Compliant Product - MarkLogic Server Enterprise Edition Version 4.0
Certificate Date: 15 July 2010
Validation Report Number: CCEVS-VR-VID10306-2010
Product Type: DBMS
Conformance Claim: EAL3 Augmented with ALC_FLR.3
CC Testing Lab: SAIC Common Criteria Testing Laboratory
MarkLogic Server is an enterprise-class database or “contentbase” that provides a set of services used to build both content and search applications which query, manipulate and render Extensible Markup Language (XML) content.
The MarkLogic Server TOE is built with a blend of search engine and database architecture approaches specifically designed to index and retrieve XML content. The TOE’s native data format is XML and XML is accepted in an ‘as is’ form, while content in other formats can be converted to an XML representation or stored as is (in binary or text formats) when loaded into the server. As an XML content server, it manages its own content repository and is accessed using the W3C standard XQuery language, just as a relational database is a specialized server that manages its own repository and is accessed through Structured Query Language (SQL).
The TOE is fully transactional, runs in a distributed environment and can scale to terabytes of indexed content. It is schema independent and all loaded documents can be immediately queried without normalizing the data in advance. Like a relational database, it provides developers with the functionality and programmability, using XQuery as its query language, to build content-centric applications. Developers build applications using XQuery both to search the content and as a programming language in which to develop applications. It is possible to create entire applications using only MarkLogic Server, and programmed entirely in XQuery.
The security management functions of the TOE are performed via the Admin Interface, which is a web-based browser GUI implemented as a MarkLogic Server web application. This interface allows authorized administrators to manage audit events, user accounts, access control and TOE sessions. It also provides the ability to control the creation, management, and configuration of databases, forests, servers, and hosts. Documents are stored in forests. The name “forest” comes from the fact that XML documents are tree structures and a collection of trees is a forest. One or more forests are gathered together to form a database. Databases are logical units against which you can assign HTTP and XDBC servers and set various runtime configuration options. A host is a single instance of MarkLogic Server running on a single machine. Databases exist as a logical abstraction because in a distributed environment it can be useful to have the same logical database spread across different hosts, perhaps one host with two forests and another with three.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the MarkLogic Server Enterprise Edition 4.0 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2, September 2007. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 2, September 2007. In addition, the TOE is further conformant to the following Protection Profile (PP): the U.S. Government Protection Profile for Database Management Systems in Basic Robustness Environments, Version 1.2, July 25, 2007. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL3 augmented with the ALC_FLR.3 family of assurance requirements. The product, when configured as specified in the MarkLogic Server Installation Guide for All Platforms, MarkLogic Server Administrator’s Guide, and MarkLogic Common Criteria Evaluated Configuration Guide, satisfies all of the security functional requirements stated in the MarkLogic Server Enterprise Edition 4.0 Security Target, Version 1.0, June 29, 2010. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in June 2010. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10306-2010, dated 15 July 2010.
Mark Logic has elected to pursue a more rigorous assurance level, increased from EAL2 as specified in the DBMS PP to EAL3, as specified in section 1.2 of this ST. EAL3 was selected as the assurance level because the TOE is a commercial product whose users require a moderate to high level of independently assured security. The TOE is targeted at a relatively benign environment with good physical access security and competent administrators. Within such environments it is assumed that attackers will have little attack potential. MarkLogic Server Enterprise Edition, Version 4.0 supports the following six security functions:
Security Audit: The TOE generates audit records that include date and time of the event, subject identity and outcome for security events. The TOE provides authorized administrators with the ability to include and exclude auditable events based on group identity, event type, object identity and success and failure of auditable security events. When appropriate, the TOE also associates audit events with the identity of the user that caused the event. The IT environment stores the audit records and also provides the system clock information that is used by the TOE to timestamp each audit record.
User Data Protection: The TOE enforces a Discretionary Access Control (DAC) policy which restricts access to DBMS-controlled object(s). Users of the TOE are identified and authenticated by the TOE before any access to the system is granted. Once access to the system is granted, authorization provides the mechanism to control what functions a user is allowed to perform based on the user’s group membership. Access to all DBMS-controlled objects is denied unless access, based on group membership, is explicitly allowed. The authorized administrator role shall be able to bypass the DAC policy. The TOE also provides amplifications or “amps” which temporarily grant roles to a user only for the execution of a specific function. Therefore, the DAC policy can also be bypassed by a user who is temporarily granted the authorized administrator role in order to perform a specific “amped” function. The TOE also ensures that any previous information content of a resource is made unavailable upon the allocation of the resource to an object. Memory or disk space is only allocated when the size of the new data is first known, so that all previous data is overwritten by the new data.
Identification and Authentication: The TOE requires users to provide unique identification and authentication data before any access to the system is granted and further restricts access to DBMS-controlled objects based on group membership. The TOE maintains the following security attributes belonging to individual users: group membership, security-relevant database role and password. The TOE uses these attributes to determine access.
Security Management: The security functions of the TOE are managed by authorized administrators via the web-based Admin Interface. The TOE defines the security role of ‘authorized administrator’. Authorized administrators perform all security functions of the TOE, including managing audit events, user accounts, access control and TOE sessions.
Protection of the TSF: The TOE provides protection mechanisms for its security functions. One of the protection mechanisms is that users must authenticate and have the appropriate permissions before any administrative operations or access to TOE data and resources can be performed on the system. The TOE also maintains a security domain that protects it from interference and tampering by untrusted subjects within the TOE scope of control. Additionally, the TOE ensures that TSF data is consistent between parts of the TOE with a mechanism that brings inconsistent data into a consistent state.
TOE Access: The TOE restricts the maximum number of concurrent sessions that belong to the same user by enforcing an administrator configurable number of sessions per user. The TOE also denies session establishment based on attributes that can be set explicitly by authorized administrators including group identity, time of day and day of week. Upon successful session establishment, the TOE stores and retrieves the date and time of the last successful session establishment to the user. It also stores and retrieves the date and time of the last unsuccessful session establishment and the number of unsuccessful attempts since the last successful session establishment.