Compliant Product - Splunk Enterprise Version 7.3
Certificate Date: 2020.01.27
Validation Report Number: CCEVS-VR-VID11016-2020
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.2
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
Splunk Enterprise collects system-generated data from various types of platform systems and aggregates it in a centralized location for real-time visibility and analysis of system behavior. Additional operational behavior depends on whether the TOE has been configured to use the indexer or the forwarder functionality. The indexer functionality is responsible for receiving data over HTTPS/TLS from trusted external sources such as databases, web services, and one or more additional instances of Splunk configured with the forwarder functionality enabled. The forwarder functionality, by contrast, is responsible for transmitting the system-generated data over HTTPS/TLS to an external trusted entity such as an additional instance of Splunk configured with the indexer functionality enabled.
The Target of Evaluation (TOE) is the Splunk Enterprise 7.3 (“Splunk”) application executing on a Linux operating system (OS). While the product vendor provides multiple versions of the product, only the full Linux version of Splunk Enterprise 7.3, operating on Red Hat Enterprise Linux (RHEL), is considered to be the TOE – other product versions or platforms were not evaluated, and no security claims are made for them.
In the evaluated configuration, Splunk Enterprise 7.3 is installed on top of the RHEL OS and configured with either the indexer or forwarder functionality enabled. The administrative interfaces include a local CLI and a web UI for remote access. The TOE is configured to securely communicate with the following external IT entities: SMTP server (TOE is TLS client only), external trusted data feed (TOE is TLS server), and an external trusted data feed receiver (TOE is TLS client). All claimed PP related functionality is contained whether Splunk is configured as an indexer or a forwarder.
The following list identifies the components and applications in the environment that the TOE relies upon in order to function properly:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Splunk Enterprise 7.3 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Splunk Enterprise 7.3 Security Target Version 1.2, January 23, 2020. The evaluation underwent CCEVS Validator review. The evaluation was completed in January 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11016-2020, prepared by CCEVS.
The TOE software includes OpenSSL which performs the TOE’s cryptographic operations required to support the establishment of trusted channels and paths to protect data in transit. As an application on an operating system, the TOE interfaces with the operating system’s key storage to securely store key data related to secure communications. The TOE also relies on the underlying platform to generate entropy that is used as input data for the TOE’s deterministic random bit generator (DRBG).
User Data Protection
In the evaluated configuration, the TOE will reside on an encrypted disk partition on the underlying platform to secure its data at rest. The TOE protects data stored on the underlying platform by minimizing its use of platform resources. Specifically, the TOE only requires the use of the underlying platform’s network connectivity for administrative activities, email alerts, and the receipt and transmission of non-TSF related data from/to external trusted data feeds.
In order to facilitate secure communications using HTTPS/TLS, the TOE provides a mechanism to validate X.509 certificates. While the HTTPS/TLS implementation will automatically reject a certificate if it is found to be invalid, a certificate with unknown revocation status (because the TSF is unable to read the CRL) is accepted.
The TOE does not provide any default credential used for initial authentication. The files and directories that comprise the TOE are protected against unauthorized access by only permitting write access to the user that performed the installation. The TOE uses the underlying platform’s recommended methods for storing and setting configuration options. The TOE also provides the security administrators with the ability to configure the supported TLS cipher suites of the trusted channels and query the existing TOE software version.
The TOE ensures the privacy of its security administrators and users by not providing any capability to transmit personally identifiable information (PII) over the network.
Protection of the TSF
The TOE protects against exploitation by implementing address space layout randomization (ASLR) and by allocating memory that is both writable and executable only for just-in-time (JIT) compilation. The TOE is also compatible with SELinux and is compiled with stack-based buffer overflow protection. It also prevents the writing of user-modifiable files to directories that contain executable files.
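Two of the properties claimed above can be checked directly on an installed binary: ASLR only applies to an executable built as position-independent (ELF type ET_DYN), and a non-executable stack is expressed by the PT_GNU_STACK program header lacking the execute flag. The following checker is an added example, not code from Splunk or the evaluation lab; the minimal ELF images it inspects are constructed inline, and `check_elf` can be pointed at the bytes of any real ELF64 file on the platform.

```python
"""Inspect an ELF64 image for PIE (ASLR-capable) and a non-executable stack."""
import struct

ET_EXEC = 2              # fixed-address executable: not relocatable, no ASLR for the image
ET_DYN = 3               # position-independent executable (or shared object)
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_elf64(data: bytes) -> dict:
    """Return e_type and the (p_type, p_flags) pairs of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    # Fixed header offsets: e_type @16, e_phoff @32, e_phentsize @54, e_phnum @56
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)  # first two phdr fields
        phdrs.append((p_type, p_flags))
    return {"e_type": e_type, "phdrs": phdrs}


def check_elf(data: bytes) -> dict:
    """Report whether the image is PIE and whether its stack is marked non-executable."""
    info = parse_elf64(data)
    pie = info["e_type"] == ET_DYN
    stack_flags = [f for t, f in info["phdrs"] if t == PT_GNU_STACK]
    # No PT_GNU_STACK header at all means the loader falls back to an executable stack,
    # so the absence of the header is treated as a failure, not as "unknown".
    nx_stack = bool(stack_flags) and not (stack_flags[0] & PF_X)
    return {"pie": pie, "nx_stack": nx_stack}


def build_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal ELF64 image: a 64-byte header plus one PT_GNU_STACK phdr."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, LE, version 1
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags
    # e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return header + phdr


if __name__ == "__main__":
    print(check_elf(build_sample_elf(ET_DYN, PF_R | PF_W)))   # hardened build
    print(check_elf(build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X)))
```

The check is a necessary but not sufficient condition: a PIE binary still needs the platform's ASLR enabled, and stack canaries (the "stack-based buffer overflow protection" claimed above) have to be confirmed separately, for example by looking for a reference to `__stack_chk_fail` in the binary's dynamic symbols.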
The TOE uses standard platform APIs and includes only the third-party libraries it needs to perform its functionality. The TOE version can be checked either through its management interfaces or through the underlying platform’s package manager. Updates must be manually downloaded to the platform’s file system and installed using the platform’s package manager. In the evaluated configuration, the security administrator will download and install a public key from the TOE’s developer that is installed into the package manager and used to verify the integrity of any updates to the TOE.
The TOE protects all data in transit using HTTPS over TLS or standalone TLS. HTTPS/TLS is used to secure remote administration using the web UI. The TOE, acting as an indexer, uses TLS to securely send alerts to a remote SMTP server in the Operational Environment. HTTPS/TLS is used to secure communications between the TOE indexer and external trusted data feeds. Additionally, the TOE forwarder requires the use of HTTPS/TLS to secure communications when transmitting data to an external trusted data feed receiver.