The Target of Evaluation (TOE) is Tenable Security Center 6.2.0. It is a vulnerability management product that is designed to provide visibility into network and system assets. The product is used to discover and scan assets such as servers, endpoints, network devices, operating systems, databases, and applications. Information collected by Tenable Security Center through its various connections to its operational environment and aggregated into the product can be presented in various customizable dashboards and analyzed by the product to determine the risk levels of findings or non-compliance with organizational security policies.
\r\nThe product integrates three separate capabilities:
\r\nTenable Security Center functions as a central point where all of the collected data is aggregated, analyzed, and displayed to administrators in various customizable views. It can also be used to orchestrate the data collection performed by the various environmental components via customizable scheduling. The aggregated data can be used to provide information on vulnerabilities, misconfiguration, and malware. Tenable Security Center also provides configurable workflows and alerts to automatically take corrective action based on specific findings.
","evaluation_configuration":"","security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4 and the Functional Package for Transport Layer Security (TLS), Version 1.1. The criteria against which Tenable Security Center 6.2.0 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5.
\r\nThe product, when delivered and configured as identified in the evaluated configuration guidance documentation, satisfies all of the security functional requirements stated in the Tenable Security Center 6.2.0 Security Target. The evaluation was completed in October 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
","environmental_strengths":"Timely Security Updates
\r\nThe TOE developer has internal mechanisms for receiving reports of security flaws, tracking product vulnerabilities, and distributing software updates to customers in a timely manner.
\r\nCryptographic Support
\r\nThe TOE implements cryptography to protect data at rest and in transit.
\r\nFor data at rest, the TOE stores credential data (both to log in to the TOE and to log in to remote systems for the purpose of conducting authenticated configuration scanning) as well as passphrase data used to protect PKI certificates that the TOE uses to authenticate to environmental components. This stored data is encrypted using AES or a PBKDF, depending on the data that is being stored.
\r\nFor data in transit, the TOE implements TLS/HTTPS as both a client and a server. The TOE implements a TLS server for its administrative interface while it implements a TLS client to communicate with environmental components, including other Tenable products. The TOE supports mutual authentication as a TLS client.
\r\nThe TOE implements all cryptography used for these functions using its own implementations of OpenSSL with NIST-approved algorithms. The TOE’s DRBG is seeded using entropy from the underlying OS platform.
\r\nSome product functionality requires the use of SSH; the TOE does not claim SSH functionality as it invokes its platform to implement this.
\r\nUser Data Protection
\r\nThe TOE uses cryptographic mechanisms to protect sensitive data at rest. Credential data is protected through the use of a PBKDF while all other sensitive data is protected by the TOE platform’s use of full disk encryption.
\r\nThe TOE relies on the network connectivity and system log capabilities of its host OS platform. The TOE supports user-initiated and application-initiated uses of the network.
\r\nIdentification and Authentication
\r\nThe TOE supports X.509 certificate validation as part of establishing TLS and HTTPS connections. The TOE supports various certificate validity checking methods and can also check certificate revocation status using OCSP. If the validity status of a certificate cannot be determined, the certificate will be accepted. All other cases where a certificate is found to be invalid will result in rejection without an administrative override.
\r\nSecurity Management
\r\nThe TOE itself and the configuration settings it uses are stored in locations recommended by the platform vendor.
\r\nThe TOE includes a web GUI. The web GUI enforces username/password authentication using locally-stored credentials that are created using the TOE. The TOE does not include a default user account to access its management interface.
\r\nThe security-relevant management functions supported by the TOE relate to the configuration of how frequently the various environmental components access network resources and for the transmission and presentation of system, network, and log data that the TOE obtains from its operational environment.
\r\nPrivacy
\r\nThe TOE does not handle personally identifiable information (PII) of any individuals.
\r\nProtection of the TSF
\r\nThe TOE enforces various mechanisms to prevent itself from being used as an attack vector to its host OS platform. The TOE implements address space layout randomization (ASLR), does not allocate any memory with both write and execute permissions, does not write user-modifiable files to directories that contain executable files, is compiled using stack overflow protection, and is compatible with the security features of its host OS platform.
\r\nThe TOE contains libraries and invokes system APIs that are well-known and explicitly identified.
\r\nThe TOE has a mechanism to determine its current software version. Software updates to the TOE can be acquired by leveraging its OS platform. All updates are digitally signed to guarantee their authenticity and integrity.
\r\nTrusted Path/Channels
\r\nThe TOE encrypts sensitive data in transit between itself and its operational environment using TLS and HTTPS. It facilitates the transmission of sensitive data from remote users over TLS and HTTPS.
\r\nThe TOE may also invoke OS platform functionality to establish SSH communications with an instance of LCE in its operational environment.
","features":[{"id":1760,"feature_name":"Certificate Authentication"},{"id":1761,"feature_name":"Certificate Validation"},{"id":1762,"feature_name":"Credential Storage"},{"id":1763,"feature_name":"DRBG"},{"id":1764,"feature_name":"DTLS 1.0"},{"id":1765,"feature_name":"DTLS Server with Mutual Authentication"},{"id":1766,"feature_name":"HTTPS Client"},{"id":1767,"feature_name":"HTTPS Server with Mutual Authentication"},{"id":1768,"feature_name":"PBKDF"},{"id":1769,"feature_name":"TLS 1.1"}]}