Common Criteria
Target of Evaluation (TOE)
LogRhythm Help provides LogRhythm product guidance. It covers security features of the Target of Evaluation (TOE), product security features excluded from evaluation, and general product features. This section identifies guidance specific to the TOE and its evaluated configuration.
TOE Secure Acceptance
LogRhythm ships appliances (hardware with software components preinstalled) directly to customers via Federal Express with tracking. Each appliance box is wrapped with security tape. An appliance box includes a LogRhythm Appliance Installation Guide booklet and packing list. If the security tape is broken, a customer should verify the package contents using the packing list.
TOE Installation Guidance
The following sections of LogRhythm Help are available to provide TOE installation guidance:
- Using Integrated Security describes scenarios for deploying the TOE in a variety of environments. The scenarios range from basic deployment in a low-volume environment to complex deployment in a high-volume environment that includes remote networks.
- The Glossary provides basic definitions and identifies product components.
- Deployment Architecture covers deploying the TOE in different arrangements to address distinct needs.
- Networking and Communication details the communication settings among TOE components and between the TOE and its environment. Product features supporting redundancy are not within the scope of evaluation.
- Using Integrated Security covers hardware installation for LogRhythm appliances as well as basic software setup for the TOE.
- Hardware for AIE includes technical specifications for TOE hardware platforms (for example, processor type, bus type, memory capacity). For each appliance, a section provides instructions for unpacking and installing the hardware.
- AI Engine covers initial start-up of TOE components, along with necessary configuration settings.
- New Deployment Wizard describes a wizard application that guides an administrator through completing required pre-initialization steps. The TOE displays the wizard the first time an administrator accesses an appliance from the LogRhythm Console.
- Device Configuration Guides illustrates the use of third-party devices in log generation and collection. It describes how to configure third-party devices to generate logs and how to configure the TOE to collect the logs. The third-party devices are not within the scope of evaluation.
TOE Operational Guidance
LogRhythm Help provides an introduction to the product, including architecture, licensing, data flow, and processing. The Administrator’s Guide describes the tools available to an administrator for configuring and administering a TOE. The guide covers tools for deployment, Active Directory integration, and log archiving and restoration. It also provides information on LogRhythm risk-based priority for logs. Some sections in the guide address product features outside the scope of the evaluation, such as non-security features and features excluded from LogRhythm Security Target. Sections not applicable to evaluation include:
- User Activity Monitor (UAM)
- Data Loss Defender
- File Integrity Monitor
- LogRhythm Backup and Recovery Procedures
- Performance Counters
- Log Processing Report
LogRhythm Security Target places additional restrictions on the operation of the TOE and requires additional steps to establish an evaluated configuration. LogRhythm Security Target specifies Windows authentication, protected communication between TOE components, and security audit. LogRhythm must use Windows authentication (Active Directory or operating system local to each appliance) in the evaluated configuration. Using Integrated Security covers the setup and configuration. The evaluated configuration requires an administrator to configure protected communication (that is, TLS) between distributed LogRhythm components (for example, between Data Processors and the Platform Manager). For more information, see Networking and Communication.
LogRhythm Help section Audit Data Generation provides the following guidance for the TOE audit functions.
- Required Scripts and Set up the Audit Functionality cover configuring the audit functions.
- Set up Discretionary Access Controls on the Trace Folder on an NTFS File System describes configuration in the operational environment that is needed to protect the TOE security audit trail.
- Audited Events lists the security-relevant events the TOE can audit, as well as those events audited by default.
- View Audit Logs contains instructions for viewing the audit trail.
- Configure Windows Task to Alarm on Audit Trace Failure addresses audit storage exhaustion.
The User Guide describes tools for monitoring the TOE, managing alarms, and analyzing information provided by the TOE. It covers:
- Logistics of logging in to the Console
- Password changes
- Viewing TOE status using Personal Dashboard
- Managing alarms (such as viewing and changing status)
- Working with filters
- Searching logs and events using Investigator
- Tracking real-time and near-real-time logs and events using Tail
As with the Administrator Guide, the User Guide includes sections for features outside the scope of evaluation:
- Network Visualization
- Save Investigation as a Report
- Reporting Center
- Customizing Reports
SSL Authentication
LogRhythm components can be configured to use either self-signed or user-provided server and client SSL certificates for their communications with each other and SQL server. The following table shows the various configurations that can be used with respect to client and server SSL certificates.
The following figure shows where each client and server certificate is employed in the LogRhythm deployment. LogRhythm recommends running the deployment in the most secure configuration: using mutual SSL authentication for all components. In this configuration, each component presents its certificate during the TLS handshake that occurs when the communication channel is being established. Mutual authentication helps prevent man-in-the-middle attacks and other spoofing and authentication attacks.
Software Component | TLS Connection Type | No Certificate | Self-Generated/Signed Certificate | User-Provided Certificate |
---|---|---|---|---|
Agent | TLS Client | X | X | |
Mediator | TLS Server | X | X | |
SQL Server | SQL/TLS Server | X | X | |
AIE Data Provider | TLS Client | X | X | |
AIE Com Mgr | TLS Server | X | X | |
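The table distinguishes components that act as TLS clients from those that act as TLS servers, and the recommendation above is that both sides authenticate each other. The following added example (not LogRhythm code, written for this page) expresses the same distinction with Python's standard `ssl` module: a server-side context that requires a client certificate and a client-side context that verifies the server, placed beside the weaker settings that give only one-way or no authentication. The mapping of roles to component names in the comments, the `posture` labels and the certificate file paths are assumptions made for illustration; `load_identity` is where a real deployment would load the self-generated or user-provided certificates from the table.

```python
import ssl


def mutual_server_policy():
    """TLS server role (Mediator, AIE Com Mgr in the table above, assumed mapping):
    present our own certificate and also demand a valid certificate from the client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails if the client presents no trusted certificate
    return ctx


def server_only_server_policy():
    """Weaker server role: we present a certificate but accept any client (no client authentication)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_NONE  # default for server contexts; the client side is not identified
    return ctx


def mutual_client_policy():
    """TLS client role (Agent, AIE Data Provider, assumed mapping): verify the server's certificate
    and hostname; the client's own certificate is attached later by load_identity()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults to CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_client_policy():
    """Weakest client role: encrypted, but the peer is never authenticated, so a spoofed server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def load_identity(ctx, cert_file, key_file, peer_ca_file):
    """Attach this component's certificate/key and the CA used to validate the peer.
    File names are placeholders supplied by the caller (for example 'component.pem', 'component.key', 'ca.pem')."""
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(peer_ca_file)
    return ctx


def posture(server_ctx, client_ctx):
    """Classify who is authenticated on a channel built from these two contexts (labels are assumptions)."""
    server_verified = client_ctx.verify_mode == ssl.CERT_REQUIRED and client_ctx.check_hostname
    client_verified = server_ctx.verify_mode == ssl.CERT_REQUIRED
    if server_verified and client_verified:
        return "mutual"
    if server_verified:
        return "server-only"
    if client_verified:
        return "client-only"
    return "unauthenticated"


if __name__ == "__main__":
    print("recommended :", posture(mutual_server_policy(), mutual_client_policy()))
    print("server-only :", posture(server_only_server_policy(), mutual_client_policy()))
    print("no auth     :", posture(server_only_server_policy(), unverified_client_policy()))
```

Only the "mutual" combination matches the recommended configuration; a server context left at `CERT_NONE` is the setting to look for when auditing a deployment, because the server side then never learns which component connected to it.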
Trusted Updates
LogRhythm uses two methods to secure the packages used by our customers: Digital Signature and Checksum. Digital Signature is an embedded process that checks the file before it is installed. Checksum is a manual process that verifies the file's integrity after it is received.
Digital Signature
LogRhythm provides a digital certificate from a trusted authority. The digital certificate is used to ensure that the package being used by a customer has not been tampered with. When the user initiates the installer, the installer checks the digital signature embedded within it. The digital signature represents the byte size of the file. If the digital signature is different, the installation process stops, because any change in the byte count could represent a problem with the file (for example, malicious activity or file corruption). When the digital signature has been determined to be different, the installation process exits.
The digital signature is procured from a trusted authority. When the file is compiled, a digital signature is acquired from a trusted authority and embedded into the file. When the installation process is initiated, the application connects to the trusted authority to ensure that the digital signature embedded into the application matches what the trusted authority has on record. If the two signatures match, the installation process continues. If the two signatures do not match, the installation process exits.
The digital signature is a sum derived from the hash in the system. When the installation process starts, the application performs an algorithm against the byte total of the application. If the byte sum calculated from the byte total by the algorithm is different from what is stored at the trusted authority, the installation process exits. Because the application needs to connect to the trusted authority, the machine on which the application is being run must have internet access.
Checksum
LogRhythm employs two Checksum formats that can be used to ensure the integrity of the packages being used by its clients: Message Digest Algorithm-5 (MD5) and Secure Hash Algorithm-1 (SHA-1). These two formats can be used to manually check the package after it is received from LogRhythm Support or downloaded from the LogRhythm Support Portal to ensure the package has not been compromised.
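The manual Checksum step above is: hash the package you received and compare the result with the value LogRhythm published. The following added example (not LogRhythm code) does that in Python for both formats named here, MD5 and SHA-1. It infers the format from the length of the published hex digest, hashes the file in chunks so a large installer is not read into memory at once, compares with a constant-time comparison, and parses a checksum listing line in the common `HEX  filename` layout; that layout, the file names and the sample package bytes are constructed assumptions, not LogRhythm's published format.

```python
import hashlib
import hmac
import os
import tempfile

# Checksum formats named on this page; the hex-digest length tells which one a published value uses.
ALGORITHMS = {"md5": 32, "sha1": 40}
HEX_DIGITS = set("0123456789abcdef")


def infer_algorithm(expected_hex):
    """Return 'md5' or 'sha1' from the length of a lowercase hex digest, or None if neither fits."""
    digest = expected_hex.strip().lower()
    if not digest or not set(digest) <= HEX_DIGITS:
        return None
    for name, length in ALGORITHMS.items():
        if len(digest) == length:
            return name
    return None


def digest_bytes(data, algorithm):
    """Hex digest of an in-memory byte string (used for small constructed samples and tests)."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Hex digest of a file, read in 1 MiB chunks so large appliance installers stream through."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one 'HEX  filename' line (assumed listing layout; a leading '*' binary marker is tolerated).
    Returns (lowercase_digest, filename) or raises ValueError on a malformed line."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<hex digest> <filename>': %r" % line)
    digest, filename = parts[0].lower(), parts[1].strip()
    if filename.startswith("*"):
        filename = filename[1:]
    if infer_algorithm(digest) is None:
        raise ValueError("not an MD5 or SHA-1 hex digest: %r" % parts[0])
    return digest, filename


def verify_package(path, expected_hex):
    """True only if the file's digest equals the published value; comparison is constant-time."""
    algorithm = infer_algorithm(expected_hex)
    if algorithm is None:
        raise ValueError("published value is not an MD5 or SHA-1 hex digest")
    actual = digest_file(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def self_check():
    """Constructed sample: an intact package verifies, a one-byte modification does not.
    Returns (intact_ok, tampered_ok)."""
    package = b"constructed sample package bytes, not a real LogRhythm installer\n"
    published = digest_bytes(package, "sha1")  # stands in for the value obtained from LogRhythm Support
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "package.zip")
        bad = os.path.join(tmp, "tampered.zip")
        with open(good, "wb") as f:
            f.write(package)
        with open(bad, "wb") as f:
            f.write(package[:-1] + b"!")
        return verify_package(good, published), verify_package(bad, published)


if __name__ == "__main__":
    intact, tampered = self_check()
    print("intact package verifies:", intact)
    print("tampered package verifies:", tampered)
```

Check the published value against both formats when both are available: MD5 and SHA-1 are the formats this page lists, and neither is collision-resistant on its own, so agreement of two independent digests gives the receiver more confidence than either one alone. On a host running in FIPS mode, MD5 may be disabled in the underlying crypto library, in which case `hashlib.new("md5")` raises and only the SHA-1 value can be checked there.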
References
- LogRhythm Security Target, LogRhythm ST V0.6 20110927, LogRhythm, Inc., version 0.6, 27 September 2011
- LogRhythm Help, LogRhythm, Inc., version 6.0.2, 31 October 2011 (PDF format)
Acronyms
Acronym | Description |
---|---|
ARM | Alarming and Response Manager |
DLD | Data Loss Defender |
PM | Platform Manager |
FIM | File Integrity Monitor |
RIM | Registry Integrity Monitor |
IDS | Intrusion Detection System |
LEA | Log Export API |
DP | Data Processor |
ODBC | Open Database Connectivity |
OPSEC | Open Platform for Security |
SDEE | Security Device Event Exchange |
SFR | Security Functional Requirements |
SMTP | Simple Mail Transfer Protocol |
SNMP | Simple Network Management Protocol |
TOE | Target of Evaluation |
TSF | TOE Security Functionality |
TSFI | TOE Security Functionality Interface |
UAM | User Activity Monitor |
Running External Storage Under Common Criteria
Any external storage being used for LogRhythm data must have a secure connection to the LogRhythm Console. To ensure the connection is secure, the external storage must:
- Be running in FIPS mode.
- Use Windows authentication using an Active Directory account.
To set up an external storage unit in FIPS mode, follow these steps:
- Set up the external machine following the Using Integrated Security steps.
- Use the Configuring IPsec instructions to create a secure connection between the two machines—the one running LogRhythm Console and the machine hosting the external storage.