CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide 

The TOE is the Splunk Enterprise 9.0.4 (“Splunk”) application executing on a Linux OS. In the evaluated configuration, Splunk Enterprise 9.0.4 is installed on top of the RHEL OS 8.2 and 7.9. The TOE was configured with either the indexer or the forwarder functionality enabled. The administrative interfaces include a local CLI and a web UI for remote access.

The TOE indexer was configured to securely communicate with the following external IT entities: SMTP server (TOE acts as client only), external a trusted data feed (TOE acts as server), and a management workstation (TOE acts as server). The external trusted data feed was an instantiation of Splunk software configured as a forwarder and is considered part of the operational environment for the TOE indexer.

The TOE forwarder was configured to securely communicate with the following external IT entities: external a trusted data receiver (TOE acts as client). The external trusted data feed receiver was an instantiation of Splunk software configured as an indexer and is considered part of the operating environment for the TOE forwarder.

In its evaluated configuration, the TOE is configured to directly communicate with the following environment components:

• Host Platform:     A general-purpose computer on which the Linux operating system and the TOE is installed. The TOE requires network resources from the host platform. Note that the host platform can also be used to administer the TOE locally.
• Management Workstation: Any general-purpose computer that is used by a security administrator to manage the TOE remotely via a web browser.
• SMTP Server:      An email server that can receive alerts from the TOE and deliver them to users in the Operational Environment via email.
• External Trusted Data Feed: External data source for transmitting non-TSF related data to the TOE indexer for populating Splunk’s datastore (indexes). The external data source must use HTTPS/TLS to communicate with the TOE.
• External Trusted Data Feed Receiver: External data source for receiving non-TSF related data from the TOE forwarder. The external data source must use HTTPS/TLS to communicate with the TOE.
• CRL Distribution Point: A server that provides updated revocation lists for the TOE’s certificate validation functionality.

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Splunk Enterprise 9.0.4 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Splunk Enterprise 9.0.4 Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in March 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11330-2023 prepared by CCEVS.

Cryptographic Support

The TOE software includes OpenSSL which performs the TOE’s cryptographic operations required to support the establishment of trusted channels and paths to protect data in transit. As an application on an operating system, the TOE interfaces with the operating system’s key storage to securely store key data related to secure communications. The TOE also relies on the underlying platform to generate entropy that is used as input data for the TOE’s deterministic random bit generator (DRBG).

User Data Protection

In the evaluated configuration, the TOE will reside on an encrypted disk partition on the underlying platform to secure its data at rest. The TOE protects data stored on the underlying platform by minimizing its use of platform resources. Specifically, the TOE only requires the use of the underlying platform’s network connectivity for administrative activities, email alerts, receipt and transmission of non-TSF related data from/to external trusted data feeds.

Identification and Authentication

In order to facilitate secure communications using HTTPS/TLS, the TOE provides a mechanism to validate X.509 certificates. While the HTTPS/TLS implementation will automatically reject a certificate if it is found to be invalid, a certificate with unknown revocation status is accepted.

Security Management

The TOE does not provide any default credentials for use with initial authentication and requires the security administrator to define their username and password during installation. The files and directories that comprise the TOE are protected against unauthorized access by only permitting write access to the user that performed the installation. The TOE uses the underlying platform’s recommended methods for storing and setting configuration options. The TOE also provides the security administrators with the ability to configure the supported TLS cipher suites of the trusted channels and query the existing TOE software version.

Privacy

The TOE ensures the privacy of its security administrators and users by not providing any capability to transmit personally identifiable information (PII) over the network.

Protection of the TSF

The TOE protects against exploitation by implementing address space layout randomization (ASLR) and not allocating any memory region with both write and execute permissions. The TOE is also compatible with SELinux and is built with stack-based buffer overflow protection. It also prevents the writing of user-modifiable files to directories that contain executable files.

The TOE uses standard platform APIs and includes only the third-party libraries it needs to perform its functionality. The TOE version can be checked either through its management interfaces or through the underlying platform’s package manager. The TOE is also versioned with SWID tags. The TOE’s initial installation package and software updates must be manually downloaded to the platform’s file system and installed using the platform’s package manager. In the evaluated configuration, the security administrator will download and install a public key from the TOE’s developer that is installed into the package manager and used to verify the integrity of the TOE package prior to installation.

Trusted Path/Channels

The TOE protects all data in transit using HTTPS over TLS or standalone TLS. HTTPS/TLS protocol is used to secure remote administration using the web UI. The TOE, acting as an indexer, uses TLS to securely send alerts to a remote SMTP server in the Operational Environment. HTTPS/TLS is used to secure communications between the TOE operating as an indexer and external trusted data feeds. Additionally, the TOE operating as a forwarder requires the use of HTTPS/TLS to secure communications for transmitting data to an external trusts data feed receiver.

Vendor Information