Compliant Product - CIMCOR CimTrak for Servers Version 2.0.6 (F)
Certificate Date: 26 July 2010
Validation Report Number: CCEVS-VR-10303-2010
Product Type: Sensitive Data Protection
Conformance Claim: EAL4 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: InfoGard Laboratories, Inc.
The CIMCOR® CimTrak® Integrity Suite application provides a flexible file-based security solution that allows Administrators (Administrator, Standard User roles) to protect selected files from unauthorized changes from a centralized location within the network. CimTrak immediately identifies the change, determines if it is authorized and optionally institutes corrective action based on application configuration. Since CimTrak maintains a master set of protected files, unauthorized changes can immediately be reversed to mitigate malicious activity or human error. The CimTrak Integrity Suite combines CimTrak for Network Devices and CimTrak for Servers into an integrated application suite.
CimTrak presents a multifaceted approach to protecting key network resources and provides comprehensive change control tracking. The application suite consists of 3 major elements: CimTrak Master Repository software acting as a central application server, CimTrak Agent software which is installed on monitored servers within the network and CimTrak management console software.
The CimTrak Master Repository component maintains a centralized store of protected files and change history within a centralized server. This provides an isolated, encrypted copy of critical files that allows for restoration in the event of unauthorized change, and provides a basis for identifying changes made to protected files within the network. The application also supports a rollback capability which allows previous versions of a protected file to be restored at a later date. The TOE maintains 10 generations of file baselines by default.
Deployment of the TOE includes the installation of a CimTrak Agent component on protected resources within the operational environment. The Agent provides real-time or poll based monitoring of protected files and identifies changes made to protected files. When a change is detected, the Agent communicates with the CimTrak Repository to report change status and/or transfer the master file (authoritative copy) from the Master Repository to the Agent server/Network Host server to overwrite unauthorized changes. The Agent utilizes CimTrak configuration data to determine if the change is allowed based on [Administrator] policy settings for the subject file. The Agent can then institute one of the following actions on the change: Allow the change and log the event, Update the master file baseline stored within the Master Repository, Disallow the change and immediately overwrite the change with the master file copy from the Master Repository, or Prompt the authorized user to either allow or disallow the file change attempt. Communication between the Agent components and the Master Repository is secured using FIPS 140-2 Level 2 validated cryptography using a proprietary CIMCOR communications protocol.
The CimTrak software solution includes a Management Console which features a Graphic User Interface (GUI) that allows Administrators (Administrator, Standard User roles) to manage/configure the application from a separate Administrator management workstation within the network. The management console supports the selection of files on Agent servers/Network Host servers to protect or “lock”, configure action to take in the event a change is detected and access a series of reports that detail changes made based on a series of saved baselines stored in the Master Repository. This capability can be used to superimpose changes over the stored baselines to immediately identify what aspects of the “locked” file were changed. In addition, the application logs the identity of the user making the change, when the change was made, and the history of previous changes made to the file. The Management Console communicates with the Master Repository over a cryptographically secured session using FIPS 140-2 Level 2 validated cryptography over a proprietary communication protocol.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE (CIMCOR® CimTrak Integrity Suite 220.127.116.11 F) was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1R2. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1R2. The evaluation demonstrated that the product meets the security requirements contained in the Security Target. InfoGard determined that the evaluation assurance level (EAL) for the product is EAL 4+. The Validators observed that the evaluation carried out by InfoGard and all of its activities were in accordance with the Common Criteria, the Common Evaluation Methodology, and the CCEVS. The Validators therefore conclude that the evaluation team’s results are correct and complete. The evaluation was completed in May 2010. Results of the evaluation can be found in the non-proprietary Evaluation Technical Report Cimcor® Cimtrak Integrity Suite 18.104.22.168 F prepared by InfoGard.
The CIMCOR® CimTrak Integrity Suite 22.214.171.124 F provides the following security features:
The Security Audit security function within the CimTrak application generates audit records for security related events including: application configuration, file change detection & remediation, and Administrative-user access to TSF/User Data.
Security Audit events generated from the Agent Components include the success/failure of Agent login/initialization to the Master Repository, synchronization of file data between the Agent and the Master Repository, success/failure of file locking operations and file change/remediation action taken upon detection of changes to locked files.
The Master Repository, in conjunction with the Management Console, generates security audit records for application configuration actions taken by Administrative-users such as installation processes, account management configuration, management of Agent server/Network Host server accounts & object groups, cryptographic algorithm/key size selection, watch list creation defining file objects to be protected and configuration of watch properties (action to be taken upon detection of a Agent file change).
Audit records may only be accessed by authorized Administrative-users through properly authenticated CimTrak Management Console sessions and may not be modified by any user.
Identification and Authentication:
The Identification and Authentication security function provides the method by which the TOE assures that entities communicating with the Master Repository are identified and authenticated prior to being granted access to TSF resources. ID & Authentication polices are also enforced against all external entities attempting to communicate with the Master Repository (i.e. Agents as well as human users via the CimTrak Management Console).
The Cryptographic Operations security function provides cryptographic support for securing communications, data transfer and data storage within the CimTrak TOE. The TOE utilizes the FIPS 140-2 Level 2 validated Cimcor Cryptographic Module.
The Change Management security function provides the ability for the TOE to detect changes made to files/configuration data set as locked through the CimTrak application. Once such changes are identified, CimTrak implements the configured corrective action (remediation).
The Agent component of the CimTrak application is installed on selected machines within the network environment. During application configuration, a series of file objects or object groups are selected for each machine or network device and are thereby designated for monitoring. This information is downloaded by the Agent from the Master Repository during each Agent startup and initialization sequence.
Filesystem Agents are installed on the server they are monitoring and work in conjunction with the underlying Operating System to detect when a change is attempted to a file configured as “locked”.
Network Agents are installed on a Host Server, since an Agent cannot be installed directly on a router. The Network Agent polls configuration data from the monitored Network device(s).
If a change is detected by a Filesystem or Network Agent, CimTrak performs the configured corrective action. The corrective action can be configured to be Log Only, Prompt, Update Baseline, Restore, or Custom.
The Security Management security function provides CimTrak Administrative-users with the functions and features necessary for the configuration, deployment and management of CimTrak. The Management Console provides a comprehensive Graphic User Interface which is used by CimTrak Administrative-users for configuring the application and reviewing reports/audit records produced during operation.
To initiate communications between the CimTrak management console/Server Agent and the Master Repository, the applicable Agent contacts the Master Repository to establish a TLS secure session. A Diffie-Hellman or RSA based key exchange is conducted using an asymmetric key size of 512, 1024 or 2048 bits. Subsequent to the successful key exchange, a private key is created using the Cimcor Cryptographic Module software RNG.
The CimTrak TOE supports encrypted sessions using SSHv2 between the Agent component installed on the Network host computer and network devices managed by CimTrak. These sessions leverage LibSSH “C” libraries within the Network Device Interaction Module that supports SSH session establishment using the SSHv2 protocol and AES or 3DES encryption algorithms.
Protection of the TOE Functions:
The Agent component executes an integrity check of the full executable during startup processes to assure that the integrity of the Agent has not been compromised. If the integrity check fails, the Agent will not start.
Agents do not listen on any ports, only the Master Repository machine is allowed to listen for Agent communication requests. Agents must initiate communication with the Master Repository via TLS secure sessions. Agent passwords are generated during initial configuration using an RNG in a form that is not accessible by human entities (including the Administrator role) and this value is stored as a hash.
The TOE stores authentication data used to log on to Network Devices in encrypted form within the CimTrak Master Repository.