Target of Evaluation (TOE)
LogRhythm Help provides LogRhythm product guidance. It covers security features of the Target of Evaluation (TOE), product security features excluded from evaluation, and general product features. This section identifies guidance specific to the TOE and its evaluated configuration.
TOE Secure Acceptance
LogRhythm ships appliances (hardware with software components preinstalled) directly to customers via Federal Express with tracking. Each appliance box is wrapped with security tape. An appliance box includes a LogRhythm Appliance Installation Guide booklet and packing list. If the security tape is broken, a customer should verify the package contents using the packing list.
TOE Installation Guidance
The following sections of LogRhythm Help are available to provide TOE installation guidance:
- Using Integrated Security describes scenarios for deploying the TOE in a variety of environments. The scenarios range from basic deployment in a low-volume environment to complex deployment in a high-volume environment that includes remote networks.
- The Glossary provides basic definitions and identifies product components.
- Deployment Architecture covers deploying the TOE in different arrangements to address distinct needs.
- Networking and Communication details the communication settings among TOE components and between the TOE and its environment. Product features supporting redundancy are not within the scope of evaluation.
- Using Integrated Security covers hardware installation for LogRhythm appliances as well as basic software setup for the TOE.
- Hardware for AIE includes technical specifications for TOE hardware platforms (for example, processor type, bus type, memory capacity). For each appliance, a section provides instructions for unpacking and installing the hardware.
- AI Engine covers initial start-up of TOE components, along with necessary configuration settings.
- New Deployment Wizard describes a wizard application that guides an administrator through completing required pre-initialization steps. The TOE displays the wizard the first time an administrator accesses an appliance from the LogRhythm Console.
- Device Configuration Guides illustrates the use of third-party devices in log generation and collection. It describes how to configure third-party devices to generate logs and how to configure the TOE to collect the logs. The third-party devices are not within the scope of evaluation.
TOE Operational Guidance
LogRhythm Help provides an introduction to the product, including architecture, licensing, data flow, and processing. The Administrator’s Guide describes the tools available to an administrator for configuring and administering a TOE. The guide covers tools for deployment, Active Directory integration, and log archiving and restoration. It also provides information on LogRhythm risk-based priority for logs. Some sections in the guide address product features outside the scope of the evaluation, such as non-security features and features excluded from LogRhythm Security Target. Sections not applicable to evaluation include:
- User Activity Monitor (UAM)
- Data Loss Defender
- File Integrity Monitor
- LogRhythm Backup and Recovery Procedures
- Performance Counters
- Log Processing Report
LogRhythm Security Target places additional restrictions on the operation of the TOE and requires additional steps to establish an evaluated configuration. LogRhythm Security Target specifies Windows authentication, protected communication between TOE components, and security audit. LogRhythm must use Windows authentication (Active Directory or operating system local to each appliance) in the evaluated configuration. Using Integrated Security covers the setup and configuration. The evaluated configuration requires an administrator to configure protected communication (that is, TLS) between distributed LogRhythm components (for example, between Data Processors and the Platform Manager). For more information, see Networking and Communication.
LogRhythm Help section Audit Data Generation provides the following guidance for the TOE audit functions.
- Required Scripts and Set up the Audit Functionality cover configuring the audit functions.
- Set up Discretionary Access Controls on the Trace Folder on an NTFS File System describes configuration in the operational environment that is needed to protect the TOE security audit trail.
- Audited Events lists the security-relevant events the TOE can audit, as well as those events audited by default.
- View Audit Logs contains instructions for viewing the audit trail.
- Configure Windows Task to Alarm on Audit Trace Failure addresses audit storage exhaustion.
The User Guide describes tools for monitoring the TOE, managing alarms, and analyzing information provided by the TOE. It covers:
- Logistics of logging in to the Console
- Password changes
- Viewing TOE status using Personal Dashboard
- Managing alarms (such as viewing and changing status)
- Working with filters
- Searching logs and events using Investigator
- Tracking real-time and near-real-time logs and events using Tail
As with the Administrator Guide, the User Guide includes sections for features outside the scope of evaluation:
- Network Visualization
- Save Investigation as a Report
- Reporting Center
- Customizing Reports
LogRhythm components can be configured to use either self-signed or user-provided server and client SSL certificates for their communications with each other and SQL server. The following table shows the various configurations that can be used with respect to client and server SSL certificates.
The following figure shows where each client server certificate is employed in the LogRhythm deployment. LogRhythm recommends running the deployment in the most secure configuration: using mutual SSL authentication for all components. In this configuration, each component presents its certificates during the TLS handshake that occurs when the communication channel is being established. Mutual authentication helps prevent man-in-the-middle attacks and other spoofing and authentication attacks.
|Software Component||TLS Connection Type||No Certificate||Self-Generated/Signed Certificate||User-Provided Certificate|
|SQL Server||SQL/TLS Server||X||X|
|AIE Data Provider||TLS Client||X||X|
|AIE Com Mgr||TLS Server||X||X|
LogRhythm uses two methods to secure the packages used by our customers: Digital Signature and Checksum. Digital Signature is an embedded process that checks the file before it is installed. Checksum is a manual process that verifies the file's integrity after it is received.
LogRhythm provides a digital certificate from a trusted authority. The digital certificate is used to ensure that the package being used by a customer has not been tampered with. When the user initiates the installer, the installer checks the digital signature embedded within it. The digital signature represents the byte size of the file. If the digital signature is different, the installation process stops, because any change in the byte count could represent a problem with the file (for example, malicious activity or file corruption). When the digital signature has been determined to be different, the installation process exits.
The digital signature is procured from a trusted authority. When the file is compiled, a digital signature is acquired from a trusted authority and embedded into the file. When the installation process is initiated, the application connects to the trusted authority to ensure that the digital signature embedded into the application matches what the trusted authority has on record. If the two signatures match, the installation process continues. If the two signature do not match, the installation process exits.
The digital signature is a sum derived from the hash in the system. When the installation process starts, the application performs an algorithm against the byte total of the application. If the byte sum calculated from the byte total by the algorithm is different from what is stored at the trusted authority, the installation processes exits. Because the application needs to connect to the trusted authority, the machine on which the application is being run must have internet access.
LogRhythm employs two Checksum formats that can be used to ensure the integrity of the packages being used by its clients: Message Digest Algorithm-5 (MD5) and Secure Hash Algorithm-1 (SHA-1). These two formats can be used to manually check the package after it was received from LogRhythm Support or downloaded from the LogRhythm Support Portal to ensure the package has not been compromised.
- LogRhythm Security Target, LogRhythm ST V0.6 20110927, LogRhythm, Inc., version 0.6, 27 September 2011
- LogRhythm Help, LogRhythm, Inc., version 6.0.2, 31 October 2011 (PDF format)
|ARM||Alarming and Response Manager|
|DLD||Data Loss Defender|
|FIM||File Integrity Monitor|
|RIM||Registry Integrity Monitor|
|IDS||Intrusion Detection System|
|LEA||Log Export API|
|ODBC||Open Database Connectivity|
|OPSEC||Open Platform for Security|
|SDEE||Security Device Event Exchange|
|SFR||Security Functional Requirements|
|SMTP||Simple Mail Transfer Protocol|
|SNMP||Simple Network Management Protocol|
|TOE||Target of Evaluation|
|TSF||TOE Security Functionality|
|TSFI||TOE Security Functionality Interface|
|UAM||User Activity Monitor|
Running External Storage Under Common Criteria
Any external storage being used for LogRhythm data must have a secure connection to the LogRhythm Console. To ensure the connection is secure, the external storage must:
- Be running in FIPS mode.
- Use Windows authentication using an Active Directory account.
To set up an external storage unit in FIPS mode, follow these steps:
- Set up the external machine following the Using Integrated Security steps.
- Use the Configuring IPsec instructions to create a secure connection between the two machines—the one running LogRhythm Console and the machine hosting the external storage.