Compliant Product - Axonius Cybersecurity Asset Management Platform v4.0-f
Certificate Date: 2022.03.04
Validation Report Number: CCEVS-VR-VID11201-2022
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier:
· Functional Package for TLS Version 1.1
· Protection Profile for Application Software Version 1.3
· Extended Package for Secure Shell (SSH) Version 1.0
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is Axonius Cybersecurity Asset Management Platform v4.0-f, a containerized software application designed to provide an organization a comprehensive inventory of its IT assets, uncover cybersecurity coverage gaps, and enforce security policies. The TOE uses integration-specific code, termed “adapters”, to connect to the organization’s existing IT systems to retrieve information about assets such as devices and users.
The specific tested version of the TOE is 4.0.11-f. In its evaluated configuration, the TOE is a containerized application executing on a platform comprising:
· Docker runtime engine v19.0.3
· Ubuntu 16.04
· VMware ESXi 6.5
· AMD Ryzen Threadripper 1950X (Zen microarchitecture)
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, September 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the Axonius Cybersecurity Asset Management Platform v4.0-f Security Target. The evaluation was completed in March 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE implements cryptography to protect data at rest and in transit.
For data at rest, the TOE securely stores the credential data used to log in to the TOE, private keys, and the credentials the TOE uses to authenticate to adapter data sources. This stored data is protected using either PBKDF2_HMAC with SHA512 and 100,000 rounds in conjunction with LUKS or using MongoDB’s Client-Side Field Level Encryption (AES-256-CBC).
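The at-rest protection described above combines a password-based key derivation (PBKDF2-HMAC with SHA-512 at 100,000 rounds) with LUKS and MongoDB field-level encryption. The following is an added illustration of the PBKDF2 part only, written for this page and not taken from Axonius or from the TOE; it shows how a stored credential record is derived with a random per-record salt and then verified in constant time. The record format (`pbkdf2_sha512$iterations$salt$key`) and the function names are assumptions chosen for the example, not the product's own storage layout.

```python
import hashlib
import hmac
import os

# Parameters matching what the validation report states for the TOE's
# at-rest credential protection: PBKDF2-HMAC, SHA-512, 100,000 rounds.
HASH_NAME = "sha512"
ITERATIONS = 100_000
SALT_LEN = 16   # 128-bit random salt per stored record (assumed value)
KEY_LEN = 64    # full SHA-512 output length


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length key from a password with PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def store_credential(password: str) -> str:
    """Produce a self-describing record: algorithm, rounds, salt and derived key.

    Storing the parameters alongside the key lets a later verifier re-derive
    with exactly the same settings, and lets the round count be raised for
    new records without breaking old ones.
    """
    salt = os.urandom(SALT_LEN)
    dk = derive_key(password, salt)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_credential(password: str, stored: str) -> bool:
    """Re-derive from the stored salt/rounds and compare in constant time.

    Any malformed or foreign-format record is rejected (fail closed)
    rather than raising.
    """
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != f"pbkdf2_{HASH_NAME}" or iterations < 1 or len(expected) != KEY_LEN:
        return False
    candidate = derive_key(password, salt, iterations)
    # hmac.compare_digest avoids leaking where the comparison first differs.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = store_credential("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_credential("correct horse battery staple", record))
    print(verify_credential("wrong password", record))
```

The derived key is what would feed the volume or field encryption layer; the example stops at derivation and verification, since the LUKS and MongoDB CSFLE steps the report mentions are provided by the platform and the database, not by application code.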
For data in transit, the TOE implements HTTPS and TLS as both a client and a server. The TOE implements an HTTPS/TLS server for its administrative interface, while it implements either an SSH client or an HTTPS/TLS client to communicate with any data sources connected to it. The TOE does not support mutual authentication.
The TOE implements all cryptography used for these functions using its own OpenSSL with CAVP-validated algorithms. The TOE’s DRBG is seeded using entropy from the underlying OS platform.
User Data Protection
The TOE protects sensitive data in non-volatile memory using approved cryptographic algorithms and by leveraging LUKS functionality provided by the host platform.
The TOE relies on the network connectivity capabilities of its host OS platform. The TOE supports user-initiated and application-initiated uses of the network.
The TOE does not access any of the sensitive information repositories on the host platform.
Identification and Authentication
The TOE supports X.509 certificate validation as part of establishing TLS and HTTPS connections. The TOE supports various certificate validity checks and checks certificate revocation status using OCSP. If the certificate is invalid or the revocation status of a certificate cannot be determined, the certificate will not be accepted.
The TOE itself and the configuration settings it uses are stored in locations recommended by the Linux platform vendor.
The TOE includes a web GUI. This interface enforces username/password authentication using locally stored credentials that are created using the TOE. The TOE does not include a default user account to access its management interface.
The security-relevant management functions supported by the TOE relate to configuration of adapters and certificates.
The TOE does not collect or transmit personally identifiable information (PII) of any individuals.
Protection of the TSF
The TOE has a mechanism to determine its current software version. Software updates to the TOE can be acquired by leveraging its OS platform. All updates are digitally signed to guarantee their authenticity and integrity.
The TOE developer has internal mechanisms for receiving reports of security flaws, tracking product vulnerabilities, and distributing software updates to customers in a timely manner.
The TOE encrypts sensitive data in transit between itself and its operational environment using TLS, HTTPS, or SSH.
Axonius Federal Systems LLC