unit Separator (Segment separator)
- Close IME
- Reconversion

The Logon Banner accepts between 0 and 3,999 alphanumeric/symbol characters.

Once the Master Repository Logon Banner Settings are configured it is necessary to click OK to accept the settings. Clicking Cancel will abort the changes.

CONFIGURING ACTIVE DIRECTORY/LDAP USER ACCOUNT INTEGRATION

CimTrak supports local user accounts and Active Directory/LDAP integrated user accounts. Using Active Directory/LDAP user accounts simplifies the administrative task of adding additional user accounts to the CimTrak Master Repository. Active Directory/LDAP integration allows the CimTrak Master Repository to authenticate and authorize users directly with the Active Directory/LDAP Server. Additionally, using Active Directory/LDAP integration helps maintain a consistent password policy, facilitates single sign-on, and enables the use of CAC cards for authentication and authorization.

Unlike the other tabs in the CimTrak Master Repository Properties dialog, all changes made in the AD/LDAP tab are updated in the Master Repository automatically. For this reason the Cancel button is not available once the AD/LDAP tab is selected.

The computer hosting the Master Repository does not need to be a member of the domain before the Master Repository connects to the AD/LDAP server. The Master Repository must have full communication with the domain server.

Figure 26: AD/LDAP Properties Dialog

Accessing the CimTrak Master Repository AD/LDAP dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the AD/LDAP tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

The AD/LDAP dialog is broken into two sections:
- Configure AD/LDAP Hosts
- Configure AD/LDAP Users

The Configure AD/LDAP Hosts section displays all Active Directory/LDAP hosts the CimTrak Master Repository is currently authenticated with. Selecting the AD/LDAP host will populate the Configure AD/LDAP Users section with all added user accounts.

ADDING/EDITING/DELETING ACTIVE DIRECTORY/LDAP HOSTS

Adding Active Directory/LDAP hosts is accomplished through the Master Repository properties AD/LDAP dialog.

Accessing the CimTrak Master Repository Properties AD/LDAP dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the AD/LDAP tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

Adding an AD/LDAP host is accomplished by clicking the Add button located in the Configure AD/LDAP Hosts section of the AD/LDAP dialog. The AD/LDAP Hosts dialog will appear.

Figure 27: AD/LDAP Hosts

Populate the Host Name/IP Address, Port number, SSL requirements, Username, and Password associated with the AD/LDAP host. Click OK when completed. Clicking Cancel will abort the host configuration process.

Invalid settings or communication errors are indicated with a CimTrak Management Console alert dialog.

Figure 28: CimTrak Management Console Alert dialog

Successful authentication with the AD/LDAP host will be indicated by the Host Name/IP, Port, Domain, and Use SSL columns being populated in the Configure AD/LDAP Hosts section of the AD/LDAP dialog. It is possible to add additional AD/LDAP Hosts by repeating the processes in this section.

Once the Master Repository Logon Banner Settings are configured it is necessary to configure AD/LDAP users before continuing.

Deleting AD/LDAP Hosts is accomplished by selecting the Host Name/IP associated with the AD/LDAP host in the Configure AD/LDAP Hosts section and then clicking the Remove button.

Editing AD/LDAP Hosts is accomplished by selecting the Host Name/IP associated with the AD/LDAP host in the Configure AD/LDAP Hosts section and then clicking the Edit button.

ADDING/DELETING ACTIVE DIRECTORY/LDAP USERS

Adding Active Directory/LDAP Users is accomplished through the Master Repository properties AD/LDAP dialog.

Prior to adding AD/LDAP users the AD/LDAP host associated with the user accounts must be added to the AD/LDAP Hosts list. See section for more details.

Accessing the CimTrak Master Repository Properties AD/LDAP dialog is accomplished by first opening the Master Repository Properties dialog using one of two methods: Method 1 or Method 2 and then clicking the AD/LDAP tab.

Method 1: Right click on the Master Repository Name/IP Address in the Object Group tree and then select Properties.

Method 2: Click on the Master Repository Name/IP Address in the Object Group tree. While the Master Repository Name/IP Address is selected, click the Properties button on the CimTrak Toolbar.

Adding AD/LDAP users is accomplished by first clicking the AD/LDAP Host located in the Configure AD/LDAP Hosts section and then clicking the Add button located in the Configure AD/LDAP Users section of the AD/LDAP dialog. The Search AD/LDAP Server dialog will appear.

Figure 29: Search AD/LDAP Server dialog

Select the domain to add the user(s)/group(s) from by clicking the Domain drop down.

If the user(s) intended for addition belong to a specific domain group, enter the appropriate domain group information in the Member of Group (optional) textbox.

Select the Search Groups checkbox to indicate that only domain groups should be searched. Select the Search Users checkbox to indicate that only domain users should be searched. Select both the Search Groups and Search Users checkboxes to indicate that both domain groups and domain users should be searched.

The Search String(s) textbox provides a space for entering the users or groups that should be searched for addition options. It is possible to search for multiple objects by separating each name/group with a semicolon. The following are syntax examples:
- Display Name: John Smith
- User Name: smith.john
- Group Name: Domain Admins

Hovering over the blue example text will display syntax examples.

Once the search criteria have been entered, click Search. Clicking Cancel will abort the AD/LDAP user search.

Figure 30: Example AD/LDAP Server search information

Available AD/LDAP user accounts/groups will display that match the search syntax provided. Click the checkbox located to the left of the user account/group intended for addition and then click OK to add the user/group. Clicking Cancel will abort the addition process.

Figure 31: Add Users dialog

Selecting a user account/group and then clicking OK in the Add Users dialog will return you to the AD/LDAP dialog. Note that the user account/group selected now appears in the Configure AD/LDAP Users section. To enable the user account/group select the corresponding Allow checkbox. To deny access select the corresponding Deny checkbox.

Figure 32: Allowing/Denying AD/LDAP Users

When completed click OK to add the user/group account.

Deleting the user/group account is accomplished by selecting the applicable AD/LDAP user/group account and then clicking the Remove button.

Adding AD/LDAP user/group accounts requires an additional CimTrak configuration. This additional configuration is discussed in section of this documentation.

MASTER REPOSITORY OPTIONS

The Master Repository allows for the configuration of user-specific options. These options are dependent on the Master Repository the CimTrak user is authenticated with. These options include the capability to change the language displayed by the CimTrak Management Console, changing account passwords, and customizing preferences.

Accessing CimTrak Master Repository Options is accomplished by clicking Options in the Menu Bar followed by the required task.

CHANGING ACCOUNT PASSWORD

The attached user has the capability of changing their password. Passwords can only be changed by local CimTrak Users. AD/LDAP users must change their password following the instructions provided by their domain.

Changing a CimTrak User password is accomplished by clicking Options in the Menu Bar followed by Change Password.

In the event random password generation is enabled a CimTrak Management Console dialog will display asking if it is okay to generate a new random password. Click Yes to generate a new random password. Click No to abort the password creation.

Figure 33: CimTrak Management Console dialog

Clicking Yes displays the New Password dialog, showing the newly generated password. Make sure to record this new password and then click OK.

Figure 34: New Password dialog

The Management Console will prompt that the new password is assigned. It is necessary to re-logon to the Management Console using the new password credentials.

Figure 35: Management Console dialog

If random passwords are disabled the Change Password dialog will display prompting for a new password. Populate the New Password textbox and the Confirm Password textbox with the new password. Click OK to save the new password or Cancel to abort the password creation.

Figure 36: Change Password dialog

The Management Console will prompt that the new password is assigned. It is necessary to re-logon to the Management Console using the new password credentials.

CHANGING THE MANAGEMENT CONSOLE LANGUAGE

The International and Enterprise releases of CimTrak have the capability to display the Management Console text and dialogs in different languages. Changing languages is achieved by clicking Options in the CimTrak Management Console Menu Bar followed by Language File. The Open dialog will appear.

Figure 37: Open Language dialog

Select the appropriate language and then click Open. Click Cancel to abort the language selection. The Management Console will refresh with the newly selected language.

63 MODIFYING USER PREFERENCES Each CimTrak user account has Management Console preferences that are specific to their user account. Various dialogs have options indicating Do not show this again. These options can be reset in the Preferences dialog. Accessing the preferences dialog is accomplished by clicking Options in the Management Console Menu Bar followed by Preferences. The Preferences dialog will display. The Preferences dialog displays customization options that are specific to each CimTrak user account. By default, all customization options are enabled. Available options include: Prompt for Notes on Deploy: When a generation is deployed the Management Console will provide the deploying user with the capability to enter optional notes. Prompt for Notes on Lock: When enabling (locking) monitoring of CimTrak Agent Object Groups the Management Console will provide the enabling user with the capability to enter optional notes. Prompt Before Deleting Objects: When deleting CimTrak Agent Object Groups the Management Console will prompt the deleting user for approval. Prompt When Deleting a Watch With Excludes: When deleting a CimTrak Agent s Object Group watch containing excludes the Management Console will prompt the deleting user for approval. Prompt When Locking For the First Time if Restore is the Corrective Action: When locking a CimTrak Agent Object Group that is set to Restore Mode the Management Console will prompt the locking user for approval. Pending Repair Refresh Interval (seconds): Interval at which the Pending Repair dialog will refresh the display. Clicking OK to save the configured preferences or Cancel to abort AUDITING THE MASTER REPOSITORY FROM THE MANAGEMENT CONSOLE Each CimTrak Master Repository installation has the capability to be audited via the CimTrak Management Console Information Display Area. 
Auditing of the Master Repository provides authorized CimTrak Administrators a list of events occurring on components connected to the Master Repository. The Auditing capabilities are broken into five primary categories:

Repository Information
Event Log
Notes
Logged On Users
Locked Accounts

Auditing capabilities are accessed by selecting the Master Repository name/IP Address in the Management Console Object Group Tree. The auditing capabilities will display in the Management Console Information Display Area.

Figure 38: CimTrak Management Console Information Display Area (Master Repository Level)

MASTER REPOSITORY INFORMATION

The Master Repository Information Tab displays information about the Master Repository Host Operating System, Master Repository Uptime, connection information, and licensing. The Master Repository Information Tab is accessed from the Management Console in the Information Display Area by clicking the Repository Info tab. See Figure 15: CimTrak Management Console Information Display Area (Master Repository Level).

The Master Repository Information Tab is divided into 3 sections:

Master Repository Information
Master Repository Connections
Licensing

The Master Repository Information section displays information relating to:

Version: Version and build number associated with the CimTrak Master Repository.
Operating System: Operating system of the host the CimTrak Master Repository is installed on.
System Uptime: Master Repository host system uptime.
Repository Uptime: Master Repository uptime.
Port: Communication port used by the Master Repository.
File Storage Path: Location of the file storage used by the Master Repository to store authoritative copy and intrusion data.

The Master Repository Connections section displays information about external agents and Management Console connections currently associated with the Master Repository.

The Licensing section displays information relating to currently assigned CimTrak Licenses. Licensing is discussed in a section of the documentation

ADDING, REMOVING, VIEWING AND ACTIVATING CIMTRAK LICENSES

CimTrak licenses are required for each attached CimTrak component. Adding, removing, viewing, and activating CimTrak licenses is accomplished in the Licensing section of the CimTrak Management Console Information Display Area Repository Information Tab.

Figure 39: CimTrak Licensing dialog

Each license key is allotted a number of Professional or Standard Agents and Objects that can be used when the license is activated. The total number of Agents and Objects is displayed with each license key in the corresponding row. The total number of used Agents and Objects is calculated at the bottom of the licensing dialog. Additionally, license key expiration data is also displayed for reference purposes.

Typically Agents refers to CimTrak File System Agents and Objects refers to External Devices being monitored by a CimTrak Network Device Agent.

To add a license key click the Add button. The Add License dialog will display. Enter the license key in the Key textbox and then click OK. Click Cancel to abort the key entry process.

Figure 40: Add License dialog

The license key will automatically activate by contacting In the event the activation server cannot be reached, the Activate Serial Number dialog will display providing instructions for manual activation.

Figure 41: Activate Serial Number dialog

Proceed to to manually activate CimTrak.

Figure 42:

Populate all dialogs with information corresponding to your account. The Serial and Activation Key textbox information is provided on the Activate Serial Number dialog. Please note that all fields need to be populated to activate the serial number. When completed click Submit. The activation server will return an activation code. Populate the Activation Code textbox on the Activate Serial Number dialog and then click OK to accept activation.

Figure 43: Activation Code Response

In the event Cancel were to be clicked on the Activate Serial Number dialog, the newly entered serial number will display in red indicating that it requires activation.

Figure 44: Serial Number Requiring Activation (displayed in red)

To activate the serial number click once on the serial number requiring activation followed by clicking the Activate button. CimTrak will attempt to automatically activate the serial number by contacting In the event the activation server cannot be contacted CimTrak will require manual activation (discussed earlier in this section).

Expired or unwanted serial numbers can be deleted by clicking once on the serial number to delete followed by clicking the Delete button. Please note that any Agents or Objects requiring the deleted serial number will no longer function.

MASTER REPOSITORY EVENT LOG

The Master Repository Event Log provides audit information relating to events occurring in the Master Repository and objects connected to the Master Repository. Accessing the Master Repository Event Log is accomplished by first clicking once on the Master Repository name/IP Address in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

The Master Repository Event Log displays details of all events that have occurred on the Master Repository and objects connected to the Master Repository. The level of detail displayed is dependent on the auditing level configured in the Master Repository Properties Log Administrative DB Changes. See section for additional information.

For each recorded event, the Master Repository Event Log will display information corresponding to the following:

Event Date/Time: The exact date and time of the detected event.
Event: Brief description of the detected event.
Correction: The action taken on the detected event.
Performed by: CimTrak User Account responsible for the detected event.
Modified by: File System User responsible for the detected event.
Absolute Path: File path affected by the detected event.

Completion Date/Time: Date and time the correction response completed.
Event Code: Internal CimTrak Event Code corresponding to the detected event.
Path: Object Tree Path to the affected CimTrak object.

Figure 45: Master Repository Event Log

Each Event Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

Emergency: System is unusable. Highest level of event.
Alert: Take action immediately.
Critical: Critical conditions have occurred.
Error: Error conditions.
Warning: Warning conditions.

Notice: Normal condition that requires attention.
Information: Informational message.
Debug: Debug-level message. Lowest level of event.

Specifics relating to message types are discussed in the Appendix of this documentation.

Data displayed in the Management Console Event Log will not actively refresh as new events occur. Click the Refresh button to update the Event Log.

FILTERING AND SORTING THE MASTER REPOSITORY EVENT LOG

The Master Repository Event Log can be filtered to only show events matching the specified criteria. Accessing the Master Repository Event Log is accomplished by first clicking once on the Master Repository name/IP Address in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Master Repository Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled. Filters can be instantly cleared by clicking the Clear Filters button on the Master Repository Event Log tab.

The Filters dialog is broken into three sections:

Configuration Tabs
Filter Criteria
Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING MASTER REPOSITORY EVENT LOG FILTERS

The Master Repository Event Log can be filtered to only show events matching the specified criteria. Accessing the Master Repository Event Log is accomplished by first clicking once on the Master Repository name/IP Address in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Master Repository Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Comparison: Comparison operator
Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 46: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an and operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 47: Operator selection dropdown

Additional operator types include:

And
Or
And Not
Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group members.

Figure 48: Grouped filters

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.
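The operators and grouping described above decide which events an auditor actually sees, so it helps to work one case through. The following is an added example, not CimTrak code: it assumes rules are applied top to bottom and a group is resolved before it is combined, and the comparison names and event rows are constructed for illustration.

```python
# Added example: filter criteria evaluated over constructed Event Log rows.
# Assumptions: rules apply top to bottom, a group is resolved before it is
# combined, and the comparison names below are hypothetical.

COMPARISONS = {
    "equals": lambda cell, value: cell.lower() == value.lower(),
    "contains": lambda cell, value: value.lower() in cell.lower(),
    "starts with": lambda cell, value: cell.lower().startswith(value.lower()),
}

# The four operators the Filters dialog offers between rules.
OPERATORS = {
    "And": lambda acc, cur: acc and cur,
    "Or": lambda acc, cur: acc or cur,
    "And Not": lambda acc, cur: acc and not cur,
    "Or Not": lambda acc, cur: acc or not cur,
}


def rule(field, comparison, value, op="And"):
    """One Field / Comparison / Value row; op joins it to the rows above it."""
    return {"op": op, "field": field, "comparison": comparison, "value": value}


def group(members, op="And"):
    """Rules surrounded by parentheses in the Filter Criteria section."""
    return {"op": op, "group": members}


def matches(event, criteria):
    """Return True if the event passes the criteria list."""
    if not criteria:
        return True  # no filters enabled: every event is shown
    result = None
    for entry in criteria:
        if "group" in entry:
            current = matches(event, entry["group"])
        else:
            compare = COMPARISONS[entry["comparison"]]
            current = compare(str(event.get(entry["field"], "")), entry["value"])
        # The operator on the first entry has nothing to join to and is ignored.
        result = current if result is None else OPERATORS[entry["op"]](result, current)
    return result


def visible_rows(events, criteria):
    """Row numbers of the events the filter would leave on screen."""
    return [e["row"] for e in events if matches(e, criteria)]


# Constructed sample rows using column names from the Event Log description.
EVENTS = [
    {"row": 1, "Event": "File modified", "Correction": "Restored",
     "Modified by": "svc_web", "Absolute Path": r"C:\inetpub\wwwroot\index.html"},
    {"row": 2, "Event": "File added", "Correction": "Logged",
     "Modified by": "jdoe", "Absolute Path": r"C:\inetpub\wwwroot\upload\report.aspx"},
    {"row": 3, "Event": "User logon", "Correction": "",
     "Performed by": "admin", "Absolute Path": ""},
    {"row": 4, "Event": "File modified", "Correction": "Logged",
     "Modified by": "jdoe", "Absolute Path": r"D:\data\config.ini"},
]

# (modified Or under inetpub) And Not svc_web
UNGROUPED = [
    rule("Event", "contains", "File modified"),
    rule("Absolute Path", "starts with", r"C:\inetpub", op="Or"),
    rule("Modified by", "equals", "svc_web", op="And Not"),
]

# modified Or (under inetpub And Not svc_web)
GROUPED = [
    rule("Event", "contains", "File modified"),
    group([
        rule("Absolute Path", "starts with", r"C:\inetpub"),
        rule("Modified by", "equals", "svc_web", op="And Not"),
    ], op="Or"),
]

if __name__ == "__main__":
    print("ungrouped:", visible_rows(EVENTS, UNGROUPED))
    print("grouped:  ", visible_rows(EVENTS, GROUPED))
```

The same three rules hide row 1 when ungrouped and show it when the last two are grouped, so an exclusion for a service account should be checked against known events before the filter is saved for audit use.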

Event log filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Management Console Event Log indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 49: Filtered Event Log data

SORTING THE MASTER REPOSITORY EVENT LOG

The Master Repository Event Log can be sorted by any column using the Filters dialog. Accessing the Master Repository Event Log is accomplished by first clicking once on the Master Repository name/IP Address in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To sort the information displayed in the Master Repository Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column

Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 50: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section.

Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The Management Console Event Log indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 51: Filtered Event Log data

MASTER REPOSITORY NOTES

The Master Repository Notes Tab allows CimTrak users the capability to enter administrative notes. Accessing the Master Repository Notes Tab is accomplished by first clicking once on the Master Repository name/IP Address in the Object Group Tree to select it followed by clicking the Notes tab in the Management Console Information Display Area.

The Notes Tab is broken into two sections:

Toolbar
Form

The Toolbar allows authorized CimTrak users to perform various management functions relating to administrative notes.

Figure 52: CimTrak Notes Toolbar

The functionality associated with each Toolbar option is as follows. Please note that the functionality associated with the Toolbar option is dependent on the quantity of notes and the selected note.

New: Create a new Master Repository Note.
Duplicate: Copy the current note and open the copy for editing.
Save: Save the note.
Cancel: Cancel the note.
First: Proceed to the first, oldest note.
Previous: Go back one note.
Next: Go forward one note.
Last: Proceed to the last, newest note.

The Form section allows for the CimTrak User to enter the note data. Notes may be between 1 and 4000 characters. Once the note has been entered it is necessary to save the note by clicking the Save button in the Notes Toolbar. Aborting the creation of a note is possible by clicking the Cancel button. Navigating previously saved notes is possible using the First, Previous, Next, and Last buttons.

To create a note click the New button in the Notes Toolbar. Enter the note content in the Notes form box. When completed click the Save button.

Viewing of a particular note can be made private to the creating user by selecting the Private checkbox in the Notes dialog. Once a note has been created it cannot be made private.

Once a note has been created and saved it cannot be deleted.

Figure 53: Master Repository Notes dialog

MASTER REPOSITORY LOGGED ON USERS

The Master Repository Logged On Users Tab allows CimTrak Administrators the capability to view and modify existing CimTrak user connections to the Master Repository. Accessing the Master Repository Logged On Users Tab is accomplished by first clicking once on the Master Repository name/IP Address in the Object Group Tree to select it followed by clicking the Logged On Users tab in the Management Console Information Display Area.

The Logged On Users Tab displays information pertaining to any CimTrak User connection with the Master Repository. Pertaining information includes:

Username: CimTrak Account Username
Name: Full first and last name associated with the CimTrak user account.
IP Address: IP Address the connection with the Master Repository has been established from.
Connect Time: Date and Time the connection with the Master Repository occurred.

The Logged On Users Tab automatically refreshes every 10 seconds. Refreshing manually is initiated by clicking the Refresh button in the Management Console Toolbar.

Right-clicking on any user account displayed in the Logged On Users Tab allows for additional functionality by means of a context menu. Using the context menu

authorized CimTrak Administrators have the capability to Edit and Disconnect users.

To edit a currently connected user account, right-click on the user account and select Edit User. The Edit User dialog will display. See section for more information on editing user accounts.

To disconnect a currently connected user account, right-click on the user account and select Disconnect. The user will instantly be disconnected without notice.

Figure 54: Master Repository Logged On Users Tab

MASTER REPOSITORY LOCKED USER ACCOUNTS

The Master Repository Locked Accounts Tab allows CimTrak Administrators the capability to view currently locked out CimTrak user accounts. Accessing the Master Repository Locked Accounts Tab is accomplished by first clicking once on the Master Repository name/IP Address in the Object Group Tree to select it followed by clicking the Locked Accounts tab in the Management Console Information Display Area.

The Locked Accounts Tab displays information pertaining to any locked out CimTrak User accounts. Pertaining information includes:

Username: CimTrak Account Username
Group: CimTrak User Group the locked out account is a member of.
Last Logon Failure: Date and Time of the last failed logon attempt.
First Name: First name associated with the CimTrak User Account.
Last Name: Last name associated with the CimTrak User Account.

Typically, user accounts are locked out due to violating the failed logon attempts password policy. Configuration of Password Policies is explained in section

Figure 55: Master Repository Locked Account Tab

To unlock locked user accounts, unlock the account using the CimTrak Users dialog. See section for instructions on unlocking a locked account.

MANAGING MASTER REPOSITORY USERS & GROUPS FROM THE MANAGEMENT CONSOLE

To help improve the functionality, deployment, and security of the Master Repository, CimTrak supports the creation of additional user accounts. User accounts and groups support prescribing differing access permissions based on the purpose and the account.

During the installation of the CimTrak Master Repository a single user account was created. This first user account was automatically added to the Administrators group. For functionality reasons, at least one administrator-level account must exist at all times.

The Users dialog provides the functionality to view, edit, delete, and add CimTrak users and groups. The Users dialog is accessed from the Management Console by first selecting the desired Master Repository in the Object Group Tree and then clicking Options in the System Menu followed by Users.

Figure 56: Users dialog

The Users dialog is broken into three primary sections:

1. Toolbar
2. User Group Tree
3. Information Display Area

Each primary section has specific uses or functions in configuring, maintaining and reviewing the CimTrak user and group settings. Collapsing and expanding the displayed groups is accomplished by clicking the + or - located to the left of the group name.

UNDERSTANDING THE USERS DIALOG TOOLBAR

The Toolbar allows authorized CimTrak users the capability to add, delete, and modify CimTrak users and groups.

Figure 57: Users dialog Toolbar

The functionality associated with each Toolbar option is as follows. Please note that the functionality associated with the Toolbar option is dependent on the CimTrak User/Group selected in the User Group Tree. Selecting a CimTrak User/Group is accomplished by clicking on the User/Group Node name in the User Group Tree.

New: Create a new CimTrak User Account for the selected Group Node.
New: Create a new CimTrak User Group, User Account, or manage AD/LDAP Users and Groups associated with the Master Repository.
Edit: Edit selected user account or group to provide additional user/group related information.
Delete: Delete the selected user account or group.

UNDERSTANDING THE USER GROUP TREE

The User Group tree is a hierarchical view of all users and groups. Data contained in the User Group Tree can be expanded or collapsed by clicking the corresponding + or - symbol.

Figure 58: User Group Tree Showing Groups and Child Users

Each User Group and User Component existing in the User Group tree has an associated right-click context menu. The associated context menu content changes dynamically with the User Group/User type. The different context menus will be discussed in the sections corresponding with each User Group/User type.

UNDERSTANDING CIMTRAK USER GROUPS

CimTrak User Groups are a collection of user accounts that have the same security permissions. A single CimTrak user account can only be a member of one user group. A default CimTrak installation contains four default user groups:

Administrators
Auditors
Installers
Standard

By default, the initial CimTrak User Account created during the installation of the Master Repository belongs to the Administrator group.

Users of the Administrator group are the only CimTrak user accounts with the capability to create, delete, and modify user accounts. When users are added the creating

administrative user has the option of assigning which group the new user will be assigned to. See section for more information on creating CimTrak groups.

CIMTRAK ADMINISTRATORS GROUP EXPLAINED

The CimTrak Administrators Group has complete administrative power of the CimTrak Master Repository and attached nodes. Permissions associated with the Administrators Group cannot be changed. The permissions assigned to the Administrators Group include:

Create Objects
Edit Objects and Settings
Lock Objects
Execute and view Reports
Unlock Objects
View Objects and Settings

Additionally, the CimTrak Administrators Group has the capability of modifying Master Repository Properties and performing CimTrak User Account maintenance.

CIMTRAK AUDITORS GROUP EXPLAINED

The CimTrak Auditors Group has read-only privileges of the CimTrak Master Repository and attached nodes. Permissions associated with the Auditors Group cannot be changed. The permissions assigned to the Auditors Group include:

Execute and view Reports
View Objects and Settings

Additionally, the CimTrak Auditors Group has the capability of viewing Master Repository Properties.

CIMTRAK INSTALLERS GROUP EXPLAINED

The CimTrak Installers Group has Node installation privileges and cannot perform any CimTrak user and administrative tasks. This group is intended to be used for silent installation purposes when a user account is required to provide authorization for the installing nodes to access the Master Repository.

The silent installation process should always use an Installers group member since username and password credentials are often stored in plain text for silent installation scripts. Populating installation scripts with administrative credentials could compromise the security of the CimTrak installation.

CIMTRAK STANDARD GROUP EXPLAINED

By default the CimTrak Standard Group has no permissions. Permissions are allocated to the Standard Group as needed per Master Repository, Node, or Object. Available permissions include:

Create Objects
Edit Objects and Settings
Lock Objects
Execute and view Reports
Unlock Objects
View Objects and Settings

CimTrak User accounts that do not require full administrative privileges should be assigned to the Standard Group or other custom-created groups. See section for more information on adding custom user groups.

ADDING CIMTRAK LOCAL USER ACCOUNTS

CimTrak has the capability to add additional user accounts via the Users dialog. The Users dialog is accessed from the Management Console by first selecting the desired Master Repository in the Object Group Tree and then clicking Options in the System Menu followed by Users.

There are three different ways to add user accounts:

1. Selecting the desired user group in the User Group Tree and then clicking the New button on the toolbar.
2. Right-clicking on the desired user group in the User Group Tree and then selecting New User.
3. Right-clicking on the desired user group in the User Group Tree and then selecting New AD/LDAP Users and Groups.

Selecting option 1 or 2 causes the Edit User dialog to display. Option 3 is discussed in section

Figure 59: Edit Users dialog

The Edit User dialog allows for addition of or editing to user accounts. The following properties are available for modifying:

Username: Username associated with the user account. (1-50 Alphanumeric characters)
Password/Confirm Password: Password associated with the user account. This option is disabled if random password generation has been enabled in Master Repository Password Policies. See section for additional information.
Group: CimTrak User Group the account is associated with.
First Name: First name of the user associated with the user account. (1-40 Alpha-numeric characters)
Last Name: Last name of the user associated with the user account. (1-40 Alpha-numeric characters)
Position: Role of the user associated with the user account. (1-100 Alpha-numeric characters)
Address: Address of the user associated with the user account. (1-100 Alpha-numeric characters)

City: City of the user associated with the user account. (1-100 Alphanumeric characters)
State: State of the user associated with the user account. (1-2 Alphanumeric characters)
Zip: Zip Code of the user associated with the user account. (1-5 Alphanumeric characters)
Phone: Primary phone number of the user associated with the user account. (1-20 Alpha-numeric characters)
Ext.: Phone extension for the primary phone associated with the user account. (1-5 Alpha-numeric characters)
Fax: Fax phone number for the user associated with the user account. (1-20 Alpha-numeric characters)
Address: Electronic mail associated with the user account. (1-100 Alpha-numeric characters)
Alt. Phone: Alternate phone number of the user associated with the user account. (1-20 Alpha-numeric characters)
Alt. Ext.: Phone extension for the alternate phone associated with the user account. (1-5 Alpha-numeric characters)
Pager: Pager number for the pager associated with the user account. (1-20 Alpha-numeric characters)
Notes: Additional administrative notes associated with the user account. ( Alpha-numeric characters)

The password associated with the user account must match the complexity requirements indicated in the Master Repository Password Policy. See section for more information.

The Address field must be populated with a valid address if notifications are intended to be sent to this recipient. See section and section for more information.

When completed filling in the user information click the Save button. Click Cancel to abort any changes.

If random password generation is enabled clicking the OK button results in the New Password dialog appearing.

Figure 60: Randomly Generated Password

Take note of the password as it will be necessary to provide this information to the person associated with the new user account.

ADDING CIMTRAK AD/LDAP USER ACCOUNTS

CimTrak has the capability to add AD/LDAP users and groups via the Users dialog. The Users dialog is accessed from the Management Console by first selecting the desired Master Repository in the Object Group Tree and then clicking Options in the System Menu followed by Users.

Before adding AD/LDAP users, AD/LDAP hosts and authorized users/groups must be configured in the Master Repository properties. See section for more information.

AD/LDAP user accounts are added by right-clicking on the desired user group in the User Group Tree and then selecting New AD/LDAP Users and Groups. The Search AD/LDAP Server dialog will display.

Select the domain to add the user(s)/group(s) from by clicking the Domain drop down.

If the user(s) intended for addition belong to a specific domain group, enter the appropriate domain group information in the Member of Group (optional) textbox.

Select the Search Groups checkbox to indicate that only domain groups should be searched. Select the Search Users checkbox to indicate that only domain users should be searched. Select both the Search Groups and Search Users checkboxes to indicate that both domain groups and domain users should be searched.

The Search String(s) textbox provides a space for entering the users or groups that should be searched for addition options. It is possible to search for multiple objects by separating each name/group with a semicolon. The following are syntax examples:

Display Name: John Smith
User Name: smith.john
Group Name: Domain Admins

Hovering over the blue example text will display syntax examples.

Once completed entering the search criteria click Search. Clicking Cancel will abort the AD/LDAP user search.

Figure 61: Example AD/LDAP Server search information

Available AD/LDAP user accounts/groups will display that match the search syntax provided. Click the checkbox located to the left of the user account/group intended for addition and then click OK to add the user/group. Clicking Cancel will abort the addition process.

Figure 62: Add Users dialog

Once the selected AD/LDAP user/group account has been added it will appear in the User Group tree under the CimTrak group selected. When completed adding users click the Close button to exit the Users dialog.

ADDING CIMTRAK USER GROUPS

CimTrak has the capability to add additional user groups via the Users dialog. The Users dialog is accessed from the Management Console by first selecting

the desired Master Repository in the Object Group Tree and then clicking Options in the System Menu followed by Users.

There are two different ways to add user accounts:

1. Right-clicking on an existing user or group in the User Group Tree and then selecting New User.
2. Clicking the New dropdown button on the toolbar and then selecting New Group.

Either method will cause the Edit Group dialog to display.

The Edit Group dialog allows for the creation of CimTrak groups. Additionally, group description information can be provided by populating the Edit Group form.

Figure 63: Edit Group dialog

It is first necessary to select a unique name for the user group. The unique name can consist of between 1 and 50 alpha-numeric characters.

Right-clicking anywhere in the Edit Group form provides additional text editing functionality for additional customization. Additional functionality includes:

Undo
Cut
Copy
Paste
Delete

Select All
Right to left Reading order
Show Unicode control characters
Insert Unicode control character
    LRM: Left-to-right mark
    RLM: Right-to-left mark
    ZWJ: Zero width joiner
    ZWNJ: Zero width non-joiner
    LRE: Start of left-to-right embedding
    RLE: Start of right-to-left embedding
    LRO: Start of left-to-right override
    RLO: Start of right-to-left override
    PDF: Pop directional formatting
    NADS: National digit shapes substitution
    NODS: Nominal (European) digit shapes
    ASS: Active symmetric swapping
    ISS: Inhibit symmetric swapping
    AAFS: Active Arabic form shaping
    IAFS: Inhibit Arabic form shaping
    RS: Record Separator (Block separator)
    US: Unit Separator (Segment separator)
Close IME
Reconversion

The Edit Group form accepts between 0 and 4,000 alphanumeric/symbol characters. Once the CimTrak group properties are configured it is necessary to click Save to accept the settings. Clicking Cancel will abort the changes.

EDITING CIMTRAK LOCAL USER & GROUP ACCOUNTS

CimTrak has the capability to edit user and custom group information via the Users dialog. The Users dialog is accessed from the Management Console by first selecting the desired Master Repository in the Object Group Tree and then clicking Options in the System Menu followed by Users.

There are two different ways to modify user and custom group information:

1. Selecting the desired user or group in the User Group Tree and then clicking the Edit button.
2. Right-clicking on the desired user or group in the User Group Tree and then selecting Edit.

The properties associated with the default Administrators, Auditors, and Installers groups cannot be modified.

Properties can only be modified for custom groups. See section for more information.

In the event a user account is selected for editing, the Edit User dialog will display.

Figure 64: Edit Users dialog

The Edit User dialog allows user accounts to be added or edited. The following properties are available for modifying:

- Username: Username associated with the user account. (1-50 Alphanumeric characters)
- Password/Confirm Password: Password associated with the user account. This option is disabled if random password generation has been enabled in Master Repository Password Policies. See section for additional information.
- Group: CimTrak User Group the account is associated with.
- First Name: First name of the user associated with the user account. (1-40 Alpha-numeric characters)

- Last Name: Last name of the user associated with the user account. (1-40 Alpha-numeric characters)
- Position: Role of the user associated with the user account. (1-100 Alpha-numeric characters)
- Address: Address of the user associated with the user account. (1-100 Alpha-numeric characters)
- City: City of the user associated with the user account. (1-100 Alphanumeric characters)
- State: State of the user associated with the user account. (1-2 Alphanumeric characters)
- Zip: Zip Code of the user associated with the user account. (1-5 Alphanumeric characters)
- Phone: Primary phone number of the user associated with the user account. (1-20 Alpha-numeric characters)
- Ext.: Phone extension for the primary phone associated with the user account. (1-5 Alpha-numeric characters)
- Fax: Fax phone number for the user associated with the user account. (1-20 Alpha-numeric characters)
- Address: Electronic mail associated with the user account. (1-100 Alpha-numeric characters)
- Alt. Phone: Alternate phone number of the user associated with the user account. (1-20 Alpha-numeric characters)
- Alt. Ext.: Phone extension for the alternate phone associated with the user account. (1-5 Alpha-numeric characters)
- Pager: Pager number for the pager associated with the user account. (1-20 Alpha-numeric characters)
- Notes: Additional administrative notes associated with the user account. ( Alpha-numeric characters)

The password associated with the user account must match the complexity requirements indicated in the Master Repository Password Policy. See section for more information.

The Address field must be populated with a valid address if notifications are intended to be sent to this recipient. See section and section for more information.

When finished editing the user information, click the Save button. Click Cancel to abort any changes.

In the event a user group has been selected for edit, the Edit Group dialog will display. The Edit Group dialog allows for the renaming of user-created CimTrak groups. Additionally, group description information can be provided by populating the Edit Group form.

Figure 65: Edit Group dialog

Right-clicking anywhere in the Edit Group form provides additional text editing functionality for additional customization. Additional functionality includes:

- Undo
- Cut
- Copy
- Paste
- Delete
- Select All
- Right to left Reading order
- Show Unicode control characters
- Insert Unicode control character
- LRM: Left-to-right mark
- RLM: Right-to-left mark
- ZWJ: Zero width joiner
- ZWNJ: Zero width non-joiner
- LRE: Start of left-to-right embedding
- RLE: Start of right-to-left embedding
- LRO: Start of left-to-right override
- RLO: Start of right-to-left override
- PDF: Pop directional formatting
- NADS: National digit shapes substitution
- NODS: Nominal (European) digit shapes

- ASS: Active symmetric swapping
- ISS: Inhibit symmetric swapping
- AAFS: Active Arabic form shaping
- IAFS: Inhibit Arabic form shaping
- RS: Record Separator (Block separator)
- US: Unit Separator (Segment separator)
- Close IME
- Reconversion

The Edit Group form accepts between 0 and 4,000 alphanumeric/symbol characters.

Once the CimTrak group properties are configured it is necessary to click Save to accept the settings. Clicking Cancel will abort the changes.

DELETING CIMTRAK LOCAL USER & GROUP ACCOUNTS

CimTrak has the capability to delete user and custom group accounts via the Users dialog. The Users dialog is accessed from the Management Console by first selecting the desired Master Repository in the Object Group Tree and then clicking Options in the System Menu followed by Users.

There are two different methods used for deleting local user accounts and groups:

1. Select the CimTrak User or Group in the User Group Tree and then click the Delete button in the Users dialog toolbar.
2. Select the CimTrak User or Group in the User Group Tree and then right-click and select Delete.

Recursive deleting is not supported. A CimTrak group cannot be deleted until all users in the group are either assigned to other groups or deleted.

Once the CimTrak User or Group has been selected for deletion, a confirmation dialog will display. Click Yes to delete the CimTrak User or Group. Click cancel to abort the deletion.

Figure 66: User/Group Deletion Confirmation dialog

The process of deleting CimTrak Users and Groups is permanent and cannot be undone.

DELETING CIMTRAK AD/LDAP USER ACCOUNTS

CimTrak has the capability to delete AD/LDAP user accounts via the Users dialog. The Users dialog is accessed from the Management Console by first selecting the desired Master Repository in the Object Group Tree and then clicking Options in the System Menu followed by Users.

Deleting AD/LDAP user accounts is accomplished by selecting the user account in the CimTrak Object Group tree and then right-clicking and selecting Remove CimTrak Role.

The process of deleting AD/LDAP Users only removes the account from CimTrak and does not delete the actual AD/LDAP user account.

The process of deleting CimTrak AD/LDAP Users is permanent and cannot be undone.

Click the Close button to exit the Users dialog.

Once the AD/LDAP user account has been deleted it is necessary to deny access to the account. This process is accomplished in the Configured AD/LDAP Users section of the CimTrak Master Repository Properties AD/LDAP dialog. See section for additional information.

UNLOCKING CIMTRAK USER ACCOUNTS

The Master Repository Properties Password Policies dialog allows for the configuration of automatic lockout for users who have entered invalid password credentials too many times. In the event indefinite lockout has been configured it will be necessary to unlock user accounts before they can authenticate with the Master Repository. See section for more information on configuring Password Policies.

Locked out accounts are displayed in the Locked Accounts tab in the Master Repository Information Display Area and in the Users dialog.

Figure 67: Master Repository Locked Accounts Tab

Figure 68: Locked User Account (highlighted in red)

Unlocking locked user accounts is accomplished in the Users dialog. The Users dialog is accessed from the Management Console by first selecting the desired Master Repository in the Object Group Tree and then clicking Options in the System Menu followed by Users.

To unlock a locked user account, select the locked account in the User Group Tree, right-click and then select Reset Account. When completed, click Close to exit the Users dialog.

CIMTRAK MASTER REPOSITORY DOCUMENT CONTROL

Each CimTrak Master Repository installation contains an encrypted document vault known as Document Control. The Document Control component functions similarly to a source control suite in that it provides management of changes to documents, programs, and other information. Common uses of document control include software development, configuration archives, and protection of confidential information. Changes, additions, and deletions are audited and a transaction record is kept. Each revision is associated with a timestamp and authorized user making the change. Changes can be compared to or reverted from previous changes. This history of changes is known as a CimTrak generation.

CREATING A MASTER REPOSITORY DOCUMENT CONTROL

The process of creating a Document Control is accomplished by right-clicking on the Master Repository IP Address in the Management Console Object Group Tree and then selecting New Document Control. The Document Control Properties dialog will display.

Figure 69: Document Control Properties dialog

The Document Control Properties dialog allows for the configuration of Document Control object information, monitoring information, File Comparison Method, and Private Key implementation.

Document Control Object Information:

- Object Group Name: Used to indicate a unique name for the Document Control Object Group.
- Location: Optional Document Control Location information.
- Description: Optional Document Control Description information.

- Date Put in Service: Optional Date and Time associated with the in-service date of the Document Control.
- Contact: Optional Contact information associated with the Document Control.
- URL: Optional URL information associated with the Document Control.
- Notes: Optional dialog to enter administrative notes associated with the Document Control.

Monitoring Information:

- Number of Revisions to Keep: Number of generations to keep for each revision to items stored in the Document Control. A zero placed in this field indicates unlimited revisions will be stored.
- Number of Events to Keep: Quantity or Days to store Document Control Event Log audit records.

Storing an unlimited number of events has the potential to exhaust all available disk space on the Master Repository and degrade system performance.

File Comparison Method:

- File Comparison Method: Comparison algorithm used to compare document control contents across other collected generations.

Private Key Implementation:

- Set Document Control Private Key: Password to protect against unauthorized viewing, adding, or changing of files within the Document Control. See section for more information.

Once all sections have been populated, click the OK button to create the document control. Click Cancel to abort the Document Control creation.

Once created, the document control will display attached to the Master Repository in the Object Group Tree. Clicking the Document Control name results in the Document Control being displayed in the Management Console Information Area.

Figure 70: Document Control Object Group

A Document Control Object Group can be deleted by selecting the Document Control in the Object Group Tree, right-clicking and then selecting Delete.

DOCUMENT CONTROL PRIVATE KEY

The process of creating a Document Control Private Key is accomplished during the creation of the Document Control Object Group or by editing the Document Control Object Group via the Document Control Properties dialog.

The creation of a Document Control is accomplished by right-clicking on the Master Repository IP Address in the Management Console Object Group Tree and then selecting New Document Control. See section for additional information. Editing of a Document Control is possible by right-clicking on the Document Control in the Object Group Tree and clicking Properties.

Click Set Document Control Private Key to create the Private Key. The Set Document Control Private Key dialog will appear.

Once the Document Control Object Group Private Key is created the Private Key cannot be changed.

The creation of a Document Control Private Key is optional but is recommended when it is necessary to conceal the contents of stored files from CimTrak users. The Document Control Private Key provides a secondary layer of security for the information stored within a CimTrak Document Control. When a Private Key has been applied, all contents stored within the Document Control are protected by an additional layer of encryption. If the CimTrak user attempts to compare or change contents of a Document Control, the user is prompted to enter the Private Key. Only by entering a valid Private Key can the contents of the Document Control be viewed, compared, or modified. Document Control Private Keys can be automatically inherited from the Master Repository, if configured, or can be set per Document Control.

The Document Control Private Key only protects viewing of contents within CimTrak. If an unauthorized user is able to gain access to the file system, and Document Control files were not removed from the system, the user will be able to view the contents of the files. Proper security measures are still necessary to prevent unauthorized access to system data.

In the event a Private Key has been applied to a Document Control the optional FTP Repository Interface will not be able to access the files stored within the Document Control.

In the event that a configured Private Key has been lost, it can *not* be recovered.

Figure 71: Set Document Control Private Key dialog

Populate the Private Key and Confirm Private Key textboxes with the intended Private Key and then click the OK button to accept the Private Key. Click Cancel to abort the Private Key creation process. When completed, click OK on the Document Control Properties dialog.

EDITING MASTER REPOSITORY DOCUMENT CONTROL PROPERTIES

The process of editing a Document Control is accomplished by right-clicking on the Document Control node in the Object Group Tree and then selecting Properties or by clicking the Properties button on the Management Console Toolbar. The Document Control Properties dialog will display.

Figure 72: Document Control Properties dialog

The Document Control Properties dialog allows for the configuration of Document Control object information, monitoring information, File Comparison Method, and Private Key implementation.

Document Control Object Information:

- Object Group Name: Used to indicate a unique name for the Document Control Object Group.
- Location: Optional Document Control Location information.
- Description: Optional Document Control Description information.
- Date Put in Service: Optional Date and Time associated with the in-service date of the Document Control.
- Contact: Optional Contact information associated with the Document Control.
- URL: Optional URL information associated with the Document Control.
- Notes: Optional dialog to enter administrative notes associated with the Document Control.

Monitoring Information:

- Number of Revisions to Keep: Number of generations to keep for each revision to items stored in the Document Control. A zero placed in this field indicates unlimited revisions will be stored.
- Number of Events to Keep: Quantity or Days to store Document Control Event Log audit records.

Storing an unlimited number of events has the potential to exhaust all available disk space on the Master Repository and degrade system performance.

A Document Control can be renamed by either changing the name in the Object Group Name textbox or by right-clicking the Document Control in the Object Group Tree and selecting Rename.

File Comparison Method:

- File Comparison Method: Comparison algorithm used to compare document control contents across other collected generations.

Private Key Implementation:

- Set Document Control Private Key: Password to protect against unauthorized viewing, adding, or changing of files within the Document Control. See section for more information.

Once all sections have been populated, click the OK button to save the document control properties. Click Cancel to abort the Document Control properties modification.

WORKING WITH MASTER REPOSITORY DOCUMENT CONTROL FILES AND FOLDERS

The Document Control component functions similarly to a source control suite in that it provides management of changes to documents, programs, and other information. Document Control functions are accomplished by first selecting the Document Control Object Group from the Management Console Object Group Tree, right-clicking on the document control file or folder and then selecting the appropriate option from the context menu.

The options included in the Document Control context menu include:

- View: View the contents of a file contained in the Document Control.
- View as Binary: View the contents of a binary file contained in the Document Control.
- Download: Download a copy of the file contained in the Document Control to the local system.
- Compare: Compare the contents of the file contained in the Document Control to a previous generation of the same file.
- Edit: Automatically Check out the selected file and open the file in the user-selected editor.
- Check out: Mark the selected file as checked out. Download a copy of the file to the local system.
- Check in: Upload and save the checked out local copy of a file back to the document control.
- Add: Add additional files and directories to the Document Control.
- Delete: Delete the selected files and/or directories from the Document Control.

ADDING FILES AND FOLDERS TO THE MASTER REPOSITORY DOCUMENT CONTROL

The Document Control component functions similarly to a source control suite in that it provides management of changes to documents, programs, and other information. Common uses of document control include software development, configuration archives, and protection of confidential information. Changes, additions, and deletions are audited and a transaction record is kept. Each revision is associated with a timestamp and authorized user making the change. Changes can be compared to or reverted from previous changes. This history of changes is known as a CimTrak generation.

To begin utilizing the Document Control feature it is necessary to add files to the Document Control Object Group. Click the Document Control node in the Management Console Object Group Tree. The Information Display Area will change to show the Document Control Directory/File dialog.

For information on creating a Document Control Object Group refer to section

Figure 73: Document Control Directory/File dialog

The process of adding files to Document Control is accomplished by one of two methods:

- Drag-and-Drop
- Context Dialog

Drag-and-Drop Method: To use the Drag-and-Drop method, click the file or directory you would like to add to the Document Control and then drag the file or directory icon into the Directory/File dialog. Please note that multiple files and directories may be added simultaneously. The Add Files dialog will display.

Context Dialog Method: To use the Context Dialog method, right-click in the Directory/File dialog, click Add followed by Files to add files or Directory to add an entire directory. Browse the file system to select the files or directories to add. Upon selection the Add Files dialog will display.

Upon initiating a file or directory addition, the Add Files dialog will display. The Add files dialog allows for the configuration of properties relating to the newly added files or directories. Properties include:

- Notes: Optional information describing the reason for the addition.
- Recursive: Apply properties to all files and directories being added.
- Create New Generation: Create a new baseline for all files being added. Any future revisions to these files will result in a new generation being created.
- Remove Local Copy: All files and directories being added to the Document Control are removed from the local system.

Clicking the OK button will add the file and directories to the document control with the selected parameter value options. Clicking Cancel will abort the addition process.

Figure 74: Document Control Add Files dialog

If the Private Key feature has been enabled the adding user will be prompted to enter a valid private key. See section for more information.

Figure 75: Enter Private Key dialog

The Document Control Information Display Area will show all added files and directories. Added files will be displayed in green. Previously existing files will display in black. Additionally, each file added to the Document Control will show the Change from Previous status of Added, the file size, and the calculated hash value.

Figure 76: Document Control Information Display Area showing added files

The hash value calculation will be based on the File Comparison Method indicated in the Document Control Properties dialog. See section

DELETING FILES AND FOLDERS FROM THE MASTER REPOSITORY DOCUMENT CONTROL

The Document Control component functions similarly to a source control suite in that it provides management of changes to documents, programs, and other information. Common uses of document control include software development, configuration archives, and protection of confidential information. Changes, additions, and deletions are audited and a transaction record is kept. Each revision is associated with a timestamp and authorized user making the change. Changes can be compared to or reverted from previous changes. This history of changes is known as a CimTrak generation.

To remove previously added files and folders from an already existing Document Control, click the Document Control node in the Management Console Object Group Tree. The Information Display Area will change to show the Document Control Directory/File dialog. Select the file or folder to delete by clicking once on the file or folder. With the file or folder selected, right-click and select Delete.

If the Private Key feature has been enabled the deleting user will be prompted to enter a valid private key. See section for more information.

Figure 77: Enter Private Key dialog

VIEWING FILE CONTENT FROM THE MASTER REPOSITORY DOCUMENT CONTROL

The Document Control component function has the capability to display the contents of files stored within the Document Control. To view the content of files, click the Document Control node in the Management Console Object Group Tree. The Information Display Area will change to show the Document Control Directory/File dialog. Select the file to view by clicking once on the file.

To view the non-binary file contents associated with a file, right-click on the file and then select View. The File View dialog will display.

Figure 78: File View dialog (non-binary)

To view the binary file contents associated with a file, right-click on the file and then select View as Binary.

Figure 79: File View dialog (binary)

Click Close to exit the File View dialog.

If the Private Key feature has been enabled the viewing user will be prompted to enter a valid private key. See section for more information.

Figure 80: Enter Private Key dialog

DOWNLOADING LOCAL COPIES OF FILES FROM THE MASTER REPOSITORY DOCUMENT CONTROL

The Document Control component function has the capability to download copies of files stored within the Document Control to the local system. To download files, click the Document Control node in the Management Console Object Group Tree. The Information Display Area will change to show the Document Control Directory/File dialog. Select the file to download by clicking once on the file.

To download the file, right-click on the file and then select Download. The Browse for Folder dialog will display. Navigate the local file system to pick a location to save the file to. Click OK when completed or Cancel to abort the download process.

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 81: Enter Private Key dialog

Files saved on the local system may be accessible by other users of the system.

COMPARING CHANGES WITH PAST GENERATIONS FROM THE MASTER REPOSITORY DOCUMENT CONTROL

The Document Control component function has the capability to compare previous file generations with the current state of the file stored within the Document Control to the local system. To compare a file, click the Document Control node in the Management Console Object Group Tree. The Information Display Area will change to show the Document Control Directory/File dialog. Select the file to compare with by clicking once on the file.

To compare the file, right-click on the file and then select Compare. The Select File to Compare Against dialog will display. Select the generation to compare with by clicking once on the revision. Click OK to perform the comparison or click Cancel to abort the comparison process. The File Comparison Results dialog will display.

Figure 82: File to Compare Against dialog

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 83: Enter Private Key dialog

Figure 84: File Comparison Results dialog

Click the Close button to exit the File Comparison Results dialog.

UNDERSTANDING THE DOCUMENT CONTROL FILE COMPARISON RESULTS DIALOG

The File Comparison Results dialog displays anytime a comparison is performed between the generation revisions of a Document Control file. See section for more information on performing file comparisons.

The File Comparison dialog is comprised of three primary sections:

- Toolbar
- Information Display Area
- Tab Browser

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR

The File Comparison Results dialog Toolbar allows authorized CimTrak users to perform various operations on file generation comparison data. The File Comparison Results dialog is accessible by performing a file comparison between generation revisions to a Document Control file. See section for more information on performing file comparisons.

Figure 85: File Comparison Results dialog Toolbar

The functionality associated with each Toolbar option is as follows.

- Save: Save a local copy of the file comparison. File comparisons are saved in HTML and can be opened in a web browser.
- Print: Print a copy of the file comparison.
- Print Preview: Display a visual representation of exactly what a printed copy of the file comparison would look like.
- Exit: Quit the File Comparison Results dialog and return to the CimTrak Management Console.

Files saved on the local system may be accessible by other users of the system.

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER

The File Comparison Results dialog Tab Browser and Information Display Area allow authorized CimTrak users to visualize generation comparison data. The File Comparison Results dialog is accessible by performing a file comparison between generation revisions to a Document Control file. See section for more information on performing file comparisons.

The File Comparison Results dialog Information Display Area shows a side-by-side comparison of one generation revision of a Document Control File to a revision stored in another Document Control generation. Lines that have been modified are highlighted in blue, lines that have been added are highlighted in green, and lines that have been deleted are highlighted in red.

By default, the Complete tab is selected in the File Comparison Results Tab Browser. The Complete tab shows all lines of a selected comparison. Selecting the Changes tab displays only the lines that have differences between the compared generations.
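The modified/added/deleted classification and the difference between the Complete and Changes tabs can be sketched in a few lines of Python. This is an added illustration, not CimTrak's code: the difflib-based line matching, SHA-256 as the comparison hash, the function names and the two sample generations are all assumptions.

```python
import difflib
import hashlib

# Two generations of one file. Constructed sample data, not taken from the guide.
GENERATION_1 = (
    "PermitRootLogin no\n"
    "PasswordAuthentication no\n"
    "Port 22\n"
    "LogLevel INFO\n"
)
GENERATION_2 = (
    "PermitRootLogin yes\n"
    "PasswordAuthentication no\n"
    "LogLevel INFO\n"
    "AllowUsers deploy\n"
)

# Colours the guide assigns to each kind of changed line.
HIGHLIGHT = {"modified": "blue", "added": "green", "deleted": "red"}


def generation_hash(text, algorithm="sha256"):
    """Hash one generation. SHA-256 is an assumption; the guide only says the
    hash depends on the configured File Comparison Method."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def compare_generations(old_text, new_text):
    """Return side-by-side rows as (status, old_line, new_line) tuples."""
    old, new = old_text.splitlines(), new_text.splitlines()
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    rows = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        olds, news = old[i1:i2], new[j1:j2]
        if tag == "equal":
            rows += [("same", o, n) for o, n in zip(olds, news)]
        else:
            # Lines that line up on both sides were modified; any surplus on
            # one side only was deleted (left) or added (right).
            paired = min(len(olds), len(news))
            rows += [("modified", o, n) for o, n in zip(olds, news)]
            rows += [("deleted", o, None) for o in olds[paired:]]
            rows += [("added", None, n) for n in news[paired:]]
    return rows


def complete_view(rows):
    """Complete tab: every line of the comparison."""
    return list(rows)


def changes_view(rows):
    """Changes tab: only the lines that differ between the generations."""
    return [row for row in rows if row[0] != "same"]


def render(rows):
    """Plain-text stand-in for the highlighted side-by-side display."""
    lines = []
    for status, old_line, new_line in rows:
        colour = HIGHLIGHT.get(status, "-")
        lines.append(f"{colour:<6}| {old_line or '':<28}| {new_line or ''}")
    return "\n".join(lines)


if __name__ == "__main__":
    # A differing hash is the cheap signal that a line-level comparison is needed.
    if generation_hash(GENERATION_1) != generation_hash(GENERATION_2):
        rows = compare_generations(GENERATION_1, GENERATION_2)
        print(render(changes_view(rows)))
```

In the sample, the Changes view isolates the three security-relevant edits (root login enabled, port line removed, an allowed user added) from the unchanged lines that the Complete view would also show.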

Figure 86: File Comparison Results dialog Changes tab

EDITING DOCUMENT CONTROL FILES FROM THE MASTER REPOSITORY DOCUMENT CONTROL

The Document Control component function has the capability to edit file content associated with Document Control files. To edit a file, click the Document Control node in the Management Console Object Group Tree. The Information Display Area will change to show the Document Control Directory/File dialog. Select the file to edit by clicking once on the file.

To edit the file, right-click on the file and then select Edit. The Edit File dialog will display. The Edit File dialog consists of several options:

- Notes: Administrative notes that will be appended to generation data when the edited file is saved back to the Document Control.
- Create New Generation: Create a new generation revision when the edited file is saved. Creating a new generation allows for the comparison between generations and the capability to rollback to previous generations.
- Remove Local Copy: The Edited file will be removed from the file system upon saving.
- Open File With: Edit the file using the indicated file editor. The editor is selected using the Browse button.
- Download File To: File location to save the file to edit to. The location is selected using the Browse button.

Click OK to begin the edit process. Click Cancel to abort the edit process and return to the CimTrak Management Console.

If the Private Key feature has been enabled the editing user will be prompted to enter a valid private key. See section for more information.

Figure 87: Enter Private Key dialog

Figure 88: Edit File dialog

Clicking OK results in the selected file opening in the editor selected. Make the necessary modifications to the file, save, and then exit the editor. The file will automatically be Checked In to the Document Control.

If the Private Key feature has been enabled the saving user will be prompted to enter a valid private key. See section for more information.

Figure 89: Enter Private Key dialog

The edited file is now saved and will display in the Document Control Information Display Area as being Changed.

Figure 90: Document Control Information Display Area showing Changed File

While the file is opened for editing it will be in a locked state. While in the locked state other CimTrak Users cannot modify this file. However, other CimTrak Users will still be able to view the file contents even if the file is in a locked state. Locked files display in red text.

CHECKING OUT FILES FROM THE MASTER REPOSITORY DOCUMENT CONTROL

The Document Control component requires files to be checked out before they can be edited. While a file is checked out other CimTrak Users cannot modify the file. However, other CimTrak Users will still be able to view the contents of the file.

To Check Out a file, click the Document Control node in the Management Console Object Group Tree. The Information Display Area will change to show the Document Control Directory/File dialog. Select the file to Check Out by clicking once on the file.

To check out the file, right-click on the file and select Check out. The Browse for Folder dialog will display. Navigate to a location on the local system to save a copy of the selected file. When completed, select OK to save the local copy of the file. Click Cancel to abort the Check out process.

Figure 91: Browse For Folder dialog

If the Private Key feature has been enabled the checking out user will be prompted to enter a valid private key. See section for more information.

Figure 92: Enter Private Key dialog

While the file is checked out it will be locked from editing by other CimTrak Users. The Document Control Information Display Area will show the checked out file in red and will include information relating to the CimTrak User Account and Date/Time of the check out.

Figure 93: Document Control File Checked Out

Once the file modification is completed it is necessary to return the file to the Document Control by checking in the file. Checking in files is explained in section

CHECKING IN FILES FROM THE MASTER REPOSITORY DOCUMENT CONTROL

The Document Control component requires files to be checked out before they can be edited. Once an edit is completed it is necessary to check the file back into the Document Control.

To Check In a file, click the Document Control node in the Management Console Object Group Tree. The Information Display Area will change to show the Document Control Directory/File dialog. Select the file to Check In by clicking once on the file.

To check in the file, right-click on the file and select Check in. The Check in dialog will display. The Check in dialog consists of several options:

- Notes: Administrative notes that will be appended to generation data when the edited file is saved back to the Document Control.
- Create New Generation: Create a new generation revision when the edited file is saved. Creating a new generation allows for the comparison between generations and the capability to rollback to previous generations.
- Remove Local Copy: The Edited file will be removed from the file system upon saving.

Click OK to begin the Check in process. Click Cancel to abort the Check in process and return to the CimTrak Management Console.

If the Private Key feature has been enabled the editing user will be prompted to enter a valid private key. See section for more information.

Figure 94: Enter Private Key dialog

The previously checked out file is now saved and will display in the Document Control Information Display Area as being Changed.

Figure 95: Document Control Information Display Area showing Changed File

AUDITING MASTER REPOSITORY DOCUMENT CONTROL EVENTS

The Document Control Event Log provides audit information relating to events occurring in a Document Control Object Group. Accessing the Document Control Event Log is accomplished by first clicking once on the Document Control in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

The Document Control Event Log displays details of all events that have occurred in the selected Document Control. The level of detail displayed is dependent on the auditing level configured in the Master Repository Properties Log Administrative DB Changes. See section for additional information.

For each recorded event, the Document Control Event Log will display information corresponding to the following:

Event Date/Time: The exact date and time of the detected event.
Event: Brief description of the detected event.
Correction: Not used in the Document Control feature.
Performed by: CimTrak User Account responsible for the detected event.
Modified by: Not used in the Document Control feature. Modifying users are recorded in the Performed by column.
Absolute Path: Document Control file affected by the detected event.
Completion Date/Time: Not used in the Document Control feature.
Event Code: Internal CimTrak Event Code corresponding to the detected event.

Figure 96: Document Control Event Log

Each Event Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

Emergency: System is unusable. Highest level of event.
Alert: Take action immediately.
Critical: Critical conditions have occurred.
Error: Error conditions.
Warning: Warning conditions.
Notice: Normal condition that requires attention.
Information: Informational message.
Debug: Debug-level message. Lowest level of event.

Specifics relating to message types are discussed in the appendix of this documentation.

Data displayed in the Management Console Event Log will not actively refresh as new events occur. Click the Refresh button to update the Event Log.

FILTERING AND SORTING THE MASTER REPOSITORY EVENT LOG

The Document Control Event Log can be filtered to only show events matching the specified criteria. Accessing the Document Control Event Log is accomplished by first clicking once on the Document Control in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Document Control Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled. Filters can be instantly cleared by clicking the Clear Filters button on the Document Control Event Log tab.

The Filters dialog is broken into three sections:

Configuration Tabs
Filter Criteria
Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING DOCUMENT CONTROL EVENT LOG FILTERS

The Document Control Event Log can be filtered to only show events matching the specified criteria. Accessing the Document Control Event Log is accomplished by first clicking once on the Document Control in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Document Control Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Comparison: Comparison operator
Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 97: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an And operator appended to the rule. To change the operator, click the operator to be changed to display the operator dropdown. Select the appropriate operator.

Figure 98: Operator selection dropdown

Additional operator types include:

And
Or
And Not
Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate group membership.

Figure 99: Grouped filters

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event log filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Management Console Event Log indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 100: Filtered Event Log data

SORTING THE DOCUMENT CONTROL EVENT LOG

The Document Control Event Log can be sorted by any column using the Filters dialog. Accessing the Document Control Event Log is accomplished by first clicking once on the Document Control in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To sort the information displayed in the Document Control Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in sort configuration mode the following dropdowns are available:

Field: Event Log column
Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 101: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section.

Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The Management Console Event Log indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 102: Filtered Event Log data

MASTER REPOSITORY DOCUMENT CONTROL GENERATIONS

The Document Control Generation Tab provides revision information for changes occurring to files and folders contained in a Document Control. Accessing the Document Control Generations Tab is accomplished by first clicking once on the Document Control in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

The Generation Tab is broken into two sections:

Revisions Table
Revision Details

Figure 103: Document Control Generation Tab

The Revisions Table displays overview information relating to each generation revision. Selecting a specific generation revision in the Revision Table will populate the corresponding information in the Revision Details section.

Information in the Revisions Table includes:

Revision: Primary revision number indicating the number of the generation.
Sub-revision: Secondary revision number indicating the number of events that have occurred since the primary generation was created.
Date/Time: Date and time associated with the creation of the revision or sub-revision.
Changed by: The CimTrak User account responsible for the creation of the revision or sub-revision.
# of Dirs: Quantity of directories contained in the revision or sub-revision.
# of Files: Quantity of files contained in the revision or sub-revision.
Total Size (bytes): The total amount of disk space utilized by the contents of the revision or sub-revision.

The Revision Details section displays detailed information relating to a revision or sub-revision. The Revision Details section has three tabs:

Revision Information: Details of the revision or sub-revision such as the date of the revision, revising user account, number of revisions, number of sub-revisions, number of files, number of directories, and notes.
Details: Complete list of all files and folders contained in a generation. Files and folders indicate their generation status such as Added, Deleted, and Modified.
Change from Previous: Partial file list showing what files were Added, Deleted or Modified in the selected generation.

DOWNLOADING COPIES OF DOCUMENT CONTROL GENERATIONS

Each file stored in a Document Control generation has the capability to be downloaded and copied to a local system. A Document Control generation can be accessed by first clicking once on the Document Control in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

Copies of generation data can be downloaded by right-clicking on the Revisions Table generation and selecting Download from the context menu. Additionally, copies of generation data can also be downloaded from the Revision Details Details tab or Change from Previous tab by right-clicking on the file or folder to download and then clicking Download.

If the Private Key feature has been enabled, the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 104: Enter Private Key dialog

VIEWING AND COMPARING CONTENT OF DOCUMENT CONTROL GENERATIONS

Files stored in a Document Control generation have the capability to be viewed and compared with other generations. A Document Control generation can be accessed by first clicking once on the Document Control in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

To view the non-binary file contents associated with a file, select either the Details or Change from Previous tab in the Document Control Generation Revision Details section. Right-click on the file and then select View. The File View dialog will display.

Figure 105: File View dialog (non-binary)

To view the binary file contents associated with a file, right-click on the file and then select View as Binary.

Figure 106: File View dialog (binary)

Click Close to exit the File View dialog.

If the Private Key feature has been enabled, the viewing user will be prompted to enter a valid private key. See section for more information.

Figure 107: Enter Private Key dialog

The Document Control component function has the capability to compare previous file generations with the current state of the file stored within the Document Control to the local system.

To compare a file, click the Document Control node in the Management Console Object Group Tree. The Information Display Area will change to show the Document Control Directory/File dialog. Select the file to compare with by clicking once on the file. To compare the file, from either the Details or Change from Previous tab, right-click on the file and then select either Compare with Other Generation or Compare with Authoritative Copy (current).

If Compare with Other Generation is selected the Select File to Compare Against dialog will display. Select the generation to compare with by clicking once on the revision. Click OK to perform the comparison or click Cancel to abort the comparison process. The File Comparison Results dialog will display.

Figure 108: File to Compare Against dialog

In the event Compare with Authoritative Copy (current) is selected the File Comparison Results will display.

If the Private Key feature has been enabled, the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 109: Enter Private Key dialog

Figure 110: File Comparison Results dialog

Click the Close button to exit the File Comparison Results dialog. The File Comparison Results dialog is explained in detail in section

DEPLOYING (ROLLING BACK) DOCUMENT CONTROL GENERATIONS

Files stored in a Document Control generation have the capability to be deployed back. A Document Control generation can be accessed by first clicking once on the Document Control in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

To deploy (roll back) a generation, select the generation in the Generation Tab Revisions Table, right-click, and then select Deploy. The Confirm Deploy dialog will display, warning that deploying will overwrite everything in the Document Control with the content of this generation. Click Yes to proceed or No to cancel.

Figure 111: Confirm Deploy dialog

Upon clicking Yes on the Confirm Deploy dialog the Notes dialog will appear. Enter any administrative notes relating to this deployment and then click OK. Click Cancel to abort the deployment.

Figure 112: Notes dialog

A new generation revision will be created with the rolled-back content. This newly created generation is the current generation.

MASTER REPOSITORY DOCUMENT CONTROL NOTES

The Document Control Notes Tab allows CimTrak users the capability to enter administrative notes. Accessing the Document Control Notes Tab is accomplished by first clicking once on the Document Control in the Object Group Tree to select it followed by clicking the Notes tab in the Management Console Information Display Area.

The Notes Tab is broken into two sections:

Toolbar
Form

The Toolbar allows authorized CimTrak users to perform various management functions relating to administrative notes.

Figure 113: CimTrak Notes Toolbar

The functionality associated with each Toolbar option is as follows. Please note that the functionality associated with the Toolbar option is dependent on the quantity of notes and the selected note.

New: Create a new Document Control Note.
Duplicate: Copy the current note and open the copy for editing.
Save: Save the note.
Cancel: Cancel the note.
First: Proceed to the first, oldest note.
Previous: Go back one note.
Next: Go forward one note.
Last: Proceed to the last, newest note.

The Form section allows for the CimTrak User to enter the note data. Notes may be between 1 and 4000 characters. Once the note has been entered it is necessary to save the note by clicking the Save button in the Notes Toolbar. Aborting the creation of a note is possible by clicking the Cancel button. Navigating previously saved notes is possible using the First, Previous, Next, and Last buttons.

Figure 114: Document Control Notes dialog

To create a note click the New button in the Notes Toolbar. Enter the note content in the Notes form box. When completed click the Save button.

Viewing of a particular note can be made private to the creating user by selecting the Private checkbox in the Notes dialog. Once a note has been created it cannot be made private.

Once a note has been created and saved it cannot be deleted.

MASTER REPOSITORY DOCUMENT CONTROL PERMISSIONS

Document Control Object Groups can be configured to restrict access based on permission settings. Additionally, event notifications can be configured to notify CimTrak Users about events relating to the Document Control.

Accessing Document Control permissions is accomplished by first clicking once on the Document Control in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

By default each Document Control will have the following permissions:

Administrators
  Create Objects: Create Document Control Object Groups.
  Edit: Check out/check in/edit document control contents.
  Lock: Enable active monitoring of Object Group Data (not used in Document Control)
  Reports: View reports relating to Document Control contents.
  Unlock: Disable active monitoring of Object Group Data (not used in Document Control)
  View: View contents and configurations relating to the Document Control.

Auditors
  Reports: View reports relating to Document Control contents.
  View: View contents and configurations relating to the Document Control.

Installers
  Attach CimTrak Agents to a Master Repository (not used in Document Control)

Figure 115: Document Control Security Permissions dialog

Default access permissions associated with the Administrators, Auditors, and Installers User Groups cannot be changed. It is possible to modify alert notices for Administrator and Auditor user groups. Available alert types include:

Emergency
Alert
Critical
Error
Warning
Notice
Information

Additional information relating to these alert types is described in a subsequent section.

MODIFYING AN EXISTING USER/GROUP DOCUMENT CONTROL PERMISSIONS

It is possible to modify existing user and group Document Control Permissions and notification settings. Accessing Document Control permissions is accomplished by first clicking once on the Document Control in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

Select the existing user or group by clicking once on the CimTrak User or Group name in the Group or User Names section of the Security Permissions dialog. The Permissions section of the Security Permissions dialog will update to show the permissions currently assigned to the selected user or group.

Selecting a group will apply the selected permissions and E-mail notification settings to all members of the group. Selecting a single user will apply the selected permissions and notification settings to only that single user account.

To add or remove permissions click the Allow or Deny checkbox corresponding to the permission being configured. Available permissions include:

Create Objects: Create Document Control Object Groups.
Edit: Check out/check in/edit document control contents.
Lock: Enable active monitoring of Object Group Data (not used in Document Control)
Reports: View reports relating to Document Control contents.
Unlock: Disable active monitoring of Object Group Data (not used in Document Control)
View: View contents and configurations relating to the Document Control.
Emergency: Receive alerts relating to emergency level notifications.
Alert: Receive alerts relating to alert level notifications.
Critical: Receive alerts relating to critical level notifications.
Error: Receive alerts relating to error level notifications.
Warning: Receive alerts relating to warning level notifications.
Notice: Receive alerts relating to notice level notifications.
Information: Receive alerts relating to information level notifications.

To apply the permission settings to all children objects (not applicable in Document Control), ensure that the Apply permissions to children recursively checkbox is selected.

When completed, click OK to apply the permission and alert settings. Click Cancel to abort the security permission configuration.

Permissions and notification settings can be inherited from parent objects (such as the Master Repository) if the permissions are created at a parent level. Permissions and notification settings are not automatically inherited for new objects. It will be necessary to manually assign the permissions and notification settings to the object.

ADDING AND REMOVING USERS AND GROUPS TO DOCUMENT CONTROL PERMISSIONS

It is possible to add additional users and groups to the Security Permissions dialog so that Document Control Permissions and notification settings can be assigned or changed. Accessing Document Control permissions is accomplished by first clicking once on the Document Control in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

To add a new local CimTrak User or Group, click the Add button. The Add Users dialog will display listing all available local users and groups.

Figure 116: Add Users dialog

Select the local CimTrak User or Group to add by selecting the checkbox to the left of the name. Click OK to add the User or Group. Click Cancel to abort the addition process. The selected user or group will now display in the Group or User Names section of the Security Permissions dialog.

The User or Group is now available to have permissions and notification settings assigned. See section for more information.

To add a new Active Directory/LDAP user, click the Add LDAP button. The Search AD/LDAP Server dialog will display. Select the domain to add the user(s)/group(s) from by clicking the Domain drop down. If the user(s) intended for addition belong to a specific domain group, enter the appropriate domain group information in the Member of Group (optional) textbox.

Select the Search Groups checkbox to indicate that only domain groups should be searched. Select the Search Users checkbox to indicate that only domain users should be searched. Select both the Search Groups and Search Users checkboxes to indicate that both domain groups and domain users should be searched.

The Search String(s) textbox provides a space for entering the users or groups that should be searched for addition options. It is possible to search for multiple objects by separating each name/group with a semicolon. The following are syntax examples:

Display Name: John Smith
User Name: smith.john
Group Name: Domain Admins

Hovering over the blue example text will display syntax examples. Once the search criteria have been entered, click Search. Clicking Cancel will abort the AD/LDAP user search.

Figure 117: Example AD/LDAP Server search information

Available AD/LDAP user accounts/groups will display that match the search syntax provided. Click the checkbox located to the left of the user account/group intended for addition and then click OK to add the user/group. Clicking Cancel will abort the addition process.

Figure 118: Add Users dialog

Once the selected AD/LDAP user/group account has been added it will appear in the Group or User Names section of the Security Permissions dialog. The AD/LDAP User or Group is now available to have permissions and notification settings assigned. See section for more information.

MANAGING MASTER REPOSITORY PERMISSIONS

The CimTrak Master Repository can be configured to restrict access to children objects based on permission settings. Additionally, event notifications can be configured to notify CimTrak Users about events relating to the Master Repository and children objects.

Accessing Master Repository permissions is accomplished by first clicking once on the Repository Name/IP Address in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

By default each Area will have the following permissions:

Administrators
  Create Objects: Create Object Groups.
  Edit: Edit Object Group settings.
  Lock: Enable active monitoring of Object Group data.
  Reports: View reports relating to children objects.
  Unlock: Disable active monitoring of Object Group Data.
  View: View contents and configurations relating to children data.

Auditors
  Reports: View reports relating to children objects.
  View: View contents and configurations relating to children data.

Installers
  Attach CimTrak Agents to a Master Repository.

Default access permissions associated with the Administrators, Auditors, and Installers User Groups cannot be changed. It is possible to modify alert notices for Administrator and Auditor user groups. Available alert types include:

Emergency
Alert
Critical
Error
Warning
Notice
Information

Additional information relating to these alert types is described in a subsequent section.

Figure 119: Document Control Security Permissions dialog

MODIFYING EXISTING USER/GROUP PERMISSIONS

It is possible to modify existing user and group Permissions and notification settings. Accessing Master Repository permissions is accomplished by first clicking once on the Master Repository IP Address/Name in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

Select the existing user or group by clicking once on the CimTrak User or Group name in the Group or User Names section of the Security Permissions dialog. The Permissions section of the Security Permissions dialog will update to show the permissions currently assigned to the selected user or group.

Selecting a group will apply the selected permissions and E-mail notification settings to all members of the group. Selecting a single user will apply the selected permissions and notification settings to only that single user account.

To add or remove permissions click the Allow or Deny checkbox corresponding to the permission being configured. Available permissions include:

Create Objects: Create Object Groups.
Edit: Edit Object Group settings.
Lock: Enable active monitoring of Object Group data.
Reports: View reports relating to children objects.
Unlock: Disable active monitoring of Object Group Data.
View: View contents and configurations relating to children data.
Emergency: Receive alerts relating to emergency level notifications.
Alert: Receive alerts relating to alert level notifications.
Critical: Receive alerts relating to critical level notifications.
Error: Receive alerts relating to error level notifications.
Warning: Receive alerts relating to warning level notifications.
Notice: Receive alerts relating to notice level notifications.
Information: Receive alerts relating to information level notifications.

To apply the permission settings to all children objects, ensure that the Apply permissions to children recursively checkbox is selected.

When completed, click OK to apply the permission and alert settings. Click Cancel to abort the security permission configuration.

Permissions and notification settings can be inherited from parent objects (such as the Master Repository) if the permissions are created at a parent level. Permissions and notification settings are not automatically inherited for new objects. It will be necessary to manually assign the permissions and notification settings to the object.

ADDING AND REMOVING USERS AND GROUPS TO MASTER REPOSITORY PERMISSIONS

It is possible to add additional users and groups to the Security Permissions dialog so that Master Repository Permissions and notification settings can be assigned or changed. Accessing Master Repository permissions is accomplished by first clicking once on the Master Repository IP Address/name in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

To add a new local CimTrak User or Group, click the Add button. The Add Users dialog will display listing all available local users and groups.

Figure 120: Add Users dialog

Select the local CimTrak User or Group to add by selecting the checkbox to the left of the name. Click OK to add the User or Group. Click Cancel to abort the addition process. The selected user or group will now display in the Group or User Names section of the Security Permissions dialog.

The User or Group is now available to have permissions and notification settings assigned. See section for more information.

To add a new Active Directory/LDAP user, click the Add LDAP button. The Search AD/LDAP Server dialog will display. Select the domain to add the user(s)/group(s) from by clicking the Domain drop down. If the user(s) intended for addition belong to a specific domain group, enter the appropriate domain group information in the Member of Group (optional) textbox.

Select the Search Groups checkbox to indicate that only domain groups should be searched. Select the Search Users checkbox to indicate that only domain users should be searched. Select both the Search Groups and Search Users checkboxes to indicate that both domain groups and domain users should be searched.

The Search String(s) textbox provides a space for entering the users or groups that should be searched for addition options. It is possible to search for multiple objects by separating each name/group with a semicolon. The following are syntax examples:

Display Name: John Smith
User Name: smith.john
Group Name: Domain Admins

Hovering over the blue example text will display syntax examples. Once the search criteria have been entered, click Search. Clicking Cancel will abort the AD/LDAP user search.

Figure 121: Example AD/LDAP Server search information

Available AD/LDAP user accounts/groups that match the search syntax provided will display. Click the checkbox located to the left of the user account/group intended for addition and then click OK to add the user/group. Clicking Cancel will abort the addition process.

Figure 122: Add Users dialog

Once the selected AD/LDAP user/group account has been added it will appear in the Group or User Names section of the Security Permissions dialog. The AD/LDAP User or Group is now available to have permissions and notification settings assigned. See section for more information.

To delete all permissions for an existing user or group, select the User or Group in the Group or User Names section of the Security Permissions dialog and then click the Remove button.

MASTER REPOSITORY AREAS

CimTrak allows for the creation of logical Areas in the Management Console Object Group Tree. Areas are created to organize Document Control Objects and attached Agents in a logical order. Event logs, permissions, and reports can be run and configured in unison for all components contained within an Area.

CREATING AND DELETING MASTER REPOSITORY AREAS

CimTrak allows for the creation of logical Areas in the Management Console Object Group Tree. To create an Area, right-click on the Master Repository name/IP Address in the Management Console Object Group Tree and then select New Area. The Area dialog will display.

The Area dialog allows for the configuration of details relating to a CimTrak Area. The only required field is the Name textbox. All additional fields are optional. Populate the fields of the Area dialog and then click OK to create the Area. Click Cancel to abort the Area creation process.

Figure 123: Area dialog

The Area will display in the Object Group Tree.

Figure 124: Object Group Tree showing Area

Document Control Objects and CimTrak Agents can be added to the Area by right-clicking on the Document Control Object or CimTrak Agent, selecting Cut, right-clicking on the Area, and selecting Paste.

Optionally, Document Control Objects or CimTrak Agents can also be added to Areas by means of drag-and-drop. To drag-and-drop, click and hold on the Document Control Object or CimTrak Agent and then drag the selection to the Area icon. Once the selection is over the Area icon, let go of the mouse button.

Figure 125: Document Control showing multiple Areas with children

Objects can be removed from Areas by moving the component back to the Master Repository level.

To delete an Area, right-click on the Area and select Delete. The Confirm Delete dialog will display. Click Yes to delete the Area or No to abort the deletion.

Figure 126: Confirm Delete dialog

Deleting an Area containing Document Control Objects or Agents will also delete the contents of the Area. Deleting of Areas cannot be undone.

MODIFYING MASTER REPOSITORY AREA PROPERTIES

CimTrak allows for the editing of properties associated with logical Areas in the Management Console Object Group Tree. To edit the properties of an Area, right-click on the Master Repository name/IP Address in the Management Console Object Group Tree and then select Properties or click the Properties button on the Management Console Toolbar. The Area dialog will display.

Figure 127: Area dialog

The Area dialog allows for the configuration of details relating to a CimTrak Area. The only required field is the Name textbox. All additional fields are optional. Populate the fields of the Area dialog and then click OK to update the Area. Click Cancel to abort the Area creation process.

CimTrak Areas can be renamed by right-clicking the Area in the Management Console Object Group Tree and then selecting Rename.

MANAGING AREA PERMISSIONS

CimTrak Areas can be configured to restrict access to children objects based on permission settings. Additionally, event notifications can be configured to notify CimTrak Users about events relating to the Area and children objects.

Accessing Area permissions is accomplished by first clicking once on the Area in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

By default each Area will have the following permissions:

Administrators
    Create Objects: Create Object Groups.
    Edit: Edit Object Group settings.
    Lock: Enable active monitoring of Object Group data.
    Reports: View reports relating to children objects.
    Unlock: Disable active monitoring of Object Group Data.
    View: View contents and configurations relating to children data.

Auditors
    Reports: View reports relating to children objects.
    View: View contents and configurations relating to children data.

Installers
    Attach CimTrak Agents to a Master Repository.

Default access permissions associated with the Administrators, Auditors, and Installers User Groups cannot be changed. It is possible to modify alert notices for Administrator and Auditor user groups. Available alert types include:

Emergency
Alert
Critical
Error
Warning
Notice
Information

Additional information relating to these alert types is described in a subsequent section.

Figure 128: Area Security Permissions dialog

MODIFYING EXISTING USER/GROUP PERMISSIONS

It is possible to modify existing user and group Permissions and notification settings.

Accessing Area permissions is accomplished by first clicking once on the Master Repository IP Address/Name in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

Select the existing user or group by clicking once on the CimTrak User or Group name in the Group or User Names section of the Security Permissions dialog. The Permissions section of the Security Permissions dialog will update to show the permissions currently assigned to the selected user or group.

Selecting a group will apply the selected permissions and E-mail notification settings to all members of the group. Selecting a single user will apply the selected permissions and notification settings to only that single user account.

To add or remove permissions, click the Allow or Deny checkbox corresponding to the permission being configured. Available permissions include:

Create Objects: Create Object Groups.
Edit: Edit Object Group settings.
Lock: Enable active monitoring of Object Group data.
Reports: View reports relating to children objects.
Unlock: Disable active monitoring of Object Group Data.
View: View contents and configurations relating to children data.
Emergency: Receive alerts relating to emergency level notifications.
Alert: Receive alerts relating to alert level notifications.
Critical: Receive alerts relating to critical level notifications.
Error: Receive alerts relating to error level notifications.
Warning: Receive alerts relating to warning level notifications.
Notice: Receive alerts relating to notice level notifications.
Information: Receive alerts relating to information level notifications.

To apply the permission settings to all children objects, ensure that the Apply permissions to children recursively checkbox is selected. When completed, click OK to apply the permission and alert settings. Click Cancel to abort the security permission configuration.

Permissions and notification settings can be inherited from parent objects (such as the Master Repository) if the permissions are created at a parent level. Permissions and notification settings are not automatically inherited for new objects. It will be necessary to manually assign the permissions and notification settings to the object.

ADDING AND REMOVING USERS AND GROUPS TO AREA PERMISSIONS

It is possible to add additional users and groups to the Security Permissions dialog so that Area Permissions and notification settings can be assigned or changed.

Accessing Master Repository permissions is accomplished by first clicking once on the Master Repository IP Address/name in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

To add a new local CimTrak User or Group, click the Add button. The Add Users dialog will display listing all available local users and groups.

Figure 129: Add Users dialog

Select the local CimTrak User or Group to add by selecting the checkbox to the left of the name. Click OK to add the User or Group. Click Cancel to abort the addition process.

The selected user or group will now display in the Group or User Names section of the Security Permissions dialog. The User or Group is now available to have permissions and notification settings assigned. See section for more information.

To add a new Active Directory/LDAP user, click the Add LDAP button. The Search AD/LDAP Server dialog will display. Select the domain to add the user(s)/group(s) from by clicking the Domain drop down. If the user(s) intended for addition belong to a specific domain group, enter the appropriate domain group information in the Member of Group (optional) textbox.

Select the Search Groups checkbox to indicate that only domain groups should be searched. Select the Search Users checkbox to indicate that only domain users should be searched. Select both the Search Groups and Search Users checkboxes to indicate that both domain groups and domain users should be searched.

The Search String(s) textbox provides a space for entering the users or groups that should be searched for addition options. It is possible to search for multiple objects by separating each name/group with a semicolon. The following are syntax examples:

Display Name: John Smith
User Name: smith.john
Group Name: Domain Admins

Hovering over the blue example text will display syntax examples. Once the search criteria have been entered, click Search. Clicking Cancel will abort the AD/LDAP user search.

Figure 130: Example AD/LDAP Server search information

Available AD/LDAP user accounts/groups that match the search syntax provided will display. Click the checkbox located to the left of the user account/group intended for addition and then click OK to add the user/group. Clicking Cancel will abort the addition process.

Figure 131: Add Users dialog

Once the selected AD/LDAP user/group account has been added it will appear in the Group or User Names section of the Security Permissions dialog. The AD/LDAP User or Group is now available to have permissions and notification settings assigned. See section for more information.

To delete all permissions for an existing user or group, select the User or Group in the Group or User Names section of the Security Permissions dialog and then click the Remove button.

AREA EVENT LOG

The Area Event Log provides audit information relating to events occurring in the Area and objects connected to the Area.

Accessing the Area Event Log is accomplished by first clicking once on the Area name in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

The Area Event Log displays details of all events that have occurred on the Area and objects connected to the Area. The level of detail displayed is dependent on the auditing level configured in the Master Repository Properties Log Administrative DB Changes. See section for additional information.

For each recorded event, the Area Event Log will display information corresponding to the following:

Event Date/Time: The exact date and time of the detected event.
Event: Brief description of the detected event.
Correction: The action taken on the detected event.
Performed by: CimTrak User Account responsible for the detected event.

Modified by: File System User responsible for the detected event.
Absolute Path: File path affected by the detected event.
Completion Date/Time: Date and time the correction response completed.
Event Code: Internal CimTrak Event Code corresponding to the detected event.
Path: Object Tree Path to the affected CimTrak object.

Figure 132: Area Event Log

Each Event Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

Emergency: System is unusable. Highest level of event.
Alert: Take action immediately.
Critical: Critical conditions have occurred.
Error: Error conditions.
Warning: Warning conditions.
Notice: Normal condition that requires attention.
Information: Informational message.
Debug: Debug-level message. Lowest level of event.

Specifics relating to message types are discussed in a subsequent section.

Data displayed in the Area Event Log will not actively refresh as new events occur. Click the Refresh button to update the Event Log.

FILTERING AND SORTING THE AREA EVENT LOG

The Area Event Log can be filtered to only show events matching the specified criteria.

Accessing the Area Event Log is accomplished by first clicking once on the Area in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Area Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled. Filters can be instantly cleared by clicking the Clear Filters button on the Area Event Log tab.

The Filters dialog is broken into three sections:

Configuration Tabs
Filter Criteria
Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING AREA EVENT LOG FILTERS

The Area Event Log can be filtered to only show events matching the specified criteria.

Accessing the Area Event Log is accomplished by first clicking once on the Area in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Area Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Comparison: Comparison operator
Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 133: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an and operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 134: Operator selection dropdown

Additional operator types include:

And
Or
And Not
Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group members.

Figure 135: Grouped filters

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event log filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Area Event Log indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 136: Filtered Event Log data

SORTING THE AREA EVENT LOG

The Area Event Log can be sorted by any column using the Filters dialog.

Accessing the Area Event Log is accomplished by first clicking once on the Area name in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To sort the information displayed in the Area Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 137: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section.

Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The Area Event Log indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 138: Filtered Event Log data

AREA NOTES

The Area Notes Tab allows CimTrak users to enter administrative notes.

Accessing the Area Notes Tab is accomplished by first clicking once on the Area name in the Object Group Tree to select it followed by clicking the Notes tab in the Management Console Information Display Area.

The Notes Tab is broken into two sections:

Toolbar
Form

The Toolbar allows authorized CimTrak users to perform various management functions relating to administrative notes.

Figure 139: CimTrak Notes Toolbar

The functionality associated with each Toolbar option is as follows. Please note that the functionality associated with the Toolbar option is dependent on the quantity of notes and the selected note.

New: Create a new Master Repository Note.
Duplicate: Copy the current note and open the copy for editing.
Save: Save the note.
Cancel: Cancel the note.
First: Proceed to the first, oldest note.
Previous: Go back one note.
Next: Go forward one note.
Last: Proceed to the last, newest note.

The Form section allows for the CimTrak User to enter the note data. Notes may be between 1 and 4000 characters. Once the note has been entered it is necessary to save the note by clicking the Save button in the Notes Toolbar. Aborting the creation of a note is possible by clicking the Cancel button. Navigating previously saved notes is possible using the First, Previous, Next, and Last buttons.

To create a note click the New button in the Notes Toolbar. Enter the note content in the Notes form box. When completed click the Save button.

Viewing of a particular note can be made private to the creating user by selecting the Private checkbox in the Notes dialog. Once a note has been created it cannot be made private. Once a note has been created and saved it cannot be deleted.

Figure 140: Area Notes dialog

AREA OVERVIEW

The Area Overview Tab allows authorized CimTrak users to view system resource utilization for attached CimTrak Agents.

Accessing the Overview tab is accomplished by first clicking the Area name in the Management Console Object Group Tree and then clicking the Overview Tab in the Information Display Area.

The Area Overview displays information corresponding to CimTrak Agents belonging to the selected Area. Information includes:

Server/Device: Name of the CimTrak Agent.
Host Name/IP: IPv4 or IPv6 IP Address associated with the attached CimTrak Agent.
% CPU Utilization: Percentage of CPU utilized on the attached CimTrak Agent.
% Physical Memory Utilization: Percentage of physical memory utilized on the attached CimTrak Agent.

Figure 141: Area Overview

4.7. MASTER REPOSITORY TEMPLATES

Certain CimTrak components, such as Agents, have the capability to store preconfigured policies in the form of Templates. Templates can be imported, exported, and deleted to/from Master Repositories.

Template maintenance is performed using the Template Maintenance dialog accessed from the CimTrak Management Console Menu Bar by clicking View Templates.

Figure 142: Template Maintenance

By default, CimTrak is preconfigured with a CimTrak File System Agent Windows Directory template. Using templates to create Object Groups is discussed in subsequent sections.

IMPORTING MASTER REPOSITORY TEMPLATES

CimTrak has the capability to import Object Group Templates from other Master Repositories. Importing of Templates is performed using the Template Maintenance dialog accessed from the CimTrak Management Console Menu Bar by clicking View Templates.

To import a single template or multiple templates click the Import button. The Import Template(s) dialog will display. Click the Add button to browse the file system for CimTrak templates. The Open File dialog will display. Select the template file and then click Open to import the template or Cancel to abort the import process.

Figure 143: Template Open dialog

The selected template will display in the Import Template(s) dialog. Click Add to add additional templates or Remove to remove templates. When completed click OK to return to the Templates Maintenance dialog. Clicking Cancel will abort the import process.

Select the Private checkbox to make the imported template only accessible to your CimTrak user account.

Figure 144: Import Template(s) dialog

The Template Maintenance dialog will now display the template that was added. Click Close to exit the Template Maintenance dialog.

Figure 145: Template Maintenance dialog

EXPORTING MASTER REPOSITORY TEMPLATES

CimTrak has the capability to export Object Group Templates from the Master Repository. Exporting of Templates is performed using the Template Maintenance dialog accessed from the CimTrak Management Console Menu Bar by clicking View Templates.

To export a single template or multiple templates select the appropriate templates and then click the Export button. The Browse for Folder dialog will display asking where to save the selected template(s). Navigate the file system for the intended location and then click OK to save the template(s). Clicking Cancel will abort the export process.

Figure 146: Browse for Folder dialog

Exported templates can be imported into another Master Repository using the Import feature discussed in section. Optionally, exported templates can be modified in a text editor to enable custom configurations. Modifying of templates is discussed in section.

CUSTOMIZING EXPORTED MASTER REPOSITORY TEMPLATES

It is possible to modify Object Group Templates that have been exported from the Master Repository. Once a Template has been modified it can then be imported into a Master Repository. Exporting of Templates is explained in section. Importing of Templates is explained in section.

Templates created for CimTrak File System Agent monitoring of Microsoft Windows operating system folders can be customized to include environment variables. The use of environment variables is important when deploying templates across multiple systems that may not have consistent file system structures. For example, one system's Windows Directory may be C:\WINNT while another may be C:\Windows. Customizing the Template with environment variables can help facilitate this scenario.

After exporting the Template open it in a text editor. Navigate to the line beginning with the path parameter. If the path parameter value is C:\Windows change it to <WindowsDirectory>. Save the changes and import the template back into the Master Repository. This template can now be used to monitor the Windows directory in any supported version of Microsoft Windows.

Additional environment variables exist for additional customization.

Environment Variable        Windows 2000 Example    Windows XP Example
<SystemDirectory>           C:\WINNT\system32       C:\Windows\system32
<WindowsDirectory>          C:\WINNT                C:\Windows
<SystemWindowsDirectory>    C:\WINNT                C:\Windows

Table 1: Template Environment Variables

Additionally, templates can be customized using regular expressions. If a Template is used to create an Object Group, and the Template has specified files and folders to be excluded, the files within the locked folder that match the excluded files in the Template are automatically excluded. However, the excluded entries are case sensitive. For example, if the Template file lists C:\data\exclude.txt as an excluded file, and the actual filename path is C:\data\Exclude.txt, the file will not be excluded.

It is possible to modify the Template, replacing the static path and filename of a file with dynamic Regular Expressions. This will make the Excluded file or directory case insensitive. For example, the case sensitive path and filename:

Excludepath1 = C:\WINDOWS\system32\
Excludefile1 = wpa.dbl
Excludetype1 = File

can be modified to a case insensitive path and filename:

Excludepath1 = [a-zA-Z]:\\.+\\[Ss][Yy][Ss][Tt][Ee][Mm]32\\
Excludefile1 = [Ww][Pp][Aa]+\.[Dd][Bb][Ll]$
Excludetype1 = Regular Expression

Please note that the first entry set specifically lists the exact path of the file; the second lists a Regular Expression wildcard path before the \system32\ directory. Using wildcards the wpa.dbl file can be locked in various versions of Windows.
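The difference between the two entry sets above, as an added example that is not CimTrak code: a short Python script parses a constructed template fragment, tests sample paths against each exclusion, and builds a narrower case-insensitive rule for comparison. The entry numbering, the helper names and the matching semantics (unanchored search, path rule applied to the directory, file rule applied to the file name) are assumptions, since this guide does not describe how CimTrak evaluates these rules.

```python
import re

# Constructed template fragment: entry 1 is the static rule and entry 2 the
# Regular Expression rule from the example above (numbering is an assumption).
TEMPLATE_TEXT = r"""
Excludepath1 = C:\WINDOWS\system32\
Excludefile1 = wpa.dbl
Excludetype1 = File
Excludepath2 = [a-zA-Z]:\\.+\\[Ss][Yy][Ss][Tt][Ee][Mm]32\\
Excludefile2 = [Ww][Pp][Aa]+\.[Dd][Bb][Ll]$
Excludetype2 = Regular Expression
"""

LINE_RE = re.compile(r"\s*Exclude(path|file|type)(\d+)\s*=\s*(.*?)\s*$")


def parse_excludes(text):
    """Group Excludepath/Excludefile/Excludetype lines by their trailing number."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            field, index, value = m.group(1), int(m.group(2)), m.group(3)
            entries.setdefault(index, {})[field] = value
    return entries


def is_excluded(entry, full_path):
    """Assumed semantics: a File rule is an exact, case-sensitive comparison;
    a Regular Expression rule is an unanchored search of the directory
    (with trailing backslash) and of the file name."""
    directory, sep, name = full_path.rpartition("\\")
    directory += sep
    if entry["type"] == "File":
        return directory == entry["path"] and name == entry["file"]
    return (re.search(entry["path"], directory) is not None
            and re.search(entry["file"], name) is not None)


def ci(text):
    """Rewrite literal text as [Xx] character classes, escaping everything else."""
    return "".join(
        "[%s%s]" % (c.upper(), c.lower()) if c.isalpha() else re.escape(c)
        for c in text
    )


def strict_regex_entry(path, filename):
    """Case-insensitive rule that still names exactly one directory and file."""
    return {
        "path": "^" + ci(path) + "$",
        "file": "^" + ci(filename) + "$",
        "type": "Regular Expression",
    }


# Constructed sample paths, including two the wildcard rule also matches.
SAMPLE_PATHS = [
    "C:\\WINDOWS\\system32\\wpa.dbl",
    "C:\\Windows\\System32\\WPA.DBL",
    "C:\\WINNT\\system32\\wpa.dbl",
    "D:\\share\\system32\\wpaaa.dbl",
    "C:\\Windows\\System32\\wpa.dbl.bak",
]


def audit(rules, paths):
    """Return {path: [names of the rules that would exclude it]}."""
    return {p: [n for n, r in rules.items() if is_excluded(r, p)] for p in paths}


if __name__ == "__main__":
    parsed = parse_excludes(TEMPLATE_TEXT)
    rules = {
        "static": parsed[1],
        "wildcard": parsed[2],
        "strict": strict_regex_entry("C:\\WINDOWS\\system32\\", "wpa.dbl"),
    }
    for path, hits in audit(rules, SAMPLE_PATHS).items():
        print("%-40s excluded by: %s" % (path, ", ".join(hits) or "none"))
```

Because an excluded file is not monitored, the extra matches of the wildcard form (any drive, any parent directory, a repeated "a" in the file name) are worth reviewing before the template is imported.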

5. Configuring and Using the CimTrak File System Agent

5.1. MANAGING THE CIMTRAK FILE SYSTEM AGENT FROM THE MANAGEMENT CONSOLE

Management of the CimTrak File System Agent requires that the Management Console is associated with the Master Repository and that a valid user account has been authenticated. For more information on associating the Management Console with the Master Repository please refer to section 3.2. For more information on authenticating with the Master Repository please refer to section 3.3.

Once authenticated with the Master Repository multiple configuration, customization, and reporting options are available through the Management Console.

File System Agents that have been installed and associated with the selected Master Repository will display in the CimTrak Management Console's Object Group Tree.

Figure 147: CimTrak File System Agent in Object Group Tree

The connection status of the CimTrak File System Agent can easily be determined by its associated icon.

Server Attached to Agent: The CimTrak Master Repository and CimTrak File System Agent are in direct communication. The File System Agent is currently selected in the Object Group Tree.
Server Communication Failure: The CimTrak Master Repository and CimTrak File System Agent are not communicating due to a communication failure.
Server Status Good: The CimTrak Master Repository and CimTrak File System Agent are in direct communication.

FILE SYSTEM AGENT PROPERTIES

The File System Agent Properties dialog allows authorized CimTrak users to perform administrative tasks relating to CimTrak File System Agent logging, throttling, heartbeat and statistic transmissions and health monitoring parameters.

Accessing the CimTrak File System Agent Properties dialog is accomplished by either right clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

The CimTrak Agent Configuration dialog consists of several functional sections including:

Description
Agent Throttling
Monitoring Parameters
License
Number of Events to Keep
DB Options
Poll Intervals

The functionality associated with these sections is explained in subsequent sections.

Figure 148: CimTrak Agent Configuration

CONFIGURING THE FILE SYSTEM AGENT DESCRIPTION PROPERTIES

The CimTrak File System Agent Description and associated information can be customized through the CimTrak Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Figure 149: File System Agent Description

File System Agent Description Information:

Name: Used to indicate a unique name for the File System Agent.
Date in Service: Optional Date and Time associated with the in-service date of the File System Agent.
Location: Optional File System Agent Location information.
Description: Optional File System Agent Description information.
URL: Optional URL information associated with the File System Agent.
Contact: Optional Contact information associated with the File System Agent.

Once all sections have been populated, click the OK button to save the File System Agent Description Information. Click Cancel to abort the File System Agent properties modification.

A File System Agent can be renamed by either changing the name in the Name textbox or by right-clicking the File System Agent in the Object Group Tree and selecting Rename.

CONFIGURING THE FILE SYSTEM AGENT LICENSE PROPERTIES

The CimTrak File System Agent License settings can be customized through the CimTrak Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.
170 CIMCOR CimTrak Integrity & Compliance Suite

The License section of the CimTrak Agent Configuration dialog allows for the selection of the Standard or Professional operation mode. The Standard license mode provides only monitoring capabilities. The Professional license mode provides for monitoring and optional restoration capabilities. Selection of the license mode is accomplished by clicking the associated radio button.

Figure 150: CimTrak Agent License settings

The license mode selected must match an available CimTrak license type. See section for more information on CimTrak licenses. Once the license mode has been selected, click the OK button to save the File System Agent properties configuration. Click Cancel to abort the File System Agent properties configuration.

CONFIGURING THE FILE SYSTEM AGENT LOG RETENTION PROPERTIES

The CimTrak File System Agent log retention settings can be customized through the CimTrak Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right-clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

The Number of Events to Keep section of the dialog allows for the configuration of File System Agent Event Log data retention. The event log can be configured to flush older records on a day interval or message quantity limit.

Figure 151: Number of Events to Keep settings

Days: The event log will automatically remove event messages older than the indicated value. Entering 0 will store event messages indefinitely. (Maximum Days: 10,000)
Quantity: The event log will automatically remove older event messages as the number of messages exceeds the indicated value. Entering 0 will store event messages indefinitely. (Maximum Quantity: 10,000)

Storing an unlimited number of events has the potential to exhaust all available disk space on the Master Repository and degrade system performance.

Once the data retention settings have been selected, click the OK button to save the File System Agent properties configuration. Click Cancel to abort the File System Agent properties configuration.

CONFIGURING THE FILE SYSTEM AGENT DISCONNECT WARNING

The CimTrak File System Agent must remain in communication with the Master Repository at all times. If configured, a failure to communicate with the Master Repository can generate an auditable event. Setting of disconnection notices is performed in the CimTrak Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right-clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

The DB Options section of the dialog allows for the configuration of Agent disconnection warnings. Warnings are generated if the Agent is out of communication with the Master Repository for a time period longer than the specified time in minutes. Accepted values (in minutes) include 1 through 4,194,304. Setting the Warn if Disconnected minute value to 0 disables the warning.

Figure 152: CimTrak Agent DB Options settings

The notification of the disconnect occurs at the nearest heartbeat transmission. For example, if a heartbeat is set to 30 seconds and the disconnect is set to 2 minutes, the alert will occur between 2 minutes and 2 minutes, 30 seconds, depending on where the event occurs in the heartbeat cycle.

Once the DB Options settings have been selected, click the OK button to save the File System Agent properties configuration. Click Cancel to abort the File System Agent properties configuration.

CONFIGURING THE FILE SYSTEM AGENT HEARTBEAT AND STATISTIC GATHERING INTERVAL

The CimTrak File System Agent must remain in communication with the Master Repository at all times. A heartbeat communication will occur between the File System Agent and the Master Repository to check that communication is still possible. The heartbeat interval is configurable in the CimTrak Agent Configuration dialog. Additionally, CimTrak Agent Statistics are gathered at a specified interval. Statistics are transmitted with the Heartbeat transmission. The statistics interval is configurable in the CimTrak Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right-clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Figure 153: CimTrak Agent Poll Intervals settings (defaults)

The Poll Intervals section of the CimTrak Agent Configuration dialog allows for the configuration of the heartbeat and statistics interval. All intervals are indicated in seconds. Accepted heartbeat intervals include 1 second through 300 seconds. Accepted statistics intervals include 1 second through 120 seconds.

Once the Poll Intervals settings have been selected, click the OK button to save the File System Agent properties configuration. Click Cancel to abort the File System Agent properties configuration.

CONFIGURING THE FILE SYSTEM AGENT THROTTLE

The CimTrak File System Agent communications can be throttled to control the speed of communications with the Master Repository. This capability is useful in limiting network bandwidth requirements and CPU cycles on the Agent host operating system. Setting of Agent Throttling is performed through the CimTrak Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right-clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Figure 154: File System Agent Throttling settings

Setting Agent Throttling does not delay the remediation capabilities of the File System Agent. The Throttle is applied to communication transfer relating to events. The Throttle indicates the wait time between file transmissions and/or 60 KB data transmission. The Throttle applies to the following scenarios:
Sending Watch Data and Files to the Master Repository
Syncing Watch Directories
Locking Directories

Sliding the Agent Throttling slider to the left reduces the throttling (speeds up communications). Sliding the Agent Throttling slider to the right increases the throttling (slows down communications). By default, the Agent Throttling is set one tick right of Off.

Once the Agent Throttling settings have been selected, click the OK button to save the File System Agent properties configuration. Click Cancel to abort the File System Agent properties configuration.

FILE SYSTEM AGENT MONITORING PARAMETERS

The CimTrak File System Agent Monitoring Parameters allow for the configuration of system health monitoring. Agent Monitoring Parameters are configured through the Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right-clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Figure 155: Agent Monitoring Parameters

The addition, editing, and deletion of monitoring parameters is explained in subsequent sections.

ADDING FILE SYSTEM AGENT MONITORING PARAMETERS

The CimTrak File System Agent Monitoring Parameters allow for the configuration of system health monitoring. Adding Agent Monitoring Parameters is performed through the Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right-clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Click the Add button in the Monitoring Parameters section. The Agent Monitor Parameters dialog will display.

Figure 156: Agent Monitor Parameters dialog

The Agent Monitor Parameters dialog allows for the configuration of host health monitoring by monitoring the utilization of host devices. The list of available devices is host dependent. Generally, devices available for monitoring include:
Network Adapter Bandwidth Utilization
CPU Processor Utilization
Disk Space Utilization
Memory Utilization

Each selected device has the capability to define specific monitoring rules. Monitoring rules include the condition to monitor, the percentage of utilization, and the time interval of measured utilization. Each monitoring rule is described in the following information:

Condition: The comparison to use against the alarm value percent.
Equal
Greater Than
Greater Than or Equal
Less Than
Less Than or Equal
Alarm Percent: The threshold at which the alarm will generate an event log message. Acceptable values between 1 and 99 %.
After: The number of seconds that the specified condition must exist before the alarm generates an event log message. Acceptable values between 1 and 172,800 seconds.

After creating the monitoring rules click the OK button. Clicking Cancel will abort the creation of the monitoring rule. The created rule will now display in the Monitoring Parameters section of the CimTrak Agent Configuration dialog. It is possible to add additional monitoring rules by clicking the Add button and following the same steps. Click OK in the CimTrak Agent Configuration dialog to save the changes. Click Cancel to abort the changes.

Monitoring parameters will only generate a single event log message upon the initial triggering of the event. If the host has already exceeded the defined threshold when the monitoring parameter is created, no event will be generated. Notifications of monitored parameters that are not within the designated threshold are provided as Warning Events in the CimTrak Master Repository Level Event Log and via external reporting tools such as Syslog, SNMP, WebTrends, NitroSecurity Plugin Protocol, and SMTP (when configured).

Figure 157: CimTrak Event Log Performance Alert (Memory Utilization)

EDITING FILE SYSTEM AGENT MONITORING PARAMETERS

The CimTrak File System Agent Monitoring Parameters allow for the configuration of system health monitoring. Editing Agent Monitoring Parameters is performed through the Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right-clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Select the device monitoring parameter and then click the Edit button in the Monitoring Parameters section. The Agent Monitor Parameters dialog will display showing the selected device.
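An added example (not CimTrak code) of how a monitoring rule's Condition, Alarm Percent and After fields combine with the single-message behaviour described in this guide. The class and function names, the sample data and the re-arming of a rule once its condition clears are assumptions; the guide does not say when a rule can alert again.

```python
import operator

# The five comparisons offered by the Condition field.
CONDITIONS = {
    "Equal": operator.eq,
    "Greater Than": operator.gt,
    "Greater Than or Equal": operator.ge,
    "Less Than": operator.lt,
    "Less Than or Equal": operator.le,
}


class MonitorRule:
    """One monitoring rule: device, Condition, Alarm Percent, After (seconds)."""

    def __init__(self, device, condition, alarm_percent, after_seconds,
                 percent_at_creation=None):
        if condition not in CONDITIONS:
            raise ValueError("unknown condition: %r" % condition)
        if not 1 <= alarm_percent <= 99:
            raise ValueError("Alarm Percent must be between 1 and 99")
        if not 1 <= after_seconds <= 172800:
            raise ValueError("After must be between 1 and 172,800 seconds")
        self.device = device
        self.condition = condition
        self.alarm_percent = alarm_percent
        self.after_seconds = after_seconds
        self._since = None  # time at which the condition started to hold
        # A host already past the threshold when the rule is created raises no event.
        self._armed = not (percent_at_creation is not None
                           and self._holds(percent_at_creation))

    def _holds(self, percent):
        return CONDITIONS[self.condition](percent, self.alarm_percent)

    def observe(self, now, percent):
        """Feed one utilization sample; return an event message or None."""
        if not self._holds(percent):
            self._since = None
            self._armed = True  # assumption: the rule re-arms once the condition clears
            return None
        if self._since is None:
            self._since = now
        if self._armed and now - self._since >= self.after_seconds:
            self._armed = False  # single message per triggering
            return "Warning: %s %s %d%% for %d s" % (
                self.device, self.condition, self.alarm_percent, self.after_seconds)
        return None


def alert_times(rule, samples):
    """Return the timestamps at which the rule produced an event."""
    return [t for t, pct in samples if rule.observe(t, pct) is not None]


# Constructed memory-utilization samples: (seconds, percent).
SAMPLES = [(0, 50), (10, 95), (20, 96), (30, 97), (40, 98), (50, 99),
           (60, 60), (70, 95), (80, 95), (90, 95), (100, 95), (110, 95)]

if __name__ == "__main__":
    rule = MonitorRule("Memory Utilization", "Greater Than", 90, 30)
    print(alert_times(rule, SAMPLES))
```

A spike shorter than the After value never alerts, and a sustained excursion alerts once no matter how long it lasts, which is why a rule created on a host that is already over the threshold stays silent.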

Figure 158: Agent Monitor Parameters dialog (device selected)

The Agent Monitor Parameters dialog allows for the configuration of host health monitoring by monitoring the utilization of host devices. The list of available devices is host dependent. Generally, devices available for monitoring include:
Network Adapter Bandwidth Utilization
CPU Processor Utilization
Disk Space Utilization
Memory Utilization

Each selected device has the capability to define specific monitoring rules. Monitoring rules include the condition to monitor, the percentage of utilization, and the time interval of measured utilization. Each monitoring rule is described in the following information:

Condition: The comparison to use against the alarm value percent.
Equal
Greater Than
Greater Than or Equal
Less Than
Less Than or Equal
Alarm Percent: The threshold at which the alarm will generate an event log message. Acceptable values between 1 and 99 %.
After: The number of seconds that the specified condition must exist before the alarm generates an event log message. Acceptable values between 1 and 172,800 seconds.

Modify the selected monitoring rule and then click the OK button. Clicking Cancel will abort the modification of the monitoring rule. It is possible to edit additional monitoring rules by selecting the rule to modify, clicking the Edit button and following the same steps. Click OK in the CimTrak Agent Configuration dialog to save the changes. Click Cancel to abort the changes.

Monitoring parameters will only generate a single event log message upon the initial triggering of the event. If the host has already exceeded the defined threshold when the monitoring parameter is created, no event will be generated. Notifications of monitored parameters that are not within the designated threshold are provided as Warning Events in the CimTrak Master Repository Level Event Log and via external reporting tools such as Syslog, SNMP, WebTrends, NitroSecurity Plugin Protocol, and SMTP (when configured).

Figure 159: CimTrak Event Log Performance Alert (Memory Utilization)

DELETING FILE SYSTEM AGENT MONITORING PARAMETERS

The CimTrak File System Agent Monitoring Parameters allow for the configuration of system health monitoring. Deleting Agent Monitoring Parameters is performed through the Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right-clicking on the File System Agent name in the Object Group tree and then selecting Properties or clicking on the File System Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Select the device monitoring parameter to delete and then click the Delete button in the Monitoring Parameters section. The selected device monitoring parameter will be deleted. It is possible to delete additional monitoring rules by selecting the rule to delete and then clicking the Delete button. Click OK in the CimTrak Agent Configuration dialog to save the changes. Click Cancel to abort the changes.

Deleting monitoring parameters is permanent and cannot be undone once OK is clicked in the CimTrak Agent Configuration dialog. No confirmation notice is displayed.

WORKING WITH FILE SYSTEM AGENT POLICIES

The File System Agent has the capability to monitor critical files and operating system configurations on the host system containing the File System Agent or remote file shares. For many monitored files and configurations, CimTrak has the capability to remediate detected changes.

The CimTrak File System Agent works by detecting additions, deletions, and modifications of files and configurations. Upon initial Object Group Policy configuration, CimTrak takes a snapshot of the files and configurations being monitored. The CimTrak File System Agent creates a cryptographic hash of the files and configurations being monitored and stores this calculated data in the CimTrak Master Repository. Once a known baseline has been determined, the CimTrak File System Agent monitors the file system and configurations to determine when a change occurs. The CimTrak File System Agent can send alerts of detected changes and remediation via the Master Repository's SNMP, SMTP, Syslog, WebTrends, and NitroSecurity Plug-in Protocol (when configured).

To enable monitoring the CimTrak File System Agent must have Object Group Policies created and enabled. The process of creating, editing, and performing additional Object Group Policy tasks is described in subsequent sections of this documentation.

CREATING AND EDITING OBJECT GROUP WATCH POLICIES

The File System Agent has the capability to monitor critical files and operating system configurations on the host system containing the File System Agent or remote file shares. For many monitored files and configurations, CimTrak has the capability to remediate detected changes. To enable monitoring the CimTrak File System Agent must have Object Group Policies created and enabled.

To create a new Object Group Watch Policy, select the File System Agent of the system to monitor by clicking it once in the Management Console's Object Group Tree, right-click and select New Object Group in the Context menu. Optionally, the process of creating a new Object Group Watch Policy can be initiated by selecting the File System Agent of the system to monitor by clicking it once in the Management Console's Object Group Tree, clicking the New dropdown button in the Menu Bar, followed by Object Group. The Object Group Properties dialog will display.

To edit an Object Group Watch Policy, select the Object Group Policy to modify by right-clicking its name in the Object Group Tree. Select Properties in the Context menu. Optionally, the process of creating a new Object Group Watch Policy can be initiated by selecting the Object Group name in the Management Console's Object Group Tree and then clicking the Properties button on the Menu Bar. The Object Group Properties dialog will display.

Once the Object Group has been created it will display in the CimTrak Management Console's Object Group Tree.

Figure 160: CimTrak Management Console's Object Group Tree Showing Object Groups

To enable monitoring of the Object Group it must be locked. Detailed information about creating Object Group Watch Policies and enabling/disabling monitoring is explained in subsequent sections.

OBJECT GROUP PROPERTIES

The process of creating a new or editing an Object Group Watch Policy can be initiated by selecting the File System Agent of the system to monitor by clicking it once in the Management Console's Object Group Tree, clicking the New dropdown button in the Menu Bar, followed by Object Group. The Object Group Properties dialog will display.

To edit an Object Group Watch Policy, select the Object Group Policy to modify by right-clicking its name in the Object Group Tree. Select Properties in the Context menu. Optionally, the process of creating a new Object Group Watch Policy can be initiated by selecting the Object Group name in the Management Console's Object Group Tree and then clicking the Properties button on the Menu Bar. The Object Group Properties dialog will display.

Figure 161: Object Group Properties dialog

The Object Group Properties dialog is comprised of several sections. Each of these sections has specific functionality relating to the monitoring performed by the File System Agent.
Object Information
Private Key Implementation
Monitoring Information
Operating System Tree
Watch Properties

File System Agent Object Information:

Object Information provides CimTrak Users and Administrators detailed information pertaining to the Object Group Watch Policy. The Object Group Name is the only required field. Object Group Names must be unique and may contain between 1 and 49 characters.

Figure 162: File System Agent Object Information

Object Group Name: Used to indicate a unique name for the File System Agent Object Group.
Location: Optional Object Group Location information.
Description: Optional Object Group Description information.
Date Put in Service: Optional Date and Time associated with the in-service date of the Object Group.
Contact: Optional Contact information associated with the Object Group.
URL: Optional URL information associated with the Object Group.
Notes: Optional dialog to enter administrative notes associated with the Object Group.

Optionally, the Object Group Watch Policy has the capability to require CimTrak Users and Administrators to enter notes when enabling monitoring of the Object Group Watch Policy. Enabling of required notes is performed by selecting the Require Notes on Lock checkbox.

Private Key Implementation:

Set Object Group Private Key: Password to protect against unauthorized viewing, adding, or changing of files monitored by the Object Group. See section for more information.

Figure 163: File System Agent Object Group Private Key Button

Monitoring Information:

Number of Changes to Keep: Number of added files/configurations to keep in the Change Log. A zero placed in this field indicates unlimited changes will be stored. Maximum accepted value of 10,000 changes.
Keep Change Size (in KB): The maximum file size an added file can be for it to be stored in the Change Log. Files exceeding this change size limit are still detected but cannot be compared or retrieved. Maximum accepted value of 4,194,304 KB.
Number of Revisions to Keep: Number of revisions to keep for each change to files and configurations monitored by the Object Group. A zero placed in this field indicates unlimited changes will be stored. Maximum accepted value of 10,000 revisions.
Warn if Unlocked (in minutes): Generate a notice if monitoring of the Object Group has been disabled for more than the indicated time. A zero placed in this field disables the warning. Maximum accepted value of 10,000 minutes.
Number of Events to Keep: Quantity or Days to store Object Group Event Log audit records. Maximum accepted value of 10,000 events.

Storing an unlimited number of events, revisions, or changes has the potential to exhaust all available disk space on the Master Repository and degrade system performance.

Figure 164: File System Agent Monitoring Information

Operating System Tree

The Operating System Tree, located at the lower left corner of the Object Group Properties dialog, contains a listing of all files, folders, and operating system configurations that can be monitored by the CimTrak File System Agent. The contents of the Operating System Tree are system specific. Additionally, external CimTrak Plug-ins attached to the File System Agent will appear in the Operating System Tree.

Figure 165: Microsoft Windows Operating System Tree

Selecting data to monitor is accomplished by checking the checkbox next to the system component. The contents of the Operating System Tree can be expanded or collapsed by clicking the + or - symbols corresponding with each monitor type. Selecting any monitor data causes the Watch Properties dialog to display. See a subsequent section for more information on setting Watch Properties.

Content that is monitored in the current Object Group is displayed in the File System Tree in a pink font color. Content that is monitored elsewhere is displayed in an orange font color.

Figure 166: Watch notifications

Microsoft Windows File System Agents have the capability to monitor:

Drivers: Drivers are specialized programs designed to run in the background of a system and to control specific hardware. This feature allows security professionals the capability to monitor drivers for changes, additions, or deletions. Remediation capability is not available for monitoring of system drivers. The recommended monitoring mode is Update Baseline. This feature supports polling detection.

Installed Software: Installed Software monitoring detects any software that has been installed using a standard installation tool. This mode displays any software that is registered in Microsoft Windows to display in the Add/Remove Programs dialog. This feature allows security professionals the capability to monitor if new or additional software has been installed or uninstalled. Remediation capability is not available for monitoring of installed software. The recommended monitoring mode is Update Baseline. This feature supports polling detection.

Network Shares: Monitoring of Network Shares allows security professionals the capability to monitor the share settings associated with files and folders on a Windows operating system. This mode allows for remediation of any detected changes. The recommended monitoring mode is Restore from Repository. This feature supports polling detection.

Registry: Windows Registry monitoring allows security professionals the capability to define a preset list of registry keys to monitor. CimTrak will detect any modifications to this preset list of keys or values. The recommended monitoring mode is Restore from Repository. This feature supports polling or real-time detection.

Security Policy: Monitoring of the local Security Policy allows security professionals the capability to monitor the settings associated with the local security policy. Local security policies are relevant even if the system is attached to a domain since the local security policies are executed before group policies. Locking the Security Policy helps ensure that the intended local security policies of an organization are maintained. The recommended monitoring mode is Update Baseline. This feature supports polling detection.

Services: Services are specialized programs designed to run in the background of a system. This feature allows security professionals the capability to monitor when new or additional services have been started or configurations of existing services have been modified. The recommended monitoring mode is Update Baseline. This feature supports polling detection.

System Groups: Monitoring of local system groups allows security professionals the capability to detect changes to all local user groups existing on the monitored system. CimTrak detects when groups are added, deleted, or modified. The recommended monitoring mode is Update Baseline. This feature supports polling detection.

System Users: Monitoring of local system users allows security professionals the capability to detect when local user accounts are added, deleted, or modified on the system. Using this feature is important even if the system is attached to a domain as additional or modified local user accounts can create a system vulnerability. The recommended monitoring mode is Update Baseline. This feature supports polling detection.

Local File System: Monitoring of the local file system will detect (and optionally remediate) any addition, deletion, or modification to files and folders on the monitored system. This feature supports polling or real-time detection.

Network File System: Using the optional Network Drive Enabler allows for the detection (and optionally remediation) of any addition, deletion, or modification to files and folders to monitored network share data. This feature supports polling detection.

Linux, UNIX, and Macintosh File System Agents have the capability to monitor:

System Groups: Monitoring of local system groups allows security professionals the capability to detect changes to all local user groups existing on the monitored system. CimTrak detects when groups are added, deleted, or modified. The recommended monitoring mode is Update Baseline. This feature supports polling detection.

System Users: Monitoring of local system users allows security professionals the capability to detect when local user accounts are added, deleted, or modified on the system. Using this feature is important even if the system is attached to a domain as additional or modified local user accounts can create a system vulnerability. The recommended monitoring mode is Update Baseline. This feature supports polling detection.

Local File System: Monitoring of the local file system will detect (and optionally remediate) any addition, deletion, or modification to files and folders on the monitored system. This feature supports polling or real-time detection.

Network File System: Monitoring of mounted shares allows for the detection (and optional remediation) of any addition, deletion, or modification to files and folders on monitored network shares. This feature supports polling detection.

Watch Properties

The Watch Properties section shows any currently monitored files, folders, and configurations. Additionally, excluded or included paths and files are displayed. The Watch Properties are explained in detail in subsequent sections.

OBJECT GROUP WATCH POLICY PRIVATE KEY

The process of creating an Object Group Private Key is accomplished during the creation of the Object Group or by editing the Object Group via the Object Group Properties dialog. The creation of a File System Agent Object Group is accomplished by right-clicking on the File System Agent IP Address in the Management Console Object Group Tree and then selecting New Object Group. See section for additional information. Editing of a File System Agent Object Group is possible by right-clicking on the Object Group in the Object Group Tree and clicking Properties. Click Set Object Group Private Key to create the Private Key. The Set Object Group Private Key dialog will appear.

Once the Object Group Private Key is created the Private Key cannot be changed.

The creation of an Object Group Private Key is optional but is recommended when it is necessary to conceal the contents of stored files from CimTrak users. The Object Group Private Key provides a secondary layer of security for the information monitored within a CimTrak Object Group. When a Private Key has been applied, all contents monitored within the Object Group are protected by an additional layer of encryption. If the CimTrak user attempts to compare Object Group contents, the user is prompted to enter the Private Key. Only by entering a valid Private Key can the contents of the Object Group be viewed or compared. Object Group Private Keys can be automatically inherited from the File System Agent, if configured during installation, or can be set per Object Group.

The Object Group Private Key only protects viewing of contents within CimTrak. If an unauthorized user is able to gain access to the file system the user will be able to view the contents of the files. Proper security measures are still necessary to prevent unauthorized access to system data.

In the event a Private Key has been applied to an Object Group the optional FTP Repository Interface will not be able to access the files stored within the Object Group.

In the event that a configured Private Key has been lost, it can *not* be recovered.

Figure 167: Set Object Group Private Key dialog

Populate the Private Key and Confirm Private Key textboxes with the intended Private Key and then click the OK button to accept the Private Key. Click Cancel to abort the Private Key creation process. When completed, click OK on the Object Group Properties dialog.

WATCH PROPERTIES

Selecting any object listed in the Object Group Properties File System Tree causes the Watch Properties dialog to display. See section for more information on accessing Object Group Properties.

Figure 168: Watch Properties dialog

The Watch Properties dialog allows for the configuration of detection and reaction parameters. The Watch Properties dialog is comprised of several different sections: Corrective Action Authoritative Copy File Comparison Method Store Changes Options Event Detection Method Connection Loss Auto Exclude

These sections are explained in detail in subsequent sections. After completing the Watch Properties configuration click OK to accept the changes or Cancel to abort and discard the changes. The Watch Properties dialog will close and the Object Group Properties dialog will display showing the configured Watch Properties in the Watch Properties section.

Figure 169: Watch Properties section showing monitored directory

CORRECTIVE ACTION

Defining the corrective action associated with a File System Agent Object Group Policy is accomplished through the Watch Properties dialog. CimTrak supports four primary modes of remediation when changes to modified files/configurations are detected. Additionally, CimTrak has the capability to perform customized remediation actions. Primary modes of remediation include:

Restore from Repository: Stored authoritative (original) data files are used to restore files and folders that have been changed.
Log: All detected change events are only logged. No authoritative (original) file data is stored.
Update Baseline: Changes are allowed to occur. Each change results in an incremental backup being performed on the watch data. When applicable, previous baselines can be pushed back to the monitored system.
Prompt for Approval: Changes are allowed to occur. The CimTrak Administrator is given the option to allow or undo the detected changes.

Optionally, the Custom configuration mode exists allowing for any combination of the primary modes of remediation. For example, when a file is added the administrator may choose to update the baseline; when a file is deleted the administrator may choose to restore the file; when a file is modified the administrator may choose to log the change.
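An added example (not CimTrak code) of the baseline-and-compare cycle this guide describes and of the Custom mapping given above: an added file updates the baseline, a deleted file is restored, a modified file is only logged. SHA-256, the directory used as a repository and all function names are assumptions of this sketch; the guide names no hash algorithm, and unlike the Log mode described above the sketch keeps an authoritative copy of every file.

```python
import hashlib
import os
import shutil
import tempfile


def file_hash(path):
    """SHA-256 of a file, read in chunks (the algorithm is an assumption)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each file under root (by relative path) to its hash."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = file_hash(full)
    return result


def take_baseline(root, repo):
    """Initial snapshot: store authoritative copies in repo, return the hashes."""
    shutil.copytree(root, repo, dirs_exist_ok=True)
    return snapshot(root)


def detect(baseline, current):
    """Classify every difference as an add, delete or change event."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append(("add", path))
        elif path not in current:
            events.append(("delete", path))
        elif baseline[path] != current[path]:
            events.append(("change", path))
    return events


def remediate(root, repo, baseline, events, policy):
    """Apply the corrective action chosen per event type; return an audit log."""
    log = []
    for kind, path in events:
        action = policy[kind]
        live, stored = os.path.join(root, path), os.path.join(repo, path)
        if action == "restore":
            if kind == "add":
                os.remove(live)  # file is not part of the baseline
            else:
                os.makedirs(os.path.dirname(live), exist_ok=True)
                shutil.copy2(stored, live)  # put the authoritative copy back
        elif action == "update_baseline":
            if kind == "delete":
                os.remove(stored)
                del baseline[path]
            else:
                os.makedirs(os.path.dirname(stored), exist_ok=True)
                shutil.copy2(live, stored)
                baseline[path] = file_hash(live)
        # "log": record the event and touch nothing
        log.append((kind, path, action))
    return log


# The Custom combination used as the example in the text above.
CUSTOM_POLICY = {"add": "update_baseline", "delete": "restore", "change": "log"}


def demo():
    """Run one detection cycle over constructed files in temporary directories."""
    root, repo = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        for name, text in (("app.conf", "mode=prod\n"), ("index.html", "<h1>ok</h1>\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        baseline = take_baseline(root, repo)
        # Constructed changes: one add, one delete, one modification.
        with open(os.path.join(root, "new.txt"), "w") as fh:
            fh.write("added\n")
        os.remove(os.path.join(root, "index.html"))
        with open(os.path.join(root, "app.conf"), "w") as fh:
            fh.write("mode=debug\n")
        events = detect(baseline, snapshot(root))
        log = remediate(root, repo, baseline, events, CUSTOM_POLICY)
        return events, log, detect(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo()` shows the practical consequence of a log-only action: the modified file still differs from the baseline after the cycle, so the drift persists until someone restores the file or accepts it into the baseline.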

Figure 170: Corrective Action Properties

Selection of the remediation mode is accomplished by selecting the corresponding radio button. Additional advanced remediation settings can be set by clicking the Advanced button. Clicking the Advanced button displays the Corrective Action Advanced Settings dialog. The Corrective Action Advanced Settings dialog allows for the configuration of custom corrective actions and the launching of system processes or scripts when a change is detected. Selecting the Custom radio button automatically opens the Corrective Action Advanced Settings dialog.

Figure 171: Corrective Action Advanced Settings

To modify the corrective action for each event type (On Change, On Delete, On Add), modify the contents of the associated Corrective Action dropdown. The Corrective Action dropdown allows for the selection of several corrective actions including:

Restore from Repository: Stored authoritative (original) data files are used to restore files and folders that have been changed.
Log: All detected change events are only logged. No authoritative (original) file data is stored.
Update Baseline: Changes are allowed to occur. Each change results in an incremental backup being performed on the watch data. When applicable, previous baselines can be pushed back to the monitored system.

Prompt for Approval: Changes are allowed to occur. The CimTrak Administrator is given the option to allow or undo the detected changes.
Ignore: Ignore the change. Take no action and do not log the event.

To configure the launching of a system process or script for each event type (On Change, On Delete, On Add), modify the contents of the associated Run textbox. Modifying the contents of the Run textbox is accomplished by clicking the Open button. The Open File dialog will display. Navigate the Agent File System to select the process or script to launch. To clear the Run textbox, click the Delete button.

Open button: The Open button is used to browse the File System Agent's file system for a process or script to launch when an event is detected.
Close button: The Close button is used to de-select the previously configured process or script launched when an event is detected.

Figure 172: Open File dialog

The Wait/Timeout configurations force CimTrak to wait for a selected script to finish before performing the selected corrective action. Selecting the Wait checkbox and populating the Timeout textbox will force the CimTrak File System Agent to wait the indicated timeout value (in seconds) before initiating the specified corrective action. If the selected script or file concludes before the timeout value, the timeout will expire when the script or file ends. Accepted timeout values are between 0 seconds (disabled) and 300 seconds.

Figure 173: Corrective Action Wait & Timeout Settings

Optionally, information can be passed by CimTrak to the launched application or script by enabling the Parameters checkbox associated with each event type (On Change, On Delete, On Add). CimTrak will pass the following information (if applicable) when this option is enabled:

ACTION CHANGE
ACTION ADD
ACTION DELETE
FILE path/filename

Scripts and applications can be designed to interpret this parameter information to perform additional external custom actions.

Figure 174: Corrective Action Parameters Settings

CIMCOR recommends Object Groups be monitored in Log Mode for a minimum of one week. This use of Log Mode assists with the determination of which settings to use for the various files, folders, and configurations that will be monitored.

AUTHORITATIVE COPY

Depending on the Corrective Action used, CimTrak has the capability to alter the storage of Authoritative Copy data. The Authoritative Copy refers to a saved copy of locked file system/configuration data stored in the Master Repository for the purpose of restoring files to the last known approved state. Additionally, Authoritative Copy data can be used to compare the contents of monitored files and configurations. Authoritative Copy data is compressed and stored in the Master Repository using the user-configured cryptology.

Figure 175: Authoritative Copy Parameter Settings
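For the Parameters option of the Corrective Action Advanced Settings described above, this is an added example (not CIMCOR code) of a script the Run textbox could point at; because the file name is chosen by whoever changed the monitored directory, the script validates it and records it as data instead of handing it to a shell. It assumes the values arrive as separate command-line tokens (ACTION <value> FILE <path>), which the guide does not specify, and the log file name is hypothetical.

```python
import json
import sys
from datetime import datetime, timezone

# ASSUMPTION: the agent invokes the script as
#   handler ACTION CHANGE FILE <path/filename>
# The guide lists these values but not the exact command-line layout.
ALLOWED_ACTIONS = {"CHANGE", "ADD", "DELETE"}   # the three values the guide lists
MAX_PATH_LEN = 4096                             # assumed sanity limit
LOG_PATH = "cimtrak_run_hook.jsonl"             # hypothetical log location


class BadParameters(ValueError):
    """Raised when the agent-supplied tokens do not look as expected."""


def parse_agent_args(argv):
    """Return {'action': ..., 'file': ...} from the tokens passed by the agent."""
    fields = {}
    i = 0
    while i < len(argv):
        key = argv[i].upper()
        if key == "ACTION" and i + 1 < len(argv):
            fields["action"] = argv[i + 1].upper()
            i += 2
        elif key == "FILE" and i + 1 < len(argv):
            # A path containing spaces may arrive unquoted and split into
            # several tokens, so FILE consumes the rest of the command line.
            fields["file"] = " ".join(argv[i + 1:])
            break
        else:
            raise BadParameters(f"unexpected token at position {i}")

    action = fields.get("action")
    if action not in ALLOWED_ACTIONS:
        raise BadParameters("missing or unknown ACTION")

    path = fields.get("file")          # FILE is passed only "if applicable"
    if path is not None:
        if not path or len(path) > MAX_PATH_LEN:
            raise BadParameters("FILE length out of range")
        # Control characters in a file name could forge extra log lines.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
            raise BadParameters("control character in FILE")
    return {"action": action, "file": path}


def build_record(argv, now=None):
    """Serialise one event as a JSON line; JSON escaping keeps the path inert."""
    params = parse_agent_args(argv)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return json.dumps({"time": stamp, "source": "cimtrak-run-hook", **params},
                      sort_keys=True)


def main(argv):
    try:
        line = build_record(argv)
    except BadParameters as exc:
        print(f"rejected agent parameters: {exc}", file=sys.stderr)
        return 2
    with open(LOG_PATH, "a", encoding="utf-8") as handle:
        handle.write(line + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

If the Wait checkbox is enabled for this event type, the script should finish well inside the configured timeout, which the guide limits to 300 seconds.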

The compression ratio used by CimTrak varies with the type of content being monitored (i.e., images, documents, text files). Generally, the authoritative copy data is stored with a 20-25% compression ratio.

The Restore from Repository and Prompt for Approval corrective actions must store Authoritative Copy data. All additional corrective actions allow for custom configurations for storing or not storing authoritative copy data. Corrective Action Authoritative Copy storage defaults include:

Restore from Repository: Enabled - Authoritative Copy data is stored. This option cannot be changed.
Log: Disabled - Authoritative Copy data is not stored.
Update Baseline: Enabled - Authoritative Copy data is stored.
Prompt for Approval: Enabled - Authoritative Copy data is stored. This option cannot be changed.
Custom: Dependent on the corrective action selected.

FILE COMPARISON METHOD

Each file, folder, and configuration monitored by CimTrak has a calculated hash value stored in the CimTrak Master Repository. The File Comparison Method parameter setting allows authorized CimTrak Administrators to modify the comparison algorithm used. By default the most powerful method is selected. The methods allowed vary based on the CimTrak Cryptology release.

Figure 176: File Comparison Method Parameter Settings

To change the File Comparison Method, select the method to use from the File Comparison Method dropdown.

STORE CHANGES

Depending on the Corrective Action used, CimTrak has the capability to alter the storage of change data. Change data refers to a saved copy of modified file system/configuration data stored in the Master Repository for the purpose of comparing the contents with the Authoritative Copy. Change data is compressed and stored in the Master Repository using the user-configured cryptology. The compression ratio used by CimTrak varies with the type of change stored (i.e., images, documents, text files). Generally, the change data is stored with a 20-25% compression ratio.

The Prompt for Approval and Update Baseline corrective actions must store Change data. All additional corrective actions allow for custom configurations for storing or not storing change data. Change data storage defaults include:

Restore from Repository: Enabled - Change data is stored.
Log: Disabled - Change data is not stored.
Update Baseline: Enabled - Change data is stored. This option cannot be changed.
Prompt for Approval: Enabled - Change data is stored. This option cannot be changed.
Custom: Dependent on the corrective action selected.

AUTO EXCLUDE

When creating an Object Group Watch Policy it is important to tune the configuration to exclude files that are dynamic and need to change. CimTrak has the capability to auto-tune the Watch Policy by automatically excluding files that change more times than the designated threshold and interval. The Auto Exclude threshold and interval are configured in the File System Agent Watch Properties dialog.

The Auto Exclude feature should only be enabled during the initial Object Group Policy tuning process. Leaving this feature enabled indefinitely could result in CimTrak missing legitimate system changes.

By default the Auto Exclude feature is disabled. To enable the Auto Exclude feature, specify the threshold by indicating the number of times a file or configuration is allowed to change over a specified time in minutes.

Figure 177: Auto Exclude parameter settings

Acceptable change values must be between 0 (disabled) and 1,000. The time value must be between 1 minute and 1,440 minutes.

OPTIONS

The CimTrak File System Agent Watch Properties has additional customization options available to reduce the number of detected false changes. These additional options are useful to allow CimTrak to function properly with backup utilities and source control utilities. Additionally, options exist to enable additional monitoring capabilities. The Option settings are available in the File System Agent Watch Properties dialog.

Figure 178: Options parameter settings

Option parameter settings are enabled by clicking the corresponding checkbox. Options are disabled when unchecked. The Options parameter settings allow for the custom configuration of the following:

Ignore Archive Flag: When checked, the CimTrak File System Agent will ignore any changes that occur to the archive flag.
Ignore Read-only Flag: When checked, the CimTrak File System Agent will ignore any changes that occur to the Read-only flag.
Log Reads: When checked, CimTrak has the capability to monitor specific files and folders for any form of access. Using this feature will generate audit events whenever a file is viewed or copied.

Logging of reads requires the File System Agent Forensic Driver. This driver is installed during the installation of the Windows File System Agent.

EVENT DETECTION METHOD

The CimTrak File System Agent has the capability to monitor Object Group Policies in real-time (when supported) or on a polling interval. Configuration of the Event Detection Method is available in the File System Agent Watch Properties dialog.

Figure 179: Event Detection Method parameter settings

Available event detection methods include:

Real-time Detection: Real-time Detection will report detected changes immediately when they are performed. The configured remediation mode will automatically initiate immediately upon the detection of a change.

Poll-based Detection: Poll-based Detection will report any changes that have occurred since the last poll-based scan. Acceptable values range between 0 (poll only when force-synced) and 1,440 minutes.

The Windows File System Agent Forensic Driver will not show forensic assisting information for changes detected using the Poll-based Detection.

Scheduled polling is accomplished by setting the Poll-based Detection interval to 0 and scripting the synchronization using the CimTrak Command Line Interface. These scripts can then be scheduled using Windows Task Scheduler or Linux/UNIX Cron jobs. The Command Line Interface is explained in section

CONNECTION LOSS

Occasionally the CimTrak Master Repository may lose connectivity with attached File System Agents due to network errors or mobile devices. When this occurs, the option exists to automatically perform Object Group synchronization when the connection is re-established. The Connection Loss settings are available through the Object Group Properties Watch Properties dialog.

Figure 180: Connection Loss parameter settings

To enable synchronization after a connection loss, select the User Approval on Sync checkbox. To disable synchronization, de-select the User Approval on Sync checkbox. When User Approval on Sync is enabled, the CimTrak Administrator is prompted for the desired action to take on detected changes made during the non-connectivity period. The CimTrak Administrator utilizes the Changes Pending Approval Management Console dialog to authorize or deny these changes. The Changes Pending Approval dialog is explained in a subsequent section.

The User Approval on Sync dialog has the following default and customizable settings for each of the following corrective actions:

Restore from Repository: Option can be enabled or disabled. By default this option is disabled.
Log: Option is disabled by default and cannot be changed.
Update Baseline: Option is disabled by default and cannot be changed.
Prompt for Approval: Option is enabled by default and cannot be changed.

TUNING WATCH PROPERTIES

When an operating system folder or configuration is selected in the Object Group Properties dialog, all children files, folders, and configurations are also selected. Often certain files need to be excluded or included in the particular watch policy. CimTrak has the capability to create exclude or include rules for files, folders, and configurations. Creating these advanced rules is accomplished in the selected Object Group's Watch Properties.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

Monitored folders, files, and configurations will display in the Object Group Properties Watch Properties section. Each displayed item will include the following information:

Path: The operating system location of the parent folder or configuration.
Object Type: The Object Type being monitored (i.e. Directory).
Type: Action performed by the Watch Property detail (i.e. Watch, Exclude, etc.).
Store Files: Indication of whether or not Authoritative Copy data will be stored in the CimTrak Master Repository.
Corrective Action: The Corrective Action chosen during the creation of the Object Group Watch Policy.
Detection: Indication of the mode of detection (Real-time, Polling).
Ignore Archive Flag: Indication of whether or not changes to the Archive Flag will be ignored.
Ignore Read-only Flag: Indication of whether or not changes to the Read-only Flag will be ignored.
Comparison Method: Displays the comparison method selected in the Object Group's Watch Properties.
Quarantine: Indication of whether or not Change Data will be stored in the CimTrak Master Repository.

Figure 181: Watch Properties section showing monitored data

Each column of information can be sorted by clicking once on the column title. Right-clicking on any item showing in the Watch Properties section displays a context menu with additional configuration and navigation options. Context menu options include:

Find In Tree: Locate the selected Watch data in the Object Group Properties dialog File System Tree.
Properties: Modify the watch properties associated with the selected Watch data. Opens the Watch Properties dialog.
Remove Watch: Disable the selected Watch data by unselecting it in the Object Group Properties dialog File System Tree.
Add Regular Expression Exclude: Create customized excludes to prevent or enable monitoring of specific folder, file, or configuration criteria.
Remove Exclude(s): Delete the customized exclusion created in the Add Regular Expression Exclude.

EXCLUDING AND INCLUDING USING REGULAR EXPRESSIONS

Occasionally a CimTrak Object Group Policy may need to exclude data from monitoring or only monitor data based on file extensions, file names, folder names, configuration names, or various other types of information. Setting these custom watch rules is performed by creating Regular Expression Excludes. The process of creating a Regular Expression Exclude is performed through the Add Regular Expression Exclude dialog, accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

Figure 182: Add Regular Expression Exclude dialog

The Add Regular Expression Exclude dialog has the capability to exclude files and folders. Additionally, the Add Regular Expression Exclude dialog can create inverse regular expression excludes to only monitor certain files or folders based on the criteria entered.

EXCLUDING FOLDERS USING REGULAR EXPRESSIONS

The process of creating a Regular Expression Exclude is performed through the Add Regular Expression Exclude dialog, accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

To create a Regular Expression folder exclude, enter the folder information to exclude (i.e. \temp). Ensure that the Folders radio button is selected and then click OK. Click Cancel to abort the changes and return to the Object Group Properties dialog. Clicking OK will automatically return to the Object Group Properties dialog. Note that the regular expression exclude is displayed in the Watch Properties data section. Regular expression excludes are displayed in blue text.

Regular Expression Folder Excludes can become very complex. It is possible to create custom exclusions using regular expressions. For instance, a regular expression exclude can be created to ignore case:

C:\WINDOWS\system32\ can be entered as [a-zA-Z]:\\.+\\[sS][yY][sS][tT][eE][mM]32\\

Figure 183: Regular Expression Folder Exclude (blue text)

To add additional Regular Expression folder excludes, repeat the same steps. To remove Regular Expression Excludes, right-click on the Exclude information in the Watch Properties data section and then select Remove Exclude(s). When completed, click the OK button to save the changes. Click the Cancel button to abort the configuration and discard any changes.

EXCLUDING FILES USING REGULAR EXPRESSIONS

The process of creating a Regular Expression Exclude is performed through the Add Regular Expression Exclude dialog, accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

To create a Regular Expression file exclude, enter the file type information to exclude (i.e. .log). Ensure that the Files radio button is selected and then click OK. Click Cancel to abort the changes and return to the Object Group Properties dialog. Clicking OK will automatically return to the Object Group Properties dialog. Note that the regular expression exclude is displayed in the Watch Properties data section. Regular expression excludes are displayed in blue text.

Regular Expression Folder Excludes can become very complex. It is possible to create custom exclusions using regular expressions. For instance, a regular expression exclude can be created to ignore case:

.log can be entered as .[lL][oO][gG]$

Figure 184: Regular Expression File Exclude (blue text)

To add additional Regular Expression file excludes, repeat the same steps. To remove Regular Expression Excludes, right-click on the Exclude information in the Watch Properties data section and then select Remove Exclude(s). When completed, click the OK button to save the changes. Click the Cancel button to abort the configuration and discard any changes.
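An added example (not CIMCOR code) for checking a folder or file Regular Expression Exclude against a path inventory before saving it, since every path a rule matches drops out of monitoring. It assumes the pattern is searched unanchored against the full path and uses Python's re dialect, which may differ from CimTrak's; the sample paths are constructed, and the two rules are the guide's ignore-case examples with each character class written as a lower/upper pair.

```python
import re

# The guide's two ignore-case examples (classes written as lower/upper pairs).
FOLDER_RULE = r"[a-zA-Z]:\\.+\\[sS][yY][sS][tT][eE][mM]32\\"
FILE_RULE = r".[lL][oO][gG]$"
# Added variant: escaping the dot makes it match a literal "." only.
FILE_RULE_STRICT = r"\.[lL][oO][gG]$"

# Constructed inventory of paths under a watch (not taken from the guide).
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\drivers\etc\hosts",
    r"C:\Windows\System32\config\SAM",
    r"D:\apps\tools\system32\helper.dll",
    r"C:\inetpub\logs\access.log",
    r"C:\inetpub\wwwroot\catalog",
    r"C:\inetpub\wwwroot\app.LOG",
    r"C:\inetpub\wwwroot\app.log.bak",
    r"C:\inetpub\wwwroot\index.html",
]

# What the administrator means to stop monitoring with each rule.
SYSTEM32_FILES = set(SAMPLE_PATHS[:2])
LOG_FILES = {r"C:\inetpub\logs\access.log", r"C:\inetpub\wwwroot\app.LOG"}


def matches(pattern, path):
    """True if the pattern is found anywhere in the path (assumed semantics)."""
    return re.search(pattern, path) is not None


def audit_rule(pattern, paths, intended, inverse=False):
    """Report what a rule removes from monitoring.

    intended: paths the administrator means to leave unmonitored.
    inverse:  True models the Inverse checkbox (only matching paths are watched).
    """
    unmonitored = [p for p in paths if matches(pattern, p) != inverse]
    return {
        "unmonitored": unmonitored,
        # Blind spots: paths that lose coverage although nobody intended it.
        "unexpected": [p for p in unmonitored if p not in intended],
        # Paths meant to be excluded that the rule still leaves watched.
        "still_watched": sorted(set(intended) - set(unmonitored)),
    }


def report(name, result):
    """Format one audit result as text for review before the rule is saved."""
    lines = [f"{name}: {len(result['unmonitored'])} path(s) leave monitoring"]
    lines += [f"  UNEXPECTED  {p}" for p in result["unexpected"]]
    lines += [f"  NOT MATCHED {p}" for p in result["still_watched"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("folder rule", audit_rule(FOLDER_RULE, SAMPLE_PATHS, SYSTEM32_FILES)))
    print(report("file rule", audit_rule(FILE_RULE, SAMPLE_PATHS, LOG_FILES)))
    print(report("strict file rule", audit_rule(FILE_RULE_STRICT, SAMPLE_PATHS, LOG_FILES)))
    # In Python's re, "\t" is a tab, so a folder entered as \temp does not
    # match the literal path; the escaped form \\temp\\ does. Confirm how the
    # product's dialect treats an unescaped backslash before relying on it.
    print(matches(r"\temp", r"C:\temp\cache.tmp"), matches(r"\\temp\\", r"C:\temp\cache.tmp"))
```

On the constructed inventory, the unescaped dot in the file rule also removes `catalog` from monitoring, and the `.+` in the folder rule removes a `system32` directory on another drive.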

INVERSE EXCLUDING OF FOLDERS USING REGULAR EXPRESSIONS

The process of creating an Inverse Regular Expression Exclude is performed through the Add Regular Expression Exclude dialog, accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

Inverse regular expressions can be used to include information to monitor. To create an Inverse Regular Expression folder exclude, enter the folder information to watch (i.e. \temp). Ensure that the Folders radio button and the Inverse checkbox are selected and then click OK. Click Cancel to abort the changes and return to the Object Group Properties dialog. Clicking OK will automatically return to the Object Group Properties dialog. Note that the Inverse regular expression exclude is displayed in the Watch Properties data section. Inverse Regular Expression excludes are displayed in blue text.

Inverse Regular Expression Folder Excludes can become very complex. It is possible to create custom inverse exclusions using inverse regular expressions. For instance, an inverse regular expression exclude can be created to ignore case:

C:\WINDOWS\system32\ can be entered as [a-zA-Z]:\\.+\\[sS][yY][sS][tT][eE][mM]32\\

Figure 185: Regular Expression Folder Exclude (blue text)

To add additional Inverse Regular Expression folder excludes, repeat the same steps. To remove Inverse Regular Expression Excludes, right-click on the Exclude information in the Watch Properties data section and then select Remove Exclude(s). When completed, click the OK button to save the changes. Click the Cancel button to abort the configuration and discard any changes.

INVERSE EXCLUDING OF FILES USING REGULAR EXPRESSIONS

The process of creating an Inverse Regular Expression to include specified files or extensions is performed through the Add Regular Expression Exclude dialog, accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

To create an Inverse Regular Expression file exclude, enter the file type information to exclude (i.e. .log). Ensure that the Files radio button and Inverse checkbox are selected and then click OK. Click Cancel to abort the changes and return to the Object Group Properties dialog. Clicking OK will automatically return to the Object Group Properties dialog. Note that the inverse regular expression exclude is displayed in the Watch Properties data section. Inverse Regular Expression excludes are displayed in blue text.

Inverse Regular Expression Folder Excludes can become very complex. It is possible to create custom exclusions using regular expressions. For instance, an inverse regular expression exclude can be created to ignore case:

.log can be entered as .[lL][oO][gG]$

Figure 186: Regular Expression File Exclude (blue text)

To add additional Inverse Regular Expression file excludes, repeat the same steps. To remove Inverse Regular Expression Excludes, right-click on the Exclude information in the Watch Properties data section and then select Remove Exclude(s). When completed, click the OK button to save the changes. Click the Cancel button to abort the configuration and discard any changes.

SAVING OBJECT GROUP WATCH POLICIES TO TEMPLATES

Once an Object Group Watch Policy has been created it is possible to save the policy configurations to a template. Using a template can assist in creating identical watch data for other CimTrak File System Agents. See section 4.7 for more information on CimTrak Templates.

To create a template, right-click on the Object Group name in the CimTrak Management Console's Object Group Tree and then select Save to Template. The Save to Template dialog will display. Enter a unique name for the template. If you would like this template to be private to your CimTrak account, select the Private checkbox. When finished entering the required information, click the OK button. Click the Cancel button to abort the template creation.

A template name can be between 1 and 512 characters.

Figure 187: Save to Template dialog

In addition to being able to create Templates for single Object Groups, CimTrak has the capability to create Templates for multiple Object Groups at the File System Agent level. To create a File System Agent template, right-click on the File System Agent name in the CimTrak Management Console's Object Group Tree and then select Save to Template. The Save to Template dialog will display. Enter a unique name for the template. If you would like this template to be private to your CimTrak account, select the Private checkbox. When finished entering the required information, click the OK button. Click the Cancel button to abort the template creation.

A template name can be between 1 and 512 characters.

CREATING OBJECT GROUP WATCH POLICIES USING TEMPLATES

Once an Object Group Watch Policy has been created it is possible to save the policy configurations to a template. Using a template can assist in creating identical watch data for other CimTrak File System Agents. See section 4.7 for more information on CimTrak Templates.

To create an Object Group from a template (or multiple Object Groups from a single template), right-click on the File System Agent name in the CimTrak Management Console's Object Group Tree and then select New Object Group(s) from Template. The Select Template dialog will display.

Figure 188: Select Template dialog

Select the template the Object Group will be based on and then click OK. Click Cancel to abort the Object Group creation. If OK is selected, the Select Template dialog will close and the newly created Object Group(s) will display in the CimTrak Management Console's Object Group Tree.

DELETING OBJECT GROUP WATCH POLICIES

Once an Object Group Watch Policy has been created it is possible to delete the Object Group. Once an Object Group is deleted, the deletion cannot be undone.

To delete an Object Group Watch Policy, right-click on its name in the CimTrak Management Console's Object Group Tree and then select Delete. The Confirm Delete dialog will display.

Figure 189: Confirm Delete dialog

Select Yes to delete the Object Group, or select No to abort the deletion. Select the Do not show this again checkbox to suppress this message for future deletions. Clicking Yes results in the Object Group being deleted.

The Object Group must be unlocked (monitoring disabled) before the Object Group can be deleted. Unlocking an Object Group is explained in a subsequent section.

ENABLING AND DISABLING OBJECT GROUP MONITORING

Before a CimTrak File System Agent can monitor an Object Group Watch Policy, the Object Group must be Locked. To disable monitoring, the Object Group Watch Policy must be Unlocked. The monitoring status of an Object Group can be determined by the associated icon in the CimTrak Management Console's Object Group Tree. See section for more information on creating Object Group Watch Policies. Possible associated statuses are as follows:

Unlocked: The Object Group Watch Policy is not currently being enforced.
Locking: The Object Group Watch Policy is currently in the process of locking.
Locked: The Object Group Watch Policy is currently enforcing the configured Corrective Action.

Locking an Object Group is accomplished by selecting the Object Group to lock in the CimTrak Management Console's Object Group Tree, right-clicking and then selecting Lock and Digitally Sign. Additionally, an Object Group can be locked by selecting the Object Group to lock in the CimTrak Management Console's Object Group Tree and then clicking the Lock button in the Management Console's Toolbar.

Lock All: Lock and enable monitoring of the selected Object Group Tree Component.

When an Object Group is locked (or locking) it will show the locking and synchronization process in the Master Repository, Area, Agent, and Object Group Event Logs. The process of locking and synchronization creates Information level events.

Figure 190: Object Group Lock Process (Event Log)

Multiple Object Groups can be locked simultaneously by selecting the File System Agent in the Management Console's Object Group Tree and then either right-clicking and selecting Lock and Digitally Sign in the context menu or by clicking the Lock button located in the Management Console's Toolbar.

Locking the Object Group will instruct the File System Agent to create digital signatures for each file included in the watch policy. If a Restore from Repository or Update Baseline Corrective Action is assigned, the File System Agent will create Authoritative Copies of the monitored files. All digital signatures and Authoritative Copy data are compressed, encrypted, and then transmitted to the CimTrak Master Repository.

While an Object Group is in the process of locking, the lock process can be aborted by either right-clicking on the Object Group in the CimTrak Management Console's Object Group Tree and selecting Cancel Lock in the context menu or by clicking the Stop button in the CimTrak Management Console's Toolbar.

Unlock All: Unlock and disable monitoring of the selected Object Group Tree Component.

When the locking of an Object Group is Stopped it will show the stop locking process in the Master Repository, Area, Agent, and Object Group Event Logs. The process of Stopping creates error level events.

Figure 191: Object Group Lock Process Stopped (Event Log)

The Locking of Multiple Object Groups can be stopped simultaneously by selecting the File System Agent in the Management Console's Object Group Tree and then either right-clicking and selecting Cancel Lock in the context menu or by clicking the Stop button located in the Management Console's Toolbar.

The Object Group must be Unlocked before configuration settings associated with an Object Group Watch Policy can be modified, before an Object Group is deleted, or simply to temporarily disable Object Group monitoring. Unlocking an Object Group is accomplished by selecting the Object Group to unlock in the CimTrak Management Console's Object Group Tree, right-clicking and then selecting Unlock and Allow Changes. Additionally, an Object Group can be unlocked by selecting the Object Group to unlock in the CimTrak Management Console's Object Group Tree and then clicking the Unlock button in the Management Console's Toolbar.

Cancel all Locks: Immediately stop and discontinue an initiated action associated with a selected Object Group Tree Component.

When an Object Group is Unlocked it will show the unlock process in the Master Repository, Area, Agent, and Object Group Event Logs. The process of unlocking creates error level events.

Figure 192: Object Group Unlock Process (Event Log)

Multiple Object Groups can be unlocked simultaneously by selecting the File System Agent in the Management Console's Object Group Tree and then either right-clicking and selecting Unlock and Allow Changes in the context menu or by clicking the Unlock button located in the Management Console's Toolbar.

SYNCHRONIZING OBJECT GROUP DATA

Data being monitored by a CimTrak File System Agent is monitored either in real-time or at a polling interval. To force the polling interval to expire immediately, CimTrak has the capability to synchronize monitored data on demand by means of Force Sync.

Synchronizing an Object Group Watch Policy is performed by either right-clicking on the Object Group in the CimTrak Management Console's Object Group Tree and selecting Force Sync in the context menu or by clicking the Force Sync on All button in the CimTrak Management Console's Toolbar.

Force Sync on All: Synchronize monitored object node data with the Master Repository.

Multiple Object Groups can be synchronized simultaneously by selecting the File System Agent in the Management Console's Object Group Tree and then either right-clicking and selecting Force Sync in the context menu or by clicking the Force Sync on All button located in the Management Console's Toolbar.

When an Object Group is synchronized it will show the synchronization process in the Master Repository, Area, Agent, and Object Group Event Logs. The process of synchronizing creates information level events.

Figure 193: Object Group Synchronization Process (Event Log)

207 FILE SYSTEM AGENT INFORMATION DISPLAY The CimTrak Management Console s Information Display Area displays information for the selected CimTrak File System Agent. The information displayed is often broken up into several tabbed viewing areas. Agent Settings: Settings and system information associated with the selected File System Agent. Event Log: Event audit log associated with the File System Agent and children Object Groups of the selected File System Agent. Stats: System statistics associated with the system hosting the File System Agent. Notes: Administrative notes associated with the File System Agent. Overview: Object Group status information for all Object Groups associated with the File System Agent. Figure 194: File System Agent Information Display Area (Agent Settings Tab Selected) The information associated with the File System Agent Information Display Area tabs is explained in subsequent sections REVIEWING FILE SYSTEM AGENT SETTINGS The CimTrak Management Console s File System Information Display Area Agent Settings tab displays Settings and system information associated with the selected File System Agent. To show the File System Agent Settings select the File System Agent in the CimTrak Management Console s Object Group Tree User Guidance 207

and then click the Agent Settings tab in the Management Console's Information Display Area.

Figure 195: File System Agent Information Display Area (Agent Settings tab selected)

The File System Agent Settings tab shows information associated with the File System Agent and the File System Agent's host. Associated information includes:

- Version: The version and build number of the CimTrak File System Agent.
- Operating System: The operating system of the system hosting the CimTrak File System Agent.
- Agent IP: The IPv4 or IPv6 IP Address associated with the CimTrak File System Agent.
- System Uptime: The amount of time (days, minutes, seconds) the system hosting the CimTrak File System Agent has been running.
- Agent Uptime: The amount of time (days, minutes, seconds) the CimTrak File System Agent has been running.
- Agent Connected Time: The amount of time (days, minutes, seconds) the CimTrak File System Agent has been connected to the CimTrak Master Repository.
- Location: Location information associated with the CimTrak File System Agent. See section for information on setting the Location information.
- Description: Description information associated with the CimTrak File System Agent. See section for information on setting the Description information.

AUDITING FILE SYSTEM AGENT EVENTS

The File System Agent Event Log provides audit information relating to events occurring in the File System Agent and Object Groups connected to the File System Agent.

Accessing the File System Agent Event Log is accomplished by first clicking once on the File System Agent name in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

The File System Agent Event Log displays details of all events that have occurred on the File System Agent and Object Groups connected to the File System Agent. The level of detail displayed is dependent on the auditing level configured in the Master Repository Properties Log Administrative DB Changes. See section for additional information.

For each recorded event, the File System Agent Event Log will display information corresponding to the following:

- Event Date/Time: The exact date and time of the detected event.
- Event: Brief description of the detected event.
- Absolute Path: File path affected by the detected event.
- Completion Date/Time: Date and time the correction response completed.
- Event Code: Internal CimTrak Event Code corresponding to the detected event.
- Path: Object Tree Path to the affected CimTrak object.

Figure 196: File System Agent Event Log

Each Event Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

- Emergency: System is unusable. Highest level of event.
- Alert: Take action immediately.
- Critical: Critical conditions have occurred.
- Error: Error conditions.
- Warning: Warning conditions.
- Notice: Normal condition that requires attention.
- Information: Informational message.
- Debug: Debug-level message. Lowest level of event.

Specifics relating to message types are discussed in a subsequent section.

Data displayed in the File System Event Log will not actively refresh as new events occur. Click the Refresh button to update the Event Log.

FILTERING AND SORTING THE FILE SYSTEM AGENT EVENT LOG

The File System Agent Event Log can be filtered to only show events matching the specified criteria.

Accessing the File System Agent Event Log is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the File System Agent Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Filters can be instantly cleared by clicking the Clear Filters button on the File System Agent Event Log tab.

The Filters dialog is broken into three sections:

- Configuration Tabs
- Filter Criteria
- Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING FILE SYSTEM AGENT EVENT LOG FILTERS

The Area Event Log can be filtered to only show events matching the specified criteria.

Accessing the File System Agent Event Log is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the File System Agent Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

- Field: Event Log column
- Comparison: Comparison operator
- Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 197: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an "and" operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 198: Operator selection dropdown

Additional operator types include:

- And
- Or
- And Not
- Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons.

Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group membership.

Figure 199: Grouped filters

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event log filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The File System Agent Event Log indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.
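How operator order and grouping change which audit events a filter leaves visible, as an added example that is not CimTrak code. It assumes rules are applied from top to bottom and that a group is evaluated as one unit; the comparison names (`contains`, `equals`), the helper names and the sample events are constructed for illustration.

```python
# Added illustration, not CimTrak code. Assumption: rules are combined in list
# order (top to bottom) and a group is evaluated as a single unit.

# Constructed sample events; keys follow the Event Log columns named in the guide.
EVENTS = [
    {"Event": "File modified", "Absolute Path": r"C:\inetpub\wwwroot\index.html"},
    {"Event": "File deleted", "Absolute Path": r"C:\inetpub\wwwroot\login.aspx"},
    {"Event": "File deleted", "Absolute Path": r"C:\Temp\scratch.tmp"},
    {"Event": "File added", "Absolute Path": r"C:\inetpub\wwwroot\new.js"},
    {"Event": "File modified", "Absolute Path": r"C:\Windows\System32\drivers\etc\hosts"},
]

# Hypothetical comparison operators (the guide does not list the real ones).
COMPARISONS = {
    "equals": lambda cell, value: str(cell).lower() == str(value).lower(),
    "contains": lambda cell, value: str(value).lower() in str(cell).lower(),
}


def rule(field, comparison, value):
    """One filter rule: Field, Comparison, Value."""
    return {"field": field, "comparison": comparison, "value": value}


def rule_matches(r, event):
    return COMPARISONS[r["comparison"]](event[r["field"]], r["value"])


def filter_matches(items, event):
    """items is a list of (operator, item); item is a rule or a nested list (a group).

    The operator of the first entry is ignored. An empty filter shows everything.
    """
    result = None
    for operator, item in items:
        value = filter_matches(item, event) if isinstance(item, list) else rule_matches(item, event)
        if result is None:
            result = value
        elif operator == "And":
            result = result and value
        elif operator == "Or":
            result = result or value
        elif operator == "And Not":
            result = result and not value
        elif operator == "Or Not":
            result = result or not value
        else:
            raise ValueError(f"unknown operator: {operator!r}")
    return True if result is None else bool(result)


def visible(items):
    """Paths of the sample events that the filter leaves on screen."""
    return [e["Absolute Path"] for e in EVENTS if filter_matches(items, e)]


IN_WEBROOT = rule("Absolute Path", "contains", "wwwroot")
MODIFIED = rule("Event", "contains", "modified")
DELETED = rule("Event", "contains", "deleted")

# wwwroot And modified Or deleted: the trailing Or also admits deletions elsewhere.
UNGROUPED = [(None, IN_WEBROOT), ("And", MODIFIED), ("Or", DELETED)]
# wwwroot And (modified Or deleted): the group keeps the path condition in force.
GROUPED = [(None, IN_WEBROOT), ("And", [(None, MODIFIED), ("Or", DELETED)])]
# wwwroot And Not modified: everything under the web root except modifications.
EXCLUDE_MODIFIED = [(None, IN_WEBROOT), ("And Not", MODIFIED)]

if __name__ == "__main__":
    for name, flt in [("ungrouped", UNGROUPED), ("grouped", GROUPED),
                      ("and not", EXCLUDE_MODIFIED)]:
        print(name)
        for path in visible(flt):
            print("   ", path)
```

Under these assumptions the ungrouped filter also shows the deletion in `C:\Temp`, while the grouped filter restricts the view to the web root, which is the difference to check before saving a filter for audit review.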

Figure 200: Filtered Event Log data

SORTING THE FILE SYSTEM AGENT EVENT LOG

The File System Agent Event Log can be sorted by any column using the Filters dialog.

Accessing the File System Agent Event Log is accomplished by first clicking once on the File System Agent name in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To sort the information displayed in the File System Agent Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in filter configuration mode the following dropdowns are available:

- Field: Event Log column
- Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 201: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section.

Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons.

Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The File System Agent Event Log indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 202: Filtered Event Log data

REVIEWING FILE SYSTEM AGENT STATISTICS

The File System Agent Stats tab provides system resource statistics relating to the host system of the CimTrak File System Agent.

Accessing the File System Agent Stats tab is accomplished by first clicking once on the File System Agent name in the Object Group Tree to select it followed by clicking the Stats tab in the Management Console Information Display Area.

The File System Agent Statistics Information tab is divided into two sections:

- Resource Graph: Displays graphs to show a timeline of File System Agent host resource consumption.
- Resource Summary: Displays category, description, minimum and maximum resource utilization, current resource utilization, and units for all File System Agent host resources.

Information displayed in the Resource Graph and the Resource Summary section of the File System Agent Stats Tab varies based on the resources available on the host operating system.

Figure 203: CimTrak File System Agent Stats tab

The Resource Graph displays a graphical timeline of the selected File System Agent host resource since the Stats tab was selected. By default two graphs are displayed simultaneously. To display fewer or more graphs, select the number of graphs to display by clicking either the 1, 2 or 4 # of graphs button.

Figure 204: Graph Quantity button

To select the resource(s) to display in the graph(s), select the resource dropdown located directly above each graph. The resource dropdown generally displays the following resources:

- Network Adapter Bandwidth Utilization
- CPU Processor Utilization
- Disk Space Utilization
- Memory Utilization

The graph information is updated based on the specified statistics transmission interval. See section for information on configuring the statistics transmission interval.

The Resource Summary section displays category, description, minimum and maximum resource utilization, current resource utilization, and units for all File System Agent host resources. The Resource Summary is updated based on the specified statistics transmission interval. See section for information on configuring the statistics transmission interval.

FILE SYSTEM AGENT NOTES

The File System Agent Notes Tab gives CimTrak users the capability to enter administrative notes.

Accessing the File System Agent Notes Tab is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it followed by clicking the Notes tab in the Management Console Information Display Area.

The Notes Tab is broken into two sections:

- Toolbar
- Form

The Toolbar allows authorized CimTrak users to perform various management functions relating to administrative notes.

Figure 205: CimTrak Notes Toolbar

The functionality associated with each Toolbar option is as follows. Please note that the functionality associated with the Toolbar option is dependent on the quantity of notes and the selected note.

- New: Create a new File System Agent Note.
- Duplicate: Copy the current note and open the copy for editing.
- Save: Save the note.
- Cancel: Cancel the note.
- First: Proceed to the first, oldest note.
- Previous: Go back one note.
- Next: Go forward one note.
- Last: Proceed to the last, newest note.

The Form section allows for the CimTrak User to enter the note data. Notes may be between 1 and 4000 characters. Once the note has been entered it is necessary to save the note by clicking the Save button in the Notes Toolbar. Aborting the creation of a note is possible by clicking the Cancel button. Navigating previously saved notes is possible using the First, Previous, Next, and Last buttons.

Figure 206: File System Agent Notes dialog

To create a note click the New button in the Notes Toolbar. Enter the note content in the Notes form box. When completed click the Save button.

Viewing of a particular note can be made private to the creating user by selecting the Private checkbox in the Notes dialog. Once a note has been created it cannot be made private.

Once a note has been created and saved it cannot be deleted.

FILE SYSTEM AGENT OBJECT GROUP OVERVIEW

The File System Agent Overview tab allows CimTrak Administrators the capability to quickly view the status of all associated Object Group Watch Policies.

Accessing the File System Agent Overview Tab is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it

followed by clicking the Overview tab in the Management Console Information Display Area.

Information displayed in the File System Agent Overview tab includes:

- Object Group: The name assigned to the File System Agent Object Group Watch Policy.
- Status: The status associated with the File System Agent Object Group Watch Policy (Lock, Locking, Unlocked).
- Date of Last Authorized Change: Date/Time the Object Group Watch Policy was enabled (locked) for monitoring.
- Date of Last Change Attempt: The Date/Time the Object Group Watch Policy last detected a violation against the specified policy.

Figure 207: File System Agent Overview tab

FILE SYSTEM AGENT PERMISSIONS

File System Agents can be configured to restrict access based on permission settings. Additionally, event notifications can be configured to notify CimTrak Users about events relating to the File System Agent.

Accessing File System Agent permissions is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

By default each File System Agent will have the following permissions:

Administrators

- Create Objects: Create File System Agent Object Groups.
- Edit: Edit File System Agent settings.
- Lock: Enable active monitoring of Object Group Data.
- Reports: View reports relating to the File System Agent contents.
- Unlock: Disable active monitoring of Object Group Data.
- View: View contents and configurations relating to the File System Agent.

Auditors

- Reports: View reports relating to File System Agent contents.
- View: View contents and configurations relating to the File System Agent.

Installers

- Attach CimTrak Agents to a Master Repository.

Figure 208: File System Agent Security Permissions dialog

Default access permissions associated with the Administrators, Auditors, and Installers User Groups cannot be changed. It is possible to modify alert notices for Administrator and Auditor user groups. Available alert types include:

- Emergency
- Alert
- Critical
- Error
- Warning
- Notice
- Information

Additional information relating to these alert types is described in a subsequent section.

MODIFYING AN EXISTING USER/GROUP FILE SYSTEM AGENT PERMISSIONS

It is possible to modify existing user and group File System Agent Permissions and notification settings.

Accessing File System Agent permissions is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

Select the existing user or group by clicking once on the CimTrak User or Group name in the Group or User Names section of the Security Permissions dialog. The Permissions section of the Security Permissions dialog will update to show the permissions currently assigned to the selected user or group.

Selecting a group will apply the selected permissions and E-mail notification settings to all members of the group. Selecting a single user will apply the selected permissions and notification settings to only that single user account.

To add or remove permissions click the Allow or Deny checkbox corresponding to the permission being configured. Available permissions include:

- Create Objects: Create File System Agent Object Groups.
- Edit: Edit File System Agent/Object Group control contents.
- Lock: Enable active monitoring of Object Group Data.
- Reports: View reports relating to File System Agent contents.
- Unlock: Disable active monitoring of Object Group Data.
- View: View contents and configurations relating to the File System Agent.
- Emergency: Receive alerts relating to emergency level notifications.
- Alert: Receive alerts relating to alert level notifications.
- Critical: Receive alerts relating to critical level notifications.
- Error: Receive alerts relating to error level notifications.
- Warning: Receive alerts relating to warning level notifications.
- Notice: Receive alerts relating to notice level notifications.
- Information: Receive alerts relating to information level notifications.

To apply the permission settings to all children objects, ensure that the Apply permissions to children recursively checkbox is selected.

When completed, click OK to apply the permission and alert settings. Click Cancel to abort the security permission configuration.

Permissions and notification settings can be inherited from parent objects (such as the Master Repository) if the permissions are created at a parent level. Permissions and notification settings are not automatically inherited for new objects. It will be necessary to manually assign the permissions and notification settings to the object.

ADDING AND REMOVING USERS AND GROUPS TO FILE SYSTEM AGENT PERMISSIONS

It is possible to add additional users and groups to the Security Permissions dialog so that File System Agent Permissions and notification settings can be assigned or changed.

Accessing File System Agent permissions is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

To add a new local CimTrak User or Group, click the Add button. The Add Users dialog will display listing all available local users and groups.

Figure 209: Add Users dialog

Select the local CimTrak User or Group to add by selecting the checkbox to the left of the name. Click OK to add the User or Group. Click Cancel to abort the addition process.

The selected user or group will now display in the Group or User Names section of the Security Permissions dialog. The User or Group is now available to have permissions and notification settings assigned. See section for more information.

To add a new Active Directory/LDAP user, click the Add LDAP button. The Search AD/LDAP Server dialog will display.

Select the domain to add the user(s)/group(s) from by clicking the Domain drop down.

If the user(s) intended for addition belong to a specific domain group, enter the appropriate domain group information in the Member of Group (optional) textbox.

Select the Search Groups checkbox to indicate that only domain groups should be searched. Select the Search Users checkbox to indicate that only domain users should be searched. Select both the Search Groups and Search Users checkboxes to indicate that both domain groups and domain users should be searched.

The Search String(s) textbox provides a space for entering the users or groups that should be searched for addition options. It is possible to search for multiple objects by separating each name/group with a semicolon. The following are syntax examples:

- Display Name: John Smith
- User Name: smith.john
- Group Name: Domain Admins

Hovering over the blue example text will display syntax examples.

Once the search criteria have been entered, click Search. Clicking Cancel will abort the AD/LDAP user search.

Figure 210: Example AD/LDAP Server search information

Available AD/LDAP user accounts/groups that match the search syntax provided will display. Click the checkbox located to the left of the user account/group intended for addition and then click OK to add the user/group. Clicking Cancel will abort the addition process.

Figure 211: Add Users dialog

Once the selected AD/LDAP user/group account has been added it will appear in the Group or User Names section of the Security Permissions dialog. The AD/LDAP User or Group is now available to have permissions and notification settings assigned. See section for more information.

OBJECT GROUP INFORMATION DISPLAY

The CimTrak Management Console's Information Display Area displays information for the selected CimTrak File System Agent Object Groups. The information displayed is often broken up into several tabbed viewing areas.

- Event Log: Event audit log associated with the selected Object Group.
- Change Log: Change audit log associated with the selected Object Group.
- Monitor Info: Monitoring information and configuration details associated with a selected Object Group.
- Pending Repair: Object group corrective action queue associated with the selected Object Group.
- Notes: Administrative notes associated with the Object Group.

Figure 212: Object Group Information Display Area (Event Log Tab Selected)

The information associated with the Object Group Information Display Area tabs is explained in subsequent sections.

AUDITING OBJECT GROUP EVENTS

The Object Group Event Log provides audit information relating to events occurring in the Object Groups connected to the File System Agent.

Accessing the Object Group Event Log is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

The Object Group Event Log displays details of all events that have occurred on the Object Groups connected to the File System Agent. The level of detail displayed is dependent on the auditing level configured in the Master Repository Properties Log Administrative DB Changes. See section for additional information.

For each recorded event, the Object Group Event Log will display information corresponding to the following:

- Event Date/Time: The exact date and time of the detected event.

- Event: Brief description of the detected event.
- Correction: The Corrective Action performed on the detected event.
- Performed By: The File System Agent detecting the event and performing the remediation.
- Modified By: The File System User responsible for the detected event.
- Absolute Path: File path affected by the detected event.
- Completion Date/Time: Date and time the correction response completed.
- Event Code: Internal CimTrak Event Code corresponding to the detected event.

Figure 213: File System Agent Event Log

Each Event Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

- Emergency: System is unusable. Highest level of event.
- Alert: Take action immediately.
- Critical: Critical conditions have occurred.
- Error: Error conditions.

- Warning: Warning conditions.
- Notice: Normal condition that requires attention.
- Information: Informational message.
- Debug: Debug-level message. Lowest level of event.

Specifics relating to message types are discussed in a subsequent section.

Data displayed in the Object Group Event Log will not actively refresh as new events occur. Click the Refresh button to update the Event Log.

FILTERING AND SORTING THE OBJECT GROUP EVENT LOG

The Object Group Event Log can be filtered to only show events matching the specified criteria.

Accessing the Object Group Event Log is accomplished by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Object Group Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Filters can be instantly cleared by clicking the Clear Filters button on the File System Agent Event Log tab.

The Filters dialog is broken into three sections:

- Configuration Tabs
- Filter Criteria
- Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING OBJECT GROUP EVENT LOG FILTERS

The Object Group Event Log can be filtered to only show events matching the specified criteria.

Accessing the Object Group Event Log is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Object Group Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

- Field: Event Log column
- Comparison: Comparison operator
- Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 214: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an "and" operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 215: Operator selection dropdown

Additional operator types include:

- And
- Or
- And Not
- Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons.

Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group membership.

Figure 216: Grouped filters

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event log filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Object Group Event Log indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 217: Filtered Event Log data

SORTING THE FILE SYSTEM AGENT EVENT LOG

The Object Group Event Log can be sorted by any column using the Filters dialog.

Accessing the Object Group Event Log is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To sort the information displayed in the Object Group Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in filter configuration mode the following dropdowns are available:

- Field: Event Log column
- Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 218: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section.

Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons.

Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The Object Group Event Log indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 219: Filtered Event Log data

REVIEWING OBJECT GROUP MONITORED CHANGES

The Object Group Change Log provides detailed change event audit information relating to change events occurring in the Object Groups connected to the File System Agent.

Accessing the Object Group Change Log is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Change Log tab in the Management Console Information Display Area.

The Object Group Change Log displays details of all addition, deletion, and change events that have occurred on the Object Groups connected to the File System Agent.

For each recorded event, the Object Group Change Log will display information corresponding to the following:

- Event Date/Time: The exact date and time of the detected event.
- Storage Status: Information indicating if the change is stored in the Master Repository.
- Absolute Path: File path affected by the detected event.

Modified By: The File System User responsible for the detected event (Windows File System Agent with Driver only).
Process: The process used to initiate the detected event (Windows File System Agent with Driver only).
Process ID: Windows Process ID associated with the initiating process (Windows File System Agent with Driver only).
Thread ID: Process Thread ID associated with the initiating process (Windows File System Agent with Driver only).

Figure 220: Object Group Change Log

Each Change Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

Emergency: System is unusable. Highest level of event.
Alert: Take action immediately.
Critical: Critical conditions have occurred.
Error: Error conditions.

Warning: Warning conditions.
Notice: Normal condition that requires attention.
Information: Informational message.
Debug: Debug-level message. Lowest level of event.

Generally, change events are associated with the Error level. Specifics relating to message types are discussed in a subsequent section.

Data displayed in the Object Group Change Log will not actively refresh as new events occur. Click the Refresh button to update the Event Log.

FILTERING AND SORTING THE OBJECT GROUP CHANGE LOG

The Object Group Change Log can be filtered to only show events matching the specified criteria. Accessing the Object Group Change Log is accomplished by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Change Log tab in the Management Console Information Display Area.

To filter the information displayed in the Object Group Change Log, click the Filters button located in the Change Log tab. The Filters dialog will display. By default there are no filters enabled.

Filters can be instantly cleared by clicking the Clear Filters button on the File System Agent Change Log tab.

The Filters dialog is broken into three sections:

Configuration Tabs
Filter Criteria
Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING OBJECT GROUP CHANGE LOG FILTERS

The Object Group Change Log can be filtered to only show events matching the specified criteria. Accessing the Object Group Change Log is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it followed by clicking the Change Log tab in the Management Console Information Display Area.

To filter the information displayed in the Object Group Change Log, click the Filters button located in the Change Log tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Comparison: Comparison operator
Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 221: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an And operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 222: Operator selection dropdown

Additional operator types include:

And
Or
And Not
Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group members.

Figure 223: Grouped filters

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Change log filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Object Group Change Log indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 224: Filtered Event Log data

SORTING THE FILE SYSTEM AGENT CHANGE LOG

The Object Group Change Log can be sorted by any column using the Filters dialog. Accessing the Object Group Change Log is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Change Log tab in the Management Console Information Display Area.

To sort the information displayed in the Object Group Change Log, click the Filters button located in the Change Log tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in sort configuration mode the following dropdowns are available:

Field: Event Log column
Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 225: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section.

Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The Object Group Change Log indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 226: Filtered Event Log data

ACCESSING THE CHANGE LOG TAB CONTEXT MENU

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

The Change Log Context Menu allows for additional actions to be taken on stored changes including:

View: View the content and attributes associated with the stored change.
View as Binary: View the content associated with the stored change in a hexadecimal format.
View Forensic Data: View the IP Address and Port number associated with the change process (Windows File System Agent with Driver only).
Download: Download a copy of the stored intrusion.
Compare with Authoritative Copy (at time of change): Compare the content of the detected change with the known, authoritative copy stored in the Master Repository at the time of the change.

Compare with Authoritative Copy (current): Compare the content of the detected change with the current known, authoritative copy stored in the Master Repository.
Add to Excludes: Disable monitoring of the selected file or configuration.

Details associated with these context menu options are discussed in subsequent sections.

VIEWING CHANGE CONTENT

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting View from the context menu allows authorized CimTrak administrators the capability to review content associated with a detected change. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Figure 227: File View dialog

Viewing of Change data requires that the Object Group Policy is configured to store changes. Additionally, the change must not exceed the specified Keep Change Size (in KB) indicated in Object Group Properties Monitoring Information. See sections and for more information.

Viewing the content of non-binary files is supported. Binary files cannot be viewed at this time.

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 228: Enter Private Key dialog

Click the Close button to exit the File View dialog.

VIEWING CHANGE CONTENT IN BINARY

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting View as Binary from the context menu allows authorized CimTrak administrators the capability to review content associated with a detected change. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Figure 229: File View dialog (Binary)

Viewing of Change data requires that the Object Group Policy is configured to store changes. Additionally, the change must not exceed the specified Keep Change Size (in KB) indicated in Object Group Properties Monitoring Information. See sections and for more information.

Viewing the content of non-binary files is supported. Binary files cannot be viewed at this time.

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 230: Enter Private Key dialog

Click the Close button to exit the File View dialog.

VIEWING CHANGE FORENSIC DATA

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting View Forensic Data from the context menu allows authorized CimTrak administrators the capability to review connections associated with the offending change process at the time of the change. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Figure 231: Forensic Data dialog

Forensic data is only available for remote connections.

Viewing of forensic data is only supported on Windows File Systems with the File System Agent Driver installed.

The Forensic Data dialog displays the following information:

Mount Points: The Windows Mount Point Name the change occurred on.
Process: The Windows Process name responsible for initiating the detected change. Remote changes display as System.
Local Address: IP Address on the affected system the process utilized to make the change.
Local Port: Port number on the affected system the process utilized to make the change.
Remote Address: IP Address of the remote system that attached to the local process to make the change.
Remote Port: Port number of the remote system used to connect to the local system.
State: State of the current connection (i.e., Listen or Established).

Click the Close button to exit the Forensic Data dialog.

DOWNLOADING A COPY OF CHANGE DATA

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting Download from the context menu allows authorized CimTrak administrators the capability to download a copy of the actual change file. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Clicking the Download option in the Change Log tab context menu causes the Save As dialog to display. Browse the file system for the desired download location and then click the Save button. Click the Cancel button to abort the download process.

Figure 232: Save As dialog

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 233: Enter Private Key dialog

COMPARING CHANGE DATA WITH THE AUTHORITATIVE COPY AT THE TIME OF THE CHANGE

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting Compare with Authoritative Copy (at time of change) allows authorized CimTrak administrators the capability to perform a side-by-side comparison of the changed file with its authoritative copy stored in the Master Repository. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Figure 234: File Comparison Results

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 235: Enter Private Key dialog

Click the Close button to exit the File Comparison Results dialog.

UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG

The File Comparison Results dialog displays anytime a comparison is performed between a detected change and the authoritative copy associated with watch properties. See section for more information on performing file comparisons.

The File Comparison dialog is comprised of three primary sections:

Toolbar
Information Display Area
Tab Browser

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR

The File Comparison Results dialog Toolbar allows authorized CimTrak users the capability to perform various actions on file generation comparison data. The File Comparison Results dialog is accessible by performing a file comparison between a change and the authoritative copy associated with the watch properties. See section for more information on performing file comparisons.

Figure 236: File Comparison Results dialog Toolbar

The functionality associated with each Toolbar option is as follows.

Save: Save a local copy of the file comparison. File comparisons are saved in HTML and can be opened in a web browser.
Print: Print a copy of the file comparison.
Print Preview: Display a visual representation of exactly what a printed copy of the file comparison would look like.
Exit: Quit the File Comparison Results dialog and return to the CimTrak Management Console.

Files saved on the local system may be accessible by other users of the system.

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER

The File Comparison Results dialog Tab Browser and Information Display Area allows authorized CimTrak users the capability to visualize generation comparison data. The File Comparison Results dialog is accessible by accessing the context menu and selecting Compare with Authoritative Copy (at time of Change) in the Object Group Change Tab. See section for more information on performing file comparisons.

The File Comparison Results dialog Information Display Area shows a side-by-side comparison of one generation revision of a detected change to the Master Repository Authoritative Copy. Lines that have been modified are highlighted in blue, lines that have been added are highlighted in green, and lines that have been deleted are highlighted in red.

By default, the Complete tab is selected in the File Comparison Results Tab Browser. The Complete tab shows all lines of a selected comparison. Selecting the Changes tab displays only the lines that have differences between the compared generations.

Figure 237: File Comparison Results dialog Changes tab

Click the Close button to exit the File Comparison Results dialog.

COMPARING CHANGE DATA WITH THE CURRENT AUTHORITATIVE COPY

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting Compare with Authoritative Copy (Current) allows authorized CimTrak administrators the capability to perform a side-by-side comparison of the changed file with its authoritative copy stored in the Master Repository. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Figure 238: File Comparison Results

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 239: Enter Private Key dialog

Click the Close button to exit the File Comparison Results dialog.

UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG

The File Comparison Results dialog displays anytime a comparison is performed between a detected change and the authoritative copy associated with watch properties. See section for more information on performing file comparisons.

The File Comparison dialog is comprised of three primary sections:

Toolbar
Information Display Area
Tab Browser

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR

The File Comparison Results dialog Toolbar allows authorized CimTrak users the capability to perform various actions on file generation comparison data. The File Comparison Results dialog is accessible by performing a file comparison between a change and the authoritative copy associated with the watch properties. See section for more information on performing file comparisons.

Figure 240: File Comparison Results dialog Toolbar

The functionality associated with each Toolbar option is as follows.

Save: Save a local copy of the file comparison. File comparisons are saved in HTML and can be opened in a web browser.
Print: Print a copy of the file comparison.

Print Preview: Display a visual representation of exactly what a printed copy of the file comparison would look like.
Exit: Quit the File Comparison Results dialog and return to the CimTrak Management Console.

Files saved on the local system may be accessible by other users of the system.

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER

The File Comparison Results dialog Tab Browser and Information Display Area allows authorized CimTrak users the capability to visualize generation comparison data. The File Comparison Results dialog is accessible by accessing the context menu and selecting Compare with Authoritative Copy (Current) in the Object Group Change Tab. See section for more information on performing file comparisons.

The File Comparison Results dialog Information Display Area shows a side-by-side comparison of one generation revision of a detected change to the Master Repository Authoritative Copy. Lines that have been modified are highlighted in blue, lines that have been added are highlighted in green, and lines that have been deleted are highlighted in red.

By default, the Complete tab is selected in the File Comparison Results Tab Browser. The Complete tab shows all lines of a selected comparison. Selecting the Changes tab displays only the lines that have differences between the compared generations.
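The comparison described above can be reproduced outside the console when reviewing an exported change. The following is an added example, not CimTrak code: it classifies lines as modified, added, or deleted, derives the Complete and Changes views, and renders an HTML report that escapes file content so markup inside a changed file is shown as text. The sample files, function names, and the use of Python's difflib are assumptions made for illustration.

```python
import difflib
import html

# Constructed sample data (not from the manual): an authoritative copy of a
# configuration file and the copy captured when a change was detected.
AUTHORITATIVE = [
    "Port 22",
    "PermitRootLogin no",
    "PasswordAuthentication no",
    "MaxAuthTries 3",
    "LogLevel VERBOSE",
]
CHANGED = [
    "Port 22",
    "PermitRootLogin yes",
    "PasswordAuthentication no",
    "LogLevel VERBOSE",
    "AllowUsers deploy",
]

# Highlight colours as listed in the manual for each line status.
HIGHLIGHT = {"modified": "blue", "added": "green", "deleted": "red"}


def compare(authoritative, changed):
    """Return (status, left_line, right_line) rows for a side-by-side view.

    status is "same", "modified", "added" or "deleted"; a side with no
    corresponding line is None.
    """
    rows = []
    matcher = difflib.SequenceMatcher(a=authoritative, b=changed, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        left, right = authoritative[i1:i2], changed[j1:j2]
        if tag == "equal":
            rows += [("same", l, r) for l, r in zip(left, right)]
        elif tag == "delete":
            rows += [("deleted", l, None) for l in left]
        elif tag == "insert":
            rows += [("added", None, r) for r in right]
        else:
            # "replace": pair lines up as modified; any surplus on one side
            # is reported as deleted or added.
            paired = min(len(left), len(right))
            rows += [("modified", l, r) for l, r in zip(left, right)]
            rows += [("deleted", l, None) for l in left[paired:]]
            rows += [("added", None, r) for r in right[paired:]]
    return rows


def complete_view(rows):
    """All lines of the comparison (the Complete tab)."""
    return list(rows)


def changes_view(rows):
    """Only lines that differ (the Changes tab)."""
    return [row for row in rows if row[0] != "same"]


def to_html(rows):
    """Render rows as an HTML table with every file line HTML-escaped."""
    out = ["<table>"]
    for status, left, right in rows:
        cells = "".join(
            "<td>{}</td>".format(html.escape(text or "")) for text in (left, right)
        )
        style = ""
        if status in HIGHLIGHT:
            style = ' style="background:{}"'.format(HIGHLIGHT[status])
        out.append("<tr{}>{}</tr>".format(style, cells))
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    for status, left, right in changes_view(compare(AUTHORITATIVE, CHANGED)):
        print("{:<9} {!r:<24} {!r}".format(status, left, right))
```

A saved comparison contains the content of the monitored file, so store the report with the same access restrictions as the file itself.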

Figure 241: File Comparison Results dialog Changes tab

Click the Close button to exit the File Comparison Results dialog.

REVIEWING OBJECT GROUP MONITORING INFORMATION

The Object Group Monitor Info tab provides Object Group monitoring and status information relating to Object Groups connected to the File System Agent.

Accessing the Object Group Monitor Info is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Monitor Info tab in the Management Console Information Display Area.

The Object Group Monitor Info tab is comprised of two sections:

Path
Status Window/Details

Figure 242: Object Group Monitor Info tab

The Path section displays watch path and exclude information pertaining to the selected Object Group. Right-clicking on any exclude provides a context menu with the following options:

Convert to Regular Exclude: Change an auto-excluded file to a regular exclusion.
Remove Excludes: Delete an exclusion from the selected Object Group.

Figure 243: Monitor Info Stats dialog

See section for more information on excluding files, folders, and configuration data from the Object Group Watch Policy.

The Status Window/Details section is comprised of two tabs:

Status Window: Displays current lock status information associated with the Object Group Watch Policy (i.e., Lock, Locking, Unlocked).
Details: Displays details associated with the Object Group Watch Policy Configuration including:

  Detection Mode: The change detection mode enabled (Real-time or polling).
  File Comparison Method: The hash type performed on monitored data.
  Type: Object Group policy type (generally Watch).
  Store Files: Store authoritative copy data in the Master Repository (True, False).
  Store Changes: Store change data in the Master Repository (True, False).
  Ignore Archive Flag: Monitor the archive flag associated with file system watch data (True, False).
  Ignore Read-only Flag: Monitor the read-only flag associated with the file system watch data (True, False).
  User Approval on Sync: Require user intervention for changes detected while the File System Agent was disconnected from the Master Repository (True, False).
  Corrective Action (On Add, On Change, On Delete): The Corrective Action mode specified in the Object Group Watch Policy (Restore, Update Baseline, Log, Prompt, Ignore).
  Run (On Add, On Change, On Delete): Custom script that is run when an add, change, or delete action has occurred on monitored watch data (Path/File Name).
  Wait (On Add, On Change, On Delete): Use remediation timeout period enforced on custom scripts that are run when an add, change, or delete action has occurred on the monitored watch data (True, False).
  Timeout (On Add, On Change, On Delete): Remediation timeout period enforced on custom scripts that are run when an add, change, or delete action has occurred on the monitored watch data.
  Parameters (On Add, On Change, On Delete): Pass file and action parameters to the attached script run on add, change, or delete actions.

Figure 244: Monitor Info Status Window tab

Figure 245: Monitor Info Details tab

REVIEWING OBJECT GROUP DATA PENDING REPAIR

The Pending Repair tab displays queue information associated with the remediation of folder, file and configuration data. The Pending Repair tab will append the number of pending repairs to the tab title. As changes are repaired they are automatically removed from the Pending Repair tab.

Accessing the Object Group Pending Repair tab is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Pending Repair tab in the Management Console Information Display Area.

The Pending Repair tab also displays changes requiring CimTrak Administrator intervention. Intervention is required if the Prompt for Approval corrective action is enabled or the User Approval on Sync has been enabled and there was a communication failure between the File System Agent and the Master Repository.

Figure 246: Pending Repair tab showing 3 pending repairs

For each recorded event, the Object Group Pending Repair tab will display information corresponding to the following:

Event Date/Time: The exact date and time of the detected event.
Absolute Path: File path affected by the detected event.
Modified By: The File System User responsible for the detected event.

Generally, the items contained in the Pending Repair tab will automatically cycle out as the folders, files, and configurations are remediated on the monitored system. The Pending Repair tab will automatically refresh based on the Pending Repair Refresh Interval specified in the Master Repository Preferences dialog. See section for additional information.

In the event the Pending Repairs exist due to the Prompt for Approval Corrective Action or a triggered User Approval on Sync, the Changes Pending Approval dialog must be referenced. See a subsequent section for additional information on the Changes Pending Approval dialog.

Each Pending Repair message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

Emergency: System is unusable. Highest level of event.

Alert: Take action immediately.
Critical: Critical conditions have occurred.
Error: Error conditions.
Warning: Warning conditions.
Notice: Normal condition that requires attention.
Information: Informational message.
Debug: Debug-level message. Lowest level of event.

Specifics relating to message types are discussed in a subsequent section.

FILTERING AND SORTING THE PENDING REPAIR TAB

The Pending Repair Tab can be filtered to only show events matching the specified criteria. Accessing the Object Group Event Log is accomplished by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Pending Repair tab in the Management Console Information Display Area.

To filter the information displayed in the Pending Repair tab, click the Filters button located in the Pending Repair tab. The Filters dialog will display. By default there are no filters enabled.

Filters can be instantly cleared by clicking the Clear Filters button on the Pending Repair tab.

The Filters dialog is broken into three sections:

Configuration Tabs
Filter Criteria
Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING PENDING REPAIR FILTERS

The Pending Repair Tab can be filtered to only show events matching the specified criteria. Accessing the Pending Repair tab is accomplished by first clicking once on the File System Agent in the Object Group Tree to select it followed by clicking the Pending Repair tab in the Management Console Information Display Area.

To filter the information displayed in the Pending Repair tab, click the Filters button located in the Pending Repair tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Comparison: Comparison operator
Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 247: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an And operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 248: Operator selection dropdown

Additional operator types include:

And
Or
And Not
Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group members.

Figure 249: Grouped filters
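Grouping decides which events stay visible, for Change Log filters and Pending Repair filters alike. The following added example (not CimTrak code) evaluates the same three rules with and without a group over constructed change records. It assumes rules are applied left to right, that "equals" and "contains" are available comparisons, and that matching is case-insensitive; none of these details is stated in this guide.

```python
# Constructed change records using column names from the Change Log.
CONSTRUCTED_CHANGE_LOG = [
    {"Absolute Path": r"C:\inetpub\wwwroot\index.html",
     "Modified By": r"WEB01\svc_deploy", "Process": "robocopy.exe"},
    {"Absolute Path": r"C:\inetpub\wwwroot\login.aspx",
     "Modified By": r"WEB01\jsmith", "Process": "notepad.exe"},
    {"Absolute Path": r"C:\Windows\System32\drivers\etc\hosts",
     "Modified By": r"WEB01\svc_deploy", "Process": "powershell.exe"},
    {"Absolute Path": r"C:\Windows\System32\drivers\etc\hosts",
     "Modified By": r"WEB01\jsmith", "Process": "notepad.exe"},
]

# Operator names as listed in the Filters dialog.
OPERATORS = {"And", "Or", "And Not", "Or Not"}


def matches(record, field, comparison, value):
    """Apply one rule to one record (comparison names are assumptions)."""
    actual = record.get(field, "").lower()
    wanted = value.lower()
    if comparison == "equals":
        return actual == wanted
    if comparison == "contains":
        return wanted in actual
    raise ValueError("unsupported comparison: " + comparison)


def evaluate(record, rules):
    """Evaluate rules left to right (assumed order).

    Each entry is (operator, item). item is a (field, comparison, value)
    rule, or a list of entries representing a parenthesised group. The
    operator of the first entry only matters for its optional "Not".
    """
    result = None
    for operator, item in rules:
        if operator not in OPERATORS:
            raise ValueError("unknown operator: " + operator)
        if isinstance(item, list):
            value = evaluate(record, item)
        else:
            value = matches(record, *item)
        if operator.endswith("Not"):
            value = not value
        if result is None:
            result = value
        elif operator.startswith("And"):
            result = result and value
        else:
            result = result or value
    # No rules at all means no filter is enabled: every event is shown.
    return True if result is None else result


def apply_filter(log, rules):
    """Return the records that remain visible under the filter."""
    return [record for record in log if evaluate(record, rules)]


IN_WEBROOT = ("Absolute Path", "contains", "wwwroot")
BY_DEPLOY = ("Modified By", "contains", "svc_deploy")
VIA_POWERSHELL = ("Process", "equals", "powershell.exe")

# wwwroot And Not svc_deploy Or powershell.exe
UNGROUPED = [("And", IN_WEBROOT), ("And Not", BY_DEPLOY), ("Or", VIA_POWERSHELL)]

# wwwroot And Not (svc_deploy Or powershell.exe)
GROUPED = [
    ("And", IN_WEBROOT),
    ("And Not", [("And", BY_DEPLOY), ("Or", VIA_POWERSHELL)]),
]

if __name__ == "__main__":
    for name, rules in (("ungrouped", UNGROUPED), ("grouped", GROUPED)):
        print(name)
        for record in apply_filter(CONSTRUCTED_CHANGE_LOG, rules):
            print("  ", record["Absolute Path"], record["Process"])
```

With these records the ungrouped filter still shows the hosts file change made through powershell.exe, while the grouped filter hides it, so review the parentheses shown in the Filter Criteria before saving a filter that others will load.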

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Pending Repair filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Pending Repair Tab indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 250: Filtered Pending Repair data

SORTING THE PENDING REPAIR TAB

The Pending Repair Tab can be sorted by any column using the Filters dialog. Accessing the Pending Repair Tab is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Pending Repair tab in the Management Console Information Display Area.

To sort the information displayed in the Pending Repair tab, click the Filters button located in the Pending Repair tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in sort configuration mode the following dropdowns are available:

Field: Event Log column
Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 251: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section.

Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes. The Pending Repair tab indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 252: Filtered Pending Repair data

CHANGES PENDING APPROVAL

The Changes Pending Approval dialog contains a list of modified folders, files, and configurations requiring CimTrak Administrator intervention. Accessing the Changes Pending Approval dialog is accomplished by clicking View Changes Pending Approval in the CimTrak Management Console's Toolbar.

Figure 253: Changes Pending Approval dialog

Folders, files, and configurations can be sorted by File, Event, Correction, and Path by clicking the associated column name. Available columns include:

- File: Name of the folder, file, or configuration that requires change approval.
- Event: Type of event that occurred on the monitored object (Added, Deleted, Changed).
- Correction: Corrective action to perform on the detected change (Undo Changes, Accept Changes).
- Path: Complete path to the file or configuration that has been changed.

To approve or deny a detected change, click once on the folder, file, or configuration in the Changes Pending Approval dialog to select the change item. Once selected, select the Corrective action to take by clicking the correction dropdown. Select Undo Changes to roll back the detected change. Select Accept Changes to allow the change and update the monitored baseline.

When finished, click Apply to apply the selected corrective actions. Click Exit to exit the Changes Pending Approval dialog. The selected corrective actions will be enforced and the selected change items will be removed from the Object Group's Pending Repair tab.

OBJECT GROUP GENERATIONS

The Object Group Generation Tab provides revision information for changes occurring to files, folders, and operating system configurations contained in a File System Agent Object Group. Accessing the Object Group Generations Tab is accomplished by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

The Generation Tab is broken into two sections:

- Revisions Table
- Revision Details

Figure 254: Object Group Generation Tab

The Revisions Table displays overview information relating to each generation revision. Selecting a specific generation revision in the Revision Table will populate the corresponding information in the Revision Details section. Information in the Revisions Table includes:

- Revision: Primary revision number indicating the number of the generation.
- Sub-revision: Secondary revision number indicating the number of events that have occurred since the primary generation was created.
- Date/Time: Date and time associated with the creation of the revision or sub-revision.
- Changed by: The CimTrak User account responsible for the creation of the revision or sub-revision.
- # of Dirs: Quantity of directories contained in the revision or sub-revision.
- # of Files: Quantity of files contained in the revision or sub-revision.
- Total Size (bytes): The total amount of disk space utilized by the contents of the revision or sub-revision.

The Revision Details section displays detailed information relating to a revision or sub-revision. The Revision Details section has three tabs:

- Revision Information: Details of the revision or sub-revision such as the date of the revision, revising user account, number of revisions, number of sub-revisions, number of files, number of directories, and notes.
- Details: Complete list of all files and folders contained in a generation. Files and folders indicate their generation status such as Added, Deleted, and Modified.
- Change from Previous: Partial file list showing what files were Added, Deleted or Modified in the selected generation.

DOWNLOADING GENERATION DATA

Each file stored in an Object Group generation has the capability to be downloaded and copied to a local system. An Object Group generation can be accessed by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

Copies of generation data can be downloaded by right-clicking on the Revisions Table generation and selecting Download from the context menu. Additionally, copies of generation data can also be downloaded from the Revision Details Details tab or Change from Previous tab by right-clicking on the file or folder to download and then clicking Download.

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 255: Enter Private Key dialog

VIEWING AND COMPARING CONTENT OF OBJECT GROUP GENERATIONS

Folders, files, and configurations monitored within an Object Group generation have the capability to be viewed and compared with other generations. An Object Group generation can be accessed by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

To view the non-binary file contents associated with a file, select either the Details or Change from Previous tab in the Object Group Generation Revision Details section. Right-click on the file and then select View. The File View dialog will display.

Figure 256: File View dialog (non-binary)

To view the binary file contents associated with a file, right-click on the file and then select View as Binary.

Figure 257: File View dialog (binary)

Click Close to exit the File View dialog.

If the Private Key feature has been enabled the viewing user will be prompted to enter a valid private key. See section for more information.

Figure 258: Enter Private Key dialog

The Object Group Generations tab has the capability to compare previous generations with the current state of the file stored within the Master Repository to the local system. To compare a generation, click the Object Group node in the Management Console Object Group Tree. Select the generations tab. To compare the file, from either the Details or Change from Previous tab, right-click on the file and then select either Compare with Other Generation or Compare with Authoritative Copy (current).

If Compare with Other Generation is selected the Select File to Compare Against dialog will display. Select the generation to compare with by clicking once on the revision. Click OK to perform the comparison or click Cancel to abort the comparison process. The File Comparison Results dialog will display.

Figure 259: File to Compare Against dialog

In the event Compare with Authoritative Copy (current) is selected the File Comparison Results will display comparing the current file content with the most current baseline.

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 260: Enter Private Key dialog

Figure 261: File Comparison Results dialog

Click the Close button to exit the File Comparison Results dialog. The File Comparison Results dialog is explained in detail in section

UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG

The File Comparison Results dialog displays anytime a comparison is performed between a detected change and the authoritative copy associated with watch properties. See section for more information on performing file comparisons.

The File Comparison dialog is comprised of three primary sections.

- Toolbar
- Information Display Area
- Tab Browser

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR

The File Comparison Results dialog Toolbar allows authorized CimTrak users the capability to perform various functions on file generation comparison data. The File Comparison Results dialog is accessible by performing a file comparison between a change and the authoritative copy associated with the watch properties. See section for more information on performing file comparisons.

Figure 262: File Comparison Results dialog Toolbar

The functionality associated with each Toolbar option is as follows.

- Save: Save a local copy of the file comparison. File comparisons are saved in HTML and can be opened in a web browser.
- Print: Print a copy of the file comparison.
- Print Preview: Display a visual representation of exactly what a printed copy of the file comparison would look like.
- Exit: Quit the File Comparison Results dialog and return to the CimTrak Management Console.

Files saved on the local system may be accessible by other users of the system.

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER

The File Comparison Results dialog Tab Browser and Information Display Area allows authorized CimTrak users the capability to visualize generation comparison data. The File Comparison Results dialog is accessible by accessing the context menu and selecting Compare with Authoritative Copy (Current) in the Object Group Change Tab. See section for more information on performing file comparisons.

The File Comparison Results dialog Information Display Area shows a side-by-side comparison of one generation revision of a detected change to the Master Repository Authoritative Copy. Lines that have been modified are highlighted in blue, lines that have been added are highlighted in green, and lines that have been deleted are highlighted in red.

By default, the Complete tab is selected in the File Comparison Results Tab Browser. The Complete tab shows all lines of a selected comparison. Selecting the Changes tab displays only the lines that have differences between the compared generations.

Figure 263: File Comparison Results dialog Changes tab

Click the Close button to exit the File Comparison Results dialog.

DEPLOYING/ROLLING BACK OBJECT GROUP GENERATIONS

Depending on the remediation capabilities of the monitoring Object Group, the Generations tab may have the capability to deploy previous generations back to the File System. An Object Group generation can be accessed by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

To deploy/roll back a generation, select the generation in the Generation Tab Revisions Table, right-click, and then select Deploy. The Confirm Deploy dialog will display, warning that deploying will overwrite everything in the Document Control with the content of this generation. Click Yes to proceed or No to cancel.

Figure 264: Confirm Deploy dialog

Upon clicking Yes on the Confirm Deploy dialog the Notes dialog will appear. Enter any administrative notes relating to this deployment and then click OK. Click Cancel to abort the deployment.

Figure 265: Notes dialog

A new generation revision will be created with the rolled-back content. This newly created generation is the current generation.

OBJECT GROUP NOTES

The Object Group Notes Tab allows CimTrak users the capability to enter administrative notes. Accessing the Object Group Notes Tab is accomplished by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Notes tab in the Management Console Information Display Area.

The Notes Tab is broken into two sections:

- Toolbar
- Form

The Toolbar allows authorized CimTrak users to perform various management functions relating to administrative notes.

Figure 266: CimTrak Notes Toolbar

The functionality associated with each Toolbar option is as follows. Please note that the functionality associated with the Toolbar option is dependent on the quantity of notes and the selected note.

- New: Create a new Object Group Note.
- Duplicate: Copy the current note and open the copy for editing.
- Save: Save the note.
- Cancel: Cancel the note.
- First: Proceed to the first, oldest note.
- Previous: Go back one note.
- Next: Go forward one note.
- Last: Proceed to the last, newest note.

The Form section allows for the CimTrak User to enter the note data. Notes may be between 1 and 4000 characters. Once the note has been entered it is necessary to save the note by clicking the Save button in the Notes Toolbar. Aborting the creation of a note is possible by clicking the Cancel button. Navigating previously saved notes is possible using the First, Previous, Next, and Last buttons.

Figure 267: Object Group Notes dialog

To create a note click the New button in the Notes Toolbar. Enter the note content in the Notes form box. When completed click the Save button.

Viewing of a particular note can be made private to the creating user by selecting the Private checkbox in the Notes dialog. Once a note has been created it cannot be made private.

Once a note has been created and saved it cannot be deleted.

OBJECT GROUP PERMISSIONS

Object Groups can be configured to restrict access based on permission settings. Additionally, event notifications can be configured to notify CimTrak Users about events relating to the Object Group. Accessing Object Group permissions is accomplished by first clicking once on the File Object Group in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

By default each Object Group will have the following permissions:

Administrators
- Create Objects: Create File System Agent Object Groups.
- Edit: Edit File System Agent settings.
- Lock: Enable active monitoring of Object Group Data.
- Reports: View reports relating to the Object Group contents.
- Unlock: Disable active monitoring of Object Group Data.
- View: View contents and configurations relating to the Object Group.

Auditors
- Reports: View reports relating to Object Group contents.
- View: View contents and configurations relating to the Object Group.

Installers
- Attach CimTrak Agents to a Master Repository. (Not applicable for Object Groups.)

Figure 268: Object Group Security Permissions dialog

Default access permissions associated with the Administrators, Auditors, and Installers User Groups cannot be changed. It is possible to modify alert notices for Administrator and Auditor user groups. Available alert types include:

- Emergency
- Alert
- Critical
- Error
- Warning
- Notice
- Information

Additional information relating to these alert types is described in a subsequent section.

MODIFYING AN EXISTING USER/GROUP OBJECT GROUP PERMISSIONS

It is possible to modify existing user and group Object Group Permissions and E-mail notification settings. Accessing Object Group permissions is accomplished by first clicking once on the Object Group in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

Select the existing user or group by clicking once on the CimTrak User or Group name in the Group or User Names section of the Security Permissions dialog. The Permissions section of the Security Permissions dialog will update to show the permissions currently assigned to the selected user or group.

Selecting a group will apply the selected permissions and E-mail notification settings to all members of the group. Selecting a single user will apply the selected permissions and notification settings to only that single user account.

To add or remove permissions click the Allow or Deny checkbox corresponding to the permission being configured. Available permissions include:

- Create Objects: Create File System Agent Object Groups.
- Edit: Edit Object Group control contents.
- Lock: Enable active monitoring of Object Group Data.
- Reports: View reports relating to Object Group contents.
- Unlock: Disable active monitoring of Object Group Data.
- View: View contents and configurations relating to the Object Group.
- Emergency: Receive alerts relating to emergency level notifications.
- Alert: Receive alerts relating to alert level notifications.
- Critical: Receive alerts relating to critical level notifications.
- Error: Receive alerts relating to error level notifications.
- Warning: Receive alerts relating to warning level notifications.
- Notice: Receive alerts relating to notice level notifications.
- Information: Receive alerts relating to information level notifications.

To apply the permission settings to all children objects, ensure that the Apply permissions to children recursively checkbox is selected. When completed, click OK to apply the permission and alert settings. Click Cancel to abort the security permission configuration.

Permissions and notification settings can be inherited from parent objects (such as the File System Agent) if the permissions are created at a parent level. Permissions and notification settings are not automatically inherited for new objects. It will be necessary to manually assign the permissions and notification settings to the object.

ADDING AND REMOVING USERS AND GROUPS TO OBJECT GROUP PERMISSIONS

It is possible to add additional users and groups to the Security Permissions dialog so that Object Group Permissions and notification settings can be assigned or changed. Accessing Object Group permissions is accomplished by first clicking once on the Object Group in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

To add a new local CimTrak User or Group, click the Add button. The Add Users dialog will display listing all available local users and groups.

Figure 269: Add Users dialog

Select the local CimTrak User or Group to add by selecting the checkbox to the left of the name. Click OK to add the User or Group. Click Cancel to abort the addition process. The selected user or group will now display in the Group or User Names section of the Security Permissions dialog. The User or Group is now available to have permissions and notification settings assigned. See section for more information.

To add a new Active Directory/LDAP user, click the Add LDAP button. The Search AD/LDAP Server dialog will display. Select the domain to add the user(s)/group(s) from by clicking the Domain drop down. If the user(s) intended for addition belong to a specific domain group, enter the appropriate domain group information in the Member of Group (optional) textbox.

Select the Search Groups checkbox to indicate that only domain groups should be searched. Select the Search Users checkbox to indicate that only domain users should be searched. Select both the Search Groups and Search Users checkboxes to indicate that both domain groups and domain users should be searched.

The Search String(s) textbox provides a space for entering the users or groups that should be searched for addition options. It is possible to search for multiple objects by separating each name/group with a semicolon. The following are syntax examples:

- Display Name: John Smith
- User Name: smith.john
- Group Name: Domain Admins

Hovering over the blue example text will display syntax examples.

Once completed entering the search criteria click Search. Clicking Cancel will abort the AD/LDAP user search.

Figure 270: Example AD/LDAP Server search information

Available AD/LDAP user accounts/groups will display that match the search syntax provided. Click the checkbox located to the left of the user account/group intended for addition and then click OK to add the user/group. Clicking Cancel will abort the addition process.

Figure 271: Add Users dialog

Once the selected AD/LDAP user/group account has been added it will appear in the Group or User Names section of the Security Permissions dialog. The AD/LDAP User or Group is now available to have permissions and notification settings assigned. See section for more information.

6. Configuring and Using the CimTrak Network Device Agent

6.1 MANAGING THE CIMTRAK NETWORK DEVICE AGENT FROM THE MANAGEMENT CONSOLE

Management of the CimTrak Network Device Agent requires that the Management Console is associated with the Master Repository and that a valid user account has been authenticated. For more information on associating the Management Console with the Master Repository please refer to section 3.2. For more information on authenticating with the Master Repository please refer to section 3.3.

Once authenticated with the Master Repository multiple configuration, customization, and reporting options are available through the Management Console. Network Device Agents that have been installed and associated with the selected Master Repository will display in the CimTrak Management Console's Object Group Tree.

Figure 272: CimTrak Network Device Agent in Object Group Tree

The connection status of the CimTrak Network Device Agent can easily be determined by its associated icon.

- Server Attached to Agent: The CimTrak Master Repository and CimTrak Network Device Agent are in direct communication. The Network Device Agent is currently selected in the Object Group Tree.
- Server Communication Failure: The CimTrak Master Repository and CimTrak Network Device Agent are not communicating due to a communication failure.
- Server Status Good: The CimTrak Master Repository and CimTrak Network Device Agent are in direct communication.

NETWORK DEVICE AGENT PROPERTIES

The Network Device Agent Properties dialog allows authorized CimTrak users to perform administrative tasks relating to CimTrak Network Device Agent logging, throttling, heartbeat and statistic transmissions and health monitoring parameters. Accessing the CimTrak Network Device Agent Properties dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

The CimTrak Agent Configuration dialog consists of several functional sections including:

- Description
- Agent Throttling
- Monitoring Parameters
- License
- Number of Events to Keep
- DB Options
- Poll Intervals

The functionality associated with these sections is explained in subsequent sections.

Figure 273: CimTrak Agent Configuration

CONFIGURING THE NETWORK DEVICE AGENT DESCRIPTION PROPERTIES

The CimTrak Network Device Agent Description and associated information can be customized through the CimTrak Agent Configuration dialog. Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Figure 274: Network Device Agent Description

Network Device Agent Description Information:

- Name: Used to indicate a unique name for the Network Device Agent.
- Date in Service: Optional Date and Time associated with the in-service date of the Network Device Agent.
- Location: Optional Network Device Agent Location information.
- Description: Optional Network Device Agent Description information.
- URL: Optional URL information associated with the Network Device Agent.
- Contact: Optional Contact information associated with the Network Device Agent.

Once all sections have been populated, click the OK button to save the Network Device Agent Description Information. Click Cancel to abort the Network Device Agent properties modification.

A Network Device Agent can be renamed by either changing the name in the Name textbox or by right-clicking the Network Device Agent in the Object Group Tree and selecting Rename.

CONFIGURING THE NETWORK DEVICE AGENT LICENSE PROPERTIES

The CimTrak Network Device Agent License settings can be customized through the CimTrak Agent Configuration dialog. Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

The License section of the CimTrak Agent Configuration dialog allows for the selection of the Standard or Professional operation mode. The Standard license mode provides only monitoring capabilities. The Professional license mode provides for monitoring and optional restoration capabilities. Selection of the license mode is accomplished by clicking the associated radio button.

Figure 275: CimTrak Agent License settings

The license mode selected must match an available CimTrak license type. See section for more information on CimTrak licenses.

Once the license mode has been selected, click the OK button to save the Network Device Agent properties configuration. Click Cancel to abort the Network Device Agent properties configuration.

CONFIGURING THE NETWORK DEVICE AGENT LOG RETENTION PROPERTIES

The CimTrak Network Device Agent log retention settings can be customized through the CimTrak Agent Configuration dialog. Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

The Number of Events to Keep section of the dialog allows for the configuration of Network Device Agent Event Log data retention. The event log can be configured to flush older records on a day interval or message quantity limit.

Figure 276: Number of Events to Keep settings

- Days: The event log will automatically remove event messages older than the indicated value. Entering 0 will store event messages indefinitely. (Maximum Days: 10,000)
- Quantity: The event log will automatically remove older event messages as the amount of messages exceeds the indicated value. Entering 0 will store event messages indefinitely. (Maximum Quantity: 10,000)

Storing an unlimited number of events has the potential to exhaust all available disk space on the Master Repository and degrade system performance.

Once the data retention settings have been selected, click the OK button to save the Network Device Agent properties configuration. Click Cancel to abort the Network Device Agent properties configuration.

CONFIGURING THE NETWORK DEVICE AGENT DISCONNECT WARNING

The CimTrak Network Device Agent must remain in communication with the Master Repository at all times. If configured, a failure to communicate with the Master Repository can generate an auditable event. Setting of disconnection notices is performed in the CimTrak Agent Configuration dialog. Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

The DB Options section of the dialog allows for the configuration of Agent disconnection warnings. Warnings are generated if the Agent is out of communication with the Master Repository for a time period longer than the specified time in minutes. Accepted values (in minutes) include 1 through 4,194,304. Setting the Warn if Disconnected minute value to 0 disables the warning.

Figure 277: CimTrak Agent DB Options settings

The notification of the disconnect occurs at the nearest heartbeat transmission. For example, if a heartbeat is set to 30 seconds and the disconnect is set to 2 minutes the alert will occur between 2 minutes and 2 minutes, 30 seconds depending on where the event occurs in the heartbeat cycle.

Once the DB Options settings have been selected, click the OK button to save the Network Device Agent properties configuration. Click Cancel to abort the Network Device Agent properties configuration.

CONFIGURING THE NETWORK DEVICE AGENT HEARTBEAT AND STATISTIC GATHERING INTERVAL

The CimTrak Network Device Agent must remain in communication with the Master Repository at all times. A heartbeat communication will occur between the Network Device Agent and the Master Repository to check that communication is still possible. The heartbeat interval is configurable in the CimTrak Agent Configuration dialog.

Additionally, CimTrak Agent Statistics are gathered at a specified interval. Statistics are transmitted with the Heartbeat transmission. The statistics interval is configurable in the CimTrak Agent Configuration dialog.

Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Figure 278: CimTrak Agent Poll Intervals settings (defaults)

The Poll Intervals section of the CimTrak Agent Configuration dialog allows for the configuration of the heartbeat and statistics interval. All intervals are indicated in seconds. Accepted heartbeat intervals include 1 second through 300 seconds. Accepted statistics intervals include 1 second through 120 seconds.

Once the Poll Intervals settings have been selected, click the OK button to save the Network Device Agent properties configuration. Click Cancel to abort the Network Device Agent properties configuration.

CONFIGURING THE NETWORK DEVICE AGENT THROTTLE

The CimTrak Network Device Agent communications can be throttled to control the speed of communications with the Master Repository. This capability is useful in limiting network bandwidth requirements and CPU cycles on the Agent host operating system. Setting of Agent Throttling is performed through the CimTrak Agent Configuration dialog. Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Figure 279: Network Device Agent Throttling settings

Setting Agent Throttling does not delay the remediation capabilities of the Network Device Agent. The Throttle is applied to subsequent communications relating to events.

The Throttle indicates the wait time between file transmissions and/or 60 KB data transmission. The Throttle applies to the following scenarios:

- Sending Watch Data and Files to the Master Repository
- Syncing Watch Directories
- Locking Directories

Sliding the Agent Throttling slider to the left reduces the throttling (speeds up communications). Sliding the Agent Throttling slider to the right increases the throttling (slows down communications). By default, the Agent Throttling is set one tick right of Off.

Once the Agent Throttling settings have been selected, click the OK button to save the Network Device Agent properties configuration. Click Cancel to abort the Network Device Agent properties configuration.

NETWORK DEVICE AGENT MONITORING PARAMETERS

The CimTrak Network Device Agent Monitoring Parameters allows for the configuration of system health monitoring of the system hosting the Network Device Agent. Agent Monitoring Parameters are configured through the Agent Configuration dialog. Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Figure 280: Agent Monitoring Parameters

The addition, editing, and deletion of monitoring parameters is explained in subsequent sections.

ADDING NETWORK DEVICE AGENT MONITORING PARAMETERS

The CimTrak Network Device Agent Monitoring Parameters allow for the configuration of system health monitoring. Adding Agent Monitoring Parameters is performed through the Agent Configuration dialog. Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Click the Add button in the Monitoring Parameters section. The Agent Monitor Parameters dialog will display.

Figure 281: Agent Monitor Parameters dialog

The Agent Monitor Parameters dialog allows for the configuration of host health monitoring by monitoring the utilization of host devices. The list of available devices is host dependent. Generally, devices available for monitoring include:
- Network Adapter Bandwidth Utilization
- CPU Processor Utilization
- Disk Space Utilization
- Memory Utilization

Each selected device has the capability to define specific monitoring rules. Monitoring rules include the condition to monitor, the percentage of utilization, and the time interval of measured utilization. Each monitoring rule is described in the following information:
- Condition: The comparison to use against the alarm value percent.
  - Equal
  - Greater Than
  - Greater Than or Equal
  - Less Than
  - Less Than or Equal
- Alarm Percent: The threshold at which the alarm will generate an event log message. Acceptable values are between 1 and 99%.
- After: The number of seconds that the specified condition must exist before the alarm generates an event log message. Acceptable values are between 1 and 172,800 seconds.

After creating the monitoring rules click the OK button. Clicking Cancel will abort the creation of the monitoring rule. The created rule will now display in the Monitoring Parameters section of the CimTrak Agent Configuration dialog.

It is possible to add additional monitoring rules by clicking the Add button and following the same steps. Click OK in the CimTrak Agent Configuration dialog to save the changes. Click Cancel to abort the changes.

Monitoring parameters will only generate a single event log message upon the initial triggering of the event. If the host has already exceeded the defined threshold when the monitoring parameter is created, no event will be generated.

Notifications of monitored parameters that are not within the designated threshold are provided as Warning Events in the CimTrak Master Repository Level Event Log and via external reporting tools such as Syslog, SNMP, WebTrends, NitroSecurity Plugin Protocol, and SMTP (when configured).

Figure 282: CimTrak Event Log Performance Alert (Memory Utilization)

EDITING NETWORK DEVICE AGENT MONITORING PARAMETERS

The CimTrak Network Device Agent Monitoring Parameters allow for the configuration of system health monitoring. Editing Agent Monitoring Parameters is performed through the Agent Configuration dialog.
Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Select the device monitoring parameter and then click the Edit button in the Monitoring Parameters section. The Agent Monitor Parameters dialog will display showing the selected device.

Figure 283: Agent Monitor Parameters dialog (device selected)

The Agent Monitor Parameters dialog allows for the configuration of host health monitoring by monitoring the utilization of host devices. The list of available devices is host dependent. Generally, devices available for monitoring include:
- Network Adapter Bandwidth Utilization
- CPU Processor Utilization
- Disk Space Utilization
- Memory Utilization

Each selected device has the capability to define specific monitoring rules. Monitoring rules include the condition to monitor, the percentage of utilization, and the time interval of measured utilization. Each monitoring rule is described in the following information:
- Condition: The comparison to use against the alarm value percent.
  - Equal
  - Greater Than
  - Greater Than or Equal
  - Less Than
  - Less Than or Equal
- Alarm Percent: The threshold at which the alarm will generate an event log message. Acceptable values are between 1 and 99%.
- After: The number of seconds that the specified condition must exist before the alarm generates an event log message. Acceptable values are between 1 and 172,800 seconds.

Modify the selected monitoring rule and then click the OK button. Clicking Cancel will abort the modification of the monitoring rule.

It is possible to edit additional monitoring rules by selecting the rule to modify, clicking the Edit button and following the same steps. Click OK in the CimTrak Agent Configuration dialog to save the changes. Click Cancel to abort the changes.

Monitoring parameters will only generate a single event log message upon the initial triggering of the event. If the host has already exceeded the defined threshold when the monitoring parameter is created, no event will be generated.

Notifications of monitored parameters that are not within the designated threshold are provided as Warning Events in the CimTrak Master Repository Level Event Log and via external reporting tools such as Syslog, SNMP, WebTrends, NitroSecurity Plugin Protocol, and SMTP (when configured).

Figure 284: CimTrak Event Log Performance Alert (Memory Utilization)

DELETING NETWORK DEVICE AGENT MONITORING PARAMETERS

The CimTrak Network Device Agent Monitoring Parameters allow for the configuration of system health monitoring. Deleting Agent Monitoring Parameters is performed through the Agent Configuration dialog. Accessing the CimTrak Agent Configuration dialog is accomplished by either right clicking on the Network Device Agent name in the Object Group tree and then selecting Properties or clicking on the Network Device Agent name in the Object Group tree and then clicking the Properties button on the CimTrak Management Console Toolbar. The CimTrak Agent Configuration dialog will display.

Select the device monitoring parameter to delete and then click the Delete button in the Monitoring Parameters section. The selected device monitoring parameter will be deleted.

It is possible to delete additional monitoring rules by selecting the rule to delete and then clicking the Delete button. Click OK in the CimTrak Agent Configuration dialog to save the changes. Click Cancel to abort the changes.

Deleting monitoring parameters is permanent and cannot be undone once OK is clicked in the CimTrak Agent Configuration dialog. No confirmation notice is displayed.

WORKING WITH NETWORK DEVICE AGENT POLICIES

The Network Device Agent has the capability to monitor network device configurations on network devices from the host system containing the Network Device Agent. For many monitored configurations, CimTrak has the capability to remediate detected changes.

The CimTrak Network Device Agent works by detecting additions, deletions, and modifications of configurations by comparing the configuration on the network device with the configured baseline. Upon initial Object Group Policy configuration, CimTrak takes a snapshot of the files and configurations being monitored. The CimTrak Network Device Agent creates a cryptographic hash of the files and configurations being monitored and stores this calculated data in the CimTrak Master Repository. Once a known baseline has been determined, the CimTrak Network Device Agent monitors the file system and configurations to determine when a change occurs. The CimTrak Network Device Agent can send alerts of detected changes and remediation via the Master Repository's SNMP, SMTP, Syslog, WebTrends, and NitroSecurity Plug-in Protocol (when configured).

Generally, the Network Device Agent communicates with monitored network devices using SSH, Telnet, SNMPv2, or SNMPv3. Data transmissions are facilitated using TFTP or SCP.

To enable monitoring, the CimTrak Network Device Agent must have Object Group Policies created and enabled. The process of creating, editing, and performing additional Object Group Policy tasks is described in subsequent sections of this documentation.

CREATING AND EDITING OBJECT GROUP WATCH POLICIES

The Network Device Agent has the capability to monitor critical files and operating system configurations on the host system containing the Network Device Agent or remote file shares. For many monitored files and configurations, CimTrak has the capability to remediate detected changes. To enable monitoring, the CimTrak Network Device Agent must have Object Group Policies created and enabled.

To create a new Object Group Watch Policy, select the Network Device Agent of the system to monitor by clicking it once in the Management Console's Object Group Tree, right-click and select New Object Group in the Context menu.
Optionally, the process of creating a new Object Group Watch Policy can be initiated by selecting the Network Device Agent of the system to monitor by clicking it once in the Management Console's Object Group Tree, clicking the New drop-down button in the Menu Bar, followed by Object Group. The Object Group Properties dialog will display.

To edit an Object Group Watch Policy, select the Object Group Policy to modify by right-clicking its name in the Object Group Tree. Select Properties in the Context menu. Optionally, the process of creating a new Object Group Watch Policy can be initiated by selecting the Object Group name in the Management Console's Object Group Tree and then clicking the Properties button on the Menu Bar. The Object Group Properties dialog will display.

Once the Object Group has been created it will display in the CimTrak Management Console's Object Group Tree.

Figure 285: CimTrak Management Console's Object Group Tree Showing Object Groups

To enable monitoring of the Object Group it must be locked. Detailed information about creating Object Group Watch Policies and enabling/disabling monitoring is explained in subsequent sections.

OBJECT GROUP PROPERTIES

The process of creating a new or editing an Object Group Watch Policy can be initiated by selecting the Network Device Agent of the system to monitor by clicking it once in the Management Console's Object Group Tree, clicking the New drop-down button in the Menu Bar, followed by Object Group. The Object Group Properties dialog will display.

To edit an Object Group Watch Policy, select the Object Group Policy to modify by right-clicking its name in the Object Group Tree. Select Properties in the Context menu. Optionally, the process of creating a new Object Group Watch Policy can be initiated by selecting the Object Group name in the Management Console's Object Group Tree and then clicking the Properties button on the Menu Bar. The New Network Device dialog will display.

Figure 286: New Network Device dialog

The Network Device dialog allows for the communication and data transfer configurations associated with the monitored network device. Default supported network devices, communication methods, and file transfer methods are outlined in Table 2.

Device Type        Communication Options          Detection Options          Configuration Transfer Options
Cisco IOS          SSH, Telnet, SNMPv3, SNMPv2c   Polling, SNMPv3, SNMPv2c   SCP, TFTP
Cisco ASA          SSH, Telnet                    Polling                    SCP, TFTP
Cisco PIX          SSH, Telnet                    Polling                    SCP, TFTP
Juniper ScreenOS   SSH, Telnet                    Polling                    SCP, TFTP
Juniper JunOS      SSH, Telnet                    Polling                    SCP, TFTP

Table 2: Network Device Communication and File Transfer Protocols

Additional supported network devices may be available in your region. Contact an authorized CimTrak Sales Representative for more information.

Monitoring and communicating with Cisco IOS devices supporting SNMPv2c or SNMPv3 requires additional configuration on the monitored network device. See a subsequent section for configuration details.

Populating the Network Device dialog and clicking the OK button causes the Object Group Properties dialog to display. To abort the Network Device Configuration click the Cancel button.

Figure 287: Object Group Properties dialog

The Object Group Properties dialog is comprised of several sections. Each of these sections has specific functionality relating to the monitoring performed by the Network Device Agent.
- Object Information
- Private Key Implementation
- Monitoring Information
- Operating System Tree
- Watch Properties

Network Device Agent Object Information:
Object Information provides CimTrak Users and Administrators detailed information pertaining to the Object Group Watch Policy. The Object Group Name is the only required field. Object Group Names must be unique and may contain between 1 and 49 characters.

Figure 288: Network Device Agent Object Information

- Object Group Name: Used to indicate a unique name for the Network Device Agent Object Group.
- Location: Optional Object Group Location information.
- Description: Optional Object Group Description information.
- Date Put in Service: Optional Date and Time associated with the in-service date of the Object Group.
- Contact: Optional Contact information associated with the Object Group.
- URL: Optional URL information associated with the Object Group.
- Notes: Optional dialog to enter administrative notes associated with the Object Group.

Optionally, the Object Group Watch Policy has the capability to require CimTrak Users and Administrators to enter notes when enabling monitoring of the Object Group Watch Policy. Enabling of required notes is performed by selecting the Require Notes on Lock checkbox.

Private Key Implementation:
- Set Object Group Private Key: Password that prevents unauthorized viewing, adding, or changing of files monitored by the Object Group. See section for more information.

Figure 289: Network Device Agent Object Group Private Key Button

Monitoring Information:
- Number of Changes to Keep: Number of added files/configurations to keep in the Change Log. A zero placed in this field indicates unlimited changes will be stored. Maximum accepted value of 10,000 changes.
- Keep Change Size (in KB): The maximum file size an added file can be for it to be stored in the Change Log. Files exceeding this change size limit are still detected but cannot be compared or retrieved. Maximum accepted value of 4,194,304 KB.
- Number of Revisions to Keep: Number of revisions to keep for each change to files and configurations monitored by the Object Group. A zero placed in this field indicates unlimited changes will be stored. Maximum accepted value of 10,000 revisions.
- Warn if Unlocked (in minutes): Generate a notice if monitoring of the Object Group has been disabled for more than the indicated time. A zero placed in this field disables the warning. Maximum accepted value of 10,000 minutes.
- Number of Events to Keep: Quantity or Days to store Object Group Event Log audit records. Maximum accepted value of 10,000 events.

Storing an unlimited number of events, revisions, or changes has the potential to exhaust all available disk space on the Master Repository and degrade system performance.

Figure 290: Network Device Agent Monitoring Information

Operating System Tree
The Operating System Tree, located at the lower left corner of the Object Group Properties dialog, contains a listing of all configurations that can be monitored by the CimTrak Network Device Agent. The contents of the Operating System Tree are network device specific. Additionally, external CimTrak Plug-ins attached to the Network Device Agent will appear in the Operating System Tree.

Figure 291: Cisco IOS Operating System Tree

Selecting data to monitor is accomplished by checking the checkbox next to the system component. The contents of the Operating System Tree can be expanded or collapsed by clicking the + or - symbols corresponding with each monitor type.

Selecting any monitor data causes the Watch Properties dialog to display. See a subsequent section for more information on setting Watch Properties.

Content that is monitored in the current Object Group is displayed in the File System Tree in a pink font color. Content that is monitored elsewhere is displayed in an orange font color.

Figure 292: Watch notifications

Watch Properties
The Watch Properties section shows any currently monitored files, folders, and configurations. Additionally, excluded or included paths and files are displayed. The Watch Properties are explained in detail in subsequent sections.

OBJECT GROUP WATCH POLICY PRIVATE KEY

The process of creating an Object Group Private Key is accomplished during the creation of the Object Group or by editing the Object Group via the Object Group Properties dialog. The creation of a Network Device Agent Object Group is accomplished by right-clicking on the Network Device Agent IP Address in the Management Console Object Group Tree and then selecting New Object Group. See section for additional information. Editing of a Network Device Agent Object Group is possible by right-clicking on the Object Group in the Object Group Tree and clicking Properties.

Click Set Object Group Private Key to create the Private Key. The Set Object Group Private Key dialog will appear.

Once the Object Group Private Key is created the Private Key cannot be changed.

The creation of an Object Group Private Key is optional but is recommended when it is necessary to conceal the contents of stored files from CimTrak users. The Object Group Private Key provides a secondary layer of security for the information monitored within a CimTrak Object Group. When a Private Key has been applied, all contents monitored within the Object Group are protected by an additional layer of encryption. If the CimTrak user attempts to compare Object Group contents, the user is prompted to enter the Private Key. Only by entering a valid Private Key can the contents of the Object Group be viewed or compared. Object Group Private Keys can be automatically inherited from the Network Device Agent, if configured during installation, or can be set per Object Group.

The Object Group Private Key only protects viewing of contents within CimTrak. If an unauthorized user is able to gain access to the file system, the user will be able to view the contents of the files. Proper security measures are still necessary to prevent unauthorized access to system data.

In the event a Private Key has been applied to an Object Group, the optional FTP Repository Interface will not be able to access the files stored within the Object Group.

In the event that a configured Private Key has been lost, it cannot be recovered.

Figure 293: Set Object Group Private Key dialog

Populate the Private Key and Confirm Private Key textboxes with the intended Private Key and then click the OK button to accept the Private Key. Click Cancel to abort the Private Key creation process. When completed, click OK on the Object Group Properties dialog.

WATCH PROPERTIES

Selecting any object listed in the Object Group Properties File System Tree causes the Watch Properties dialog to display. See section for more information on accessing Object Group Properties.

Figure 294: Watch Properties dialog

The Watch Properties dialog allows for the configuration of detection and reaction parameters. The Watch Properties dialog is comprised of several different sections:
- Corrective Action
- Authoritative Copy
- File Comparison Method
- Store Changes
- Options
- Event Detection Method
- Connection Loss
- Auto Exclude

These sections are explained in detail in subsequent sections.

After completing the Watch Properties configuration click OK to accept the changes or Cancel to abort and discard the changes. The Watch Properties dialog will close and the Object Group Properties dialog will display showing the configured Watch Properties in the Watch Properties section.

Figure 295: Watch Properties section showing monitored directory

CORRECTIVE ACTION

Defining the corrective action associated with a Network Device Agent Object Group Policy is accomplished through the Watch Properties dialog. CimTrak supports four primary modes of remediation when changes to modified files/configurations are detected. Additionally, CimTrak has the capability to perform customized remediation actions.

Primary modes of remediation include:
- Restore from Repository: Stored authoritative (original) data files are used to restore files and folders that have been changed.
- Log: All detected change events are only logged. No authoritative (original) file data is stored.
- Update Baseline: Changes are allowed to occur. Each change results in an incremental backup being performed on the watch data. When applicable, previous baselines can be pushed back to the monitored system.
- Prompt for Approval: Changes are allowed to occur. The CimTrak Administrator is given the option to allow or undo the detected changes.

Optionally, the Custom configuration mode exists allowing for any combination of the primary modes of remediation. For example, when a file is added the administrator may choose to update the baseline; when a file is deleted the administrator may choose to restore the file; when a file is modified the administrator may choose to log the change.

Figure 296: Corrective Action Properties
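The following Python example is added here for illustration and is not CimTrak code: it models the hash-against-baseline comparison and the Custom mode combination described above (an add updates the baseline, a delete is restored, a change is only logged). SHA-256, the function names and the sample configuration items are assumptions.

```python
import hashlib

# Event types and corrective actions as named on this page.
ON_ADD, ON_DELETE, ON_CHANGE = "On Add", "On Delete", "On Change"
RESTORE, LOG, UPDATE, PROMPT, IGNORE = (
    "Restore from Repository", "Log", "Update Baseline",
    "Prompt for Approval", "Ignore")


def digest(data):
    # SHA-256 is an assumption; the page does not name the hash algorithm.
    return hashlib.sha256(data).hexdigest()


def take_baseline(configs):
    """Snapshot each item: its hash plus an authoritative copy for restores."""
    return {name: {"hash": digest(data), "copy": data}
            for name, data in configs.items()}


def detect(baseline, device):
    """Compare device state with the baseline; return (event, name) pairs."""
    events = []
    for name in sorted(set(baseline) | set(device)):
        if name not in baseline:
            events.append((ON_ADD, name))
        elif name not in device:
            events.append((ON_DELETE, name))
        elif digest(device[name]) != baseline[name]["hash"]:
            events.append((ON_CHANGE, name))
    return events


def remediate(baseline, device, policy):
    """Apply the per-event corrective action. Mutates baseline and device and
    returns (log, pending), where pending awaits administrator approval."""
    log, pending = [], []
    for event, name in detect(baseline, device):
        action = policy[event]
        if action == IGNORE:
            continue                                   # no action, no log entry
        if action == RESTORE:
            if event == ON_ADD:
                del device[name]                       # remove the unapproved item
            else:
                device[name] = baseline[name]["copy"]  # push authoritative copy
        elif action == UPDATE:
            if event == ON_DELETE:
                del baseline[name]
            else:
                baseline[name] = {"hash": digest(device[name]),
                                  "copy": device[name]}
        elif action == PROMPT:
            pending.append((event, name))              # change stays in place
        log.append((event, name, action))
    return log, pending


# Constructed sample data, not taken from a real device.
APPROVED = {
    "running-config": b"hostname edge-rtr\nip ssh version 2\n",
    "startup-config": b"hostname edge-rtr\nip ssh version 2\n",
}
CUSTOM_POLICY = {ON_ADD: UPDATE, ON_DELETE: RESTORE, ON_CHANGE: LOG}


def demo():
    baseline = take_baseline(APPROVED)
    device = dict(APPROVED)
    device["running-config"] += b"logging host 192.0.2.10\n"   # modified
    del device["startup-config"]                               # deleted
    device["acl-110"] = b"access-list 110 permit ip any any\n"  # added
    first = detect(baseline, device)
    log, pending = remediate(baseline, device, CUSTOM_POLICY)
    return first, log, pending, detect(baseline, device)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

After one pass the added item is part of the baseline and the deleted item is back on the device, but the logged modification is still reported on the next comparison because Log neither restores nor re-baselines.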

Selection of the remediation mode is accomplished by selecting the corresponding radio button. Additional advanced remediation settings can be set by clicking the Advanced button.

Selecting the Advanced button causes the Corrective Action Advanced Settings dialog to display. The Corrective Action Advanced dialog allows for the configuration of custom corrective actions and the launching of system processes or scripts when a change is detected. Selecting the Custom radio button automatically accesses the Corrective Action Advanced Settings dialog.

Figure 297: Corrective Action Advanced Settings

To modify the corrective action for each event type (On Change, On Delete, On Add), modify the contents of the associated Corrective Action dropdown. The Corrective Action dropdown allows for the selection of several corrective actions including:
- Restore from Repository: Stored authoritative (original) data files are used to restore files and folders that have been changed.
- Log: All detected change events are only logged. No authoritative (original) file data is stored.
- Update Baseline: Changes are allowed to occur. Each change results in an incremental backup being performed on the watch data. When applicable, previous baselines can be pushed back to the monitored system.
- Prompt for Approval: Changes are allowed to occur. The CimTrak Administrator is given the option to allow or undo the detected changes.
- Ignore: Ignore the change. Take no action and do not log the event.

To configure the launching of a system process or script on the CimTrak Network Device Agent host for each event type (On Change, On Delete, On Add), modify the contents of the associated Run textbox. Modifying the contents of the Run textbox is accomplished by clicking the Open button. The Open File dialog will display. Navigate the Agent File System to select the process or script to launch. To clear the Run textbox click the Delete button.

- Open button: The Open button is used to browse the Network Device Agent's file system for a process or script to launch when an event is detected.
- Close button: The Close button is used to de-select the previously configured process or script launched when an event is detected.

Figure 298: Open File dialog

The Wait/Timeout configurations force CimTrak to wait for a selected script to finish before performing the selected corrective action. Selecting the Wait checkbox and populating the Timeout textbox will force the CimTrak Network Device Agent to wait the indicated timeout value (in seconds) before initiating the specified corrective action. If the selected script or file concludes before the timeout value, the timeout will expire when the script or file ends. Accepted timeout values are between 0 seconds (disabled) and 300 seconds.

Figure 299: Corrective Action Wait & Timeout Settings

Optionally, information can be passed by CimTrak to the launched application or script by enabling the Parameters checkbox associated with each event type (On Change, On Delete, On Add). CimTrak will pass the following information (if applicable) when this option is enabled:
- ACTION CHANGE
- ACTION ADD
- ACTION DELETE
- FILE path/filename

Scripts and applications can be designed to interpret this parameter information to perform additional external custom actions.

Figure 300: Corrective Action Parameters Settings

CIMCOR recommends Object Groups be monitored in Log Mode for a minimum of one week. This use of Log Mode assists with the determination of which settings to use for the various files, folders, and configurations that will be monitored.

AUTHORITATIVE COPY

Depending on the Corrective Action used, CimTrak has the capability to alter the storage of Authoritative Copy data. The Authoritative Copy refers to a saved copy of locked file system/configuration data stored in the Master Repository for the purpose of restoring files to the last known approved state. Additionally, Authoritative Copy data can be used to compare the contents of monitored files and configurations. Authoritative Copy data is stored in the Master Repository using the user-configured cryptology and is compressed.

Figure 301: Authoritative Copy Parameter Settings

The compression ratio used by CimTrak varies with the type of content being monitored (i.e., images, documents, text files). Generally, the authoritative copy data is stored with a 20-25% compression ratio.

The Restore from Repository and Prompt for Approval corrective actions must store Authoritative Copy data. All additional corrective actions allow for custom configurations for storing or not storing authoritative copy data. Corrective Action Authoritative Copy storage defaults include:
- Restore from Repository: Enabled - Authoritative Copy data is stored. This option cannot be changed.
- Log: Disabled - Authoritative Copy data is not stored.
- Update Baseline: Enabled - Authoritative Copy data is stored.
- Prompt for Approval: Enabled - Authoritative Copy data is stored. This option cannot be changed.
- Custom: Dependent on the corrective action selected.

FILE COMPARISON METHOD

Each file, folder, and configuration monitored by CimTrak has a calculated hash value stored in the CimTrak Master Repository. The File Comparison Method parameter setting allows for authorized CimTrak Administrators to modify the comparison algorithm used. By default the most powerful method is selected. The methods allowed vary based on the CimTrak Cryptology release.

Figure 302: File Comparison Method Parameter Settings

To change the File Comparison Method, select the method to use from the File Comparison Method dropdown.

STORE CHANGES

Depending on the Corrective Action used, CimTrak has the capability to alter the storage of change data. Change data refers to a saved copy of modified file system/configuration data stored in the Master Repository for the purpose of comparing the contents with the Authoritative Copy. Change data is stored in the Master Repository using the user-configured cryptology and is compressed.

The compression ratio used by CimTrak varies with the type of change stored (i.e., images, documents, text files). Generally, the change data is stored with a 20-25% compression ratio.

The Prompt for Approval and Update Baseline corrective actions must store Change data. All additional corrective actions allow for custom configurations for storing or not storing change data. Change data storage defaults include:
- Restore from Repository: Enabled - Change data is stored.
- Log: Disabled - Change data is not stored.
- Update Baseline: Enabled - Change data is stored. This option cannot be changed.
- Prompt for Approval: Enabled - Change data is stored. This option cannot be changed.
- Custom: Dependent on the corrective action selected.
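The Parameters option described under Corrective Action passes ACTION and FILE values to the launched script. The Python handler below is an added example, not part of the CimTrak documentation, showing one way to validate those values before using them; the token layout (keyword followed by value, or KEY=value), the function names and the log file name are assumptions.

```python
import json
import sys
import time

ALLOWED_ACTIONS = {"CHANGE", "ADD", "DELETE"}   # values listed on this page
MAX_PATH_LEN = 4096                             # assumed upper bound
LOG_FILE = "cimtrak_actions.log"                # hypothetical log location


def parse_parameters(argv):
    """Turn the launch parameters into {'action': ..., 'file': ...}.

    Assumed layouts: ACTION CHANGE FILE path/filename (separate tokens) or
    ACTION=CHANGE FILE=path/filename. Anything else raises ValueError.
    """
    fields, i = {}, 0
    while i < len(argv):
        key, sep, value = argv[i].partition("=")
        key = key.upper()
        if key not in ("ACTION", "FILE"):
            raise ValueError("unexpected parameter: %r" % argv[i])
        if sep:                          # KEY=value in a single token
            i += 1
        elif i + 1 < len(argv):          # KEY and value in two tokens
            value = argv[i + 1]
            i += 2
        else:
            raise ValueError("missing value for %s" % key)
        if key == "FILE":
            # An unquoted path containing spaces arrives as several tokens.
            value = " ".join([value] + list(argv[i:]))
            i = len(argv)
        fields[key] = value

    action = fields.get("ACTION", "").upper()
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unsupported ACTION: %r" % action)

    path = fields.get("FILE")            # passed only when applicable
    if path is not None:
        if not path or len(path) > MAX_PATH_LEN:
            raise ValueError("FILE is empty or too long")
        if any(ord(c) < 32 or ord(c) == 127 for c in path):
            raise ValueError("FILE contains control characters")
    return {"action": action, "file": path}


def audit_line(params, now=None):
    """One JSON object per event; json.dumps escapes the path, so a crafted
    name cannot forge extra log lines."""
    record = {"ts": int(time.time() if now is None else now)}
    record.update(params)
    return json.dumps(record, sort_keys=True)


def main(argv):
    try:
        params = parse_parameters(argv)
    except ValueError as exc:
        sys.stderr.write("rejected: %s\n" % exc)
        return 2
    # The path is treated as data only: it is logged, never handed to a shell.
    with open(LOG_FILE, "a", encoding="utf-8") as handle:
        handle.write(audit_line(params) + "\n")
    return 0   # return promptly: with Wait enabled the timeout is at most 300 s


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```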

305 AUTO EXCLUDE When creating an Object Group Watch Policy it is important to tune the configuration to exclude files that are dynamic and need to change. CimTrak has the capability to auto-tune the Watch Policy by automatically excluding file that change more times than the designated threshold and interval. The Auto Exclude threshold and interval is configured in the Network Device Agent Watch Properties dialog. The Auto Exclude feature is not recommended for monitoring of network device configurations. By default the Auto Exclude feature is disabled. To enable the Auto Exclude feature, specify the threshold by indicated the amount of times a file or configuration is allowed to change over a specified time in minutes. Figure 303: Auto Exclude parameter settings Acceptable change values must be between 0 (disabled) and 1,000. The time value must be between 1 minute and 1,440 minutes OPTIONS The CimTrak Network Device Agent Watch Properties has additional customization options available to reduce the number of detected false changes. These additional options are useful to allow CimTrak to function properly with backup utilities and source control utilities. Additionally options exist to enable additional monitoring capabilities. The Option settings are available in the Network Device Agent Watch Properties dialog. Figure 304: Options parameter settings Option parameter settings are enabled by clicking the corresponding checkbox. Options are disabled when unchecked. The Options parameter settings allow for the custom configuration of the following: User Guidance 305

306 Ignore Archive Flag: When checked the CimTrak Network Device Agent will ignore any changes that occur to the archive flag. Not supported on network device monitoring. Ignore Read-only Flag: When checked the CimTrak Network Device Agent will ignore any changes that occur to the Read-only flag. Not supported on network device monitoring. Log Reads: When checked CimTrak has the capability to monitor specific files and folders for any form of access. Using this feature will generate audit events whenever a file is viewed or copied. Not supported on network device monitoring EVENT DETECTION METHOD The CimTrak Network Device Agent has the capability to monitor Object Group Policies in real-time (when supported) or on a polling interval. Configuration of the Event detection method is available in the Network Device Agent Watch Properties dialog. Figure 305: Event Detection Method parameter settings Available event detection methods include: Real-time Detection: Real-time Detection will report detected changes immediately when they are performed. The configured remediation mode will automatically initiate immediately upon the detection of a change. Only supported with Cisco IOS SNMPv3 Change Detection. Poll-based Detection: Poll-based Detection will report any changes that have occurred since the last poll-based scan. Acceptable values range between 0 (poll only when force-synced) and 1,440 minutes. Scheduled polling is accomplished by setting the Poll-based Detection interval to 0 and scripting the syncronization using the CimTrak Command Line Interface. These scripts can then be scheduled using Windows Task Scheduler or Linux/UNIX Cron jobs. The Command Line Interface is explained in subsequent sections CONNECTION LOSS Occasionally the CimTrak Master Repository may lose connectivity with attached Network Device Agents due to network errors or mobile devices. 
When this occurs the option exists to automatically perform Object Group synchronization when the connection is re-established. The Connection Loss settings are available through the Object Group Properties Watch Properties dialog.

Figure 306: Connection Loss parameter settings

To enable synchronization after a connection loss, select the User Approval on Sync checkbox. To disable synchronization, de-select the User Approval on Sync checkbox.

When User Approval on Sync is enabled, the CimTrak Administrator is prompted for the desired action to take on detected changes made during the non-connectivity period. The CimTrak Administrator utilizes the Changes Pending Approval Management Console dialog to authorize or deny these changes. The Changes Pending Approval dialog is explained in a subsequent section.

The User Approval on Sync dialog has the following default and customizable settings for each of the following corrective actions:

Restore from Repository: Option can be enabled or disabled. By default this option is disabled.
Log: Option is disabled by default and cannot be changed.
Update Baseline: Option is disabled by default and cannot be changed.
Prompt for Approval: Option is enabled by default and cannot be changed.

TUNING WATCH PROPERTIES

When an operating system folder or configuration is selected in the Object Group Properties dialog, all children files, folders, and configurations are also selected. Often certain files need to be excluded or included in the particular watch policy. CimTrak has the capability to create exclude or include rules for files, folders, and configurations. Creating these advanced rules is accomplished in the selected Object Group's Watch Properties.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.
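As an added illustration of the Auto Exclude threshold and interval described earlier (this is not CimTrak code and does not come from the CIMCOR guide), the following Python example replays a list of change events and reports which paths would drop out of monitoring and which later changes would then go unreported. It assumes a sliding window and that a path is excluded once it changes more than the threshold within the interval; the paths, timestamps and function names are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_CHANGES = 1000   # upper bound for the change threshold given in the guide
MAX_MINUTES = 1440   # upper bound for the interval given in the guide


def validate_auto_exclude(threshold, interval_minutes):
    """Check the settings against the documented ranges.

    Returns True when Auto Exclude is enabled, False when threshold is 0.
    """
    if not 0 <= threshold <= MAX_CHANGES:
        raise ValueError("change threshold must be between 0 and 1,000")
    if not 1 <= interval_minutes <= MAX_MINUTES:
        raise ValueError("interval must be between 1 and 1,440 minutes")
    return threshold > 0


def simulate_auto_exclude(events, threshold, interval_minutes):
    """Replay (timestamp, path) change events.

    Assumed model (not taken from the product): sliding window; a path is
    excluded as soon as it has changed more than `threshold` times within
    `interval_minutes`.
    Returns (excluded, unreported):
      excluded   -- {path: timestamp of the change that triggered exclusion}
      unreported -- changes that arrive after the path was excluded
    """
    if not validate_auto_exclude(threshold, interval_minutes):
        return {}, []
    window = timedelta(minutes=interval_minutes)
    recent = defaultdict(deque)          # per-path timestamps inside the window
    excluded, unreported = {}, []
    for ts, path in sorted(events):
        if path in excluded:
            unreported.append((ts, path))
            continue
        changes = recent[path]
        changes.append(ts)
        # Drop changes that have aged out of the window.
        while ts - changes[0] >= window:
            changes.popleft()
        if len(changes) > threshold:
            excluded[path] = ts
    return excluded, unreported


BASE = datetime(2024, 1, 1, 0, 0)


def minutes(path, offsets):
    """Build constructed change events for `path` at BASE + each offset."""
    return [(BASE + timedelta(minutes=m), path) for m in offsets]


# Constructed sample data: a noisy log file, a rarely edited config file and
# a sensitive file that sees one short burst of edits and a later change.
SAMPLE_EVENTS = (
    minutes("/var/log/app/debug.log", range(10))
    + minutes("/etc/app/app.conf", [0, 30])
    + minutes("/etc/app/users.db", [10, 11, 12, 13, 60])
)

if __name__ == "__main__":
    excluded, unreported = simulate_auto_exclude(SAMPLE_EVENTS, 3, 5)
    for path, when in excluded.items():
        print("auto-excluded", path, "at", when.isoformat())
    for when, path in unreported:
        print("unreported change", path, "at", when.isoformat())
```

With a threshold of 3 changes in 5 minutes, the burst on the constructed users.db path is enough to exclude it, so its later change is never reported; reviewing the excluded set against the list of files that must stay monitored catches this before the setting is enabled.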

Monitored folders, files, and configurations will display in the Object Group Properties Watch Properties section. Each displayed item will include the following information:

Path: The operating system location of the parent folder or configuration.
Object Type: The Object Type being monitored (i.e. Directory).
Type: Action performed by the Watch Property detail (i.e. Watch, Exclude, etc.).
Store Files: Indication of whether or not Authoritative Copy data will be stored in the CimTrak Master Repository.
Corrective Action: The Corrective Action chosen during the creation of the Object Group Watch Policy.
Detection: Indication of the mode of detection (Real-time, Polling).
Ignore Archive Flag: Indication of whether or not changes to the Archive Flag will be ignored.
Ignore Read-only Flag: Indication of whether or not changes to the Read-only Flag will be ignored.
Comparison Method: Displays the comparison method selected in the Object Group's Watch Properties.
Quarantine: Indication of whether or not Change Data will be stored in the CimTrak Master Repository.

Figure 307: Watch Properties section showing monitored data

Each column of information can be sorted by clicking once on the column title.

Right-clicking any item in the Watch Properties section displays a context menu with additional configuration and navigation options. Context menu options include:

Find In Tree: Locate the selected Watch data in the Object Group Properties dialog File System Tree.
Properties: Modify the watch properties associated with the selected Watch data. Opens the Watch Properties dialog.
Remove Watch: Disable the selected Watch data by unselecting it in the Object Group Properties dialog File System Tree.
Add Regular Expression Exclude: Create customized excludes to prevent or enable monitoring of specific folder, file, or configuration criteria.

Remove Exclude(s): Delete the customized exclusion created in the Add Regular Expression Exclude.

EXCLUDING AND INCLUDING USING REGULAR EXPRESSIONS

Occasionally a CimTrak Object Group Policy may need to exclude data from monitoring, or monitor only certain data, based on file extensions, file names, folder names, configuration names, or various other types of information. Setting these custom watch rules is performed by creating Regular Expression Excludes.

The process of creating a Regular Expression Exclude is performed through the Add Regular Expression Exclude dialog accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

Figure 308: Add Regular Expression Exclude dialog

The Add Regular Expression Exclude dialog has the capability to exclude files and folders. Additionally, the Add Regular Expression Exclude dialog can create inverse regular expression excludes to only monitor certain files or folders based on the criteria entered.

EXCLUDING FOLDERS USING REGULAR EXPRESSIONS

The process of creating a Regular Expression Exclude is performed through the Add Regular Expression Exclude dialog accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

To create a Regular Expression folder exclude, enter the folder information to exclude (i.e. \temp). Ensure that the Folders radio button is selected and then click OK. Click Cancel to abort the changes and return to the Object Group Properties dialog.

Clicking OK will automatically return to the Object Group Properties dialog. Note that the regular expression exclude is displayed in the Watch Properties data section. Regular expression excludes are displayed in blue text.

Regular Expression Folder Excludes can become very complex. It is possible to create custom exclusions using regular expressions. For instance, a regular expression exclude can be created to ignore case:

/Cisco IOS can be entered as //[Cc][Ii][Ss][Cc][Oo] [Ii][Oo][Ss]//

Figure 309: Regular Expression Folder Exclude (blue text)

To add additional Regular Expression folder excludes, repeat the same steps. To remove Regular Expression Excludes, right-click on the Exclude information in the Watch Properties data section and then select Remove Exclude(s).

When completed, click the OK button to save the changes. Click the Cancel button to abort the configuration and discard any changes.

EXCLUDING FILES USING REGULAR EXPRESSIONS

The process of creating a Regular Expression Exclude is performed through the Add Regular Expression Exclude dialog accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

To create a Regular Expression file exclude, enter the file type information to exclude (i.e. .log). Ensure that the Files radio button is selected and then click OK. Click Cancel to abort the changes and return to the Object Group Properties dialog.

Clicking OK will automatically return to the Object Group Properties dialog. Note that the regular expression exclude is displayed in the Watch Properties data section. Regular expression excludes are displayed in blue text.

Regular Expression Folder Excludes can become very complex. It is possible to create custom exclusions using regular expressions. For instance, a regular expression exclude can be created to ignore case:

running-config can be entered as [Rr][Uu][Nn][Nn][Ii][Nn][Gg]-[Cc][Oo][Nn][Ff][Ii][Gg]

Figure 310: Regular Expression File Exclude (blue text)

To add additional Regular Expression file excludes, repeat the same steps. To remove Regular Expression Excludes, right-click on the Exclude information in the Watch Properties data section and then select Remove Exclude(s).

When completed, click the OK button to save the changes. Click the Cancel button to abort the configuration and discard any changes.

INVERSE EXCLUDING OF FOLDERS USING REGULAR EXPRESSIONS

The process of creating an Inverse Regular Expression Exclude is performed through the Add Regular Expression Exclude dialog accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

Inverse regular expressions can be used to include information to monitor. To create an Inverse Regular Expression folder exclude, enter the folder information to watch (i.e. \temp). Ensure that the Folders radio button and the Inverse checkbox are selected and then click OK. Click Cancel to abort the changes and return to the Object Group Properties dialog.

Clicking OK will automatically return to the Object Group Properties dialog. Note that the Inverse regular expression exclude is displayed in the Watch Properties data section. Inverse Regular expression excludes are displayed in blue text.

Inverse Regular Expression Folder Excludes can become very complex. It is possible to create custom inverse exclusions using inverse regular expressions.

For instance, an inverse regular expression exclude can be created to ignore case:

/Cisco IOS can be entered as //[Cc][Ii][Ss][Cc][Oo] [Ii][Oo][Ss]//

Figure 311: Regular Expression Folder Exclude (blue text)

To add additional Inverse Regular Expression folder excludes, repeat the same steps. To remove Inverse Regular Expression Excludes, right-click on the Exclude information in the Watch Properties data section and then select Remove Exclude(s).

When completed, click the OK button to save the changes. Click the Cancel button to abort the configuration and discard any changes.

INVERSE EXCLUDING OF FILES USING REGULAR EXPRESSIONS

The process of creating an Inverse Regular Expression to include specified files or extensions is performed through the Add Regular Expression Exclude dialog accessed by right-clicking Watch data and then selecting Add Regular Expression Exclude from the context menu.

Accessing the Object Group Properties is accomplished during the creation or editing of an Object Group's Watch Policy. See section for more information on creating Watch Policies.

To create an Inverse Regular Expression file exclude, enter the file type information to exclude (i.e. .log). Ensure that the Files radio button and Inverse checkbox are selected and then click OK. Click Cancel to abort the changes and return to the Object Group Properties dialog.

Clicking OK will automatically return to the Object Group Properties dialog. Note that the inverse regular expression exclude is displayed in the Watch Properties data section. Inverse Regular expression excludes are displayed in blue text.

Inverse Regular Expression Folder Excludes can become very complex. It is possible to create custom exclusions using regular expressions. For instance, an inverse regular expression exclude can be created to ignore case:

running-config can be entered as [Rr][Uu][Nn][Nn][Ii][Nn][Gg]-[Cc][Oo][Nn][Ff][Ii][Gg]

Figure 312: Regular Expression File Exclude (blue text)

To add additional Inverse Regular Expression file excludes, repeat the same steps. To remove Inverse Regular Expression Excludes, right-click on the Exclude information in the Watch Properties data section and then select Remove Exclude(s).

When completed, click the OK button to save the changes. Click the Cancel button to abort the configuration and discard any changes.

SAVING OBJECT GROUP WATCH POLICIES TO TEMPLATES

Once an Object Group Watch Policy has been created it is possible to save the policy configurations to a template. Using a template can assist in creating identical watch data for other CimTrak Network Device Agents. See section 4.7 for more information on CimTrak Templates.

Network Device Templates cannot be transferred between Master Repositories.

To create a template, right-click on the Object Group name in the CimTrak Management Console's Object Group Tree and then select Save to Template. The Save to Template dialog will display.

Enter a unique name for the template. If you would like this template to be private to your CimTrak account be sure to select the Private option by selecting the Private checkbox. When finished entering the required information click the OK button. Click the Cancel button to abort the template creation.

A template name can be between 1 and 512 characters.
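The regular expression excludes and inverse excludes described in the preceding sections can be checked against a list of candidate paths before they are entered in the dialog. The Python example below is added here and is not CimTrak code: it builds the bracketed ignore-case form shown in the guide and reports which paths a rule would leave monitored. It assumes unanchored matching with Python `re` semantics, which the guide does not state for CimTrak; the sample paths and function names are constructed.

```python
import re

# Regex metacharacters that need escaping when they appear in a literal name.
META = set(r".^$*+?{}[]\|()")


def case_insensitive_class(literal):
    """Expand a literal into the ignore-case form used in the guide,
    e.g. running-config -> [Rr][Uu][Nn]...-[Cc][Oo][Nn]..."""
    out = []
    for ch in literal:
        if ch.isascii() and ch.isalpha():
            out.append("[" + ch.upper() + ch.lower() + "]")
        elif ch in META:
            out.append("\\" + ch)      # keep '.', '\' and friends literal
        else:
            out.append(ch)
    return "".join(out)


def is_monitored(path, pattern, inverse=False):
    """Exclude rule: a matching path is dropped from the watch.
    Inverse rule: only matching paths stay watched.
    Assumption: the pattern may match anywhere in the path (re.search)."""
    matched = re.search(pattern, path) is not None
    return matched if inverse else not matched


def audit_rule(paths, pattern, inverse=False):
    """Split candidate paths into (monitored, unmonitored) for one rule."""
    monitored = [p for p in paths if is_monitored(p, pattern, inverse)]
    unmonitored = [p for p in paths if p not in monitored]
    return monitored, unmonitored


def over_excluded(paths, broad, tight):
    """Paths that the broad exclude drops but the tight exclude keeps."""
    dropped_broad = audit_rule(paths, broad)[1]
    dropped_tight = audit_rule(paths, tight)[1]
    return [p for p in dropped_broad if p not in dropped_tight]


# Constructed sample paths, not taken from any real system.
SAMPLE_PATHS = [
    "/var/app/logs/app.log",
    "/var/app/bin/catalog",
    "/var/app/conf/syslog.conf",
    "/var/app/conf/running-config",
    "/var/app/conf/Running-Config",
    "/var/app/bin/server",
]

if __name__ == "__main__":
    # ".log" as a regex: '.' matches any character and nothing anchors it.
    print("dropped by .log     :", audit_rule(SAMPLE_PATHS, ".log")[1])
    print("dropped by \\.log$   :", audit_rule(SAMPLE_PATHS, r"\.log$")[1])
    print("blind spots         :", over_excluded(SAMPLE_PATHS, ".log", r"\.log$"))
    pattern = case_insensitive_class("running-config")
    print("inverse, ignore case:", audit_rule(SAMPLE_PATHS, pattern, inverse=True)[0])
```

Under these assumptions an exclude entered as `.log` also drops the constructed `catalog` and `syslog.conf` paths from monitoring, while an escaped and anchored pattern drops only the log file.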

Figure 313: Save to Template dialog

In addition to being able to create Templates for single Object Groups, CimTrak has the capability to create Templates for multiple Object Groups at the Network Device Agent level.

To create a Network Device Agent template, right-click on the Network Device Agent name in the CimTrak Management Console's Object Group Tree and then select Save to Template. The Save to Template dialog will display.

Enter a unique name for the template. If you would like this template to be private to your CimTrak account be sure to select the Private option by selecting the Private checkbox. When finished entering the required information click the OK button. Click the Cancel button to abort the template creation.

A template name can be between 1 and 512 characters.

CREATING OBJECT GROUP WATCH POLICIES USING TEMPLATES

Once an Object Group Watch Policy has been created it is possible to save the policy configurations to a template. Using a template can assist in creating identical watch data for other CimTrak Network Device Agents. See section 4.7 for more information on CimTrak Templates.

To create an Object Group from template (or multiple Object Groups from a single template) right-click on the Network Device Agent name in the CimTrak Management Console's Object Group Tree and then select New Object Group(s) from Template. The Select Template dialog will display.

Figure 314: Select Template dialog

Select the template the Object Group will be based on and then click OK. Click Cancel to abort the Object Group creation. If OK is selected the Select Template dialog will close and the newly created Object Group(s) will display in the CimTrak Management Console's Object Group Tree.

DELETING OBJECT GROUP WATCH POLICIES

Once an Object Group Watch Policy has been created it is possible to delete the Object Group.

Once an Object Group is deleted it cannot be undone.

To delete an Object Group Watch Policy right-click on its name in the CimTrak Management Console's Object Group Tree and then select Delete. The Confirm Delete dialog will display.

Figure 315: Confirm Delete dialog

Select Yes to delete the Object Group, select No to abort the deletion. Select the Do not show this again checkbox to suppress this message from future deletions. Clicking Yes results in the Object Group being deleted.

The Object Group must be unlocked (monitoring disabled) before the Object Group can be deleted. Unlocking an Object Group is explained in a subsequent section.

ENABLING AND DISABLING OBJECT GROUP MONITORING

Before a CimTrak Network Device Agent can monitor an Object Group Watch Policy the Object Group must be Locked. To disable monitoring the Object Group Watch Policy must be Unlocked. The monitoring status of an Object Group can be determined by the associated icon in the CimTrak Management Console's Object Group Tree. See section for more information on creating Object Group Watch Policies.

Possible associated statuses are as follows:

Unlocked: The Object Group Watch Policy is not currently being enforced.
Locking: The Object Group Watch Policy is currently in the process of locking.
Locked: The Object Group Watch Policy is currently enforcing the configured Corrective Action.

Locking an Object Group is accomplished by selecting the Object Group to lock in the CimTrak Management Console's Object Group Tree, right-clicking and then selecting Lock and Digitally Sign. Additionally, an Object Group can be locked by selecting the Object Group to lock in the CimTrak Management Console's Object Group Tree and then clicking the Lock button in the Management Console's Toolbar.

Lock All: Lock and enable monitoring of the selected Object Group Tree Component.

When an Object Group is locked (or locking) it will show the locking and synchronization process in the Master Repository, Area, Agent, and Object Group Event Logs. The process of locking and synchronization creates Information level events.

Figure 316: Object Group Lock Process (Event Log)

Multiple Object Groups can be locked simultaneously by selecting the Network Device Agent in the Management Console's Object Group Tree and then either right-clicking and selecting Lock and Digitally Sign in the context menu or by clicking the Lock button located in the Management Console's Toolbar.

Locking the Object Group will instruct the Network Device Agent to create digital signatures for each file included in the watch policy. If a Restore from Repository or Update Baseline Corrective Action is assigned, the Network Device Agent will create Authoritative Copies of the monitored files. All digital signatures and Authoritative Copy data are compressed, encrypted, and then transmitted to the CimTrak Master Repository.

While an Object Group is in the process of locking the lock process can be aborted by either right-clicking on the Object Group in the CimTrak Management Console's Object Group Tree and selecting Cancel Lock in the context menu or by clicking the Stop button in the CimTrak Management Console's Toolbar.

Unlock All: Unlock and disable monitoring of the selected Object Group Tree Component.

When the locking of an Object Group is Stopped it will show the stop locking process in the Master Repository, Area, Agent, and Object Group Event Logs. The process of Stopping creates error level events.

Figure 317: Object Group Lock Process Stopped (Event Log)

The Locking of Multiple Object Groups can be stopped simultaneously by selecting the Network Device Agent in the Management Console's Object Group Tree and then either right-clicking and selecting Cancel Lock in the context menu or by clicking the Stop button located in the Management Console's Toolbar.

The Object Group must be Unlocked before configuration settings associated with an Object Group Watch Policy can be modified, before an Object Group is deleted, or simply to temporarily disable Object Group monitoring. Unlocking an Object Group is accomplished by selecting the Object Group to unlock in the CimTrak Management Console's Object Group Tree, right-clicking and then selecting Unlock and Allow Changes. Additionally, an Object Group can be unlocked by selecting the Object Group to unlock in the CimTrak Management Console's Object Group Tree and then clicking the Unlock button in the Management Console's Toolbar.

Cancel all Locks: Immediately stop and discontinue an initiated action associated with a selected Object Group Tree Component.

When an Object Group is Unlocked it will show the unlock process in the Master Repository, Area, Agent, and Object Group Event Logs. The process of unlocking creates error level events.

Figure 318: Object Group Unlock Process (Event Log)

Multiple Object Groups can be unlocked simultaneously by selecting the Network Device Agent in the Management Console's Object Group Tree and then either right-clicking and selecting Unlock and Allow Changes in the context menu or by clicking the Unlock button located in the Management Console's Toolbar.

SYNCHRONIZING OBJECT GROUP DATA

Data being monitored by a CimTrak Network Device Agent is monitored either in real-time or at a polling interval. To force the polling interval to expire immediately, CimTrak has the capability to synchronize monitored data on demand by means of Force Sync.

Synchronizing an Object Group Watch Policy is performed by either right-clicking on the Object Group in the CimTrak Management Console's Object Group Tree and selecting Force Sync in the context menu or by clicking the Force Sync on All button in the CimTrak Management Console's Toolbar.

Force Sync on All: Synchronize monitored object node data with the Master Repository.

Multiple Object Groups can be synchronized simultaneously by selecting the Network Device Agent in the Management Console's Object Group Tree and then either right-clicking and selecting Force Sync in the context menu or by clicking the Force Sync on All button located in the Management Console's Toolbar.

When an Object Group is synchronized it will show the synchronization process in the Master Repository, Area, Agent, and Object Group Event Logs. The process of synchronizing creates information level events.

Figure 319: Object Group Synchronization Process (Event Log)

NETWORK DEVICE AGENT INFORMATION DISPLAY

The CimTrak Management Console's Information Display Area displays information for the selected CimTrak Network Device Agent. The information displayed is often broken up into several tabbed viewing areas.

Agent Settings: Settings and system information associated with the selected Network Device Agent.
Event Log: Event audit log associated with the Network Device Agent and children Object Groups of the selected Network Device Agent.
Stats: System statistics associated with the system hosting the Network Device Agent.
Notes: Administrative notes associated with the Network Device Agent.
Overview: Object Group status information for all Object Groups associated with the Network Device Agent.

Figure 320: Network Device Agent Information Display Area (Agent Settings Tab Selected)

The information associated with the Network Device Agent Information Display Area tabs is explained in subsequent sections.

REVIEWING NETWORK DEVICE AGENT SETTINGS

The CimTrak Management Console's File System Information Display Area Agent Settings tab displays Settings and system information associated with the selected Network Device Agent.

To show the Network Device Agent Settings select the Network Device Agent in the CimTrak Management Console's Object Group Tree and then click the Agent Settings tab in the Management Console's Information Display Area.

Figure 321: Network Device Agent Information Display Area (Agent Settings tab selected)

The Network Device Agent Settings tab shows information associated with the Network Device Agent and the Network Device Agent's host. Associated information includes:

Version: The version and build number of the CimTrak Network Device Agent.
Operating System: The operating system of the system hosting the CimTrak Network Device Agent.
Agent IP: The IPv4 or IPv6 IP Address associated with the CimTrak Network Device Agent.
System Uptime: The amount of time (days, minutes, seconds) the system hosting the CimTrak Network Device Agent has been running.
Agent Uptime: The amount of time (days, minutes, seconds) the CimTrak Network Device Agent has been running.
Agent Connected Time: The amount of time (days, minutes, seconds) the CimTrak Network Device Agent has been connected to the CimTrak Master Repository.
Location: Location information associated with the CimTrak Network Device Agent. See section for information on setting the Location information.
Description: Description information associated with the CimTrak Network Device Agent. See section for information on setting the Description information.

AUDITING NETWORK DEVICE AGENT EVENTS

The Network Device Agent Event Log provides audit information relating to events occurring in the Network Device Agent and Object Groups connected to the Network Device Agent.

Accessing the Network Device Agent Event Log is accomplished by first clicking once on the Network Device Agent name in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

The Network Device Agent Event Log displays details of all events that have occurred on the Network Device Agent and Object Groups connected to the Network Device Agent. The level of detail displayed is dependent on the auditing level configured in the Master Repository Properties Log Administrative DB Changes. See section for additional information.

For each recorded event, the Network Device Agent Event Log will display information corresponding to the following:

Event Date/Time: The exact date and time of the detected event.
Event: Brief description of the detected event.
Absolute Path: File path affected by the detected event.
Completion Date/Time: Date and time the correction response completed.
Event Code: Internal CimTrak Event Code corresponding to the detected event.
Path: Object Tree Path to the affected CimTrak object.

Figure 322: Network Device Agent Event Log

Each Event Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

Emergency: System is unusable. Highest level of event.
Alert: Take action immediately.
Critical: Critical conditions have occurred.
Error: Error conditions.
Warning: Warning conditions.
Notice: Normal condition that requires attention.
Information: Informational message.
Debug: Debug-level message. Lowest level of event.

Specifics relating to message types are discussed in a subsequent section.

Data displayed in the Network Device Event Log will not actively refresh as new events occur. Click the Refresh button to update the Event Log.

FILTERING AND SORTING THE NETWORK DEVICE AGENT EVENT LOG

The Network Device Agent Event Log can be filtered to only show events matching the specified criteria. Accessing the Network Device Agent Event Log is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Network Device Agent Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Filters can be instantly cleared by clicking the Clear Filters button on the Network Device Agent Event Log tab.

The Filters dialog is broken into three sections:

Configuration Tabs
Filter Criteria
Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING NETWORK DEVICE AGENT EVENT LOG FILTERS

The Area Event Log can be filtered to only show events matching the specified criteria. Accessing the Network Device Agent Event Log is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Network Device Agent Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Comparison: Comparison operator
Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 323: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an And operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 324: Operator selection dropdown

Additional operator types include:

And
Or
And Not
Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons.

Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group members.

Figure 325: Grouped filters

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event log filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Network Device Agent Event Log indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 326: Filtered Event Log data

SORTING THE NETWORK DEVICE AGENT EVENT LOG

The Network Device Agent Event Log can be sorted by any column using the Filters dialog. Accessing the Network Device Agent Event Log is accomplished by first clicking once on the Network Device Agent name in the Object Group Tree to select it followed by clicking the Event Log tab in the Management Console Information Display Area.

To sort the information displayed in the Network Device Agent Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 327: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section.

Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons.

Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The Network Device Agent Event Log indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 328: Filtered Event Log data

REVIEWING NETWORK DEVICE AGENT STATISTICS

The Network Device Agent Stats tab provides system resource statistics relating to the host system of the CimTrak Network Device Agent. Accessing the Network Device Agent Stats tab is accomplished by first clicking once on the Network Device Agent name in the Object Group Tree to select it, followed by clicking the Stats tab in the Management Console Information Display Area.

The Network Device Agent Statistics Information tab is divided into two sections:

Resource Graph: Displays graphs to show a timeline of Network Device Agent host resource consumption.
Resource Summary: Displays category, description, minimum and maximum resource utilization, current resource utilization, and units for all Network Device Agent host resources.

Information displayed in the Resource Graph and the Resource Summary section of the Network Device Agent Stats Tab varies based on the resources available on the host operating system.

Figure 329: CimTrak Network Device Agent Stats tab

The Resource Graph displays a graphical timeline of the selected Network Device Agent host resource since the Stats tab was selected. By default two graphs are displayed simultaneously. To display fewer or more graphs, select the number of graphs to display by clicking the 1, 2 or 4 # of graphs button.

Figure 330: Graph Quantity button

To select the resource(s) to display in the graph(s), select the resource dropdown located directly above each graph. The resource dropdown generally displays the following resources:

Network Adapter Bandwidth Utilization
CPU Processor Utilization
Disk Space Utilization
Memory Utilization

The graph information is updated based on the specified statistics transmission interval. See section for information on configuring the statistics transmission interval.

The Resource Summary section displays category, description, minimum and maximum resource utilization, current resource utilization, and units for all Network Device Agent host resources. The Resource Summary is updated based on the specified statistics transmission interval. See section for information on configuring the statistics transmission interval.

NETWORK DEVICE AGENT NOTES

The Network Device Agent Notes Tab allows CimTrak users to enter administrative notes. Accessing the Network Device Agent Notes Tab is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it, followed by clicking the Notes tab in the Management Console Information Display Area.

The Notes Tab is broken into two sections:

Toolbar
Form

The Toolbar allows authorized CimTrak users to perform various management functions relating to administrative notes.

Figure 331: CimTrak Notes Toolbar

The functionality associated with each Toolbar option is as follows. Please note that the functionality associated with the Toolbar option is dependent on the quantity of notes and the selected note.

New: Create a new Network Device Agent Note.
Duplicate: Copy the current note and open the copy for editing.
Save: Save the note.
Cancel: Cancel the note.
First: Proceed to the first, oldest note.
Previous: Go back one note.
Next: Go forward one note.
Last: Proceed to the last, newest note.

The Form section allows the CimTrak User to enter the note data. Notes may be between 1 and 4000 characters. Once the note has been entered it is necessary to save the note by clicking the Save button in the Notes Toolbar. Aborting the creation of a note is possible by clicking the Cancel button. Navigating previously saved notes is possible using the First, Previous, Next, and Last buttons.

Figure 332: Network Device Agent Notes dialog

To create a note click the New button in the Notes Toolbar. Enter the note content in the Notes form box. When completed click the Save button.

Viewing of a particular note can be made private to the creating user by selecting the Private checkbox in the Notes dialog. Once a note has been created it cannot be made private.

Once a note has been created and saved it cannot be deleted.

NETWORK DEVICE AGENT OBJECT GROUP OVERVIEW

The Network Device Agent Overview tab allows CimTrak Administrators to quickly view the status of all associated Object Group Watch Policies. Accessing the Network Device Agent Overview Tab is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it, followed by clicking the Overview tab in the Management Console Information Display Area.

Information displayed in the Network Device Agent Overview tab includes:

Object Group: The name assigned to the Network Device Agent Object Group Watch Policy.
Status: The status associated with the Network Device Agent Object Group Watch Policy (Lock, Locking, Unlocked).
Date of Last Authorized Change: Date/Time the Object Group Watch Policy was enabled (locked) for monitoring.
Date of Last Change Attempt: The Date/Time the Object Group Watch Policy last detected a violation against the specified policy.

Figure 333: Network Device Agent Overview tab

NETWORK DEVICE AGENT PERMISSIONS

Network Device Agents can be configured to restrict access based on permission settings. Additionally, event notifications can be configured to notify CimTrak Users about events relating to the Network Device Agent.

Accessing Network Device Agent permissions is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

By default each Network Device Agent will have the following permissions:

Administrators
  Create Objects: Create Network Device Agent Object Groups.
  Edit: Edit Network Device Agent settings.
  Lock: Enable active monitoring of Object Group Data.
  Reports: View reports relating to the Network Device Agent contents.
  Unlock: Disable active monitoring of Object Group Data.
  View: View contents and configurations relating to the Network Device Agent.

Auditors
  Reports: View reports relating to Network Device Agent contents.
  View: View contents and configurations relating to the Network Device Agent.

Installers
  Attach CimTrak Agents to a Master Repository.

Figure 334: Network Device Agent Security Permissions dialog

Default access permissions associated with the Administrators, Auditors, and Installers User Groups cannot be changed. It is possible to modify alert notices for Administrator and Auditor user groups. Available alert types include:

Emergency
Alert
Critical
Error
Warning
Notice
Information

Additional information relating to these alert types is described in a subsequent section.

MODIFYING AN EXISTING USER/GROUP NETWORK DEVICE AGENT PERMISSIONS

It is possible to modify existing user and group Network Device Agent Permissions and notification settings. Accessing Network Device Agent permissions is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

Select the existing user or group by clicking once on the CimTrak User or Group name in the Group or User Names section of the Security Permissions dialog. The Permissions section of the Security Permissions dialog will update to show the permissions currently assigned to the selected user or group.

Selecting a group will apply the selected permissions and E-mail notification settings to all members of the group. Selecting a single user will apply the selected permissions and notification settings to only that single user account.

To add or remove permissions click the Allow or Deny checkbox corresponding to the permission being configured. Available permissions include:

Create Objects: Create Network Device Agent Object Groups.
Edit: Edit Network Device Agent/Object Group control contents.
Lock: Enable active monitoring of Object Group Data.
Reports: View reports relating to Network Device Agent contents.
Unlock: Disable active monitoring of Object Group Data.
View: View contents and configurations relating to the Network Device Agent.
Emergency: Receive alerts relating to emergency level notifications.
Alert: Receive alerts relating to alert level notifications.
Critical: Receive alerts relating to critical level notifications.
Error: Receive alerts relating to error level notifications.
Warning: Receive alerts relating to warning level notifications.
Notice: Receive alerts relating to notice level notifications.
Information: Receive alerts relating to information level notifications.

To apply the permission settings to all children objects, ensure that the Apply permissions to children recursively checkbox is selected.

When completed, click OK to apply the permission and alert settings. Click Cancel to abort the security permission configuration.

Permissions and notification settings can be inherited from parent objects (such as the Master Repository) if the permissions are created at a parent level. Permissions and notification settings are not automatically inherited for new objects. It will be necessary to manually assign the permissions and notification settings to the object.

ADDING AND REMOVING USERS AND GROUPS TO NETWORK DEVICE AGENT PERMISSIONS

It is possible to add additional users and groups to the Security Permissions dialog so that Network Device Agent Permissions and notification settings can be assigned or changed. Accessing Network Device Agent permissions is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it and then right-clicking and selecting Permissions or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

To add a new local CimTrak User or Group, click the Add button. The Add Users dialog will display listing all available local users and groups.

Figure 335: Add Users dialog

Select the local CimTrak User or Group to add by selecting the checkbox to the left of the name. Click OK to add the User or Group. Click Cancel to abort the addition process.

The selected user or group will now display in the Group or User Names section of the Security Permissions dialog. The User or Group is now available to have permissions and notification settings assigned. See section for more information.

To add a new Active Directory/LDAP user, click the Add LDAP button. The Search AD/LDAP Server dialog will display.

Select the domain to add the user(s)/group(s) from by clicking the Domain drop down. If the user(s) intended for addition belong to a specific domain group, enter the appropriate domain group information in the Member of Group (optional) textbox.

Select the Search Groups checkbox to indicate that only domain groups should be searched. Select the Search Users checkbox to indicate that only domain users should be searched. Select both the Search Groups and Search Users checkboxes to indicate that both domain groups and domain users should be searched.

The Search String(s) textbox provides a space for entering the users or groups that should be searched for addition options. It is possible to search for multiple objects by separating each name/group with a semicolon. The following are syntax examples:

Display Name: John Smith
User Name: smith.john
Group Name: Domain Admins

Hovering over the blue example text will display syntax examples.

Once the search criteria have been entered, click Search. Clicking Cancel will abort the AD/LDAP user search.

Figure 336: Example AD/LDAP Server search information

Available AD/LDAP user accounts/groups that match the search syntax provided will display. Click the checkbox located to the left of the user account/group intended for addition and then click OK to add the user/group. Clicking Cancel will abort the addition process.

Figure 337: Add Users dialog

Once the selected AD/LDAP user/group account has been added it will appear in the Group or User Names section of the Security Permissions dialog. The AD/LDAP User or Group is now available to have permissions and notification settings assigned. See section for more information.

6.1.4 OBJECT GROUP INFORMATION DISPLAY

The CimTrak Management Console's Information Display Area displays information for the selected CimTrak Network Device Agent Object Groups. The information displayed is often broken up into several tabbed viewing areas.

Event Log: Event audit log associated with the selected Object Group.
Change Log: Change audit log associated with the selected Object Group.
Monitor Info: Monitoring information and configuration details associated with a selected Object Group.
Pending Repair: Object group corrective action queue associated with the selected Object Group.
Notes: Administrative notes associated with the Object Group.

Figure 338: Object Group Information Display Area (Event Log Tab Selected)

The information associated with the Object Group Information Display Area tabs is explained in subsequent sections.

AUDITING OBJECT GROUP EVENTS

The Object Group Event Log provides audit information relating to events occurring in the Object Groups connected to the Network Device Agent. Accessing the Object Group Event Log is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it, followed by clicking the Event Log tab in the Management Console Information Display Area.

The Object Group Event Log displays details of all events that have occurred on the Object Groups connected to the Network Device Agent. The level of detail displayed is dependent on the auditing level configured in the Master Repository Properties Log Administrative DB Changes. See section for additional information.

For each recorded event, the Object Group Event Log will display information corresponding to the following:

Event Date/Time: The exact date and time of the detected event.
Event: Brief description of the detected event.
Correction: The Corrective Action performed on the detected event.
Performed By: The Network Device Agent detecting the event and performing the remediation.
Modified By: The File System User responsible for the detected event.
Absolute Path: File path affected by the detected event.
Completion Date/Time: Date and time the correction response completed.
Event Code: Internal CimTrak Event Code corresponding to the detected event.

Figure 339: Network Device Agent Event Log

Each Event Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

Emergency: System is unusable. Highest level of event.
Alert: Take action immediately.
Critical: Critical conditions have occurred.
Error: Error conditions.
Warning: Warning conditions.
Notice: Normal condition that requires attention.
Information: Informational message.
Debug: Debug-level message. Lowest level of event.

Specifics relating to message types are discussed in a subsequent section.

Data displayed in the Object Group Event Log will not actively refresh as new events occur. Click the Refresh button to update the Event Log.

FILTERING AND SORTING THE OBJECT GROUP EVENT LOG

The Object Group Event Log can be filtered to only show events matching the specified criteria. Accessing the Object Group Event Log is accomplished by first clicking once on the Object Group in the Object Group Tree to select it, followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Object Group Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Filters can be instantly cleared by clicking the Clear Filters button on the Network Device Agent Event Log tab.

The Filters dialog is broken into three sections:

Configuration Tabs
Filter Criteria
Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING OBJECT GROUP EVENT LOG FILTERS

The Object Group Event Log can be filtered to only show events matching the specified criteria. Accessing the Object Group Event Log is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it, followed by clicking the Event Log tab in the Management Console Information Display Area.

To filter the information displayed in the Object Group Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Comparison: Comparison operator
Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 340: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an And operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 341: Operator selection dropdown

Additional operator types include:

And
Or
And Not
Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group members.

Figure 342: Grouped filters
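How grouping changes which events a filter shows, as an added Python sketch that is not CimTrak code. It models rules joined by the And, Or, And Not and Or Not operators and assumes left-to-right evaluation with each group evaluated as a unit; the comparison names (equals, contains), the class names and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed comparison operators; the guide does not list the real ones.
COMPARISONS = {
    "equals": lambda cell, value: cell.lower() == value.lower(),
    "contains": lambda cell, value: value.lower() in cell.lower(),
}

# The four joining operators named in the guide.
JOIN = {
    "And": lambda acc, x: acc and x,
    "Or": lambda acc, x: acc or x,
    "And Not": lambda acc, x: acc and not x,
    "Or Not": lambda acc, x: acc or not x,
}


@dataclass
class Rule:
    column: str              # Event Log column ("Field" dropdown)
    comparison: str          # key into COMPARISONS
    value: str
    operator: str = "And"    # joins this rule to what precedes it; unused on the first rule

    def matches(self, event: Dict[str, str]) -> bool:
        return COMPARISONS[self.comparison](event.get(self.column, ""), self.value)


@dataclass
class Group:
    members: list            # Rules (or nested Groups) shown in parentheses
    operator: str = "And"

    def matches(self, event: Dict[str, str]) -> bool:
        return evaluate(self.members, event)


def evaluate(criteria: list, event: Dict[str, str]) -> bool:
    """Assumed semantics: fold the rules left to right; no filters means show everything."""
    if not criteria:
        return True
    result = criteria[0].matches(event)
    for item in criteria[1:]:
        result = JOIN[item.operator](result, item.matches(event))
    return result


def matched_paths(criteria: list, events: List[Dict[str, str]]) -> List[str]:
    return [e["Absolute Path"] for e in events if evaluate(criteria, e)]


# Constructed sample events using column names from the Event Log description.
EVENTS = [
    {"Event": "File modified", "Modified By": "admin", "Absolute Path": "/configs/core-sw1/running-config"},
    {"Event": "File modified", "Modified By": "backup", "Absolute Path": "/configs/edge-fw1/running-config"},
    {"Event": "File added", "Modified By": "admin", "Absolute Path": "/configs/edge-fw1/acl.txt"},
    {"Event": "File deleted", "Modified By": "jdoe", "Absolute Path": "/configs/core-sw1/startup-config"},
]

# modified Or deleted And path-contains-core-sw1, ungrouped:
# evaluates as (modified Or deleted) And core-sw1.
FLAT = [
    Rule("Event", "contains", "modified"),
    Rule("Event", "contains", "deleted", "Or"),
    Rule("Absolute Path", "contains", "core-sw1", "And"),
]

# Same rules with the last two grouped: modified Or (deleted And core-sw1).
GROUPED = [
    Rule("Event", "contains", "modified"),
    Group([Rule("Event", "contains", "deleted"),
           Rule("Absolute Path", "contains", "core-sw1", "And")], "Or"),
]

# And Not: modifications by anyone except the "backup" account.
EXCLUDE = [
    Rule("Event", "contains", "modified"),
    Rule("Modified By", "equals", "backup", "And Not"),
]

if __name__ == "__main__":
    for name, crit in (("flat", FLAT), ("grouped", GROUPED), ("exclude", EXCLUDE)):
        print(name, matched_paths(crit, EVENTS))
```

Under these assumptions the ungrouped filter hides the edge-fw1 modification that the grouped filter shows, so a saved filter should be checked against a known event before it is relied on for review.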

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event log filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Object Group Event Log indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 343: Filtered Event Log data

SORTING THE NETWORK DEVICE AGENT EVENT LOG

The Object Group Event Log can be sorted by any column using the Filters dialog. Accessing the Object Group Event Log is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it, followed by clicking the Event Log tab in the Management Console Information Display Area.

To sort the information displayed in the Object Group Event Log, click the Filters button located in the Event Log tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in sort configuration mode the following dropdowns are available:

Field: Event Log column
Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 344: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section. Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The Object Group Event Log indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 345: Filtered Event Log data

REVIEWING OBJECT GROUP MONITORED CHANGES

The Object Group Change Log provides detailed change event audit information relating to change events occurring in the Object Groups connected to the Network Device Agent. Accessing the Object Group Change Log is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it, followed by clicking the Change Log tab in the Management Console Information Display Area.

The Object Group Change Log displays details of all addition, deletion, and change events that have occurred on the Object Groups connected to the Network Device Agent.

For each recorded event, the Object Group Change Log will display information corresponding to the following:

Event Date/Time: The exact date and time of the detected event.
Storage Status: Information indicating if the change is stored in the Master Repository.
Absolute Path: File path affected by the detected event.
Modified By: The File System User responsible for the detected event (Windows Network Device Agent with Driver only).
Process: The process used to initiate the detected event (Windows Network Device Agent with Driver only).
Process ID: Windows Process ID associated with the initiating process (Windows Network Device Agent with Driver only).
Thread ID: Process Thread ID associated with the initiating process (Windows Network Device Agent with Driver only).

Figure 346: Object Group Change Log

Each Change Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

Emergency: System is unusable. Highest level of event.
Alert: Take action immediately.
Critical: Critical conditions have occurred.
Error: Error conditions.
Warning: Warning conditions.
Notice: Normal condition that requires attention.
Information: Informational message.
Debug: Debug-level message. Lowest level of event.

Generally change events are associated with the Error level. Specifics relating to message types are discussed in a subsequent section.

Data displayed in the Object Group Change Log will not actively refresh as new events occur. Click the Refresh button to update the Event Log.

FILTERING AND SORTING THE OBJECT GROUP CHANGE LOG

The Object Group Change Log can be filtered to only show events matching the specified criteria. Accessing the Object Group Change Log is accomplished by first clicking once on the Object Group in the Object Group Tree to select it, followed by clicking the Change Log tab in the Management Console Information Display Area.

To filter the information displayed in the Object Group Change Log, click the Filters button located in the Change Log tab. The Filters dialog will display. By default there are no filters enabled.

Filters can be instantly cleared by clicking the Clear Filters button on the Network Device Agent Change Log tab.

The Filters dialog is broken into three sections:

Configuration Tabs
Filter Criteria
Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING OBJECT GROUP CHANGE LOG FILTERS

The Object Group Change Log can be filtered to only show events matching the specified criteria. Accessing the Object Group Change Log is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it, followed by clicking the Change Log tab in the Management Console Information Display Area.

To filter the information displayed in the Object Group Change Log, click the Filters button located in the Change Log tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Comparison: Comparison operator
Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 347: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an And operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 348: Operator selection dropdown

Additional operator types include:

And
Or
And Not
Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group members.

Figure 349: Grouped filters

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Change log filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Object Group Change Log indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 350: Filtered Event Log data

SORTING THE NETWORK DEVICE AGENT CHANGE LOG

The Object Group Change Log can be sorted by any column using the Filters dialog. Accessing the Object Group Change Log is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it, followed by clicking the Change Log tab in the Management Console Information Display Area.

To sort the information displayed in the Object Group Change Log, click the Filters button located in the Change Log tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in sort configuration mode the following dropdowns are available:

Field: Event Log column
Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 351: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section. Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The Object Group Change Log indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 352: Filtered Event Log data

ACCESSING THE CHANGE LOG TAB CONTEXT MENU

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

The Change Log Context Menu allows for additional actions to be taken on stored changes including:

View: View the content and attributes associated with the stored change.
View as Binary: View the content associated with the stored change in a hexadecimal format.
View Forensic Data: View the IP Address and Port number associated with the change process (Windows Network Device Agent with Driver only).
Download: Download a copy of the stored intrusion.
Compare with Authoritative Copy (at time of change): Compare the content of the detected change with the known, authoritative copy stored in the Master Repository at the time of the change.
Compare with Authoritative Copy (current): Compare the content of the detected change with the current known, authoritative copy stored in the Master Repository.
Add to Excludes: Disable monitoring of the selected file or configuration.

Details associated with these context menu options are discussed in subsequent sections.

VIEWING CHANGE CONTENT

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting View from the context menu allows authorized CimTrak administrators to review content associated with a detected change. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Figure 353: File View dialog

Viewing of Change data requires that the Object Group Policy be configured to store changes. Additionally, the change must not exceed the specified Keep Change Size (in KB) indicated in Object Group Properties Monitoring Information. See section for more information.

Viewing the content of non-binary files is supported. Binary files cannot be viewed at this time.

If the Private Key feature has been enabled the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 354: Enter Private Key dialog

Click the Close button to exit the File View dialog.

VIEWING CHANGE CONTENT IN BINARY

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting View as Binary from the context menu allows authorized CimTrak administrators to review content associated with a detected change. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Figure 355: File View dialog (Binary)

Viewing of Change data requires that the Object Group Policy be configured to store changes. Additionally, the change must not exceed the specified Keep Change Size (in KB) indicated in Object Group Properties Monitoring Information. See section for more information.

Viewing the content of non-binary files is supported. Binary files cannot be viewed at this time.

If the Private Key feature has been enabled, the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 356: Enter Private Key dialog

Click the Close button to exit the File View dialog.

VIEWING CHANGE FORENSIC DATA

Viewing of Forensic Data is not supported on the Network Device Agent.

DOWNLOADING A COPY OF CHANGE DATA

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting Download from the context menu allows authorized CimTrak administrators to download a copy of the actual change file. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Clicking the Download option in the Change Log tab context menu displays the Save As dialog. Browse the file system for the desired download location and then click the Save button. Click the Cancel button to abort the download process.

Figure 357: Save As dialog

If the Private Key feature has been enabled, the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 358: Enter Private Key dialog

COMPARING CHANGE DATA WITH THE AUTHORITATIVE COPY AT THE TIME OF THE CHANGE

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting Compare with Authoritative Copy (at time of change) allows authorized CimTrak administrators to perform a side-by-side comparison of the changed file with its authoritative copy stored in the Master Repository. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Figure 359: File Comparison Results

If the Private Key feature has been enabled, the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 360: Enter Private Key dialog

Click the Close button to exit the File Comparison Results dialog.

UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG

The File Comparison Results dialog displays anytime a comparison is performed between a detected change and the authoritative copy associated with watch properties. See section for more information on performing file comparisons.

The File Comparison dialog is comprised of three primary sections.

Toolbar
Information Display Area
Tab Browser

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR

The File Comparison Results dialog Toolbar allows authorized CimTrak users to perform various actions on file generation comparison data. The File Comparison Results dialog is accessible by performing a file comparison between a change and the authoritative copy associated with the watch properties. See section for more information on performing file comparisons.

Figure 361: File Comparison Results dialog Toolbar

The functionality associated with each Toolbar option is as follows.

Save: Save a local copy of the file comparison. File comparisons are saved in HTML and can be opened in a web browser.
Print: Print a copy of the file comparison.
Print Preview: Display a visual representation of exactly what a printed copy of the file comparison would look like.
Exit: Quit the File Comparison Results dialog and return to the CimTrak Management Console.

Files saved on the local system may be accessible by other users of the system.

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER

The File Comparison Results dialog Tab Browser and Information Display Area allow authorized CimTrak users to visualize generation comparison data. The File Comparison Results dialog is accessible by accessing the context menu and selecting Compare with Authoritative Copy (at time of Change) in the Object Group Change Tab. See section for more information on performing file comparisons.

The File Comparison Results dialog Information Display Area shows a side-by-side comparison of one generation revision of a detected change to the Master Repository Authoritative Copy. Lines that have been modified are highlighted in

blue, lines that have been added are highlighted in green, and lines that have been deleted are highlighted in red.

By default, the Complete tab is selected in the File Comparison Results Tab Browser. The Complete tab shows all lines of a selected comparison. Selecting the Changes tab displays only the lines that have differences between the compared generations.

Figure 362: File Comparison Results dialog Changes tab

Click the Close button to exit the File Comparison Results dialog.

COMPARING CHANGE DATA WITH THE CURRENT AUTHORITATIVE COPY

Right-clicking on any event listed in the Change Log tab provides a context menu allowing for change related actions. Selecting Compare with Authoritative Copy (Current) allows authorized CimTrak administrators to perform a side-by-side comparison of the changed file with its authoritative copy stored in the Master Repository. The Change Log tab is accessed by selecting the Object Group in the Management Console's Object Group Tree and then selecting the Change Log tab in the Information Display Area.

Figure 363: File Comparison Results

If the Private Key feature has been enabled, the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 364: Enter Private Key dialog

Click the Close button to exit the File Comparison Results dialog.

UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG

The File Comparison Results dialog displays anytime a comparison is performed between a detected change and the authoritative copy associated with watch properties. See section for more information on performing file comparisons.

The File Comparison dialog is comprised of three primary sections.

Toolbar
Information Display Area
Tab Browser

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR

The File Comparison Results dialog Toolbar allows authorized CimTrak users to perform various actions on file generation comparison data. The File Comparison Results dialog is accessible by performing a file comparison between a change and the authoritative copy associated with the watch properties. See section for more information on performing file comparisons.

Figure 365: File Comparison Results dialog Toolbar

The functionality associated with each Toolbar option is as follows.

Save: Save a local copy of the file comparison. File comparisons are saved in HTML and can be opened in a web browser.
Print: Print a copy of the file comparison.
Print Preview: Display a visual representation of exactly what a printed copy of the file comparison would look like.
Exit: Quit the File Comparison Results dialog and return to the CimTrak Management Console.

Files saved on the local system may be accessible by other users of the system.

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER

The File Comparison Results dialog Tab Browser and Information Display Area allow authorized CimTrak users to visualize generation comparison data. The File Comparison Results dialog is accessible by accessing the context menu and selecting Compare with Authoritative Copy (Current) in the Object Group Change Tab. See section for more information on performing file comparisons.

The File Comparison Results dialog Information Display Area shows a side-by-side comparison of one generation revision of a detected change to the Master Repository Authoritative Copy. Lines that have been modified are highlighted in

blue, lines that have been added are highlighted in green, and lines that have been deleted are highlighted in red.

By default, the Complete tab is selected in the File Comparison Results Tab Browser. The Complete tab shows all lines of a selected comparison. Selecting the Changes tab displays only the lines that have differences between the compared generations.

Figure 366: File Comparison Results dialog Changes tab

Click the Close button to exit the File Comparison Results dialog.

REVIEWING OBJECT GROUP MONITORING INFORMATION

The Object Group Monitor Info tab provides Object Group monitoring and status information relating to Object Groups connected to the Network Device Agent. Accessing the Object Group Monitor Info is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Monitor Info tab in the Management Console Information Display Area.

The Object Group Monitor Info tab is comprised of two sections:

Path
Status Windows/Details

Figure 367: Object Group Monitor Info tab

The Path section displays watch path and exclude information pertaining to the selected Object Group. Right-clicking on any exclude provides a context menu with the following options:

Convert to Regular Exclude: Change an auto-excluded file to a regular exclusion.
Remove Excludes: Delete an exclusion from the selected Object Group.

Figure 368: Monitor Info Stats dialog

See section for more information on excluding files, folders, and configuration data from the Object Group Watch Policy.

The Status Window/Details section is comprised of two tabs:

Status Window: Displays current lock status information associated with the Object Group Watch Policy (i.e. Lock, Locking, Unlocked).
Details: Displays details associated with the Object Group Watch Policy Configuration including:

Detection Mode: The change detection mode enabled (Real-time or polling).
File Comparison Method: The hash type performed on monitored data.
Type: Object Group policy type (generally Watch).
Store Files: Store authoritative copy data in the Master Repository (True, False).
Store Changes: Store change data in the Master Repository (True, False).
Ignore Archive Flag: Monitor the archive flag associated with file system watch data (True, False).
Ignore Read-only Flag: Monitor the read-only flag associated with the file system watch data (True, False).
User Approval on Sync: Require user intervention for changes detected while the Network Device Agent was disconnected from the Master Repository (True, False).
Corrective Action (On Add, On Change, On Delete): The Corrective Action mode specified in the Object Group Watch Policy (Restore, Update Baseline, Log, Prompt, Ignore).
Run (On Add, On Change, On Delete): Custom script that is run when an add, change, or delete action has occurred on monitored watch data (Path/File Name).
Wait (On Add, On Change, On Delete): Use remediation timeout period enforced on custom scripts that are run when an add, change, or delete action has occurred on the monitored watch data (True, False).
Timeout (On Add, On Change, On Delete): Remediation timeout period enforced on custom scripts that are run when an add, change, or delete action has occurred on the monitored watch data.
Parameters (On Add, On Change, On Delete): Pass file and action parameters to the attached script run on add, change, or delete actions.

Figure 369: Monitor Info Status Window tab

Figure 370: Monitor Info Details tab

REVIEWING OBJECT GROUP DATA PENDING REPAIR

The Pending Repair tab displays queue information associated with the remediation of folder, file and configuration data. The Pending Repair tab will append the number of pending repairs to the tab title. As changes are repaired they are automatically removed from the Pending Repair tab. Accessing the Object Group Pending Repair tab is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Pending Repair tab in the Management Console Information Display Area.

The Pending Repair tab also displays changes requiring CimTrak Administrator intervention. Intervention is required if the Prompt for Approval corrective action is enabled or the User Approval on Sync has been enabled and there was a

communication failure between the Network Device Agent and the Master Repository.

Figure 371: Pending Repair tab showing 3 pending repairs

For each recorded event, the Object Group Pending Repair tab will display information corresponding to the following:

Event Date/Time: The exact date and time of the detected event.
Absolute Path: File path affected by the detected event.
Modified By: The File System User responsible for the detected event.

Generally, the items contained in the Pending Repair tab will automatically cycle out as the folders, files, and configurations are remediated on the monitored system. The Pending Repair tab will automatically refresh based on the Pending Repair Refresh Interval specified in the Master Repository Preferences dialog. See section for additional information.

If Pending Repairs exist because of the Prompt for Approval Corrective Action or a triggered User Approval on Sync, the Changes Pending Approval dialog must be referenced. See a subsequent section for additional information on the Changes Pending Approval dialog.

Each Pending Repair message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

Emergency: System is unusable. Highest level of event.
Alert: Take action immediately.
Critical: Critical conditions have occurred.
Error: Error conditions.
Warning: Warning conditions.
Notice: Normal condition that requires attention.
Information: Informational message.
Debug: Debug-level message. Lowest level of event.

Specifics relating to message types are discussed in a subsequent section.

FILTERING AND SORTING THE PENDING REPAIR TAB

The Pending Repair Tab can be filtered to only show events matching the specified criteria. Accessing the Object Group Event Log is accomplished by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Pending Repair tab in the Management Console Information Display Area.

To filter the information displayed in the Pending Repair tab, click the Filters button located in the Pending Repair tab. The Filters dialog will display. By default there are no filters enabled. Filters can be instantly cleared by clicking the Clear Filters button on the Pending Repair tab.

The Filters dialog is broken into three sections:

Configuration Tabs
Filter Criteria
Sort Order

The Configuration Tabs section allows for the configuration of Filters and Sorting. Information added in either the Filter Criteria or Sort Order Configuration Tabs displays in the corresponding Filter Criteria or Sort Order sections.

CREATING PENDING REPAIR FILTERS

The Pending Repair Tab can be filtered to only show events matching the specified criteria. Accessing the Pending Repair tab is accomplished by first clicking once on the Network Device Agent in the Object Group Tree to select it followed by clicking the Pending Repair tab in the Management Console Information Display Area.

To filter the information displayed in the Pending Repair tab, click the Filters button located in the Pending Repair tab. The Filters dialog will display. By default there are no filters enabled.

Click the Filter Criteria tab to change the Filters dialog input to filter configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Comparison: Comparison operator
Value: Dynamic message relating to the selected Field.

Select the intended filter data and then click Add to create the filter. The newly created filter will display in the Filter Criteria section.

Figure 372: Filters dialog showing filter data

As each additional filter is added the corresponding filter data will display in the Filter Criteria section. Each additional filter will automatically have an "and" operator appended to the rule. To change the operator, click the operator intended for change to display the operator dropdown. Select the appropriate operator.

Figure 373: Operator selection dropdown

Additional operator types include:

And
Or
And Not
Or Not

Filter rules can be organized in the Filter Criteria by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Filter rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all filters.

Grouping of filter rules is accomplished by clicking once on the first rule in the Filter Criteria. Press the down arrow until the first rule in the group is reached. Hold the shift key while pressing the down arrow to select additional rules for the group. Once all intended group items are selected click the Group button to create the group. The items in the group will be surrounded by parentheses to indicate their group members.

Figure 374: Grouped filters

Grouped filters can be ungrouped by clicking any member of the group to select the group and then clicking the Ungroup button.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Pending Repair filters can be saved by clicking the Save button located on the Filters dialog. Previously created and saved filters can be loaded by clicking the Load button.

Click the OK button to enable the filter. Click Cancel to abort all changes.

The Pending Repair Tab indicates a filter has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 375: Filtered Pending Repair data

SORTING THE PENDING REPAIR TAB

The Pending Repair Tab can be sorted by any column using the Filters dialog. Accessing the Pending Repair Tab is accomplished by first clicking once on the Object Group name in the Object Group Tree to select it followed by clicking the Pending Repair tab in the Management Console Information Display Area.

To sort the information displayed in the Pending Repair tab, click the Filters button located in the Pending Repair tab. The Filters dialog will display. By default there is no sorting enabled.

Click the Sort Order tab to change the Filters dialog input to sort configuration mode. When in filter configuration mode the following dropdowns are available:

Field: Event Log column
Order: Sort order

Select the intended sort data and then click Add to create the sort. The newly created sort will display in the Sort Order section.

Figure 376: Filters dialog showing sort data

As each additional sort is added the corresponding sort data will display in the Sort Order section.

Sort rules can be organized in the Sort Order by clicking a rule to select it and then moving it using either the Move Up or Move Down buttons. Sort rules can be deleted by clicking a rule to select it and then clicking the Remove button. Clicking the Remove All button will remove all sorts.

Check the Recursive checkbox if the event log should display information from child objects. Unchecking this checkbox will only show events for the Parent Object.

Event sorts can be saved by clicking the Save button located on the Filters dialog. Previously created and saved sorts can be loaded by clicking the Load button.

Click the OK button to enable the sorting. Click Cancel to abort all changes.

The Pending Repair tab indicates a sort has been enabled by displaying Data Filtered at the bottom of the Information Display Area.

Figure 377: Filtered Pending Repair data

CHANGES PENDING APPROVAL

The Changes Pending Approval dialog contains a list of modified folders, files, and configurations requiring CimTrak Administrator intervention. Accessing the Changes Pending Approval dialog is accomplished by clicking View Changes Pending Approval in the CimTrak Management Console's Toolbar.

Figure 378: Changes Pending Approval dialog

Folders, files, and configurations can be sorted by File, Event, Correction, and Path by clicking the associated column name. Available columns include:

File: Name of the folder, file, or configuration that requires change approval.
Event: Type of event that occurred on the monitored object (Added, Deleted, Changed).
Correction: Corrective action to perform on the detected change (Undo Changes, Accept Changes).
Path: Complete path to the file or configuration that has been changed.

To approve or deny a detected change, click once on the folder, file, or configuration in the Changes Pending Approval dialog to select the change item. Once selected, select the Corrective action to take by clicking the correction dropdown. Select Undo Changes to roll back the detected change. Select Accept Changes to allow the change and update the monitored baseline.

When finished, click Apply to apply the selected corrective actions. Click Exit to exit the Changes Pending Approval dialog. The selected corrective actions will be enforced and the selected change items will be removed from the Object Group's Pending Repair tab.

OBJECT GROUP GENERATIONS

The Object Group Generation Tab provides revision information for changes occurring to files, folders, and operating system configurations contained in a Network Device Agent Object Group. Accessing the Object Group Generations Tab is accomplished by first clicking once on the Object Group in the Object Group Tree

to select it followed by clicking the Generation tab in the Management Console Information Display Area.

The Generation Tab is broken into two sections:

Revisions Table
Revision Details

Figure 379: Object Group Generation Tab

The Revisions Table displays overview information relating to each generation revision. Selecting a specific generation revision in the Revision Table will populate the corresponding information in the Revision Details section. Information in the Revisions Table includes:

Revision: Primary revision number indicating the number of the generation.
Sub-revision: Secondary revision number indicating the number of events that have occurred since the primary generation was created.
Date/Time: Date and time associated with the creation of the revision or sub-revision.
Changed by: The CimTrak User account responsible for the creation of the revision or sub-revision.
# of Dirs: Quantity of directories contained in the revision or sub-revision.
# of Files: Quantity of files contained in the revision or sub-revision.
Total Size (bytes): The total amount of disk space utilized by the contents of the revision or sub-revision.

The Revision Details section displays detailed information relating to a revision or sub-revision. The Revision Details section has three tabs:

Revision Information: Details of the revision or sub-revision such as the date of the revision, revising user account, number of revisions, number of sub-revisions, number of files, number of directories, and notes.
Details: Complete list of all files and folders contained in a generation. Files and folders indicate their generation status such as Added, Deleted, and Modified.
Change from Previous: Partial file list showing what files were Added, Deleted or Modified in the selected generation.

DOWNLOADING GENERATION DATA

Each file stored in an Object Group generation has the capability to be downloaded and copied to a local system. An Object Group generation can be accessed by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

Copies of generation data can be downloaded by right-clicking on the Revisions Table generation and selecting Download from the context menu. Additionally, copies of generation data can also be downloaded from the Revision Details Details tab or Change from Previous tab by right-clicking on the file or folder to download and then clicking Download.

If the Private Key feature has been enabled, the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 380: Enter Private Key dialog

VIEWING AND COMPARING CONTENT OF OBJECT GROUP GENERATIONS

Folders, files, and configurations monitored within an Object Group generation have the capability to be viewed and compared with other generations. An Object Group generation can be accessed by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

To view the non-binary file contents associated with a file, select either the Details or Change from Previous tab in the Object Group Generation Revision Details section. Right-click on the file and then select View. The File View dialog will display.

Figure 381: File View dialog (non-binary)

To view the binary file contents associated with a file, right-click on the file and then select View as Binary.

Figure 382: File View dialog (binary)

Click Close to exit the File View dialog.

If the Private Key feature has been enabled, the viewing user will be prompted to enter a valid private key. See section for more information.

Figure 383: Enter Private Key dialog

The Object Group Generations tab has the capability to compare previous generations with the current state of the file stored within the Master Repository to the local system. To compare a generation, click the Object Group node in the Management Console Object Group Tree. Select the Generations tab.

To compare the file, from either the Details or Change from Previous tab, right-click on the file and then select either Compare with Other Generation or Compare with Authoritative Copy (current).

If Compare with Other Generation is selected, the Select File to Compare Against dialog will display. Select the generation to compare with by clicking once on the revision. Click OK to perform the comparison or click Cancel to abort the comparison process. The File Comparison Results dialog will display.

Figure 384: File to Compare Against dialog

If Compare with Authoritative Copy (current) is selected, the File Comparison Results dialog will display, comparing the current file content with the most current baseline.

If the Private Key feature has been enabled, the downloading user will be prompted to enter a valid private key. See section for more information.

Figure 385: Enter Private Key dialog

Figure 386: File Comparison Results dialog

Click the Close button to exit the File Comparison Results dialog. The File Comparison Results dialog is explained in detail in section

UNDERSTANDING THE OBJECT GROUP CHANGE TAB FILE COMPARISON RESULTS DIALOG

The File Comparison Results dialog displays anytime a comparison is performed between a detected change and the authoritative copy associated with watch properties. See section for more information on performing file comparisons.

The File Comparison dialog is comprised of three primary sections.

Toolbar
Information Display Area
Tab Browser

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG TOOLBAR

The File Comparison Results dialog Toolbar allows authorized CimTrak users to perform various actions on file generation comparison data. The File Comparison Results dialog is accessible by performing a file comparison between a change and the authoritative copy associated with the watch properties. See section for more information on performing file comparisons.

Figure 387: File Comparison Results dialog Toolbar

The functionality associated with each Toolbar option is as follows.

Save: Save a local copy of the file comparison. File comparisons are saved in HTML and can be opened in a web browser.
Print: Print a copy of the file comparison.
Print Preview: Display a visual representation of exactly what a printed copy of the file comparison would look like.
Exit: Quit the File Comparison Results dialog and return to the CimTrak Management Console.

Files saved on the local system may be accessible by other users of the system.

UNDERSTANDING THE FILE COMPARISON RESULTS DIALOG INFORMATION DISPLAY AREA AND TAB BROWSER

The File Comparison Results dialog Tab Browser and Information Display Area allow authorized CimTrak users to visualize generation comparison data. The File Comparison Results dialog is accessible by accessing the context menu and selecting Compare with Authoritative Copy (Current) in the Object Group Change Tab. See section for more information on performing file comparisons.

The File Comparison Results dialog Information Display Area shows a side-by-side comparison of one generation revision of a detected change to the Master Repository Authoritative Copy. Lines that have been modified are highlighted in blue, lines that have been added are highlighted in green, and lines that have been deleted are highlighted in red.
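The line classification described above can be reproduced outside the console when a downloaded change needs to be reviewed against an exported authoritative copy. The following Python example is added here and is not CimTrak code: it uses the standard difflib module to label each row of a side-by-side comparison as modified, added, or deleted, and offers a complete view and a changes-only view. The function names and the two sample device configurations are assumptions constructed for illustration.

```python
import difflib

# Constructed sample data (not from the product): an authoritative device
# configuration and the copy captured when a change was detected.
AUTHORITATIVE = [
    "hostname edge-rtr-01",
    "logging host 192.0.2.10",
    "access-list 10 permit 192.0.2.0 0.0.0.255",
    "access-list 10 deny any",
    "snmp-server community placeholder-ro RO",
]
CHANGED = [
    "hostname edge-rtr-01",
    "access-list 10 permit 192.0.2.0 0.0.0.255",
    "access-list 10 permit any",
    "snmp-server community placeholder-ro RO",
    "username tempadmin privilege 15",
]


def compare(authoritative, changed):
    """Return side-by-side rows as (status, authoritative_line, changed_line).

    status is one of: unchanged, modified, added, deleted.
    A side that has no line for a row is None.
    """
    rows = []
    matcher = difflib.SequenceMatcher(a=authoritative, b=changed, autojunk=False)
    for tag, a1, a2, b1, b2 in matcher.get_opcodes():
        left, right = authoritative[a1:a2], changed[b1:b2]
        if tag == "equal":
            rows += [("unchanged", l, r) for l, r in zip(left, right)]
        elif tag == "delete":
            rows += [("deleted", l, None) for l in left]
        elif tag == "insert":
            rows += [("added", None, r) for r in right]
        else:
            # "replace": pair lines up as modified; any surplus on one side
            # is reported as deleted (left) or added (right).
            paired = min(len(left), len(right))
            rows += [("modified", left[i], right[i]) for i in range(paired)]
            rows += [("deleted", l, None) for l in left[paired:]]
            rows += [("added", None, r) for r in right[paired:]]
    return rows


def changes_only(rows):
    """Changes-only view: drop rows where both sides are identical."""
    return [row for row in rows if row[0] != "unchanged"]


def summarize(rows):
    """Count rows per change type, useful for triage before reading the diff."""
    counts = {"modified": 0, "added": 0, "deleted": 0}
    for status, _, _ in rows:
        if status in counts:
            counts[status] += 1
    return counts


def render(rows, width=44):
    """Plain-text side-by-side rendering with a status column."""
    lines = []
    for status, left, right in rows:
        lines.append(f"{status:<10}| {(left or ''):<{width}}| {right or ''}")
    return "\n".join(lines)


if __name__ == "__main__":
    all_rows = compare(AUTHORITATIVE, CHANGED)
    print("Complete view")
    print(render(all_rows))
    print("\nChanges view")
    print(render(changes_only(all_rows)))
    print("\nSummary:", summarize(all_rows))
```

In the constructed sample, the changes-only view surfaces the three lines a reviewer would care about: the removed logging destination, the access list entry that changed from deny to permit, and the newly added privileged account.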

By default, the Complete tab is selected in the File Comparison Results Tab Browser. The Complete tab shows all lines of a selected comparison. Selecting the Changes tab displays only the lines that have differences between the compared generations.

Figure 388: File Comparison Results dialog Changes tab

Click the Close button to exit the File Comparison Results dialog.

DEPLOYING/ROLLING BACK OBJECT GROUP GENERATIONS

Depending on the remediation capabilities of the monitoring Object Group, the Generations tab may have the capability to deploy previous generations back to the File System. An Object Group generation can be accessed by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Generation tab in the Management Console Information Display Area.

To deploy (roll back) a generation, select the generation in the Generation Tab Revisions Table, right-click, and then select Deploy. The Confirm Deploy dialog will display, warning that deploying will overwrite everything in the Document Control with the content of this generation. Click Yes to proceed or No to cancel.

Figure 389: Confirm Deploy dialog

Upon clicking Yes on the Confirm Deploy dialog the Notes dialog will appear. Enter any administrative notes relating to this deployment and then click OK. Click Cancel to abort the deployment.

Figure 390: Notes dialog

A new generation revision will be created with the rolled-back content. This newly created generation is the current generation.

OBJECT GROUP NOTES

The Object Group Notes Tab allows CimTrak users to enter administrative notes. Accessing the Object Group Notes Tab is accomplished by first clicking once on the Object Group in the Object Group Tree to select it followed by clicking the Notes tab in the Management Console Information Display Area.

The Notes Tab is broken into two sections:

Toolbar
Form

The Toolbar allows authorized CimTrak users to perform various management functions relating to administrative notes.

Figure 391: CimTrak Notes Toolbar

The functionality associated with each Toolbar option is as follows. Please note that the functionality associated with each Toolbar option is dependent on the quantity of notes and the selected note.

New: Create a new Object Group Note.
Duplicate: Copy the current note and open the copy for editing.
Save: Save the note.
Cancel: Cancel the note.
First: Proceed to the first, oldest note.
Previous: Go back one note.
Next: Go forward one note.
Last: Proceed to the last, newest note.

The Form section allows the CimTrak User to enter the note data. Notes may be between 1 and 4000 characters. Once the note has been entered, it is necessary to save the note by clicking the Save button in the Notes Toolbar. Aborting the creation of a note is possible by clicking the Cancel button. Navigating previously saved notes is possible using the First, Previous, Next, and Last buttons.

Figure 392: Object Group Notes dialog

To create a note, click the New button in the Notes Toolbar. Enter the note content in the Notes form box. When completed, click the Save button.

Viewing of a particular note can be made private to the creating user by selecting the Private checkbox in the Notes dialog. Once a note has been created it cannot be made private.

Once a note has been created and saved it cannot be deleted.

OBJECT GROUP PERMISSIONS

Object Groups can be configured to restrict access based on permission settings. Additionally, event notifications can be configured to notify CimTrak Users about events relating to the Object Group.

Accessing Object Group permissions is accomplished by first clicking once on the File Object Group in the Object Group Tree to select it and then right-clicking and selecting Permissions, or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

By default each Object Group will have the following permissions:

Administrators
Create Objects: Create Network Device Agent Object Groups.
Edit: Edit Network Device Agent settings.

Lock: Enable active monitoring of Object Group Data.
Reports: View reports relating to the Object Group contents.
Unlock: Disable active monitoring of Object Group Data.
View: View contents and configurations relating to the Object Group.

Auditors
Reports: View reports relating to Object Group contents.
View: View contents and configurations relating to the Object Group.

Installers
Attach CimTrak Agents to a Master Repository. (Not applicable for Object Groups).

Figure 393: Object Group Security Permissions dialog

Default access permissions associated with the Administrators, Auditors, and Installers User Groups cannot be changed.

It is possible to modify alert notices for Administrator and Auditor user groups. Available alert types include:

Emergency
Alert
Critical
Error
Warning
Notice
Information

Additional information relating to these alert types is described in a subsequent section.

MODIFYING AN EXISTING USER/GROUP OBJECT GROUP PERMISSIONS

It is possible to modify existing user and group Object Group Permissions and E-mail notification settings. Accessing Object Group permissions is accomplished by first clicking once on the Object Group in the Object Group Tree to select it and then right-clicking and selecting Permissions, or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

Select the existing user or group by clicking once on the CimTrak User or Group name in the Group or User Names section of the Security Permissions dialog. The Permissions section of the Security Permissions dialog will update to show the permissions currently assigned to the selected user or group.

Selecting a group will apply the selected permissions and E-mail notification settings to all members of the group. Selecting a single user will apply the selected permissions and notification settings to only that single user account.

To add or remove permissions, click the Allow or Deny checkbox corresponding to the permission being configured. Available permissions include:

Create Objects: Create Network Device Agent Object Groups.
Edit: Edit Object Group control contents.
Lock: Enable active monitoring of Object Group Data.
Reports: View reports relating to Object Group contents.
Unlock: Disable active monitoring of Object Group Data.
View: View contents and configurations relating to the Object Group.
Emergency: Receive alerts relating to emergency level notifications.
Alert: Receive alerts relating to alert level notifications.
Critical: Receive alerts relating to critical level notifications.
Error: Receive alerts relating to error level notifications.
Warning: Receive alerts relating to warning level notifications.
Notice: Receive alerts relating to notice level notifications.

Information: Receive alerts relating to information level notifications.

To apply the permission settings to all children objects, ensure that the Apply permissions to children recursively checkbox is selected. When completed, click OK to apply the permission and alert settings. Click Cancel to abort the security permission configuration.

Permissions and notification settings can be inherited from parent objects (such as the Network Device Agent) if the permissions are created at a parent level.

Permissions and notification settings are not automatically inherited for new objects. It will be necessary to manually assign the permissions and notification settings to the object.

ADDING AND REMOVING USERS AND GROUPS TO OBJECT GROUP PERMISSIONS

It is possible to add additional users and groups to the Security Permissions dialog so that Object Group Permissions and notification settings can be assigned or changed. Accessing Object Group permissions is accomplished by first clicking once on the Object Group in the Object Group Tree to select it and then right-clicking and selecting Permissions, or selecting the Permissions button on the Management Console Toolbar. The Security Permissions dialog will display.

To add a new local CimTrak User or Group, click the Add button. The Add Users dialog will display, listing all available local users and groups.

Figure 394: Add Users dialog

Select the local CimTrak User or Group to add by selecting the checkbox to the left of the name. Click OK to add the User or Group. Click Cancel to abort the addition process.

The selected user or group will now display in the Group or User Names section of the Security Permissions dialog. The User or Group is now available to have permissions and notification settings assigned. See section for more information.

To add a new Active Directory/LDAP user, click the Add LDAP button. The Search AD/LDAP Server dialog will display.

Select the domain to add the user(s)/group(s) from by clicking the Domain drop-down. If the user(s) intended for addition belong to a specific domain group, enter the appropriate domain group information in the Member of Group (optional) textbox.

Select the Search Groups checkbox to indicate that only domain groups should be searched. Select the Search Users checkbox to indicate that only domain users should be searched. Select both the Search Groups and Search Users checkboxes to indicate that both domain groups and domain users should be searched.

The Search String(s) textbox provides a space for entering the users or groups to search for. It is possible to search for multiple objects by separating each name/group with a semicolon. The following are syntax examples:

Display Name: John Smith
User Name: smith.john
Group Name: Domain Admins

Hovering over the blue example text will display syntax examples.

Once the search criteria have been entered, click Search. Clicking Cancel will abort the AD/LDAP user search.

Figure 395: Example AD/LDAP Server search information

Available AD/LDAP user accounts/groups that match the search syntax provided will display. Click the checkbox located to the left of the user account/group intended for addition and then click OK to add the user/group. Clicking Cancel will abort the addition process.

Figure 396: Add Users dialog

Once the selected AD/LDAP user/group account has been added, it will appear in the Group or User Names section of the Security Permissions dialog. The AD/LDAP User or Group is now available to have permissions and notification settings assigned. See section for more information.

7. Configuring and Using the CimTrak Command Line Utility

7.1 ACCESSING THE CIMTRAK COMMAND LINE UTILITY

The CimTrak Command Line Utility is a text-based version of the Management Console used in the Windows, Linux, and UNIX command line environments. The Command Line Utility is included within the CimTrak Tools package and is also accessible by launching the Management Console from the command line.

The Command Line utility is invoked by launching the CimTrakCLU.exe or CimTrakClient.exe executable from the command line. The default installation locations include:

Microsoft Windows (Command Line Tools Installed): C:\Program Files\Cimcor\CimTrak\CimTrakTools\CimTrakCommandLineUtility\CimTrakCLU.exe
Microsoft Windows (Management Console): C:\Program Files\Cimcor\CimTrak\CimTrakManagementConsole\CimTrakClient.exe
Linux/UNIX: /opt/cimcor/cimtrak/cimtraktools/cimtrakcommandlineutility/cimtrakclu/cimtrakclu.exe

To view available Command Line utility commands include a -?. For instance:

CimTrakClient.exe -?
CimTrakCLU.exe -?

The functionality associated with the Command Line Utility is explained in a subsequent section.

7.2 DISPLAYING THE CIMTRAK COMMAND LINE UTILITY PARAMETERS AND SYNTAX

The CimTrak Command Line Utility is a text-based version of the Management Console used in the Windows, Linux, and UNIX command line environments. The Command Line Utility is included within the CimTrak Tools package and is also accessible by launching the Management Console from the command line. See section 7.1 for information on accessing the Command Line Utility.

To view available Command Line utility commands include a -?. For instance:

CimTrakClient.exe -?
CimTrakCLU.exe -?

Figure 397: CimTrak Command Line Utility Commands and Syntax

The Command Line Utility can perform the following actions:

?: Display all parameter values and syntax associated with the Command Line Utility.
Lock: Perform a lock on the specified Object Group.
Unlock: Perform an unlock on the specified Object Group.
Status: View the status (locked, unlocked, locking) associated with the specified Object Group.
List: List Object Groups on the specified CimTrak Master Repository.
BackUpStart: Inform the CimTrak Master Repository Database that a backup is pending.
BackUpStop: Inform the CimTrak Master Repository Database that the backup process has completed.
VacuumDB: Optimize and defragment the CimTrak Master Repository Database.
Sync: Synchronize the specified Object Group.
Report: Run the specified CimTrak report.

The syntax required for invoking the Command Line Utility is as follows:

cimtrakclu -<action> -object=<objectname> -server={<nnn.nnn.nnn.nnn> <fully qualified server name>} [-port=nnnn] -user=<xxx> [-password=<yyy>]

For example, displaying a list of all Object Groups is performed by invoking the following Command Line parameters:

cimtrakclu.exe -List -server= port=3749 -user=admin -password=password

When the Master Repository is configured to use the default port (3749), the port parameter and parameter value are not needed. If the port number is not the default, the port must be specified in the parameters.

On Linux/UNIX systems, Object Group names with spaces must be enclosed in quotations (i.e. "Windows Directory"). Special characters (i.e. and >) must be escaped with a backslash (\) so that the shell can properly interpret the command.

Including the password parameter and parameter value in the Command Line syntax could expose password credentials. If password credentials are not included in the syntax, the Command Line Utility will prompt for the associated password.

When Logon Banners are enabled, the logon banner will display for any command executed using the Command Line Utility.

Specific parameter details and examples are explained in subsequent sections of this documentation.

All invoked Command Line commands are logged in the corresponding component CimTrak Event Log.

7.3 LOCKING AND UNLOCKING OBJECT GROUPS FROM THE COMMAND LINE

The CimTrak Command Line Utility is a text-based version of the Management Console used in the Windows, Linux, and UNIX command line environments. The Command Line Utility is included within the CimTrak Tools package and is also accessible by launching the Management Console from the command line. See section 7.1 for information on accessing the Command Line Utility.

The Command Line utility has the capability to lock (enable) and unlock (disable) Object Group monitoring from the command line. Using the command line Lock and Unlock options is useful in automating monitoring processes of an Object Group.

The Lock and Unlock functionality of the Command Line Utility is invoked using the -Lock and -Unlock action values.

The syntax required for invoking the Command Line Utility Lock action:

CimTrakClu.exe -Lock -Object=[Object Group Name] -server=[Server IP or FQDN] -port=[port number] -user=[Admin Username] -password=[Admin Password]

For example, locking a specified Object Group is performed by invoking the following Command Line parameters:

cimtrakclu.exe -Lock -Object="TSS-9910->CimTrak Agents->Windows-FSA->Windows ETC" -server= port=3749 -user=admin -password=password

Figure 398: Locking an Object Group from the Command Line

A successful Lock process is indicated by the returned Request to Lock Succeeded!.

The syntax required for invoking the Command Line Utility Unlock action:

CimTrakClu.exe -Unlock -Object=[Object Group Name] -server=[Server IP or FQDN] -port=[port number] -user=[Admin Username] -password=[Admin Password]

For example, unlocking a specified Object Group is performed by invoking the following Command Line parameters:

cimtrakclu.exe -Unlock -Object="TSS-9910->CimTrak Agents->Windows-FSA->Windows ETC" -server= port=3749 -user=admin -password=password

Figure 399: Unlocking an Object Group from the Command Line

A successful Unlock process is indicated by the returned Request to Unlock Succeeded!.

7.4 DISPLAYING THE STATUS OF OBJECT GROUPS FROM THE COMMAND LINE

The CimTrak Command Line Utility is a text-based version of the Management Console used in the Windows, Linux, and UNIX command line environments. The Command Line Utility is included within the CimTrak Tools package and is also accessible by launching the Management Console from the command line. See section 7.1 for information on accessing the Command Line Utility.

The Command Line utility has the capability to display the status (Locked, Locking, Unlocked) of the specified Object Group. Using the command line Status option is useful in automating monitoring processes of an Object Group.

The Status functionality of the Command Line Utility is invoked using the -Status action value.

The syntax required for invoking the Command Line Utility Status action:

CimTrakClu.exe -Status -Object=[Object Group Name] -server=[Server IP or FQDN] -port=[port number] -user=[Admin Username] -password=[Admin Password]

For example, showing the status of a specified Object Group is performed by invoking the following Command Line parameters:

CimtrakClu.exe -Status -Object="TSS-9910->CimTrak Agents->Windows-FSA->Windows ETC" -server= port=3749 -user=admin -password=password

Figure 400: Showing the Status of an Object Group from the Command Line

The Status output will display the Object Group status. The expected output includes:

Object is Unlocked
Object is Locking
Object is Locked

7.5 DISPLAYING A LIST OF ALL OBJECT GROUPS FROM THE COMMAND LINE

The CimTrak Command Line Utility is a text-based version of the Management Console used in the Windows, Linux, and UNIX command line environments. The Command Line Utility is included within the CimTrak Tools package and is also accessible by launching the Management Console from the command line. See section 7.1 for information on accessing the Command Line Utility.

The Command Line utility has the capability to display a list of all Object Groups on a specified Master Repository. Using the command line List option is useful in automating monitoring processes of an Object Group.

The List functionality of the Command Line Utility is invoked using the -List action value.

The syntax required for invoking the Command Line Utility List action:

CimTrakClu.exe -List -server=[Server IP or FQDN] -port=[port number] -user=[Admin Username] -password=[Admin Password]

For example, showing the List of Object Groups is performed by invoking the following Command Line parameters:

CimtrakClu.exe -List -server= port=3749 -user=admin -password=password

Figure 401: Showing the List of Object Groups from the Command Line

7.6 ENTERING AND EXITING DATABASE BACKUP MODE FROM THE COMMAND LINE

The CimTrak Command Line Utility is a text-based version of the Management Console used in the Windows, Linux, and UNIX command line environments. The Command Line Utility is included within the CimTrak Tools package and is also accessible by launching the Management Console from the command line. See section 7.1 for information on accessing the Command Line Utility.

The Command Line utility has the capability to notify the Master Repository of a database backup. Using the command line BackupStart and BackupStop options is useful in automating the backup process of the Master Repository.

The syntax required for invoking the Command Line BackupStart action:

CimTrakClu.exe -BackupStart -server=[Server IP or FQDN] -port=[port number] -user=[Admin Username] -password=[Admin Password]

For example, initiating the BackupStart is performed by invoking the following Command Line parameters:

CimtrakClu.exe -BackupStart -server= port=3749 -user=admin -password=password

The syntax required for invoking the Command Line BackupStop action:

CimTrakClu.exe -BackupStop -server=[Server IP or FQDN] -port=[port number] -user=[Admin Username] -password=[Admin Password]

For example, initiating the BackupStop is performed by invoking the following Command Line parameters:

CimtrakClu.exe -BackupStop -server= port=3749 -user=admin -password=password

The BackupStart and BackupStop parameters are obsolete and will be removed from future versions of CimTrak.

7.7 DEFRAGMENTING THE CIMTRAK DATABASE FROM THE COMMAND LINE

The CimTrak Command Line Utility is a text-based version of the Management Console used in the Windows, Linux, and UNIX command line environments. The Command Line Utility is included within the CimTrak Tools package and is also accessible by launching the Management Console from the command line. See section 7.1 for information on accessing the Command Line Utility.

The Command Line utility has the capability to defragment the CimTrak database. Using the command line VacuumDB option is useful in automating defragment processes for the Master Repository.

The Vacuum functionality of the Command Line Utility is invoked using the -VacuumDB action value.

The syntax required for invoking the Command Line VacuumDB action:

CimTrakClu.exe -VacuumDB -server=[Server IP or FQDN] -port=[port number] -user=[Admin Username] -password=[Admin Password]

For example, initiating the Vacuum process is performed by invoking the following Command Line parameters:

CimtrakClu.exe -VacuumDB -server= port=3749 -user=admin -password=password

Figure 402: Defragmenting the CimTrak Database

A successful database vacuum is indicated by the message Database Vacuum Successfully Started.

7.8 SYNCHRONIZING OBJECT GROUPS FROM THE COMMAND LINE

The CimTrak Command Line Utility is a text-based version of the Management Console used in the Windows, Linux, and UNIX command line environments. The Command Line Utility is included within the CimTrak Tools package and is also accessible by launching the Management Console from the command line. See section 7.1 for information on accessing the Command Line Utility.

The Command Line utility has the capability to synchronize Object Group monitoring from the command line. Using the command line Sync option is useful in automating monitoring processes of an Object Group.

The Sync functionality of the Command Line Utility is invoked using the -Sync action value.

The syntax required for invoking the Command Line Utility Sync action:

CimTrakClu.exe -Sync -Object=[Object Group Name] -server=[Server IP or FQDN] -port=[port number] -user=[Admin Username] -password=[Admin Password]

For example, syncing a specified Object Group is performed by invoking the following Command Line parameters:

cimtrakclu.exe -Sync -Object="TSS-9910->CimTrak Agents->Windows-FSA->Windows ETC" -server= port=3749 -user=admin -password=password

Figure 403: Syncing an Object Group from the Command Line

A successful Sync process is indicated by the returned Request to Sync Succeeded!.

7.9 RUNNING CIMTRAK REPORTS FROM THE COMMAND LINE

The CimTrak Command Line Utility is a text-based version of the Management Console used in the Windows, Linux, and UNIX command line environments. The Command Line Utility is included within the CimTrak Tools package and is also accessible by launching the Management Console from the command line. See section 7.1 for information on accessing the Command Line Utility.

The Command Line utility has the capability to run CimTrak Reports from the command line. Using the command line Report option is useful in automating auditing processes of an Object Group.

The Report functionality of the Command Line Utility is invoked using the -Report action value in addition to the following report parameters:

ReportName: Name of the report to run.
ReportParam#: Parameter value required by the report. # indicates the parameter number (i.e. 1, 2, 3, 4, 5).
ReportFile: Path and filename to save the report output to.

For example, running the Variance By Quantity report graphically requires (or has the capability to include) parameter values.

Figure 404: Available Reports (Variance by Quantity selected)

In the Command Line Report Action the ReportName value is Variance By Quantity.

Figure 405: Variance by Quantity Parameters

In the Command Line Report Action the ReportParam# values are populated in the order they are displayed in the Variance by Quantity Parameters dialog.

The following syntax is required to run all CimTrak Reports from the command line:

CimTrakClu.exe -Report -server=[Server IP or FQDN] -port=[port number] -user=[Admin Username] -password=[Admin Password] -ReportName=[Name of a Report] -Object=[Object] -ReportFile=[File to Save Report] -ReportParam1=[Parameter 1] -ReportParam2=[Parameter 2]

The following examples show actual syntax for running command line reports for the Master Repository, Area, Agent, and Object Group levels.

Master Repository Level:

cimtrakclu.exe -Report -ReportName="Event Summary Report" -ReportParam1="06/01/ :00:00" -ReportParam2="06/20/ :59:00" -ReportParam3="Pie Chart" -ReportFile="C:\temp\out" -object="tss-9910" -server= port=3749 -user=admin -password=password

Where TSS-9910 is the Master Repository name.

Area Level:

cimtrakclu.exe -Report -ReportName="Event Summary Report" -ReportParam1="06/01/ :00:00" -ReportParam2="06/20/ :59:00" -ReportParam3="Pie Chart" -ReportFile="C:\temp\out" -object="tss-9910->cimtrak Agents" -server= port=3749 -user=admin -password=password

Where TSS-9910 is the Master Repository Name and CimTrak Agents is the Area name.

Agent Level:

cimtrakclu.exe -Report -ReportName="Event Summary Report" -ReportParam1="06/01/ :00:00" -ReportParam2="06/20/ :59:00" -ReportParam3="Pie Chart" -ReportFile="C:\temp\out" -object="tss-9910->cimtrak Agents->Windows-FSA" -server= port=3749 -user=admin -password=password

Where TSS-9910 is the Master Repository Name, CimTrak Agents is the Area name, and Windows-FSA is the File System Agent name.

Object Group Level:

cimtrakclu.exe -Report -ReportName="Event Summary Report" -ReportParam1="06/01/ :00:00" -ReportParam2="06/20/ :59:00" -ReportParam3="Pie Chart" -ReportFile="C:\temp\out" -object="tss-9910->cimtrak Agents->Windows-FSA->Windows ETC" -server= port=3749 -user=admin -password=password

Where TSS-9910 is the Master Repository Name, CimTrak Agents is the Area name, Windows-FSA is the File System Agent name, and Windows ETC is the Object Group name.

If the ReportFile parameter is not specified, the report will be written to the standard output (generally the console screen). If the ReportFile parameter is specified, the report will be saved in HTML format to the specified location. The report can then be opened in a Web browser such as Internet Explorer. Reports are explained in section 11.

When Microsoft Internet Explorer is used to review saved report output, Microsoft Internet Explorer 8 is required. Viewing of active content must be enabled to view the graphical portion of saved reports. Please refer to your Internet browser's documentation for more information.
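The cautions in section 7.2 (a -password value in the command syntax can expose the credential, and Object Group names containing spaces or > must be quoted or escaped on Linux/UNIX) and the Status output strings in section 7.4 can be checked mechanically when the Command Line Utility is automated. The shell functions below are an added example, not CimTrak or Cimcor code; the function names, the finding labels, the sample script lines and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CimTrak code): checks for scripts that automate the
# Command Line Utility. Function names and finding labels are hypothetical.

# clu_lint_line LINE
# Prints space-separated findings for one script line (empty if none).
clu_lint_line() {
    line=$1
    found=""
    lower=$(printf '%s\n' "$line" | tr '[:upper:]' '[:lower:]')

    # Only lines that invoke the utility are examined.
    case $lower in
        *cimtrakclu*|*cimtrakclient*) ;;
        *) return 0 ;;
    esac

    # A -password=<value> argument stores the credential in the script and
    # shows it in the process list; omitting it makes the utility prompt.
    if printf '%s\n' "$lower" | grep -Eq -- '-password=[^[:space:]]'; then
        found="password-on-command-line"
    fi

    # Drop backslash-escaped characters and quoted strings. A "->" that is
    # still present is unprotected: the shell treats ">" as a redirection,
    # truncates the Object path and writes output to a stray file.
    stripped=$(printf '%s\n' "$line" |
        sed -e 's/\\.//g' -e 's/"[^"]*"//g' -e "s/'[^']*'//g")
    case $stripped in
        *'->'*) found="${found:+$found }unquoted-object-path" ;;
    esac

    printf '%s\n' "$found"
}

# clu_status_state OUTPUT
# Maps the text returned by the Status action to one word. Substring matching
# is used because a logon banner may precede the status line.
clu_status_state() {
    case $1 in
        *"Object is Unlocked"*) echo unlocked ;;
        *"Object is Locking"*)  echo locking ;;
        *"Object is Locked"*)   echo locked ;;
        *)                      echo unknown ;;   # treat as a monitoring gap
    esac
}

# Constructed sample lines, as they might appear in a scheduled job.
clu_demo() {
    while IFS= read -r l; do
        r=$(clu_lint_line "$l")
        printf '%s\n    %s\n' "$l" "${r:-ok}"
    done <<'EOF'
cimtrakclu.exe -List -server=192.0.2.10 -port=3749 -user=admin -password=password
cimtrakclu.exe -Lock -Object=TSS-9910->CimTrak\ Agents -server=192.0.2.10 -user=admin
cimtrakclu.exe -Status -Object="TSS-9910->CimTrak Agents->Windows-FSA->Windows ETC" -server=192.0.2.10 -user=admin
EOF
    clu_status_state "Object is Unlocked"
}

clu_demo
```

A scheduled check can alert on any state other than locked, since an Unlock disables active monitoring of the Object Group.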

8. Configuring and Using the CimTrak FTP Server Utility

8.1 ACCESSING AND USING THE CIMTRAK FTP SERVER UTILITY

The CimTrak FTP Server provides FTP access to files and folders monitored by CimTrak File System Agents and Document Controls. This technique provides a simple way for System Administrators to modify the contents of files and folders that are monitored by the CimTrak application. Policy settings are still enforced on these accessible files and folders.

To access information available via the FTP Server, connect to the FTP server using the IP Address specified during installation. CimTrak user credentials are required to connect to the FTP Server.

Figure 406: Example FTP Connection

To connect to the FTP interface:

1. Start an FTP client program.

2. Connect the FTP client to the FTP server using the IP Address indicated during the FTP server installation.
   a. Use the IP address of the computer containing the FTP interface.
   b. For the username and password, use the credentials of an authorized CimTrak user or administrator.
   c. Use the port that was chosen when the FTP was installed (default FTP port is 21).
   d. Use Passive (PASV) Mode.
3. The root of the FTP directory lists all Objects that are in the Repository.

For all Object Groups and Document Controls set to store an authoritative copy, the stored authoritative files can be copied to the computer containing the FTP client connected to the FTP server.

For all Document Controls, files can be uploaded to the Document Control using an FTP client. Uploaded files will create a new Document Control generation (if creating new generations is indicated in the Document Control configuration).

9. Configuring and Using the CimTrak Ping Utility

9.1 ACCESSING AND USING THE CIMTRAK PING UTILITY

The CimTrak Ping Utility provides System Administrators with a tool to troubleshoot connectivity issues between the system housing the CimTrak Ping Command Line Tool and the CimTrak Master Repository. The Ping utility performs the following tests:

LogonTest: Logon Test
SmallNoReplyTest: Small message sent with no reply expected
SmallReplyTest: Small reply sent with no message sent
LargeSmallReplyTest: Large message sent with small reply sent
LargeReplyTest: Large message sent with large reply sent

Viewing the CimTrak Ping Utility parameter usage is accomplished by typing CimTrakPing.exe without any parameters or values. By default, the CimTrak Ping utility is located at:

Microsoft Windows: C:\Program Files\Cimcor\CimTrak\CimTrakTools\CimTrakPing\CimTrakPing.exe
Linux/UNIX: /opt/cimcor/cimtrak/cimtraktools/cimtrakping/cimtrakping.exe

Figure 407: CimTrak Ping Parameters and Syntax

Running the CimTrak Ping Utility is accomplished by providing parameter values to specified parameters. The Server value and the Port number are the IP Address and Port Number associated with the Master Repository. A sample of a communication test with default parameter values is as follows:

CimTrakPing.exe Server= ,Port=3749,User=admin,Password=pwd

Using the above string will run all test types 10 times each.

Figure 408: Example CimTrak Ping Standard Output

It is possible to modify the number of times each test type runs by specifying a numeric value for each parameter. Additionally, it is possible to exclude tests by specifying the numeric value as 0.

CimTrakPing.exe Server= , Port=3749, User=admin, Password=pwd, LogonTest=5, SmallNoReplyTest=5, SmallReplyTest=5, LargeSmallReplyTest=5, LargeReplyTest=5

A successful connection will provide transfer times for each test performed. Additionally, return code values are displayed after each test is performed. Applicable return codes include:

Logon Test:
0: Test passed
-1: Test failed due to being unable to connect to CimTrak Repository
-2: Test failed due to being unable to perform handshake with CimTrak Repository
-3: Test failed due to being unable to log on to CimTrak Repository

Small Message No Reply Test:
0: Test passed
-1: Test failed

Small Message Reply Test:
0: Test passed
-1: Test failed

Large Message Small Reply Test:
0: Test passed
-1: Test failed

Large Message Reply Test:
0: Test passed
-1: Test failed

10. Configuring and Using the CimTrak Proxy Utility

10.1 ACCESSING AND USING THE CIMTRAK PROXY UTILITY

The CimTrak Proxy Utility is an intermediary for requests to the Master Repository by CimTrak Agents and the Management Console. The connecting entity may connect to the Proxy IP Address and Port number. This connection provides an intermediary connection to the IP Address and Port Number of the Master Repository.

The Proxy Application is a stand-alone command line utility that must be left running to provide its service. Launching the utility to determine required and optional parameters is accomplished by typing CimTrakProxy.exe.

Microsoft Windows: C:\Program Files\Cimcor\CimTrak\CimTrakTools\CimTrakProxy\CimTrakProxy.exe
Linux/UNIX: /opt/cimcor/cimtrak/cimtraktools/cimtrakproxy/cimtrakproxy.exe

Figure 409: CimTrak Proxy Parameters and Syntax

The Proxy Utility is launched with the following command, where RemoteServer is the IP Address associated with the Master Repository, RemotePort is the Port Number associated with the Master Repository, LocalPort is the port utilized by the CimTrak Proxy tool, and LogMessage is the indicator to enable or disable logging of CimTrak messages.

CimTrakProxy.exe RemoteServer= , RemotePort=3749, LocalPort=1234, LogMessage=1

Once the Proxy has started, it is possible to toggle and enable additional Proxy Utility console display parameters by indicating toggle values. Toggle parameters include:

M: Toggle Logging of Messages
D: Toggle Logging of Debug Messages
C: Enable Console Output of Debug Messages
V: Enable Console Output of Messages
Q: Quit the Proxy Utility

Figure 410: CimTrak Proxy Toggle Parameters

Figure 411: Example Proxy Console Output

11. CimTrak Integrated Reporting

11.1 ACCESSING CIMTRAK REPORTING

Authorized CimTrak Administrators, Users, and Auditors have the capability to execute and download reports to display audit log and event information. Reports can be executed via the CimTrak Management Console Graphical User Interface or using the CimTrak Command Line Tool. See section 7.9 for information explaining running reports from the Command Line Tool.

Reports are accessible for each level of Object listed in the Management Console's Object Group Tree. Information on accessing CimTrak Reports based on the Object level is as follows. Executing each of these methods will display the corresponding Available Reports dialog.

- CimTrak Master Repository: On the Management Console Menu Bar click Reports > View Reports.
- CimTrak Area: Right-click on the Area name in the Object Group tree and select Reports in the context menu.
- CimTrak File System/Network Device Agent: Right-click on the CimTrak Agent name in the Object Group tree and select Reports in the context menu.
- CimTrak Object Group: Right-click on the Object Group name in the Object Group tree and select Reports in the context menu.
- CimTrak Document Control: Right-click on the Document Control name in the Object Group tree and select Reports in the context menu.

Additionally, other CimTrak components not listed execute reports using the methods outlined above.

Reports run or downloaded for a selected Object level show results for all child Objects of the corresponding level. For instance, reports run or downloaded at the Master Repository level display information associated with all child Objects, including:

- CimTrak Master Repository
- All CimTrak Areas

- All CimTrak File System/Network Device Agents
- All CimTrak Object Groups
- All CimTrak Document Controls

Reports run at an Area level will display information associated with all child Objects of the specified Area, including:

- Specified CimTrak Area
- CimTrak File System/Network Device Agents contained in the specified Area
- CimTrak Object Groups contained in the specified Area
- CimTrak Document Controls contained in the specified Area

Reports run at an Agent level will display information associated with all child Objects of the specified Agent, including:

- Specified CimTrak File System/Network Device Agent
- CimTrak Object Groups contained in the specified CimTrak Agent
- CimTrak Document Controls contained in the specified CimTrak Agent

Reports run at an Object Group level will only display information for the selected Object Group. Reports run at a Document Control level only display information for the selected Document Control. The Available Reports dialog is explained in section

NAVIGATING THE AVAILABLE REPORTS DIALOG AND EXECUTING REPORTS

Authorized CimTrak Administrators, Users, and Auditors have the capability to execute and download reports to display audit log and event information. Executing reports from the Management Console is performed using the Available Reports dialog. Reports are accessible for each level of Object listed in the Management Console's Object Group Tree. Information on accessing CimTrak Reports based on the Object level is explained in section

Figure 412: Available Reports dialog (Master Repository Level)

The Available Reports dialog displays all reports available for the selected Object level. Each report is classified into a general level or a specific compliance level. Compliance levels allow for the reporting of only Object data that is applicable to the compliance level specified. Specification of compliance levels is performed using the Compliance Flags. Compliance Flags are explained in section of this documentation.

General Reports are contained in the CimTrak Reports and Enhanced Reporting Report Groups. Expanding a Report Group is possible by clicking the corresponding +. Clicking the corresponding - will collapse the selected Report Group. Compliance Flag reports contain the same reports that exist in the Enhanced Reporting group but require that a compliance flag is specified.

Reports included in the CimTrak Reports level are used to audit CimTrak Management Console and Master Repository health, access, and user accounts. Reports included in the Enhanced Reporting level are used to audit change events detected (and optionally remediated) by CimTrak. Details of these associated reports are explained in a section

To execute a report, navigate the Available Reports dialog to find the intended report. Select the report by clicking it once and then clicking the Generate Report button. The selected report will display.

CimTrak support staff has the capability to generate reports to perform custom functions for customer-specific requests. Additionally, CimTrak Administrators with a programming background can modify reports. Generally, CimTrak Reports consist of embedded HTML, SQL, JavaScript and LUA. To download a report's unexecuted code, navigate the Available Reports dialog to find the intended report. Select the report by clicking it once and then clicking the Download button. The Save As dialog will display. Select the location to save the report to. Once the report is modified it must be uploaded to the Master Repository. Uploading reports to the Master Repository is described in a section

When executing some reports, a Parameters dialog will display. The Parameters dialog allows for the specification of report parameters such as the date range, private key, chart type, and optional query criteria. Populate the Parameters dialog with appropriate information relating to the intended report criteria.

Figure 413: Report Parameters dialog

Once the report parameters are specified and the Continue button is clicked, the selected report will generate.

Figure 414: Sample CimTrak Report (Page 1 of 2)

Figure 415: Sample CimTrak Report (Page 2 of 2)

CimTrak utilizes Microsoft Windows Internet Explorer installed on the Management Console's operating system. Graphical information will not display in Internet Explorer versions less than 8.0.

The displayed report dialog Toolbar allows authorized CimTrak users to perform various functions on the displayed report.

Figure 416: File Report Toolbar

The functionality associated with each Toolbar option is as follows.

- Save: Save a local copy of the completed report. Completed reports are saved in HTML and can be opened in a web browser.
- Print Options: Print a copy of the completed report or enable/disable printing of background colors.
- Print: Print a copy of the completed report.
- Print Preview: Display a visual representation of exactly what a printed copy of the completed report would look like.
- Exit: Quit the completed report dialog.

Files saved on the local system may be accessible by other users of the system.

EXPLAINING AVAILABLE CIMTRAK REPORTS

Authorized CimTrak Administrators, Users, and Auditors have the capability to execute and download reports to display audit log and event information. Executing reports from the Management Console is performed using the Available Reports dialog. Reports are accessible for each level of Object listed in the Management Console's Object Group Tree. Information on accessing CimTrak Reports based on the Object level is explained in section

General Reports are contained in the CimTrak Reports and Enhanced Reporting Report Groups. Expanding a Report Group is possible by clicking the corresponding +. Clicking the corresponding - will collapse the selected Report Group. Compliance Flag reports contain the same reports that exist in the Enhanced Reporting group but require that a compliance flag is specified. Compliance flags are explained in section

Enhanced CimTrak Reports:

- Diagnostic Analysis: The Diagnostic Analysis is intended for support purposes to determine database availability/integrity, version information, process information, and incident totals.

- Object Group Configuration: The Object Group Configuration report displays configuration settings for all Objects in the Object Group tree.
- Active User Listing: The Active User Listing Report lists all CimTrak users that are currently active.
- Added User Listing: The Added User Listing Report lists all added CimTrak users that are currently active.
- Deleted User Listing: The Deleted User Listing Report lists all deleted CimTrak users.
- Failed Logon Attempts: The Failed Logon Attempts Report provides a detailed listing of failed logon attempts over a user-specified period of time.
- Locked Out Users: The Locked Out Users Report provides a detailed listing of all locked out CimTrak user accounts.
- Successful Logons (Administrators): The Successful Logons (Administrators) Report provides a detailed listing of successful authentications with the CimTrak Master Repository by CimTrak user accounts.
- Successful Logons (All Users): The Successful Logons (All Users) Report provides a detailed listing of successful authentications with the CimTrak Master Repository by CimTrak user accounts.
- Successful Logons (Auditors): The Successful Logons (Auditors) Report provides a detailed listing of successful authentications with the CimTrak Master Repository by CimTrak user accounts.
- Successful Logons (Installers): The Successful Logons (Installers) Report provides a detailed listing of successful authentications with the CimTrak Master Repository by CimTrak user accounts.
- Successful Logons (Other Users): The Successful Logons (Other Users) Report provides a detailed listing of successful authentications with the CimTrak Master Repository by CimTrak user accounts.

Enhanced Reporting:

- Disabled Object Group Policies: The Disabled Object Group Policies report displays all Object Group Policies that are currently unlocked. Additionally, this report shows when the Object Group Policy was unlocked, the responsible party, and a timer indicating the length of time.
- Event Summary Report: The Event Summary Report displays a summary of all events recorded by CimTrak for a specified date range. Data is displayed relating to event priority, criteria, and action.
- Generation Elements: The Generation Elements Report displays individual Object Group generation and sub-revision details. For each result, the Generation Elements Report is capable of displaying a variety of generation and sub-revision information such as the CimTrak user responsible for creating a generation and any additional note details.
- Groups by Compliance: The Groups by Compliance Report lists all groups based on their configured compliance type.

- Incidents by Object: The Incidents by Object report displays a quantity of variances over a period of time in addition to summary information of the last reported variance.
- Incident Summary Report: The Incident Summary Report displays a numeric total for all additions, modifications, and deletions for all Object Group Policies.
- Variance by Quantity: The Variance by Quantity Report displays a total of Object Group contents that have been added, modified, and/or removed from the monitored system.
- Variance Detail Report: The Variance Detail Report displays Object Group contents that have been added, modified, and/or removed from the monitored system. For each result, the Variance Detail Report is capable of displaying a variety of forensic-assisting information such as the operating system user responsible for the change, the responsible process, and associated change details.
- Variance Summary Report: The Variance Summary Report displays Object Group contents that have been added, modified, and/or removed from the monitored system. For each result, the Variance Detail Report is capable of displaying a variety of forensic-assisting information such as the operating system user responsible for the change and the responsible process.
- Variance Window Report: The Variance Window Report calculates the quantity of detected intrusions on locked objects during a specified period of time.
- Baseline Comparison Report: Only available at the Object Group level, the Baseline Comparison report evaluates files/directories contained in one object group against the object group specified. The Baseline Comparison report requires that the original, authoritative baseline Object Group has the Audit Baseline Compliance Flag selected.

EXPLAINING CIMTRAK COMPLIANCE FLAGS

Authorized CimTrak Administrators, Users, and Auditors have the capability to execute and download reports to display audit log and event information. Executing reports from the Management Console is performed using the Available Reports dialog. Reports are accessible for each level of Object listed in the Management Console's Object Group Tree. Information on accessing CimTrak Reports based on the Object level is explained in section

Compliance Flag reports contain the same reports that exist in the Enhanced Reporting group but require that a compliance flag is specified. Compliance Flags are set by right-clicking the Object in the Object Group tree and selecting Compliances. The Compliances dialog will display.

Figure 417: Compliances dialog

Compliance flags are selected/deselected by selecting the checkbox corresponding with the Compliance flag. Selecting the Apply compliances to children recursively checkbox will apply the compliance flag(s) selected to all children of the selected Object. Once the compliance flag(s) are selected, click the OK button to accept the changes. Click the Cancel button to discard changes and abort the compliance flag designation.

Available compliances vary based on the CimTrak release and installed report packages. Contact an authorized CimTrak sales representative to acquire additional reporting packages.

WORKING WITH CIMTRAK REPORT PACKAGES

Authorized CimTrak Administrators have the capability to add additional report packages to the CimTrak Master Repository. Additional report packages are often distributed with additional CimTrak components.

To add additional report packages, log into the CimTrak Management Console using an Administrator account. Navigate to the Report Package Manager by clicking Reports > Report Packages in the Management Console's Menu Bar.

Figure 418: Report Packages dialog

By default, the CimTrak reporting package is installed. Click the Add button to navigate the Management Console host file system to select additional report packages to install. Select the appropriate report package and then click Open. The selected report package will now be displayed in the Report Packages dialog. Click the OK button to complete the report package installation.

Removing a report package is achieved by selecting the Report package name in the Report Packages dialog and then clicking the Remove button. Click the OK button to complete the report package removal.

Additional report packages may be available in your region. Contact an authorized CimTrak sales representative to acquire additional reporting packages.

UPLOADING ADDITIONAL CIMTRAK REPORTS

Authorized CimTrak Administrators have the capability to add additional individual reports to the CimTrak Master Repository. Additional reports are often distributed with additional CimTrak components.

Log into the CimTrak Management Console using an Administrator account. Navigate to the Report Package Manager by clicking Reports > Upload Report in the Management Console's Menu Bar. The Open dialog will display. Browse the Management Console's host operating system and select the report to upload.

Click Open to upload the report to the Master Repository. Click the Cancel button to abort the upload process.

Appendix A: Document Versioning

A.1 CIMTRAK USER GUIDANCE DOCUMENTATION HISTORY

The following table outlines the history of this documentation.

Date | Version | Editor | Modification
15 June 2011 | DOC_2.0.0 | David Wheeler, CIMCOR Technical Support | Document Creation
5 June 2011 | DOC_2.0.1 | Sam Conley, CIMCOR Support Engineer | Minor editing

Table 3: Document Versioning

Appendix B: File System Agent Object Group Worksheet

B.1 OBJECT GROUP WORKSHEET

The following worksheet can be used to keep a physical log of Object Group configurations.

Object Group Name:
Location:
Description:
Contact:
URL:
Notes:

A zero in any of the following fields means no limit:

Number of Revisions to Keep: (Default is 250)
Number of Changes to Keep: (Default is 250)
Number of Event to Keep: (Default is 250)
Stored Change Size (in KB): (Default is )

Appendix C: Network Device Agent Object Group Worksheet

C.1 OBJECT GROUP WORKSHEET

The following worksheet can be used to keep a physical log of Object Group configurations.

Object Group Name:
Device Type:
IP Address of Device:
Location:
Description:
Contact:
URL:
Notes:

A zero in any of the following fields means no limit:

Number of Revisions to Keep: (Default is 250)
Number of Changes to Keep: (Default is 250)
Number of Event to Keep: (Default is 250)
Stored Change Size (in KB): (Default is 250)

Appendix D: Message Levels and Examples

D.1 OBJECT GROUP WORKSHEET

Each Event Log message type has a corresponding icon that allows for quick visual reference to the urgency level of the event. These urgency levels are important to note when configuring alert permissions. Alert permissions are explained in a subsequent section.

- Emergency: System is unusable. Highest level of event.
- Alert: Take action immediately.
- Critical: Critical conditions have occurred.
- Error: Error conditions.
- Warning: Warning conditions.
- Notice: Normal condition that requires attention.
- Information: Informational message.
- Debug: Debug-level message. Lowest level of event.

The following table contains examples of common log messages and their associated message levels.

Message | Message Level
CimTrak Repository Loading Startup Values Failed | LOG_CRITICAL
Attributes Reset | LOG_ERROR
Baseline Update | LOG_ERROR
Baseline Updated | LOG_ERROR
CimTrak Repository Unable to Close Sockets during shutdown | LOG_ERROR
Directory Added | LOG_ERROR
Directory Modified | LOG_ERROR
Directory Removed | LOG_ERROR
Failed To Start Deploy | LOG_ERROR
File Added | LOG_ERROR
File Deleted | LOG_ERROR
File Modified | LOG_ERROR
File Removed | LOG_ERROR
File Removed And Stored | LOG_ERROR
Lock Cancelled By User | LOG_ERROR
Lock Failed. | LOG_ERROR
Monitor Only | LOG_ERROR
Pending Repair | LOG_ERROR
Pending User Approval | LOG_ERROR
Repair Aborted | LOG_ERROR
Replaced From Repository | LOG_ERROR
Unlocked object | LOG_ERROR
Repaired by later event | LOG_WARNING
%s ''%s'' was %s. | LOG_NOTICE
%s ''%s'' was added to Object ''%s''. | LOG_NOTICE
%s ''%s'' was deleted from Object ''%s''. | LOG_NOTICE
Agent ''%s'' was %s. | LOG_NOTICE
An Object Note was added for Object ''%s''. | LOG_NOTICE
IP: %s, Subnet Mask: %s was added to the grant/deny access list. | LOG_NOTICE
IP: %s, Subnet Mask: %s was removed from the grant/deny access list. | LOG_NOTICE
Object ''%s'' was deleted. | LOG_NOTICE
Permissions for user ''%s'' on Object ''%s'' were revoked. | LOG_NOTICE
Permissions for user ''%s'' were modified for Object ''%s''. | LOG_NOTICE
Properties of %s ''%s'' on Object ''%s'' were modified. | LOG_NOTICE
Properties of %s %s were modified. | LOG_NOTICE
Properties of Master Repository were modified. | LOG_NOTICE
Properties were modified for Agent ''%s''. | LOG_NOTICE
Properties were modified for Object ''%s''. | LOG_NOTICE
User %s was granted permissions on Object ''%s''. | LOG_NOTICE
%s Checked In | LOG_INFO
%s Checked Out | LOG_INFO
%s was moved to %s | LOG_INFO
CimTrak File System Agent Connected Username %s | LOG_INFO
CimTrak File System Agent Failed Connecting Username %s | LOG_INFO
CimTrak File System Agent Logoff Requested | LOG_INFO
CimTrak Client Connected Username %s | LOG_INFO
CimTrak Client Failed Connecting Username %s | LOG_INFO
CimTrak Client Logoff Requested | LOG_INFO
CimTrak Repository Accepting A Remote Connection from %s. | LOG_INFO
CimTrak Repository Loading Startup Values | LOG_INFO
CimTrak Repository Loading Startup Values Completed | LOG_INFO
CimTrak Repository rejected A Remote Connection from %s. | LOG_INFO
CimTrak Repository Starting | LOG_INFO
CimTrak Repository Stopped | LOG_INFO
CimTrak Repository Stopping | LOG_INFO
File Added | LOG_INFO
File Deleted | LOG_INFO
File Modified | LOG_INFO
Lock Completed | LOG_INFO
Lock Started | LOG_INFO
Remote Connection Close Abnormally from %s. | LOG_INFO
Remote Connection Close Normally from %s. | LOG_INFO
Sync Complete | LOG_INFO
Sync Started | LOG_INFO
System being deployed | LOG_INFO
User %s has exceeded maximum logon attempts and the account has been locked. | LOG_INFO
User %s uploaded file ''%s'' to the repository. | LOG_INFO

Table 4: Common Log Messages
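The following added example (not part of the CimTrak documentation or product) matches message text against a subset of the Table 4 templates and shows that a severity threshold alone would skip access-control events logged at LOG_INFO or LOG_NOTICE, such as account lockouts. The function names, the watchlist, the sample messages, and the assumption that the message text has already been separated from any timestamp and that '' renders as one or two single quotes are all assumptions of this example.

```python
import re

# Urgency ranks follow the order of the level list in Appendix D
# (Emergency = 0 ... Debug = 7); only levels that appear in Table 4 are listed.
RANK = {"LOG_CRITICAL": 2, "LOG_ERROR": 3, "LOG_WARNING": 4,
        "LOG_NOTICE": 5, "LOG_INFO": 6}

# (template, level) pairs copied from Table 4; a subset, not the full table.
TEMPLATES = [
    ("CimTrak Repository Loading Startup Values Failed", "LOG_CRITICAL"),
    ("Lock Failed.", "LOG_ERROR"),
    ("Unlocked object", "LOG_ERROR"),
    ("IP: %s, Subnet Mask: %s was added to the grant/deny access list.", "LOG_NOTICE"),
    ("Permissions for user ''%s'' on Object ''%s'' were revoked.", "LOG_NOTICE"),
    ("User %s was granted permissions on Object ''%s''.", "LOG_NOTICE"),
    ("CimTrak Client Connected Username %s", "LOG_INFO"),
    ("CimTrak Client Failed Connecting Username %s", "LOG_INFO"),
    ("CimTrak Repository rejected A Remote Connection from %s.", "LOG_INFO"),
    ("User %s has exceeded maximum logon attempts and the account has been locked.", "LOG_INFO"),
    ("Sync Complete", "LOG_INFO"),
]

# Assumption of this example (not from the guide): templates a reviewer wants
# to see regardless of level because they record access-control activity.
WATCHLIST = {
    "IP: %s, Subnet Mask: %s was added to the grant/deny access list.",
    "Permissions for user ''%s'' on Object ''%s'' were revoked.",
    "User %s was granted permissions on Object ''%s''.",
    "CimTrak Client Failed Connecting Username %s",
    "CimTrak Repository rejected A Remote Connection from %s.",
    "User %s has exceeded maximum logon attempts and the account has been locked.",
}


def template_to_regex(template):
    """Turn a printf-style template into an anchored regex.

    Each %s becomes a capture group. The doubled quotes ('') printed in the
    table are assumed to appear as one or two single quotes in a real message.
    """
    parts = []
    for chunk in template.split("%s"):
        parts.append("'{1,2}".join(re.escape(p) for p in chunk.split("''")))
    return re.compile("^" + "(.+?)".join(parts) + "$")


COMPILED = [(template_to_regex(t), t, level) for t, level in TEMPLATES]


def classify(message):
    """Return (level, template, fields) for a known message, else None."""
    for regex, template, level in COMPILED:
        match = regex.match(message)
        if match:
            return level, template, match.groups()
    return None


def triage(messages, threshold="LOG_WARNING"):
    """Label each recognised message with how an alert rule would catch it."""
    results = []
    for message in messages:
        hit = classify(message)
        if hit is None:
            continue  # unknown text is skipped, not guessed at
        level, template, fields = hit
        results.append({
            "message": message,
            "level": level,
            "fields": fields,
            "over_threshold": RANK[level] <= RANK[threshold],
            "watchlisted": template in WATCHLIST,
        })
    return results


def missed_by_threshold(messages, threshold="LOG_WARNING"):
    """Watchlisted events that a pure severity threshold would not alert on."""
    return [e for e in triage(messages, threshold)
            if e["watchlisted"] and not e["over_threshold"]]


# Constructed sample messages (user names and address are made up).
SAMPLE_MESSAGES = [
    "User jsmith has exceeded maximum logon attempts and the account has been locked.",
    "CimTrak Client Failed Connecting Username jsmith",
    "CimTrak Repository rejected A Remote Connection from 192.0.2.15.",
    "Permissions for user 'auditor1' on Object 'WebRoot' were revoked.",
    "Lock Failed.",
    "Sync Complete",
    "text that matches no template",
]

if __name__ == "__main__":
    for event in missed_by_threshold(SAMPLE_MESSAGES):
        print(event["level"], event["fields"], event["message"])
```
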

Appendix E: Support Contact Information

E.1 CIMTRAK TECHNICAL SUPPORT SERVICES

CimTrak Technical Support Services are here to help. Should you have any problems or questions please contact us using one of the following contact methods.

E.2 SUPPORT VIA ELECTRONIC MAIL

CimTrak Technical Support electronic mail:

Please be sure to include the following information in your message:

- Product name, version, and serial number
- Operating system, version, and service pack number
- Description of what you were doing when the error message occurred and exactly what the error message stated
- Any other pertinent information

E.3 SUPPORT VIA FAX

Should you choose this method, fax the same information as above to: CIMCOR, Inc. (219)

In addition to the above information please be sure to include the following:

- Your name and organization
- Return phone number
- Return fax number
- Your address

E.4 SUPPORT VIA PHONE

Call CimTrak Technical Support at (877) Ext. 2
Hours: Monday thru Friday 9 AM - 5 PM Central Standard Time
Voice Mail: Leave a voice mail during off hours

Include in your voice mail:

- Your name and organization
- Your phone number
- Your question or a description of the problem
- Your address

Our technical support staff will contact you with an answer as soon as possible.


More information

ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000

ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000 ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000 Version 3.2 ArcMail Technology 401 Edwards Street, Suite 1601 Shreveport, LA 71101 Support: (888) 790-9252

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

Server Installation Guide ZENworks Patch Management 6.4 SP2

Server Installation Guide ZENworks Patch Management 6.4 SP2 Server Installation Guide ZENworks Patch Management 6.4 SP2 02_016N 6.4SP2 Server Installation Guide - 2 - Notices Version Information ZENworks Patch Management Server Installation Guide - ZENworks Patch

More information

v5.2 Installation Guide for Websense Enterprise v5.2 Embedded on Cisco Content Engine

v5.2 Installation Guide for Websense Enterprise v5.2 Embedded on Cisco Content Engine v5.2 Installation Guide for Websense Enterprise v5.2 Embedded on Cisco Content Engine Websense Enterprise Installation Guide 1996 2004, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San

More information

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.3

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.3 Wavelink Avalanche Mobility Center Java Console User Guide Version 5.3 Revised 17/04/2012 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information

Remote Management Reference

Remote Management Reference www.novell.com/documentation Remote Management Reference ZENworks 11 Support Pack 2 October 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

Netwrix Auditor for Windows Server

Netwrix Auditor for Windows Server Netwrix Auditor for Windows Server Quick-Start Guide Version: 7.0 7/7/2015 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from

More information

Audit Management Reference

Audit Management Reference www.novell.com/documentation Audit Management Reference ZENworks 11 Support Pack 3 February 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

Security Explorer 9.5. User Guide

Security Explorer 9.5. User Guide 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.

More information

WINDOWS 7 & HOMEGROUP

WINDOWS 7 & HOMEGROUP WINDOWS 7 & HOMEGROUP SHARING WITH WINDOWS XP, WINDOWS VISTA & OTHER OPERATING SYSTEMS Abstract The purpose of this white paper is to explain how your computers that are running previous versions of Windows

More information

NetBak Replicator 4.0 User Manual Version 1.0

NetBak Replicator 4.0 User Manual Version 1.0 NetBak Replicator 4.0 User Manual Version 1.0 Copyright 2012. QNAP Systems, Inc. All Rights Reserved. 1 NetBak Replicator 1. Notice... 3 2. Install NetBak Replicator Software... 4 2.1 System Requirements...

More information

Integrate Check Point Firewall

Integrate Check Point Firewall Integrate Check Point Firewall EventTracker Enterprise Publication Date: Oct.26, 2015 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract The purpose of this document is

More information

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc. Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

MULTIFUNCTIONAL DIGITAL SYSTEMS. Operator s Manual for AddressBook Viewer

MULTIFUNCTIONAL DIGITAL SYSTEMS. Operator s Manual for AddressBook Viewer MULTIFUNCTIONAL DIGITAL SYSTEMS Operator s Manual for AddressBook Viewer 2008, 2009 TOSHIBA TEC CORPORATION All rights reserved Under the copyright laws, this manual cannot be reproduced in any form without

More information

Enterprise Vault Installing and Configuring

Enterprise Vault Installing and Configuring Enterprise Vault Installing and Configuring Enterprise Vault 6.0 Legal Notice Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, VERITAS, the VERITAS Logo, and Enterprise

More information

System 800xA Tools. System Version 5.1. Power and productivity for a better world TM

System 800xA Tools. System Version 5.1. Power and productivity for a better world TM System 800xA Tools System Version 5.1 Power and productivity for a better world TM System 800xA Tools System Version 5.1 NOTICE This document contains information about one or more ABB products and may

More information

NETWRIX ACCOUNT LOCKOUT EXAMINER

NETWRIX ACCOUNT LOCKOUT EXAMINER NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a

More information

EXPLORER AND REAL-TIME ANALYZER USER GUIDE

EXPLORER AND REAL-TIME ANALYZER USER GUIDE EXPLORER AND REAL-TIME ANALYZER USER GUIDE Websense Enterprise Websense Web Security Suite TM -including Corporate Edition v6.3 1996 2006, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd.,

More information

Universal Management Service 2015

Universal Management Service 2015 Universal Management Service 2015 UMS 2015 Help All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying, recording,

More information

Symantec Backup Exec 2010 R2. Quick Installation Guide

Symantec Backup Exec 2010 R2. Quick Installation Guide Symantec Backup Exec 2010 R2 Quick Installation Guide 20047221 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

CA Nimsoft Monitor Snap

CA Nimsoft Monitor Snap CA Nimsoft Monitor Snap Configuration Guide for Email Gateway emailgtw v2.7 series Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as

More information

Active Directory Change Notifier Quick Start Guide

Active Directory Change Notifier Quick Start Guide Active Directory Change Notifier Quick Start Guide Software version 3.0 Mar 2014 Copyright 2014 CionSystems Inc., All Rights Reserved Page 1 2014 CionSystems Inc. ALL RIGHTS RESERVED. This guide may not

More information

Utilities. 2003... ComCash

Utilities. 2003... ComCash Utilities ComCash Utilities All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying, recording, taping, or

More information

Dell Enterprise Reporter 2.5. Configuration Manager User Guide

Dell Enterprise Reporter 2.5. Configuration Manager User Guide Dell Enterprise Reporter 2.5 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license

More information

Endpoint Security Console. Version 3.0 User Guide

Endpoint Security Console. Version 3.0 User Guide Version 3.0 Table of Contents Summary... 2 System Requirements... 3 Installation... 4 Configuring Endpoint Security Console as a Networked Service...5 Adding Computers, Groups, and Users...7 Using Endpoint

More information

Remark FTP Utility. For Remark Office OMR. User s Guide

Remark FTP Utility. For Remark Office OMR. User s Guide Remark FTP Utility For Remark Office OMR User s Guide Remark Products Group 301 Lindenwood Drive, Suite 100 Malvern, PA 19355-1772 USA www.gravic.com Disclaimer The information contained in this document

More information

Printer Driver Installation Manual

Printer Driver Installation Manual Printer Driver Installation Manual Copyrights Any unauthorized reproduction of the contents of this document, in part or whole, is strictly prohibited. Limitation of Liability SATO Corporation and its

More information

Dell InTrust 11.0. Auditing and Monitoring Microsoft Windows

Dell InTrust 11.0. Auditing and Monitoring Microsoft Windows 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.

More information

TRITON - Web Security Help

TRITON - Web Security Help TRITON - Web Security Help Websense Web Security Websense Web Filter v7.5 1996 2015, Websense Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121, USA Published 2015 Printed in the

More information

Dell InTrust 11.0. Preparing for Auditing Microsoft SQL Server

Dell InTrust 11.0. Preparing for Auditing Microsoft SQL Server 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.

More information

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred DETECT All changes across your IT environment With coverage for your servers, network devices, critical workstations, point of sale systems, and more, CimTrak has your infrastructure covered. CimTrak provides

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright

More information

DocuPrint C3290 FS Features Setup Guide

DocuPrint C3290 FS Features Setup Guide DocuPrint C3290 FS Features Setup Guide Adobe and PostScript are trademarks of Adobe Systems Incorporated in the United States and/or other countries. Apple, Bonjour, ColorSync, EtherTalk, Macintosh, and

More information

FOR WINDOWS FILE SERVERS

FOR WINDOWS FILE SERVERS Quest ChangeAuditor FOR WINDOWS FILE SERVERS 5.1 User Guide Copyright Quest Software, Inc. 2010. All rights reserved. This guide contains proprietary information protected by copyright. The software described

More information

Moxa Device Manager 2.0 User s Guide

Moxa Device Manager 2.0 User s Guide First Edition, March 2009 www.moxa.com/product 2009 Moxa Inc. All rights reserved. Reproduction without permission is prohibited. Moxa Device Manager 2.0 User Guide The software described in this manual

More information

Omniquad Exchange Archiving

Omniquad Exchange Archiving Omniquad Exchange Archiving Deployment and Administrator Guide Manual version 3.1.2 Revision Date: 20 May 2013 Copyright 2012 Omniquad Ltd. All rights reserved. Omniquad Ltd Crown House 72 Hammersmith

More information

How To Install Caarcserve Backup Patch Manager 27.3.2.2 (Carcserver) On A Pc Or Mac Or Mac (Or Mac)

How To Install Caarcserve Backup Patch Manager 27.3.2.2 (Carcserver) On A Pc Or Mac Or Mac (Or Mac) CA ARCserve Backup Patch Manager for Windows User Guide r16 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Database Administration Guide

Database Administration Guide Database Administration Guide 092211 2011 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical, including photocopying,

More information

CA Nimsoft Monitor. Probe Guide for IIS Server Monitoring. iis v1.5 series

CA Nimsoft Monitor. Probe Guide for IIS Server Monitoring. iis v1.5 series CA Nimsoft Monitor Probe Guide for IIS Server Monitoring iis v1.5 series Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as is," and

More information

Xerox Global Print Driver. Installation Guide

Xerox Global Print Driver. Installation Guide Xerox 2010 Xerox Corporation. All Rights Reserved. Unpublished rights reserved under the copyright laws of the United States. Contents of this publication may not be reproduced in any form without permission

More information

CONNECT-TO-CHOP USER GUIDE

CONNECT-TO-CHOP USER GUIDE CONNECT-TO-CHOP USER GUIDE VERSION V8 Table of Contents 1 Overview... 3 2 Requirements... 3 2.1 Security... 3 2.2 Computer... 3 2.3 Application... 3 2.3.1 Web Browser... 3 2.3.2 Prerequisites... 3 3 Logon...

More information

NETWORK PRINT MONITOR User Guide

NETWORK PRINT MONITOR User Guide NETWORK PRINT MONITOR User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Ahsay Replication Server v5.5. Administrator s Guide. Ahsay TM Online Backup - Development Department

Ahsay Replication Server v5.5. Administrator s Guide. Ahsay TM Online Backup - Development Department Ahsay Replication Server v5.5 Administrator s Guide Ahsay TM Online Backup - Development Department October 9, 2009 Copyright Notice Ahsay Systems Corporation Limited 2008. All rights reserved. Author:

More information

Mobile Configuration Profiles for ios Devices Technical Note

Mobile Configuration Profiles for ios Devices Technical Note Mobile Configuration Profiles for ios Devices Technical Note Mobile Configuration Profiles for ios Devices Technical Note December 10, 2013 04-502-197517-20131210 Copyright 2013 Fortinet, Inc. All rights

More information

EView/400i Management Pack for Systems Center Operations Manager (SCOM)

EView/400i Management Pack for Systems Center Operations Manager (SCOM) EView/400i Management Pack for Systems Center Operations Manager (SCOM) Concepts Guide Version 6.3 November 2012 Legal Notices Warranty EView Technology makes no warranty of any kind with regard to this

More information

Dell Statistica Document Management System (SDMS) Installation Instructions

Dell Statistica Document Management System (SDMS) Installation Instructions Dell Statistica Document Management System (SDMS) Installation Instructions 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Netwrix Auditor. Administrator's Guide. Version: 7.1 10/30/2015

Netwrix Auditor. Administrator's Guide. Version: 7.1 10/30/2015 Netwrix Auditor Administrator's Guide Version: 7.1 10/30/2015 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix Corporation

More information

PROMISE ARRAY MANAGEMENT (PAM) for

PROMISE ARRAY MANAGEMENT (PAM) for PROMISE ARRAY MANAGEMENT (PAM) for FastTrak SX4030, SX4060 and S150 SX4-M User Manual Version 1.1 PAM for FastTrak SX4030, SX4060 and S150 SX4-M User Manual Copyright 2004 Promise Technology, Inc. All

More information

VERITAS NetBackup 6.0

VERITAS NetBackup 6.0 VERITAS NetBackup 6.0 Backup, Archive, and Restore Getting Started Guide for UNIX, Windows, and Linux N15278C September 2005 Disclaimer The information contained in this publication is subject to change

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Configure Outbound Web Services 7.13.7 Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as is," and is subject

More information

Attix5 Pro Server Edition

Attix5 Pro Server Edition Attix5 Pro Server Edition V7.0.3 User Manual for Linux and Unix operating systems Your guide to protecting data with Attix5 Pro Server Edition. Copyright notice and proprietary information All rights reserved.

More information

Novell ZENworks 10 Configuration Management SP3

Novell ZENworks 10 Configuration Management SP3 AUTHORIZED DOCUMENTATION Software Distribution Reference Novell ZENworks 10 Configuration Management SP3 10.3 November 17, 2011 www.novell.com Legal Notices Novell, Inc., makes no representations or warranties

More information

[The BSD License] Copyright (c) 2004-2011 Jaroslaw Kowalski [email protected]

[The BSD License] Copyright (c) 2004-2011 Jaroslaw Kowalski jaak@jkowalski.net Software used by portions of this application require the following license statement: [The BSD License] Copyright (c) 2004-2011 Jaroslaw Kowalski [email protected] All rights reserved. Redistribution

More information

SolarWinds Migrating SolarWinds NPM Technical Reference

SolarWinds Migrating SolarWinds NPM Technical Reference SolarWinds Migrating SolarWinds NPM Technical Reference Copyright 1995-2015 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified,

More information

Android App User Guide

Android App User Guide www.novell.com/documentation Android App User Guide ZENworks Mobile Management 2.7.x August 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

Heroix Longitude Quick Start Guide V7.1

Heroix Longitude Quick Start Guide V7.1 Heroix Longitude Quick Start Guide V7.1 Copyright 2011 Heroix 165 Bay State Drive Braintree, MA 02184 Tel: 800-229-6500 / 781-848-1701 Fax: 781-843-3472 Email: [email protected] Notice Heroix provides

More information

WatchDox for Windows. User Guide. Version 3.9.5

WatchDox for Windows. User Guide. Version 3.9.5 WatchDox for Windows User Guide Version 3.9.5 Notice Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to

More information

Software Distribution Reference

Software Distribution Reference www.novell.com/documentation Software Distribution Reference ZENworks 11 Support Pack 3 July 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use

More information

User Guide. DocAve Lotus Notes Migrator for Microsoft Exchange 1.1. Using the DocAve Notes Migrator for Exchange to Perform a Basic Migration

User Guide. DocAve Lotus Notes Migrator for Microsoft Exchange 1.1. Using the DocAve Notes Migrator for Exchange to Perform a Basic Migration User Guide DocAve Lotus Notes Migrator for Microsoft Exchange 1.1 Using the DocAve Notes Migrator for Exchange to Perform a Basic Migration This document is intended for anyone wishing to familiarize themselves

More information

Administration Quick Start

Administration Quick Start www.novell.com/documentation Administration Quick Start ZENworks 11 Support Pack 3 February 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

Version 4.61 or Later. Copyright 2013 Interactive Financial Solutions, Inc. All Rights Reserved. ProviderPro Network Administration Guide.

Version 4.61 or Later. Copyright 2013 Interactive Financial Solutions, Inc. All Rights Reserved. ProviderPro Network Administration Guide. Version 4.61 or Later Copyright 2013 Interactive Financial Solutions, Inc. All Rights Reserved. ProviderPro Network Administration Guide. This manual, as well as the software described in it, is furnished

More information

Attix5 Pro Server Edition

Attix5 Pro Server Edition Attix5 Pro Server Edition V7.0.2 User Manual for Mac OS X Your guide to protecting data with Attix5 Pro Server Edition. Copyright notice and proprietary information All rights reserved. Attix5, 2013 Trademarks

More information