Compliant Product - Splunk Enterprise 8.1
Certificate Date: 2021.01.26
Validation Report Number: CCEVS-VR-VID11108-2021
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Functional Package for TLS Version 1.1
Protection Profile for Application Software Version 1.3
CC Testing Lab: Acumen Security
The Target of Evaluation (TOE) is Splunk Enterprise v8.1 running on Red Hat Enterprise Linux (RHEL) v7.7 and v8.2. Splunk collects data from sources such as systems, devices, and user interactions and presents it for real-time visibility and analysis. The TOE can be configured as a Forwarder or as an Indexer. Configured as an Indexer, it receives data from external sources such as web services, databases, and one or more Splunk instances configured as Forwarders. Configured as a Forwarder, it transmits all locally generated data to another Splunk instance configured as an Indexer.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Splunk Enterprise 8.1 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5; the methodology used by the evaluation team is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. Acumen Security determined that the TOE conforms to the Protection Profile for Application Software, Version 1.3 [SWAPP] and the Functional Package for Transport Layer Security (TLS), Version 1.1 [TLS-PKG]. The product, when delivered and configured as described in the Operational User Guidance and Preparative Procedures, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review, and the evaluation was completed in January 2021. Results of the evaluation can be found in the Validation Report prepared by CCEVS.
The TOE provides the security functionality required by [SWAPP] and [TLS-PKG].
The TOE platform provides HTTPS/TLS functionality for secure communication with trusted entities. The TOE ships with OpenSSL, which performs its cryptographic operations, and relies on the underlying platform to seed its deterministic random bit generator with entropy and to provide the key store in which key data is kept. (The CAVP algorithm certificates are identified in Table 3, CAVP Certificate References, of the ST.)
The TOE is installed on an encrypted partition of the underlying host platform to protect its data at rest. Private keys for the TOE's certificates are kept in that protected storage, which is accessible only after the partition has been unlocked with the passphrase chosen when it was encrypted; the host's disk must therefore be encrypted with LUKS before the TOE is installed. The TOE depends on the platform's network connectivity for management, for sending email alerts to the SMTP server, and for sending data to an external trusted data feed receiver (a TOE Indexer) or receiving data from an external trusted data feed (a TOE Forwarder).
The TOE relies on the X.509v3 certificate validation functions provided by the platform to authenticate the peer's certificate(s) when establishing an HTTPS/TLS trusted channel. A certificate that fails validation is rejected. A certificate whose revocation status cannot be determined, because the TOE is unable to retrieve or validate the CRL, is accepted. Administrators should note that this is fail-open behaviour with respect to revocation: an unreachable CRL distribution point does not cause the connection to be refused, so CRL availability should be monitored rather than assumed.
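The revocation behaviour described above can be made concrete with the following added example, which is not part of the ST or of Splunk's own code. It builds a throwaway CA, two leaf certificates and a CRL in memory with the Python `cryptography` library, classifies a peer certificate as good, revoked or unknown, and contrasts the TOE's documented policy (an unknown status is accepted) with a fail-closed policy. The helper names, the certificate subjects and the fixed `NOW` timestamp are assumptions made for the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed "current time" so the example is reproducible (an assumption for the example).
NOW = datetime.datetime(2021, 1, 26, tzinfo=datetime.timezone.utc)
DAY = datetime.timedelta(days=1)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca():
    """Throwaway self-signed CA (constructed for the example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name("Example Test CA"))
        .issuer_name(_name("Example Test CA"))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - DAY)
        .not_valid_after(NOW + 365 * DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_leaf(ca_key, ca_cert, common_name):
    """End-entity certificate signed by the CA, e.g. for an Indexer or a Forwarder."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - DAY)
        .not_valid_after(NOW + 30 * DAY)
        .sign(ca_key, hashes.SHA256())
    )


def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL issued by the CA that lists the given serial numbers as revoked."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW - DAY)
        .next_update(NOW + 7 * DAY)
    )
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW - DAY).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def revocation_status(leaf, ca_cert, crl):
    """Classify a peer certificate as 'good', 'revoked' or 'unknown'.

    crl is None when the CRL could not be retrieved. A CRL that is not signed
    by the expected issuer, or that is past its nextUpdate, carries no trustworthy
    information, so it is treated exactly like a missing CRL.
    """
    if crl is None:
        return "unknown"
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "unknown"
    next_update = getattr(crl, "next_update_utc", None)  # aware datetime on recent versions
    if next_update is not None and next_update < NOW:
        return "unknown"
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return "revoked"
    return "good"


def accept_peer(status, fail_closed):
    """Policy decision. The TOE's documented behaviour corresponds to fail_closed=False:
    a certificate whose revocation status is unknown is still accepted."""
    if status == "revoked":
        return False
    if status == "unknown":
        return not fail_closed
    return True


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    indexer = make_leaf(ca_key, ca_cert, "indexer.example.test")
    forwarder = make_leaf(ca_key, ca_cert, "forwarder.example.test")
    crl = make_crl(ca_key, ca_cert, [forwarder.serial_number])
    cases = (("indexer", indexer, crl), ("forwarder", forwarder, crl), ("indexer, CRL unreachable", indexer, None))
    for label, cert, fetched in cases:
        status = revocation_status(cert, ca_cert, fetched)
        print(f"{label}: {status}; TOE policy accepts={accept_peer(status, False)}, "
              f"fail-closed accepts={accept_peer(status, True)}")
```

The third case is the one the ST describes: with the CRL unavailable the status is "unknown", and the TOE-style policy still accepts the peer, whereas a fail-closed policy would refuse the connection. Treating an unverifiable or expired CRL as "unknown" rather than "good" matters too; otherwise an attacker who can serve a bogus CRL could suppress a revocation.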
The TOE does not ship with default credentials for initial authentication. Once the TOE is installed on the RHEL server, all TOE-related directories and configuration files are protected so that only the user that performed the installation has write access. The TOE's communication with other network entities is governed by several configuration files; in these files an administrator configures the TLS cipher suites and elliptic curves permitted for secure communication with those entities. The administrator can also query the TOE version.
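As an added illustration of the cipher-suite and curve settings mentioned above (not code from Splunk or from the ST), the following Python script parses the `[sslConfig]` stanza of a server.conf and reports any protocol version, cipher suite or curve that falls outside a site allow-list, with a weak configuration beside its corrected form. Both configuration fragments are constructed for the example, and the allow-list is an assumption; a deployment should use the suites and curves listed in the Security Target. Splunk's `cipherSuite` setting takes an OpenSSL cipher string, so the script also flags OpenSSL keywords such as `HIGH`, which expand at runtime and cannot be audited from the file alone.

```python
import configparser

# Constructed server.conf fragments for the example (not from any real deployment).
# The first leaves legacy protocol versions enabled, mixes RC4/3DES and an opaque
# OpenSSL keyword into the cipher string, and allows a non-NIST curve; the second
# is the corrected form.
WEAK_CONF = """\
[sslConfig]
sslVersions = tls1.0, tls1.1, tls1.2
cipherSuite = ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA:HIGH
ecdhCurves = prime256v1, secp256k1
"""

HARDENED_CONF = """\
[sslConfig]
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
"""

# Assumed site allow-list (an assumption for this example; take the real values
# from the Security Target). Cipher names are OpenSSL names because that is the
# syntax Splunk's cipherSuite setting uses.
ALLOWED_VERSIONS = {"tls1.2"}
ALLOWED_CURVES = {"prime256v1", "secp384r1", "secp521r1"}
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
}


def _split(value, sep):
    """Split a Splunk list-valued setting and drop empty items and whitespace."""
    return [item.strip() for item in value.split(sep) if item.strip()]


def check_ssl_config(conf_text):
    """Return (setting, offending value, reason) tuples for the [sslConfig] stanza.

    An empty list means every explicit value is on the allow-list. Splunk conf
    files are INI-style, so configparser reads them; option names are kept
    case-sensitive because Splunk settings are camelCase.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(conf_text)
    if not parser.has_section("sslConfig"):
        return [("sslConfig", "", "stanza missing; built-in defaults apply")]
    stanza = parser["sslConfig"]
    findings = []

    for setting in ("sslVersions", "cipherSuite", "ecdhCurves"):
        if setting not in stanza:
            findings.append((setting, "", "not set explicitly; built-in default applies"))

    for version in _split(stanza.get("sslVersions", ""), ","):
        if version not in ALLOWED_VERSIONS:
            findings.append(("sslVersions", version, "protocol version not permitted"))

    for cipher in _split(stanza.get("cipherSuite", ""), ":"):
        if cipher[0] in "!-+@":
            continue  # exclusion/ordering directives do not enable a suite by themselves
        if "-" not in cipher:
            # HIGH, ALL, AESGCM, ... are OpenSSL keywords that expand at runtime.
            findings.append(("cipherSuite", cipher, "OpenSSL keyword, not an explicit suite"))
        elif cipher not in ALLOWED_CIPHERS:
            findings.append(("cipherSuite", cipher, "cipher suite not on allow-list"))

    for curve in _split(stanza.get("ecdhCurves", ""), ","):
        if curve not in ALLOWED_CURVES:
            findings.append(("ecdhCurves", curve, "curve not permitted"))

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = check_ssl_config(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for setting, value, reason in findings:
            print(f"  {setting} = {value!r}: {reason}")
```

Run against the weak fragment the script reports six findings (two legacy protocol versions, RC4 and 3DES suites, the `HIGH` keyword and the secp256k1 curve); the hardened fragment produces none. Pointing the same function at the real `$SPLUNK_HOME/etc/system/local/server.conf` (and at the equivalent stanzas in inputs.conf and outputs.conf on Forwarders and Indexers) gives a quick check that the configured values match what the ST evaluated.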
The TOE does not request any personally identifiable information (PII) with the intent to transmit the data over the network, thus maintaining privacy of the security administrators and the users.
The TOE's platform performs cryptographic self-tests at startup, which confirms the TOE's ability to operate correctly. Updates must be downloaded manually and installed using the platform's package manager. The platform verifies every software update by digital signature; the administrator must first install the public key of the TOE's developer so that the integrity of any available update can be checked. The TOE uses documented platform APIs and includes only the third-party libraries identified in the Security Target. It is built with stack-based buffer overflow protection, runs with ASLR (address space layout randomization), and allocates memory that is both writable and executable only for just-in-time compilation. SELinux is supported and is a prerequisite for installing the TOE application.
The TOE is a software application. It uses HTTPS/TLS to protect remote administration through the Web UI and to protect the channel between a TOE Indexer and external trusted data feeds (TOE Forwarders). Acting as an Indexer, the TOE uses TLS to send email alerts securely to a remote SMTP server; acting as a Forwarder, it uses HTTPS/TLS to send data to an external data feed receiver (a TOE Indexer).