Splunk Inc. Splunk 4.1.7 Security Target - Common Criteria


Splunk Inc. Splunk 4.1.7 Security Target
Version 2.0
February 1, 2011

Prepared for:
Splunk Inc.
250 Brannan Street, 2nd Floor,
San Francisco, CA 94107

Prepared by:
Booz Allen Hamilton
Common Criteria Testing Laboratory
900 Elkridge Landing Road, Suite 100
Linthicum, MD 21090-2950

Booz Allen Hamilton CCTL – Splunk Inc., Proprietary
Page 1

Table of Contents

1 Security Target Introduction ... 9
1.1 ST Reference ... 9
1.1.1 ST Identification ... 9
1.1.2 Document Organization ... 9
1.1.3 Terminology ... 10
1.1.4 Acronyms ... 11
1.1.5 References ... 12
1.1.6 CC Concepts ... 13
1.2 TOE Reference ... 13
1.3 TOE Overview ... 13
1.4 TOE Type ... 16
2 TOE Description ... 17
2.1 Evaluated Components of the TOE ... 17
2.2 Components and Applications in the Operational Environment ... 17
2.3 Excluded from the TOE ... 18
2.3.1 Not Installed ... 18
2.3.2 Installed but Requires a Separate License ... 18
2.3.3 Installed But Not Part of the TSF ... 18
2.4 Physical Boundary ... 18
2.4.1 Hardware ... 18
2.4.2 Software ... 19
2.5 Logical Boundary ... 19
2.5.1 IT Data Indexing ... 20
2.5.2 Security Audit ... 20
2.5.3 Cryptographic Support ... 20
2.5.4 User Data Protection ... 20

2.5.5 Identification and Authentication ... 21
2.5.6 Security Management ... 21
2.5.7 Protection of the TSF ... 21
2.5.8 High Availability ... 22
3.1 CC Version ... 23
3.2 CC Part 2 Conformance Claims ... 23
3.3 CC Part 3 Conformance Claims ... 23
3.4 PP Claims ... 23
3.5 Package Claims ... 23
3.6 Package Name Conformant or Package Name Augmented ... 23
3.7 Conformance Claim Rationale ... 23
4 Security Problem Definition ... 24
4.1 Threats ... 24
4.2 TOE Threats ... 24
4.3 Organizational Security Policies ... 24
4.4 Assumptions ... 25
4.4.1 Personnel Assumptions ... 25
4.4.2 Connectivity Assumptions ... 25
4.4.3 Physical Assumptions ... 25
5 Security Objectives ... 26
5.1 IT Security Objectives ... 26
5.2 Security Objectives for the operational environment of the TOE ... 27
6 Extended Security Functional and Assurance Requirements ... 28
6.1 Extended Security Functional Requirements for the TOE ... 28
6.1.1 Class FAU_EXT: IT Data Indexing ... 28
6.1.1.1 FAU_GEN_EXT.1 Component Definition ... 28
6.1.1.2 FAU_GEN_EXT.1 IT Data Collection ... 28
6.1.1.3 FAU_SAR_EXT.1 Component Definition ... 29

6.1.1.4 FAU_SAR_EXT.1 IT Data Review ... 29
6.1.1.5 FAU_SAR_EXT.2 Component Definition ... 29
6.1.1.6 FAU_SAR_EXT.2 Restricted IT data review ... 29
6.1.1.7 FAU_SAR_EXT.3 Component Definition ... 30
6.1.1.8 FAU_SAR_EXT.3 Selectable IT Data Review ... 30
6.1.1.9 FAU_STG_EXT.2 Component Definition ... 30
6.1.1.10 FAU_STG_EXT.2 Guarantees of IT Data Availability ... 30
6.1.1.11 FAU_STG_EXT.3 Component Definition ... 31
6.1.1.12 FAU_STG_EXT.3 Action in Case of IT Data Loss ... 31
6.1.1.13 FAU_STG_EXT.4 Component Definition ... 31
6.1.1.14 FAU_STG_EXT.4 Prevention of IT Data Loss ... 32
6.2 Extended Security Assurance Requirements ... 32
7 Security Functional Requirements ... 33
7.1 Security Functional Requirements for the TOE ... 33
7.1.1 Class FAU: Security Audit ... 33
7.1.1.1 FAU_GEN.1 Audit data generation ... 33
7.1.1.2 FAU_GEN.2 User identity association ... 35
7.1.1.3 FAU_SAR.1 Audit review ... 35
7.1.1.4 FAU_SAR.2 Restricted audit review ... 36
7.1.1.5 FAU_SAR.3 Selectable Audit Review ... 36
7.1.1.6 FAU_STG.2 Guarantees of audit data availability ... 36
7.1.1.7 FAU_STG.3 Action in case of audit data loss ... 37
7.1.1.8 FAU_STG.4 Prevention of audit data loss ... 37
7.1.2 Class FCS: Cryptographic Support ... 37
7.1.2.1 FCS_CKM.1 Cryptographic key generation ... 37
7.1.2.2 FCS_CKM.4 Cryptographic key destruction ... 37
7.1.2.3 FCS_COP.1 Cryptographic operation ... 38
7.1.3 Class FDP: User Data Protection ... 38

7.1.3.1 FDP_ACC.1 Access control policy ... 38
7.1.3.2 FDP_ACF.1 Access control functions ... 38
7.1.4 Class FIA: Identification and Authentication ... 39
7.1.4.1 FIA_ATD.1 User attribute definition ... 39
7.1.4.2 FIA_UAU.2 User authentication before any action ... 39
7.1.4.3 FIA_UAU.5 Multiple authentication mechanisms ... 39
7.1.4.4 FIA_UAU.6 Re-authentication ... 40
7.1.4.5 FIA_UID.2 User identification before any action ... 40
7.1.4.6 FIA_USB.1 User-subject binding ... 40
7.1.5 Class FMT: Security Management ... 40
7.1.5.1 FMT_MOF.1 Management of security functions behavior ... 40
7.1.5.2 FMT_MSA.1 Management of security attributes ... 44
7.1.5.3 FMT_MSA.3 Static attribute initialization ... 44
7.1.5.4 FMT_MTD.1 Management of TSF data ... 45
7.1.5.5 FMT_REV.1 Revocation ... 45
7.1.5.6 FMT_SMF.1 Specification of Management Functions ... 45
7.1.5.7 FMT_SMR.1 Security roles ... 46
7.1.6 Class FPT: Protection of the TOE Security Functions ... 46
7.1.6.1 FPT_FLS.1 Failure with preservation of secure state ... 46
7.1.6.2 FPT_ITC.1 Confidentiality of Exported TSF Data ... 46
7.1.6.3 FPT_ITI.1 Integrity of Exported TSF Data ... 46
7.1.6.4 FPT_ITT.1 Basic internal TSF data transfer protection ... 47
7.1.7 Class FRU: Resource Utilization ... 47
7.1.7.1 FRU_FLT.1 Fault Tolerance ... 47
7.1.8 Class FTP: Trusted Paths/Channels ... 47
7.1.8.1 FTP_TRP.1 Trusted Paths ... 47
7.2 Operations Defined ... 48
8 Security Assurance Requirements ... 49

8.1 Security Architecture ... 49
8.1.1 Security Architecture Description (ADV_ARC.1) ... 49
8.1.2 Security-enforcing functional specification (ADV_FSP.2) ... 49
8.1.3 Basic Design (ADV_TDS.1) ... 50
8.2 Guidance Documents ... 51
8.2.1 Operational user guidance (AGD_OPE.1) ... 51
8.2.2 Preparative Procedures (AGD_PRE.1) ... 51
8.3 Lifecycle Support ... 52
8.3.1 Use of a CM system (ALC_CMC.2) ... 52
8.3.2 Parts of the TOE CM coverage (ALC_CMS.2) ... 52
8.3.3 Delivery Procedures (ALC_DEL.1) ... 52
8.3.4 Flaw reporting procedures (ALC_FLR.1) ... 53
8.4 Security Target Evaluation ... 53
8.4.1 Conformance Claims (ASE_CCL.1) ... 53
8.4.2 Extended Components Definition (ASE_ECD.1) ... 54
8.4.3 ST Introduction (ASE_INT.1) ... 55
8.4.4 Security objectives (ASE_OBJ.2) ... 55
8.4.5 Derived security requirements (ASE_REQ.2) ... 56
8.4.6 Security Problem Definition (ASE_SPD.1) ... 56
8.4.7 TOE Summary Specification (ASE_TSS.1) ... 57
8.5 Tests ... 57
8.5.1 Evidence of Coverage (ATE_COV.1) ... 57
8.5.2 Functional Testing (ATE_FUN.1) ... 57
8.5.3 Independent Testing - Sample (ATE_IND.2) ... 58
8.6 Vulnerability Assessment ... 58
8.6.1 Vulnerability Analysis (AVA_VAN.2) ... 58
9 TOE Summary Specification ... 59
9.1 TOE Security Functions ... 59

9.1.1 IT Data Indexing ... 59
9.1.2 Security Audit ... 62
9.1.3 Cryptographic Support ... 64
9.1.4 User Data Protection ... 65
9.1.5 Identification and Authentication ... 70
9.1.6 Security Management ... 72
9.1.7 Protection of the TSF ... 73
9.1.8 High Availability ... 73
9.1.9 Security Architecture ... 74
9.2 TOE Summary Specification Rationale ... 75
9.2.1 IT Data Indexing ... 76
9.2.2 Security Audit ... 76
9.2.3 Cryptographic Support ... 76
9.2.4 User Data Protection ... 76
9.2.5 Identification and Authentication ... 77
9.2.6 Security Management ... 77
9.2.7 Protection of the TSF ... 77
9.2.8 High Availability ... 78
10 Security Problem Definition Rationale ... 79
10.1 Security Objectives Rationale ... 79
10.2 Operational Security Policy Rationale ... 84
10.3 Security Functional Requirements Rationale ... 84
10.4 EAL2 Justification ... 89
10.5 Requirement Dependency Rationale ... 89
10.6 Assurance Measures ... 90

List of Figures

Figure 1 – Splunk TOE Boundary ... 14
Figure 2 – TOE Deployment ... 16

List of Tables

Table 1-1: Customer Specific Terminology ... 11
Table 1-2: CC Specific Terminology ... 11
Table 1-3: Acronym Definitions ... 12
Table 2-1: Evaluated Components of the TOE ... 17
Table 2-2: Evaluated Components of the Operational Environment ... 17
Table 2-3: Minimum Hardware Requirements of the TOE ... 19
Table 6-1: Extended Security Functional Requirements for the TOE ... 28
Table 7-1: Security Functional Requirements for the TOE ... 33
Table 7-2: Auditable Events ... 35
Table 7-3: Management Functions of the TOE ... 44
Table 7-4: Assignment of Security Attributes ... 44
Table 9-1: Fields of Indexed IT Data Logs ... 61
Table 9-2: Capabilities Within the TOE ... 65
Table 9-3: Capabilities Within the TOE ... 67
Table 9-4: Capabilities Within the TOE ... 69
Table 9-5: Security Functional Components for the TOE ... 75
Table 10-1: Assumption to Objective Mapping ... 80
Table 10-2: Threat to Objective Mapping ... 84
Table 10-3: Security Functional Requirements Rationale ... 89
Table 10-4: Requirement Dependencies ... 90
Table 10-5: Assurance Requirements Evidence ... 93

1 Security Target Introduction

This chapter presents the Security Target (ST) identification information and an overview. An ST contains the Information Technology (IT) security requirements of an identified Target of Evaluation (TOE) and specifies the functional and assurance security measures offered by the TOE.

1.1 ST Reference

This section provides information needed to identify and control this ST and its Target of Evaluation. This ST targets Evaluation Assurance Level 2 (EAL2) augmented with ALC_FLR.1.

1.1.1 ST Identification

ST Title: Splunk Inc. Splunk 4.1.7 Security Target
ST Version: 2.0
ST Publication Date: February 1, 2011
ST Author: Booz Allen Hamilton

1.1.2 Document Organization

Chapter 1 of this ST provides identifying information for the TOE. It includes an ST Introduction, ST Reference, ST Identification, TOE Reference, TOE Overview, and TOE Type.

Chapter 2 describes the TOE Description, which includes the physical and logical boundaries, and describes the components and/or applications that are excluded from the evaluated configuration.

Chapter 3 describes the conformance claims made by this ST.

Chapter 4 describes the Security Problem Definition as it relates to threats, Operational Security Policies, and Assumptions met by the TOE.

Chapter 5 identifies the Security Objectives of the TOE and of the Operational Environment.

Chapter 6 describes the Extended Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs).

Chapter 7 describes the Security Functional Requirements.

Chapter 8 describes the Security Assurance Requirements.

Chapter 9 is the TOE Summary Specification (TSS), a description of the functions provided by the TOE to satisfy the SFRs and SARs.

Chapter 10 is the Security Problem Definition Rationale and provides a rationale, or pointers to a rationale, for security objectives, assumptions, threats, requirements, dependencies, and PP claims for the chosen EAL, any deviations from CC Part 2 concerning SFR dependencies, and a mapping of threats to assumptions, objectives, and SFRs. It also identifies the items used to satisfy the Security Assurance Requirements for the evaluation.

1.1.3 Terminology

This section defines the terminology used throughout this ST. The terminology used throughout this ST is defined in Tables 1-1 and 1-2. These tables are to be used by the reader as a quick reference guide for terminology definitions.

Terminology: Definition

Access Control Lists: The owner of each created object specifies the read/write access available to each role within the system. Obviously, the owner of an object has unrestricted access to the objects it controls.

Authorized User: A user that has been assigned a role with the attributes that allow an action on an object as defined in Table 7-3. This essentially means "any user that is capable of performing the action in question."

Capability: An action in the TOE that can be added to a role to grant the role the ability to perform said action.

Deployment Client: This refers to all Splunkd processes that are sent configuration updates by the Deployment Server.

Deployment Server: An instance of the Splunkd process that is configured solely to deploy configuration updates to the other Splunkd processes within the TOE deployment.

Forwarder: An instance of the Splunkd process that is configured solely to collect raw IT data logs, parse them, formulate indexed logs, and then forward both the raw data and the indexed logs to another configured Splunkd process.

Index: When used as a verb, this refers to the actual process of parsing raw data logs, extracting fields, and storing the parsed data. When used as a noun, this refers to where said parsed data is stored upon Splunkd processes configured as indexers.

Indexed Data: This refers to parsed IT data that is stored in an indexer.

Indexer: An instance of the Splunkd process that is configured to collect parsed data logs as well as raw data logs from a forwarder and to store said data.

IT Data: All data that the TOE collects and indexes.

Parsing: Specifically to Splunk, this is the act of utilizing Splunk's indexing functionality to process raw data and extract specific default and user-defined fields. The output of this process is indexed data.

Raw Data: Unprocessed IT data the TOE collects from any configured source.

Receiver: Any Splunkd process that receives data from one or more forwarders.

Role: A named bundle of capabilities and allowed indexes that determines the amount of access specific users are allowed within the TOE. There are defaults, but additional roles can be user-generated. Roles are assigned to users.

Search-head: An instance of the Splunkd process that is configured solely to be the primary component for searching. It is also the only Splunkd process within the evaluated configuration to interface with users via the Splunk Web and Splunk CLI processes. This means that most of the general TOE management is utilized through this process exclusively.

Server Class: A deployment configuration shared by a group of deployment clients. A deployment client can belong to multiple server classes.

Splunk Object: A Splunk object is an object within the system that has an ACL defined for it.

Table 1-1: Customer Specific Terminology

Term: Definition

Authorized User: A user who, in accordance with proper authentication/authorization, is allowed to perform an operation.

External IT Entity: Any IT product or system, trusted or not, outside of the TOE that interacts with the TOE.

TOE Security Functions (TSF): A set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TSP.

User: Any entity (human user or external IT entity) outside the TOE that interacts with the TOE.

Table 1-2: CC Specific Terminology

1.1.4 Acronyms

The acronyms used throughout this ST are defined in Table 1-3. This table is to be used by the reader as a quick reference guide for acronym definitions.

Acronym: Definition

AD: Active Directory
ACL: Access Control List
CA: Certificate Authority
CC: Common Criteria
CCEVS: Common Criteria Evaluation and Validation Scheme
CCIMB: Common Criteria Interpretations Management Board

CLI: Command-line Interface
CPU: Central Processing Unit
EAL: Evaluation Assurance Level
GUI: Graphical User Interface
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IP: Internet Protocol
IT: Information Technology
LDAP: Lightweight Directory Access Protocol
NIAP: National Information Assurance Partnership
OS: Operating System
PP: Protection Profile
RAID: Redundant Array of Independent Disks
RBAC: Role Based Access Control
SAR: Security Assurance Requirement
SFR: Security Functional Requirement
SMTP: Simple Mail Transfer Protocol
SSL: Secure Sockets Layer
ST: Security Target
TCP: Transmission Control Protocol
TOE: Target of Evaluation
TSF: TOE Security Function
UDP: User Datagram Protocol
UI: User Interface
URL: Uniform Resource Locator
X.509: X.500 Series Standard for Public-key and Attribute and Certificate Frameworks

Table 1-3: Acronym Definitions

1.1.5 References

[1] Common Criteria for Information Technology Security Evaluation, CCMB-2009-07-004, Version 3.1 Revision 3, July 2009

[2] Splunk Admin Manual Version 4.1.7
[3] Splunk User Manual Version 4.1.7
[4] Splunk Installation Manual Version 4.1.7
[5] Splunk Knowledge Manager Manual Version 4.1.7
[6] Splunk Developer Manual Version 4.1.7
[7] Splunk Search Reference Version 4.1.7
[8] Splunk Release Notes Version 4.1.7
[9] Splunk Application Management Version 4.1.7

1.1.6 CC Concepts

The following are CC concepts as used in this document. A Subject is any user of the TOE (account, user, administrative user). An Object (i.e., resource or entity) can be a dataset, volume, command issued by a user, etc. An Operation is any action on a resource (e.g. read, write, create, fetch, update, control, alter, or scratch). A Security Attribute is information such as username, groups, profiles, facilities, passwords, etc. that is kept in the security file for the user. An External Entity is anything outside of the TOE that affects the TOE.

1.2 TOE Reference

Splunk 4.1.7

1.3 TOE Overview

Splunk 4.1.7 (herein referred to as Splunk or the TOE) collects IT data logs from various configured machines, stores the logs on disk, and indexes the data it collects. Splunk features broad search functionality to query these logs based on user requests. Multiple instances of the Splunk process can be utilized in synchronization to optimize the functionality, with different Splunk processes focusing on collecting and forwarding IT data, storing and indexing IT data, and searching IT data and providing a collaborative user interface.

The TOE:
• Collects IT data logs from configured machines
• Stores and indexes collected IT data logs in indexers
• Allows users to perform comprehensive search actions to query IT data logs

[Figure 1 – Splunk TOE Boundary. Legend: TOE Subsystem, Environment Object, Environment O/S. Elements shown: Web Browser, Command Line, SMTP Server, LDAP Store, Splunk Web, Splunk, Indexes (Index 2, etc.), O/S, with SSL connections.]

Figure 1 – Splunk TOE Boundary

As illustrated in Figure 1, the TOE boundary contains 3 subsystems: Splunk Web, Splunk, and Splunkd. Each TOE component is a distinct process running on the host machine. Splunk Web and Splunk are accessed through a supported web browser or command-line interface, respectively. Splunkd is the process that provides most of the TOE functionality. In addition to the TOE subsystems and user interfaces, the TOE receives data from configured data sources, be it from the local machine or other machines on the network. It can also connect to an LDAP Store for LDAP authentication. The indexes and search job results are stored on the local f
