{"product_id":10389,"v_id":10389,"product_name":"LogRhythm 6.0.4","certification_status":"Not Certified","certification_date":"2012-11-30T00:11:00Z","tech_type":"Wireless Monitoring","vendor_id":{"name":"LogRhythm Inc.","website":"https://www.logrhythm.com"},"vendor_poc":"Emily Dobson","vendor_phone":"720-881-5348","vendor_email":"emily.dobson@logrhythm.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p>The Target of Evaluation (TOE) is LogRhythm 6.0.4 with Microsoft SQL Server 2008 R2 Enterprise Edition.&nbsp; The TOE collects, categorizes, identifies, and normalizes log data from log sources such as Windows events, syslog, flat file, NetFlow, sFlow, databases, and applications, and provides automated alerting capabilities.&nbsp; The TOE can detect security and compliance issues, such as anomalies in authentication activity, and brute force attacks on monitored servers.&nbsp;&nbsp;&nbsp;</p>\r\n<p>The TOE provides automated centralization of log collection, archival and recovery, automated reporting, forensic investigation abilities, anomaly and insider threat detection, turnkey appliance configuration, and a console management interface. 
Communications between the TOE components are protected by FIPS 140-2 validated TLSv1&mdash;each of the TOE components that contributes to a TLSv1 channel has been FIPS 140-2 validated.</p>\r\n<p>A deployment of LogRhythm consists of:</p>\r\n<ul>\r\n<li>one Event Manager (FIPS 140-2 certificate #1817)</li>\r\n<li>zero or more Advanced Intelligence Engine (AI Engine) Server(s) (FIPS 140-2 #1805)</li>\r\n<li>one or more Log Manager(s) (FIPS 140-2 #1808)</li>\r\n<li>one or more of the following System Monitor Agent(s), with Trace File Converter: \r\n<ul>\r\n<li>Windows System Monitor Agent (FIPS 140-2 #1806)</li>\r\n<li>UNIX System Monitor Agent (with OpenSSL FIPS Object Module, Software Version 1.2.3, FIPS 140-2 #1051, and OpenSSL FIPS Runtime Module, Software Version 1.2, FIPS 140-2 #1111)</li>\r\n</ul>\r\n</li>\r\n<li>one or more Console(s) (FIPS 140-2 #1807)</li>\r\n<li>one or more SQL Server instances (with Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH), FIPS 140-2 #1337).</li>\r\n</ul>\r\n<p>The Event Manager (EM) and Log Manager (LM) can reside on the same server for low-volume deployments, or on dedicated servers for high volume deployments. Each AI Engine Server is always a standalone server. An SQL Server instance resides on each Log Manager server and on the Event Manager server. The System Monitor Agents can be deployed on Windows, Linux, Solaris, HP-UX or AIX systems. The Console is a Windows application that runs on an administrator&rsquo;s workstation.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the LogRhythm TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2. 
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with ALC_FLR.2.&nbsp; The product, when delivered and configured as identified in the LogRhythm v6.0.4 Common Criteria Guide, satisfies all of the security functional requirements stated in the <em>LogRhythm Integrated Solution </em>Security Target, Version 1.1.</p>\r\n<p>A validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in March 2012. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10389-2012), prepared by CCEVS.</p>","environmental_strengths":"<p>LogRhythm 6.0.4 with Microsoft SQL Server 2008 R2 Enterprise Edition provides a low to moderate level of independently assured security in a conventional TOE and is suitable for a cooperative non-hostile environment with good physical access security and competent administrators.</p>\r\n<p>LogRhythm 6.0.4 with Microsoft SQL Server 2008 R2 Enterprise Edition supports the following security functions:</p>\r\n<ul>\r\n<li><strong>Security Audit</strong></li>\r\n</ul>\r\n<p class=\"Body\">The TOE recognizes the following events and is capable of collecting them:&nbsp; startup and shutdown of the TOE&rsquo;s auditing function; successful and unsuccessful attempts to read the audit records; access to the TOE, the log records collected by the TOE, and events identified by the TOE; all use of identification and authentication mechanisms; modifications in the behavior of the TOE security functions; modifications to the values of TSF data; and modifications to a user&rsquo;s security management role.</p>\r\n<p class=\"Body\">The TOE records 
the following for each audited event: the date and time of the event; the type of event; the subject identity; the outcome of the event; and other information specific to the event type. All security audit events are generated from the LogRhythm console. Other TOE components generate only operational and error logs.&nbsp;</p>\r\n<p class=\"Body\">The TOE provides an interface for authorized users to read audit records from the audit trail, and this interface is restricted to authorized roles.&nbsp; The TOE provides the ability to sort audit records on various fields in the audit data, and to include or exclude auditable events from the set of audited events based on &ldquo;event type&rdquo;. The TOE prevents unauthorized modification and deletion of the stored audit records by minimizing the available interfaces and restricting them to the authorized, authenticated administrator.&nbsp; In addition, the TOE prevents the loss of audit data in the event the space available for storing audit records is exhausted.</p>\r\n<p>The TOE is a software-only implementation and therefore relies on the operational environment to provide a reliable timestamp. Additionally, the audit logs are stored in the file system and therefore rely on the operational environment&rsquo;s file permission enforcement for their protection.</p>\r\n<ul>\r\n<li><strong>Identification and Authentication</strong></li>\r\n</ul>\r\n<p>LogRhythm requires all users to be identified and authenticated before accessing any TOE functionality through the Console.&nbsp; Users and roles are defined in the TOE, operating at the application layer.&nbsp; When a user logs in to the TOE, Windows Active Directory or the local Windows operating system authenticates the claimed user identity. Windows Active Directory and the local Windows operating system support both password and Common Access Card (CAC) credentials for user authentication. 
The TOE enforces the result.&nbsp; If authentication is successful then the application table is checked for the user&rsquo;s rights. If the user is not in the table then access is denied.</p>\r\n<ul>\r\n<li><strong>Security Management</strong></li>\r\n</ul>\r\n<p>The console provides the capability to manage the auditing, analysis and reaction functions. The management functions are restricted to administrative roles.</p>\r\n<p>The TOE comes with two pre-defined administrative roles: Global Admin and Global Analyst. The TOE supports a customer-defined Restricted Analyst role (that is, subset of the Global Analyst privileges). These roles, when assigned to users, provide varying levels of access to the TOE interfaces and functions.</p>\r\n<ul>\r\n<li><strong>Protection of the TSF</strong></li>\r\n</ul>\r\n<p>All communication channels between TOE components are protected by FIPS 140-2 certified TLSv1.&nbsp; The TOE supports both self-signed certificates and user-supplied certificates for establishing TLS-protected communication. This includes the following communication channels:</p>\r\n<ul>\r\n<li>Console to Server (Event Manager or Log Manager) communications</li>\r\n<li>System Monitor Agent to Log Manager communications</li>\r\n<li>Log Manager to AI Engine Server communications</li>\r\n<li>Log Manager to Event Manager communications</li>\r\n<li>AI Engine Server to Event Manager communications.</li>\r\n</ul>\r\n<p>The integrity of LogRhythm archives is protected by SHA-1 hashing and compression. Logs received by the Log Manager are stored in an archive, which is a file on the file system of the Log Manager that is subsequently hashed and compressed by the Mediator Service. This protection is provided to inactive archived files for use in verifying integrity during archive restoration and other operations. The collected logs are formatted as ASCII text strings and can be encrypted before forwarding across untrusted networks (e.g. Internet). 
Modification of the archived logs can be detected by rehashing and comparing the values. Note that the SHA-1 hash values are stored in the EM database. Because the hash is unkeyed, a modification goes undetected only if the attacker can also replace the corresponding hash value in the EM database; the check therefore protects archives on the Log Manager file system against parties who cannot write to that database. Timestamps are provided by the operational environment.&nbsp; The TOE normalizes time stamps to account for time zone differences.</p>\r\n<ul>\r\n<li><strong>IDS Component requirements</strong></li>\r\n</ul>\r\n<p>The System Monitor Agents are able to collect relevant information from multiple sources.&nbsp; The Log Manager performs analysis on the collected information by processing the data against known signatures. The Log Manager forwards log metadata to the AI Engine Server. The AI Engine Server can analyze sets of logs for more complex signatures. For example, together the Log Manager and AI Engine Server can detect security events/violations based on integrity checks and signature definitions. The Event Manager can take the appropriate action, such as writing the event to a log file or sending an alert to an administrator.&nbsp;</p>\r\n<p>The analyzer and system logs and events can be viewed from the Console.&nbsp; The TOE&rsquo;s layered architecture helps prevent loss of logs by providing administrative interfaces to configure database sizes and automatic purging scripts.</p>\r\n<p>Each log or event collected by the System Monitor Agent contains the date and time of the event (or log), subject identity, and the outcome of the event.&nbsp; In addition, some logs contain location, service, protocol information; source and destination addresses; and other information specific to the type of log collected.&nbsp;</p>\r\n<p>The System Monitor Agent is capable of collecting the following events:&nbsp; startup and shutdown; identification and authentication events; data accesses; service requests; network traffic; security configuration changes; data introduction; detected malicious code; access control configuration; service configuration; authentication configuration; accountability policy 
configuration; and detected known vulnerabilities.</p>\r\n<p>A syslog server is included in each System Monitor Agent however the operational environment may be required to provide additional syslog servers to support additional log sources.</p>","features":[]}
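The archive-integrity scheme described under "Protection of the TSF" (archive files on the Log Manager are SHA-1 hashed and compressed, the digests are kept in the EM database, and restoration rehashes and compares) modelled as an added example. This is illustrative code written for this page, not LogRhythm's Mediator Service; ArchiveStore, seal_archive, restore_archive, the two tamper functions and the sample log lines are assumptions, and the third scenario shows the limit of an unkeyed hash when the attacker can also write the stored digest.

```python
"""
Added example, not LogRhythm's code: a model of the archive-integrity scheme in
the listing (archive hashed with SHA-1 and compressed; digest held separately in
the EM database; restore rehashes and compares). ArchiveStore, seal_archive,
restore_archive, the tamper helpers and the sample log lines are inventions of
this example.
"""
import gzip
import hashlib
import hmac

# Constructed sample archive content; not real LogRhythm output.
SAMPLE_ARCHIVE = b"\n".join([
    b"2012-03-01T10:00:01Z host1 sshd[1201]: Failed password for root from 10.0.0.5 port 52211 ssh2",
    b"2012-03-01T10:00:04Z host1 sshd[1202]: Failed password for root from 10.0.0.5 port 52212 ssh2",
    b"2012-03-01T10:00:31Z host1 sshd[1206]: Accepted password for root from 10.0.0.5 port 52216 ssh2",
]) + b"\n"


def sha1_hex(data: bytes) -> str:
    """SHA-1 is what the evaluated product uses; here it is a checksum, not a MAC."""
    return hashlib.sha1(data).hexdigest()


def seal_archive(plain: bytes) -> tuple[bytes, str]:
    """Mediator-style sealing: hash the raw archive first, then compress it."""
    return gzip.compress(plain), sha1_hex(plain)


def restore_archive(compressed: bytes, expected_digest: str) -> tuple[bytes, bool]:
    """Decompress, rehash and compare against the digest recorded at archive time."""
    plain = gzip.decompress(compressed)
    return plain, hmac.compare_digest(sha1_hex(plain), expected_digest)


class ArchiveStore:
    """Stand-in for two separate trust domains: the Log Manager file system
    (compressed archives) and the EM database (their SHA-1 digests)."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}    # Log Manager file system
        self.digests: dict[str, str] = {}    # EM database

    def archive(self, name: str, plain: bytes) -> str:
        self.files[name], self.digests[name] = seal_archive(plain)
        return self.digests[name]

    def restore(self, name: str) -> tuple[bytes, bool]:
        return restore_archive(self.files[name], self.digests[name])


def tamper_file(store: ArchiveStore, name: str, old: bytes, new: bytes) -> None:
    """Attacker with write access to the archive files only."""
    plain = gzip.decompress(store.files[name]).replace(old, new)
    store.files[name] = gzip.compress(plain)


def tamper_file_and_db(store: ArchiveStore, name: str, old: bytes, new: bytes) -> None:
    """Attacker who can also rewrite the EM database row: an unkeyed hash cannot
    distinguish this from a legitimate archive, which is the scheme's limit."""
    tamper_file(store, name, old, new)
    store.digests[name] = sha1_hex(gzip.decompress(store.files[name]))


def demo() -> tuple[bool, bool, bool]:
    """Returns (clean restore ok, file-only tamper ok, file+db tamper ok)."""
    store = ArchiveStore()
    store.archive("lm1-2012-03-01", SAMPLE_ARCHIVE)
    _, clean_ok = store.restore("lm1-2012-03-01")

    tamper_file(store, "lm1-2012-03-01", b"Failed password for root", b"Accepted password for root")
    _, file_tamper_ok = store.restore("lm1-2012-03-01")

    store.archive("lm1-2012-03-02", SAMPLE_ARCHIVE)
    tamper_file_and_db(store, "lm1-2012-03-02", b"Failed", b"Accepted")
    _, db_tamper_ok = store.restore("lm1-2012-03-02")
    return clean_ok, file_tamper_ok, db_tamper_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The order matters: hashing the raw bytes before compression means the digest is independent of the compressor and its timestamps, so a later restore with a different gzip build still verifies. The third scenario is why the listing's note that hashes live in the EM database, not beside the archive, is the security-relevant detail: the check only holds for parties who cannot write to that database.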
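The two-stage analysis described under "IDS Component requirements" (per-line signature matching on the Log Manager, then analysis of sets of logs on the AI Engine) applied to the brute-force detection the product description mentions, as an added example. It is illustrative code written for this page, not LogRhythm's engine; the sshd-style sample lines, the rule names, the threshold and window values, and the normalize/correlate split are assumptions.

```python
"""
Added example, not LogRhythm's code: normalize() stands in for the Log Manager's
per-line signature matching and correlate() for the AI Engine's analysis of
sets of logs. Sample lines, rule names and threshold/window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines; not real LogRhythm or sshd output.
SAMPLE_LOGS = """\
2012-03-01T10:00:01Z host1 sshd[1201]: Failed password for root from 10.0.0.5 port 52211 ssh2
2012-03-01T10:00:04Z host1 sshd[1202]: Failed password for root from 10.0.0.5 port 52212 ssh2
2012-03-01T10:00:05Z host1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
2012-03-01T10:00:07Z host1 sshd[1203]: Failed password for admin from 10.0.0.5 port 52213 ssh2
2012-03-01T10:00:09Z host2 sshd[2101]: Failed password for root from 10.0.0.9 port 40001 ssh2
2012-03-01T10:00:10Z host1 sshd[1204]: Failed password for root from 10.0.0.5 port 52214 ssh2
2012-03-01T10:00:13Z host1 sshd[1205]: Failed password for root from 10.0.0.5 port 52215 ssh2
2012-03-01T10:00:20Z host2 sshd[2102]: Accepted password for alice from 10.0.0.9 port 40002 ssh2
2012-03-01T10:00:31Z host1 sshd[1206]: Accepted password for root from 10.0.0.5 port 52216 ssh2
"""

# Log Manager stage: one "signature" for sshd password authentication results.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def normalize(raw: str) -> list[dict]:
    """Match each line against the signature and emit normalized events;
    lines matching no signature (the CRON line) are dropped."""
    events = []
    for line in raw.splitlines():
        m = SSHD_AUTH.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "src": m["src"],
                       "user": m["user"], "result": m["result"]})
    events.sort(key=lambda e: e["ts"])  # correlation below assumes time order
    return events


def correlate(events: list[dict], threshold: int = 5, window_s: int = 60) -> list[dict]:
    """AI Engine stage: sliding-window count of failures per (source, host).
    Emits one brute_force alert when the threshold is reached within the window,
    and a success_after_brute_force alert if that pair later authenticates."""
    recent = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in events:
        key = (ev["src"], ev["host"])
        if ev["result"] == "Failed":
            q = recent[key]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"rule": "brute_force", "src": ev["src"], "host": ev["host"],
                               "count": len(q), "first": q[0], "last": ev["ts"]})
        elif key in flagged:
            alerts.append({"rule": "success_after_brute_force", "src": ev["src"],
                           "host": ev["host"], "user": ev["user"], "at": ev["ts"]})
    return alerts


def run_demo() -> list[dict]:
    return correlate(normalize(SAMPLE_LOGS))


if __name__ == "__main__":
    for a in run_demo():
        print(a["rule"], a["src"], "->", a["host"])
```

On the sample input the single failure from 10.0.0.9 never reaches the threshold, so its later success is ordinary; the five failures from 10.0.0.5 against host1 within 60 seconds raise the brute_force alert, and the subsequent Accepted line for root from the same source is the higher-value event an analyst wants surfaced. Real deployments must also cope with out-of-order delivery across agents, which the sort in normalize() only handles within one batch.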