NIAP: Compliant Product
Compliant Product - BeyondTrust PowerBroker ® UNIX® + Linux® Edition V9.1

Certificate Date:  2016.08.30

Validation Report Number:  CCEVS-VR-VID10691-2016

Product Type:
  - Network Access Control
  - Network Management
  - Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:
  - Protection Profile for Enterprise Security Management - Access Control, Version 2.1
  - Protection Profile for Enterprise Security Management - Policy Management, Version 2.1

CC Testing Lab:  Leidos Common Criteria Testing Laboratory

Maintenance Releases:
  - CC Certificate [PDF]
  - Security Target [PDF] *
  - Validation Report [PDF]
  - Assurance Activity [PDF]
  - Administrative Guide [PDF]

* This is the Security Target (ST) associated with the latest Maintenance Release. Previous STs for this TOE are also available.

Product Description

BeyondTrust PowerBroker is an Enterprise Security Management product that provides the capability to delegate access to operating system functions available to specific privileged accounts (e.g., 'root') and to offer those functions in a controlled and granular fashion to other specific and suitably trusted users. PowerBroker is a software-only product suite that runs on numerous UNIX and Linux operating systems without modifying the kernel. It provides both Enterprise Security Policy Management and Access Control functions, which include access control policy management and enforcement, protection of communication channels, reliance on enterprise authentication, and auditing of security-relevant events. To achieve this, the PowerBroker security policy is consulted each time the user attempts to run a privileged command through PowerBroker. The product provides two mechanisms through which this can be accomplished: the pbrun command and the PB Shells.


Evaluated Configuration

PowerBroker is a software-only product suite that runs on numerous UNIX and Linux operating systems without modifying the kernel. The purpose of the product is to act as the "broker" between the user and the privileged operations on the system. To achieve this, the PowerBroker security policy is consulted each time the user attempts to run a privileged command through PowerBroker. The product provides two mechanisms through which this can be accomplished: the pbrun command and the PB Shells.

The following hardware and software components were included in the evaluated configuration during testing:

- TOE Components
  - PowerBroker UNIX + Linux v9.1 running on the following platforms:
    - HP-UX 11i v3
    - Solaris 11
    - AIX v6.1
    - Ubuntu 14.4
- Non-TOE Components
  - Test client used for administration
  - Server 2008 running Active Directory for LDAP communication
  - RADIUS server
  - OpenSSL FIPS Object Module SE v2.0.12, CMVP #2398


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the BeyondTrust PowerBroker UNIX® + Linux® Edition V9.1 was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. The product, when delivered and configured as identified in the PowerBroker for Unix & Linux Common Criteria Supplementary Guide, satisfies all of the security functional requirements stated in the BeyondTrust PowerBroker UNIX® + Linux® Edition V9.1 Security Target, Version 1.0, 3 August 2016. The project underwent CCEVS Validator review. The evaluation was completed in August 2016. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

Enterprise Security Management

The TOE provides the ability to define access control policies for consumption by a compatible Access Control product, which in this case is the TOE itself. Access control policies consist of subjects, objects, and attributes, and each policy is uniquely identified. The TOE ensures that policies are available to the TOE's Access Control component immediately following creation of a new or updated policy.

The TOE relies on the Linux/UNIX host, Lightweight Directory Access Protocol (LDAP), Remote Authentication Dial-In User Service (RADIUS), and optionally Pluggable Authentication Modules (PAM) in the operational environment for subject identification and authentication, and requires each subject to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that subject.

Security Audit

The TOE is designed to generate logs for security-relevant events, including the events specified in the ESM PPs. The TOE can be configured to store the logs locally. The audit records identify the date/time, event type, outcome of the event, and the responsible subject/user.

Selective audit capability is exercised by the Policy Management portion of the TOE, which configures the access-control-related auditing functions by Administrator-defined policy variables and by event type.

The TOE transmits audit records to TOE-internal storage and uses TLS for distributed communications. The TOE protects the stored audit records in the TOE-internal audit trail from unauthorized deletion and modification. The cryptographic algorithms used in TLS are provided by the FIPS-validated OpenSSL modules in the operational environment.

Communication

The TOE is both a Policy Management and Access Control product in which policies are centralized and never transmitted. Policies are defined on a Master Host and become available immediately when saved. The policy files never leave this location or otherwise traverse the TOE or leave the TOE. The administrator can verify the existence of a policy by performing a policy lookup using the policy file name, and can verify the location (Master Host) of the policy by viewing the Master Host field/attribute.

User Data Protection

The TOE controls access to commands that have been defined to be controlled on target hosts. The TOE's self-protection Security Function Policy restricts access to objects residing in the Operational Environment that affect the TOE's behavior.

Identification and Authentication

The TOE associates the uid and gid user security attributes with subjects acting on behalf of a user. The TOE uses an external LDAP or RADIUS server to authenticate users and enforces the result. The TOE determines the uid from the credentials presented at authentication and associates the gid retrieved from the authentication server with the corresponding uid.

Security Management

The TOE provides administrative functions through a command line interface (CLI) and a graphical user interface (GUI), which give access to the management functions and allow administrators to change their own passwords. Security management commands are limited to authenticated users with root access. The TOE provides the AdminUser role, which provides root access.

The TOE also provides the ability for the Policy Management components to manage the Access Control components of the TOE. The TOE components must be configured to communicate with one another using TLS or HTTPS, and as such can trust one another. The default values for security attributes used in the access control policies are restrictive, and the Policy Management component can change these defaults. The TOE's policy management engine defines an unambiguous hierarchical method of implementing a policy such that no contradictions occur.

Protection of the TSF

The TOE uses external Identity and Credential Management products to define its administrator authentication data; the TOE does not store or cache that data. The TOE does not offer any function that would disclose a stored cryptographic key to any user, and all keys are stored encrypted using AES-256.

Should the TOE or a TOE component encounter a failure state, all access control requests are denied. The TOE is both an Access Control and Policy Management product. If the TOE is in a failed state, no access control requests or decisions can be made. Policies are defined in a central location and are never transmitted. The TOE detects replay attacks against secured tasks and rejects the secured task when replay is detected. The TOE relies on the implementation of TLS in the operational environment to provide secure transmission, including replay detection, of secured tasks.

Resource Utilization

The TOE is both an Access Control and Policy Management product. The most recent policy will always be enforced, even in the event of a TOE failure. Should the TOE experience a failure, no access control is permitted until the system comes back up. Policies are defined and enforced on the same component, so it is not possible to lose communication during a policy transmission.

Trusted Path/Channels

The TOE protects interactive communication with remote administrators using HTTP over TLS. TLS protects the data against both modification and disclosure.

The TOE protects communication with external LDAP servers and internal distributed TOE components using TLS connections to prevent unintended disclosure or modification of the transferred data.

The TOE uses FIPS-capable OpenSSL v1.0.2a and requires FIPS mode to disable non-FIPS algorithms. Customers are instructed to choose their own validated FIPS Object Module and link it with the provided FIPS-capable OpenSSL v1.0.2a. The validated Object Module and the FIPS-capable OpenSSL are in the operational environment.


Vendor Information

BeyondTrust Software, Inc.
Rod Simmons
1-800-234-9072
1-480-405-9132
rsimmons@beyondtrust.com

www.beyondtrust.com