Common Criteria

Target of Evaluation (TOE)

LogRhythm Help provides LogRhythm product guidance. It covers security features of the Target of Evaluation (TOE), product security features excluded from evaluation, and general product features. This section identifies guidance specific to the TOE and its evaluated configuration.

TOE Secure Acceptance

LogRhythm ships appliances (hardware with software components preinstalled) directly to customers via Federal Express with tracking. Each appliance box is wrapped with security tape. An appliance box includes a LogRhythm Appliance Installation Guide booklet and packing list. If the security tape is broken, a customer should verify the package contents using the packing list.

TOE Installation Guidance

The following sections of LogRhythm Help are available to provide TOE installation guidance:

  • Using Integrated Security describes scenarios for deploying the TOE in a variety of environments. The scenarios range from basic deployment in a low-volume environment to complex deployment in a high-volume environment that includes remote networks.
  • The Glossary provides basic definitions and identifies product components.
  • Deployment Architecture covers deploying the TOE in different arrangements to address distinct needs.
  • Networking and Communication details the communication settings among TOE components and between the TOE and its environment. Product features supporting redundancy are not within the scope of evaluation.
  • Using Integrated Security covers hardware installation for LogRhythm appliances as well as basic software setup for the TOE.
  • Hardware for AIE includes technical specifications for TOE hardware platforms (for example, processor type, bus type, memory capacity). For each appliance, a section provides instructions for unpacking and installing the hardware.
  • AI Engine covers initial start-up of TOE components, along with necessary configuration settings.
  • New Deployment Wizard describes a wizard application that guides an administrator through completing required pre-initialization steps. The TOE displays the wizard the first time an administrator accesses an appliance from the LogRhythm Console.
  • Device Configuration Guides illustrates the use of third-party devices in log generation and collection. It describes how to configure third-party devices to generate logs and how to configure the TOE to collect the logs. The third-party devices are not within the scope of evaluation.

TOE Operational Guidance

LogRhythm Help provides an introduction to the product, including architecture, licensing, data flow, and processing. The Administrator’s Guide describes the tools available to an administrator for configuring and administering a TOE. The guide covers tools for deployment, Active Directory integration, and log archiving and restoration. It also provides information on LogRhythm risk-based priority for logs. Some sections in the guide address product features outside the scope of the evaluation, such as non-security features and features excluded from LogRhythm Security Target. Sections not applicable to evaluation include:

  • User Activity Monitor (UAM)
  • Data Loss Defender
  • File Integrity Monitor
  • LogRhythm Backup and Recovery Procedures
  • Performance Counters
  • Log Processing Report

LogRhythm Security Target places additional restrictions on the operation of the TOE and requires additional steps to establish an evaluated configuration. LogRhythm Security Target specifies Windows authentication, protected communication between TOE components, and security audit. LogRhythm must use Windows authentication (Active Directory or operating system local to each appliance) in the evaluated configuration. Using Integrated Security covers the setup and configuration. The evaluated configuration requires an administrator to configure protected communication (that is, TLS) between distributed LogRhythm components (for example, between Data Processors and the Platform Manager). For more information, see Networking and Communication.

LogRhythm Help section Audit Data Generation provides the following guidance for the TOE audit functions.

  • Required Scripts and Set up the Audit Functionality cover configuring the audit functions.
  • Set up Discretionary Access Controls on the Trace Folder on an NTFS File System describes configuration in the operational environment that is needed to protect the TOE security audit trail.
  • Audited Events lists the security-relevant events the TOE can audit, as well as those events audited by default.
  • View Audit Logs contains instructions for viewing the audit trail.
  • Configure Windows Task to Alarm on Audit Trace Failure addresses audit storage exhaustion.

The User Guide describes tools for monitoring the TOE, managing alarms, and analyzing information provided by the TOE. It covers:

  • Logistics of logging in to the Console
  • Password changes
  • Viewing TOE status using Personal Dashboard
  • Managing alarms (such as viewing and changing status)
  • Working with filters
  • Searching logs and events using Investigator
  • Tracking real-time and near-real-time logs and events using Tail

As with the Administrator Guide, the User Guide includes sections for features outside the scope of evaluation:

  • Network Visualization
  • Save Investigation as a Report
  • Reporting Center
  • Customizing Reports

SSL Authentication

LogRhythm components can be configured to use either self-signed or user-provided server and client SSL certificates for their communications with each other and SQL server. The following table shows the various configurations that can be used with respect to client and server SSL certificates.

The following figure shows where each client and server certificate is employed in the LogRhythm deployment. LogRhythm recommends running the deployment in the most secure configuration: using mutual SSL authentication for all components. In this configuration, each component presents its certificate during the TLS handshake that occurs when the communication channel is being established. Mutual authentication helps prevent man-in-the-middle attacks and other spoofing and authentication attacks.

Software Component   TLS Connection Type   No Certificate   Self-Generated/Signed Certificate   User-Provided Certificate
Agent                TLS Client            X                                                    X
Mediator             TLS Server                             X                                   X
SQL Server           SQL/TLS Server                         X                                   X
AIE Data Provider    TLS Client            X                                                    X
AIE Com Mgr          TLS Server                             X                                   X

Trusted Updates

LogRhythm uses two methods to secure the packages used by our customers: Digital Signature and Checksum. Digital Signature is an embedded process that checks the file before it is installed. Checksum is a manual process that verifies the file's integrity after it is received.

Digital Signature

LogRhythm provides a digital certificate from a trusted authority. The digital certificate is used to ensure that the package being used by a customer has not been tampered with. When the user initiates the installer, the installer checks the digital signature embedded within it. The digital signature represents the byte size of the file. If the digital signature is different, the installation process stops, because any change in the byte count could represent a problem with the file (for example, malicious activity or file corruption). When the digital signature has been determined to be different, the installation process exits.

The digital signature is procured from a trusted authority. When the file is compiled, a digital signature is acquired from a trusted authority and embedded into the file. When the installation process is initiated, the application connects to the trusted authority to ensure that the digital signature embedded into the application matches what the trusted authority has on record. If the two signatures match, the installation process continues. If the two signatures do not match, the installation process exits.

The digital signature is a sum derived from the hash in the system. When the installation process starts, the application performs an algorithm against the byte total of the application. If the byte sum calculated from the byte total by the algorithm is different from what is stored at the trusted authority, the installation process exits. Because the application needs to connect to the trusted authority, the machine on which the application is being run must have internet access.

Checksum

LogRhythm employs two checksum formats that can be used to ensure the integrity of the packages being used by its clients: Message Digest Algorithm-5 (MD5) and Secure Hash Algorithm-1 (SHA-1). These two formats can be used to manually check the package after it is received from LogRhythm Support or downloaded from the LogRhythm Support Portal to ensure the package has not been compromised.
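The manual check described above, as an added example that is not LogRhythm's own tooling: it hashes a package file in chunks with both formats named here (MD5 and SHA-1), compares against published digests in constant time, and also parses the common `<digest>  <filename>` checksum-file line layout. The sample package bytes and the "published" digests are constructed for the example (they are the standard test-vector digests of the bytes `abc`); the checksum-line layout is an assumption, not something the page specifies.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample package content; stands in for a downloaded installer.
SAMPLE_PACKAGE = b"abc"

# Digests of b"abc" (standard MD5 / SHA-1 test vectors), playing the role of
# the values a support portal would publish beside the package.
PUBLISHED = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
}


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a file incrementally so a large package never has to fit in memory."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("only the MD5 and SHA-1 formats are used here")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse an assumed '<hex digest>  <filename>' line into (digest, filename)."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected checksum line: {line!r}")
    digest, name = parts
    return digest.lower(), name


def verify_package(path, expected_hex, algorithm):
    """True only if the file digest matches; comparison is constant-time and case-insensitive."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_both(path, published):
    """A package passes only if every published digest (MD5 and SHA-1) matches."""
    return all(verify_package(path, d, alg) for alg, d in published.items())


def write_sample(data=SAMPLE_PACKAGE):
    """Write constructed package bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path
```

Checking both digests rather than one means an attacker would have to produce a file colliding under MD5 and SHA-1 simultaneously, which is a much stronger bar than either alone.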

References

  • LogRhythm Security Target, LogRhythm ST V0.6 20110927, LogRhythm, Inc., version 0.6, 27 September 2011
  • LogRhythm Help, LogRhythm, Inc., version 6.0.2, 31 October 2011 (PDF format)

Acronyms

Acronym   Description
ARM       Alarming and Response Manager
DLD       Data Loss Defender
PM        Platform Manager
FIM       File Integrity Monitor
RIM       Registry Integrity Monitor
IDS       Intrusion Detection System
LEA       Log Export API
DP        Data Processor
ODBC      Open Database Connectivity
OPSEC     Open Platform for Security
SDEE      Security Device Event Exchange
SFR       Security Functional Requirements
SMTP      Simple Mail Transfer Protocol
SNMP      Simple Network Management Protocol
TOE       Target of Evaluation
TSF       TOE Security Functionality
TSFI      TOE Security Functionality Interface
UAM       User Activity Monitor

Running External Storage Under Common Criteria

Any external storage being used for LogRhythm data must have a secure connection to the LogRhythm Console. To ensure the connection is secure, the external storage must:

  • Be running in FIPS mode.
  • Use Windows authentication using an Active Directory account.

To set up an external storage unit in FIPS mode, follow these steps:

  • Set up the external machine following the Using Integrated Security steps.
  • Use the Configuring IPsec instructions to create a secure connection between the two machines—the one running LogRhythm Console and the machine hosting the external storage.