Compliant Product - Splunk Enterprise 6.4.5

Certificate Date:  2017.03.22

Validation Report Number:  CCEVS-VR-VID10807-2017

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.2

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

  • CC Certificate [PDF]
  • Security Target [PDF]
  • Validation Report [PDF]
  • Assurance Activity [PDF]
  • Administrative Guide [PDF]

Product Description

The TOE is Splunk Enterprise 6.4.5, an application that runs on an operating system. Each TOE instance is a self-contained installation of Splunk Enterprise 6.4.5; in the evaluated configuration, two or more instances are deployed and communicate with each other. One instance serves as an indexer, responsible for aggregating non-TSF system-generated data, and one or more instances are configured as forwarders, each responsible for collecting non-TSF system-generated data on its underlying OS platform.

The logical boundary of the TOE includes only the security functionality defined by the claimed Protection Profile: cryptography, user data protection, identification and authentication (I&A), security management, privacy, self-protection, and trusted path/channel functionality.

Evaluated Configuration

The TOE is Splunk Enterprise 6.4.5 (“Splunk”) software, which includes the Splunkd process and the Splunk Web and Splunk CLI administrative interfaces.

The following list contains the components and applications in the Operational Environment that the TOE relies on in order to function properly:

  • Host Platform(s) – A general-purpose computer on which the TOE is installed. In the evaluated configuration, at least two host platforms are used. The minimum system requirements for the host platforms in the evaluated configuration are:
    • Red Hat Enterprise Linux 6.5, 64 bit
    • 2x six-core, 2 GHz CPU (Intel Xeon x64)
    • 12 GB RAM
    • RAID 0 or 1+0
    • 5 GB of free disk space
  • Management Workstation – Any general-purpose computer that is used by an administrator to manage the TOE remotely via a web browser. Note that the host platform can also be used to administer the TOE locally.
  • SMTP Server – An email server that can receive alerts from the TOE and distribute them to users in the Operational Environment via email.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Splunk was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions in the preparative guidance, satisfies all of the security functional requirements stated in the Splunk Enterprise 6.4.5 Security Target Version 1.0. The evaluation underwent CCEVS Validator review and was completed in March 2017. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (CCEVS-VR-VID10807-2017, dated 22 March 2017) prepared by CCEVS.

Environmental Strengths

Cryptographic Support

The TOE uses NIST-validated cryptographic algorithm implementations to support the establishment of trusted channels and paths to protect data in transit. In the evaluated configuration, the TOE will act as a server for TLS/HTTPS to facilitate trusted remote communications. As an application on an operating system, the TOE interfaces with the operating system’s key storage to securely store key data related to secure communications. The TOE also relies on the underlying platform to generate entropy that is used as input data for the TOE’s deterministic random bit generator (DRBG).

User Data Protection

In the evaluated configuration, the TOE will reside on an encrypted disk partition on the underlying platform to secure its data at rest. The TOE protects data stored on the underlying platform by minimizing its use of platform resources. Specifically, the TOE will only use the underlying platform’s network connectivity for administrative activities, email alerts that are generated with user approval, and administratively-configured transmission of system generated data from a forwarder instance of Splunk to an indexer.

Identification and Authentication

In order to facilitate secure communications using HTTPS, the TOE provides a mechanism to validate X.509 certificates. The TOE uses a CRL to check certificate expiration status but will permit certificates to be used (with a warning) when the CRL is unavailable.

Security Management

The TOE provides a default credential for initial authentication, which must be reset before any other TSF-mediated action is authorized. The files and directories that make up the TOE are protected against unauthorized access by granting write access only to the user that performed the installation.

The TOE provides several security-relevant management functions. Specifically, the TOE has the ability to configure how information about the underlying platform is transmitted over the network. The TOE also provides administrators with the ability to configure the behavior of the TLS/HTTPS trusted channel. Any changes to the TOE’s configuration will be logged.

Privacy
The TOE ensures the privacy of its administrators and users by not providing any ability to transmit personally identifiable information (PII) over the network.

Protection of the TSF

The TOE protects against exploitation by implementing address space layout randomization (ASLR) and by allocating memory that is both writable and executable only for just-in-time (JIT) compilation. The TOE is also compatible with SELinux and is compiled with stack-based buffer overflow protection. It also prevents user-modifiable files from being written to directories that contain executable files.

The TOE uses standard platform APIs and includes only the third-party libraries it needs to perform its functionality. The TOE version can be checked either through its management interfaces or through the underlying platform’s package manager. Updates must be manually downloaded to the platform’s file system and installed using the platform’s package manager. In the evaluated configuration, the administrator downloads a public key from the TOE’s developer and imports it into the package manager, which uses it to verify the integrity of any update to the TOE before installation.
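The update-verification step above, as an added example that is not part of the NIAP listing or Splunk's own documentation. It assumes the RHEL host platform's `rpm` package manager and that the administrator has already saved the developer's public key to a file; the `rpm --checksig` output lines used for illustration are constructed samples.

```shell
#!/bin/sh
# Added example: accept an update package only when its signature verifies
# against a key imported into the platform package manager.
# Assumes an RHEL host with rpm; KEY_FILE and the package path are supplied
# by the administrator. No real Splunk key or package is embedded here.

# Classify one line of `rpm --checksig` (`rpm -K`) output.
# Returns 0 only when the package carries a signature that verified against
# an imported key. A bare "md5 OK" / "digests OK" line means the file is
# merely intact (checksums match), not that it came from the developer, so
# it is rejected as well.
checksig_is_trusted() {
    line="$1"
    case "$line" in
        *"NOT OK"*) return 1 ;;   # signature present but failed or key missing
        *"OK"*) : ;;              # something verified; decide below what
        *) return 1 ;;            # no verdict at all
    esac
    lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
    case "$lower" in
        *pgp*|*gpg*|*signatures*) return 0 ;;   # a signature was checked
        *) return 1 ;;                           # digests only, unsigned
    esac
}

# Import the developer's key (idempotent), then install the package only if
# checksig_is_trusted accepts the verification result.
install_verified_update() {
    key_file="$1"; pkg="$2"
    rpm --import "$key_file" || return 2
    out=$(rpm --checksig "$pkg") || true   # verdict is in the text, not the exit code alone
    if checksig_is_trusted "$out"; then
        rpm -Uvh "$pkg"
    else
        echo "refusing to install $pkg: $out" >&2
        return 1
    fi
}
```

Run `install_verified_update /path/to/developer-key.asc /path/to/update.rpm` as the installing user; an unsigned or wrongly signed package is refused before `rpm -Uvh` is ever reached.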

Trusted Path/Channels

The TOE protects all data in transit using HTTPS over TLS or standalone TLS. The TLS/HTTPS protocol secures remote administration through the web GUI and can also be used to securely send alerts to a remote SMTP server in the Operational Environment. Standalone TLS secures communications between separate instances of Splunk, where the forwarder instance(s) act as the client and the indexer acts as the server.

Vendor Information

Splunk Inc.
Thomas Chimento