{"product_id":10437,"v_id":10437,"product_name":"Splunk 4.1.7","certification_status":"Not Certified","certification_date":"2011-03-18T00:03:00Z","tech_type":"Enterprise Security Management","vendor_id":{"name":"Splunk LLC","website":"https://www.splunk.com"},"vendor_poc":null,"vendor_phone":"+1 855-775-8657","vendor_email":"sales@splunk.com","assigned_lab":{"cctl_name":"Booz Allen Hamilton Common Criteria Testing Laboratory"},"product_description":"<p>The Security Target (ST) defines the Information Technology (IT) security requirements for Splunk 4.1.7. Splunk collects IT data logs from various configured machines, stores the logs on disk, and indexes the data it collects. Splunk features broad search functionality to query these logs based on user requests. Multiple instances of the Splunk process can be utilized in synchronization to optimize the functionality, with different Splunk processes focusing on collecting and forwarding IT data, storing and indexing IT data, and searching IT data and providing a collaborative user interface.</p>","evaluation_configuration":"<p>The TOE was evaluated on the following platforms:</p>\r\n<p>Windows 7 (64 bit)</p>\r\n<table style=\"width: 67%;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\r\n<tbody>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Processor</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">2x quad-core Xeon or equivalent at 3 GHz</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Disk space</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">200 GB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">RAM</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">8 GB</p>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p>&nbsp;</p>\r\n<p>Windows XP (32 bit)</p>\r\n<table style=\"width: 67%;\" border=\"1\" cellspacing=\"0\" 
cellpadding=\"0\">\r\n<tbody>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Processor</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">2x quad-core Xeon or equivalent at 3 GHz</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Disk space</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">200 GB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">RAM</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">8 GB</p>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p>&nbsp;</p>\r\n<p>Windows Server 2008 R2 (64 bit)</p>\r\n<table style=\"width: 67%;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\r\n<tbody>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Processor</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">2x quad-core Xeon or equivalent at 3 GHz</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Disk space</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">200 GB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">RAM</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">8 GB</p>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p>&nbsp;</p>\r\n<p>Windows Server 2003 (64 bit)</p>\r\n<table style=\"width: 67%;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\r\n<tbody>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Processor</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">2x quad-core Xeon or equivalent at 3 GHz</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Disk space</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">200 GB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p 
class=\"Default\">RAM</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">8 GB</p>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p>&nbsp;</p>\r\n<p>Solaris 10 (64 bit)</p>\r\n<table style=\"width: 67%;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\r\n<tbody>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Processor</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">2x quad-core Xeon or equivalent at 3 GHz</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Disk space</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">200 GB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">RAM</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">8 GB</p>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p>&nbsp;</p>\r\n<p>Red Hat 5.3 (64 bit)</p>\r\n<table style=\"width: 67%;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\r\n<tbody>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Processor</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">2x quad-core Xeon or equivalent at 3 GHz</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">Disk space</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">200 GB</p>\r\n</td>\r\n</tr>\r\n<tr>\r\n<td width=\"33%\" valign=\"top\">\r\n<p class=\"Default\">RAM</p>\r\n</td>\r\n<td width=\"66%\" valign=\"top\">\r\n<p class=\"Default\">8 GB</p>\r\n</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p>&nbsp;</p>","security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Splunk 4.1.7 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3. 
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3. It has been determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL2 augmented with ALC_FLR.1. Validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in March 2011.</p>","environmental_strengths":"<p><strong><em>IT Data Indexing</em></strong></p>\r\n<p>The TOE is able to collect and index IT data from the following log sources: Windows event logs, UDP and TCP syslog, Active Directory, generic scripted inputs, local disk logs, file system changes, and Windows registry changes. Each IT data event has at least the date/time of the event, source, source type, and host name. Only authorized users are able to read the indexed IT data by performing searches on the TOE. Authorized users are able to use the search functionality to search indexed audit logs based upon the data collected during indexing. All IT data logs indexed are protected from deletion or modification. In the evaluated configuration, the TOE is configured to stop indexing and begin to overwrite the oldest IT data records when storage reaches the configured limit, which is synonymous with the storage being full. The TOE also sends an alarm in the form of a user interface banner. In addition, the most recent stored IT records are maintained if storage runs out.</p>\r\n<p><strong><em>Security Audit</em></strong></p>\r\n<p>The TOE collects audit logs on TOE startup and shutdown, user login, and any user action on the system, including editing users and configuration. A timestamp is provided, as well as the user who performed the action (if applicable), the action itself, and a success or failure determination. 
Only authorized users are able to read this audit information by performing searches. The audit data collected is added to the index and is read in the same manner as IT data. The search functionality in the TOE allows authorized users to read audit data and to sort and filter the audit data returned to them based upon date/time of the event, type of event, subject identity, and outcome of the event, along with any other search parameters entered. All audit data logs are protected from deletion or modification. The most recent stored audit records are maintained if storage runs out.</p>\r\n<p><strong><em>Cryptographic Support</em></strong></p>\r\n<p>The TOE utilizes OpenSSL packages to generate cryptographic keys utilizing the RSA algorithm with 1024-bit keys. The TOE will overwrite old keys whenever a new key is generated. All sensitive interfaces are protected utilizing these encryption standards, including the user interface connections, connections between TOE components in the deployment, and the optional LDAP server.</p>\r\n<p><strong><em>Identification and Authentication</em></strong></p>\r\n<p>The TOE provides user accounts that have the following attributes: username, password, and roles. All users must successfully identify and authenticate themselves utilizing their username and password combination before they can perform any TSF-related actions. There are two authentication mechanisms utilized in the TOE: Splunk authentication and LDAP authentication. Authorized users are able to select the authentication method used within the configuration options of the TOE. Upon authentication, users are bound to their role and other user attributes within a session object. A user session is terminated if the user is deleted or if all roles have been removed for the user. 
In addition, sessions will be terminated due to inactivity.</p>\r\n<p><strong><em>Security Management</em></strong></p>\r\n<p>The security management of the TOE is controlled by user actions that are authorized by the TOE&rsquo;s RBAC policy. Every function within the system, along with the objects it affects, is controlled by specific capabilities, indexes, or ACLs (Access Control Lists) available to the user performing the action. The security attributes are edited and assigned using this same RBAC policy. The primary security attributes within the system are roles. The default roles in the system are the following: admin, power, user, and can_delete. Additional roles can be generated by authorized users. One or more roles must be assigned to a user before the user can perform any TSF-related action on the TOE.</p>\r\n<p><strong><em>User Data Protection</em></strong></p>\r\n<p>The TOE utilizes an RBAC Policy which requires roles to be assigned to users to perform anything but the most basic functions of the TOE. Roles are assigned a collection of capabilities which are operations that can be performed on specific objects. Roles are also assigned indexes which allow the searching of specific IT/audit data. Additionally, some objects created in the TOE also contain Access Control Lists (ACLs) that define which roles have read and/or write privileges.</p>\r\n<p><strong><em>High Availability</em></strong></p>\r\n<p>The TOE also provides mechanisms for high availability. The TOE will maintain a secure state whenever an indexer fails. The TOE will also ensure that the indexing functionality of the product will still operate if a single indexer fails.</p>\r\n<p><strong><em>Protection of the TSF</em></strong></p>\r\n<p>The TOE utilizes OpenSSL to prevent unauthorized disclosure of data and detect modification of TSF data sent to the LDAP store. Detected modifications of TSF data will result in the packet being dropped. 
Additionally, OpenSSL is utilized to protect data being transferred between TOE components. OpenSSL is also used to create a logically distinct trusted path between remote users and the TOE, and will protect the TSF data in transit from unauthorized modification or disclosure. Remote users initiate the trusted path to the TOE. The trusted path is required to be used for user authentication, management actions, and data transfer.</p>","features":[]}