Xylok Security Suite 20.x V1R1

b

Xylok Security Suite must protect application-specific data.

CM-5 - Medium - CCI-001813 - V-269569 - SV-269569r1053482_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001813

Version

XYLK-20-000334

Vuln IDs

V-269569

Rule IDs

SV-269569r1053482_rule

The /var/lib/xylok directory is essential for storing various types of data necessary for the operation and functionality of the Xylok Security Suite. It acts as a central repository for application data, ensuring that the suite can function effectively and maintain state and configuration between sessions. Proper management and protection of this directory is crucial to ensure the security and stability of the application.

Checks: C-73602r1053480_chk

Check the Xylok lib file permissions with the following command: $ ls -l /var/lib/xylok If "db" file has permissions greater than "0700", this is a finding. If any other file or directory has permissions greater than "0755", this is a finding.

Fix: F-73503r1053481_fix

As root, correct permissions for xylok.conf by running: # chmod -R 0755 /var/lib/xylok # chmod -R 0700 /var/lib/xylok/data/db

b

Xylok Security Suite must limit system resources consumed by the application.

AC-10 - Medium - CCI-000054 - V-269570 - SV-269570r1053485_rule

RMF Control

AC-10

Severity

M

CCI

CCI-000054

Version

XYLK-20-000001

Vuln IDs

V-269570

Rule IDs

SV-269570r1053485_rule

Not limiting system resources to Xylok presents a denial-of-service (DoS) risk. Each open instance of Xylok periodically retrieves a list of background tasks. Open sessions, even sessions not being actively used, consume a small amount of server resources and could result in Xylok becoming slow or entirely responsive. In addition, this risk impacts the host system for the container by consuming excessive CPU, allowing a DoS attack on Xylok to also impact other software hosted on the same physical machine. Satisfies: SRG-APP-000001, SRG-APP-000435

Checks: C-73603r1053483_chk

Determine if Xylok is configured to limit its maximum CPU and memory usage with the following command, run from the host machine as a normal user: $ grep LIMIT_ /etc/xylok.conf Verify the following settings are configured: - LIMIT_MEM set to less than 100 percent of the host machine's memory. - LIMIT_CPU set to less than 1000. If any of the above settings are not present or are blank, this is a finding.

Fix: F-73504r1053484_fix

Configure the Xylok Security Suite to limit CPU and memory usage using this procedure on the host machine. As root, open /etc/xylok.conf in a text editor. 1. Add the following settings if not present. All settings should be in the format "NAME=value". For example, the first required setting might appear as "LIMIT_MEM=4096m" in the configuration file, with no quotes. - LIMIT_MEM: Set to 2048m or greater, and less than 100 percent of the host machine's memory. - LIMIT_CPU: Set to 128 or greater, not to exceed 1000. This value can range from 1 to 1024, where 1024 allows usage of 100 percent of the CPU. 2. Save configuration file. 3. Restart Xylok to apply settings: # systemctl restart xylok

b

Xylok Security Suite must initiate a session lock after a 15-minute period of inactivity.

AC-11 - Medium - CCI-000057 - V-269571 - SV-269571r1053488_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000057

Version

XYLK-20-000003

Vuln IDs

V-269571

Rule IDs

SV-269571r1053488_rule

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined and/or controlled. This is handled at the operating system-level and results in a system lock. Satisfies: SRG-APP-000003, SRG-APP-000190

Checks: C-73604r1053486_chk

Verify session is configured to lock after 15 minutes of inactivity. Execute the following: $ grep SESSION_LENGTH /etc/xylok.conf SESSION_LENGTH=900 If "SESSION_LENGTH" is set to more than15 minutes or is missing, this is a finding. Note: The setting is in seconds. 900 sec = 15 min.

Fix: F-73505r1053487_fix

Set the session length: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "SESSION_LENGTH=900" to the configuration file. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok

c

Xylok Security Suite must expire a session upon browser closing.

AC-11 - High - CCI-000056 - V-269572 - SV-269572r1053491_rule

RMF Control

AC-11

Severity

H

CCI

CCI-000056

Version

XYLK-20-000005

Vuln IDs

V-269572

Rule IDs

SV-269572r1053491_rule

When the session expires as soon as the browser is closed, it prevents session hijacking and unauthorized users from accessing the account or data if they reopen the browser. Leaving a session open in the browser even after it is closed could expose the system to various types of attacks, like cross-site scripting (XSS) or malware designed to steal session cookies. Automatically expiring sessions mitigates this risk. Satisfies: SRG-APP-000005, SRG-APP-000220, SRG-APP-000295, SRG-APP-000413

Checks: C-73605r1053489_chk

Verify session expires after browser is closed. Execute the following: $ grep SESSION_EXPIRE_AT_BROWSER_CLOSE /etc/xylok.conf SESSION_EXPIRE_AT_BROWSER_CLOSE=True If "SESSION_EXPIRE_AT_BROWSER_CLOSE" is not set to "True" or is missing, this is a finding.

Fix: F-73506r1053490_fix

Set the session expiration: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "SESSION_EXPIRE_AT_BROWSER_CLOSE=True" to the configuration file. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok

c

Xylok Security Suite must prevent access except through HTTPS.

AC-17 - High - CCI-000068 - V-269573 - SV-269573r1054093_rule

RMF Control

AC-17

Severity

H

CCI

CCI-000068

Version

XYLK-20-000006

Vuln IDs

V-269573

Rule IDs

SV-269573r1054093_rule

Preventing access, except via HTTPS, ensures security and protects sensitive data. HTTP_ONLY: If true, disables listening on the HTTPS port and allows all calls to happen over HTTP. This must be set to false. HTTPS encrypts data transmitted between the client (browser) and the server. Sensitive information, such as login credentials, personal data, and session cookies, is protected from being intercepted by malicious actors (e.g., through man-in-the-middle attacks) during transmission. When data is sent over HTTP (unencrypted), it can be intercepted and altered. HTTPS mitigates this by encrypting the communication. HTTPS uses digital certificates (SSL/TLS certificates) to authenticate the server’s identity. This ensures that users are connecting to the legitimate server rather than a malicious entity attempting to impersonate the site. HTTPS-only policies enable the use of HSTS, which forces browsers to only interact with the site using HTTPS and prevents users from being redirected to an HTTP version of the site. This can defend against certain attacks, like SSL stripping, which downgrade connections to HTTP. Satisfies: SRG-APP-000014, SRG-APP-000142, SRG-APP-000219, SRG-APP-000411, SRG-APP-000412, SRG-APP-000439, SRG-APP-000440, SRG-APP-000442, SRG-APP-000514, SRG-APP-000555, SRG-APP-000645

Checks: C-73606r1054093_chk

Verify HTTP_ONLY is set to "false": $ grep HTTP_ONLY /etc/xylok.conf HTTP_ONLY=false If "HTTP_ONLY=true" or is not configured, this is a finding.

Fix: F-73507r1053493_fix

Add/Amend HTTP_ONLY to the configuration files: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend the following to the configuration file: HTTP_ONLY=false 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok

c

Xylok Security Suite must use a centralized user management solution.

AC-2 - High - CCI-000015 - V-269574 - SV-269574r1053497_rule

RMF Control

AC-2

Severity

H

CCI

CCI-000015

Version

XYLK-20-000009

Vuln IDs

V-269574

Rule IDs

SV-269574r1053497_rule

Configuring Xylok Security Suite to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing capabilities, and offers a more seamless and consistent user experience. It aligns Xylok Security Suite with enterprise standards and contributes to a more efficient and secure environment. Satisfies: SRG-APP-000023, SRG-APP-000025, SRG-APP-000026, SRG-APP-000027, SRG-APP-000028, SRG-APP-000029, SRG-APP-000033, SRG-APP-000065, SRG-APP-000080, SRG-APP-000089, SRG-APP-000090, SRG-APP-000149, SRG-APP-000150, SRG-APP-000153, SRG-APP-000154, SRG-APP-000155, SRG-APP-000156, SRG-APP-000157, SRG-APP-000163, SRG-APP-000164, SRG-APP-000165, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000170, SRG-APP-000173, SRG-APP-000175, SRG-APP-000176, SRG-APP-000177, SRG-APP-000180, SRG-APP-000185, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000318, SRG-APP-000319, SRG-APP-000320, SRG-APP-000345, SRG-APP-000391, SRG-APP-000392, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000503, SRG-APP-000505, SRG-APP-000506, SRG-APP-000508, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000815, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000835, SRG-APP-000840, SRG-APP-000845, SRG-APP-000850, SRG-APP-000855, SRG-APP-000860, SRG-APP-000865, SRG-APP-000870, SRG-APP-000875, SRG-APP-000910

Checks: C-73607r1053495_chk

Determine if Xylok is configured to use Active Directory (AD) authentication with the following command, run from the host machine as a normal user: $ grep -e "AD_SIGN_IN" -e "XYLOK_HOST" -e "AD_CLIENT_ID" /etc/xylok.conf Verify the following settings are present: - AD_SIGN_IN - XYLOK_HOST - AD_CLIENT_ID If any of the above settings are not present, blank, or "false" (case insensitive), this is a finding.

Fix: F-73508r1053496_fix

The below procedure assumes an AD server hosted on Windows Server. For AD login using Azure AD, refer to the current Xylok Security Suite manual. Additional advice for AD configuration can also be found in the Xylok manual. Configure the Xylok Security Suite to use Active Directory login using this procedure on the host machine: 1. As root, open /etc/xylok.conf in a text editor. 2. Add the following settings if not present. All settings should be in the format "NAME=value". For example, the first required setting will appear as "AD_SIGN_IN=True" in the configuration file, with no quotes. - AD_SIGN_IN: use the value "True" - XYLOK_HOST: set to domain name used to access server on network - AD_CLIENT_ID: This is the value displayed on the ADFS server as ClientId when executing the Add-AdfsClient command - AD_SERVER: The fully qualified domain name (FQDN) of the ADFS server - AD_AUDIENCE: Set this to the value of the aud claim your ADFS server sends back in the JWT token. If this is a URL, it will be the same as the RELYING_PARTY_ID . - AD_RELYING_PARTY_ID: Set this to the Relying Party Trust identifier value of the Relying Party Trust (2012) or Web application (2016) configured in ADFS. 3. Save the configuration file. 4. Restart Xylok to apply settings: # systemctl restart xylok 5. In a web browser on a system with access to Xylok, go to https://<your xylok host>/oauth2/login. If SSO is configured correctly, it will redirect to the organization's sign-on page.

b

Xylok Security Suite must display the Standard Mandatory DOD Notice and Consent Banner before granting access.

AC-8 - Medium - CCI-000048 - V-269575 - SV-269575r1054094_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

XYLK-20-000020

Vuln IDs

V-269575

Rule IDs

SV-269575r1054094_rule

Users accessing Xylok must be informed their actions might be monitored, potentially opening the organization up to legal challenges. Implementing a Consent Banner helps Xylok Security Suite remain compliant with legal requirements and protect user privacy while informing users of their rights regarding their data. Satisfies: SRG-APP-000068, SRG-APP-000069

Checks: C-73608r1054094_chk

Verify the Standard Mandatory DOD Notice and Consent Banner has been configured: $ grep BANNER /etc/xylok.conf If the Standard Mandatory DOD Notice and Consent Banner is not displayed, this is a finding.

Fix: F-73509r1053499_fix

Add banner to the configuration files: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend the following to the configuration file: BANNER=You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n- At any time, the USG may inspect and seize data stored on this IS.\n\n- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n- This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy.\n\n- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok

b

Xylok Security Suite must protect audit information from any type of unauthorized access.

AU-9 - Medium - CCI-000162 - V-269576 - SV-269576r1053503_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

XYLK-20-000043

Vuln IDs

V-269576

Rule IDs

SV-269576r1053503_rule

If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to their advantage. To ensure the veracity of audit data, the information system and/or the Xylok Security Suite must protect audit information from any and all unauthorized access. This includes read, write, and copy access. Satisfies: SRG-APP-000118, SRG-APP-000119, SRG-APP-000120, SRG-APP-000121, SRG-APP-000122, SRG-APP-000123

Checks: C-73609r1053501_chk

Check the Xylok log file directory permissions with the following command: $ ls -l /var/log/xylok If any of the directories have permissions greater than "0770", this is a finding.

Fix: F-73510r1053502_fix

As root, remove all global permissions for Xylok's log files by running: # chmod -R 0770 /var/log/xylok/

c

Xylok Security Suite must be running a supported version.

High - CCI-003992 - V-269577 - SV-269577r1053506_rule

RMF Control

Severity

H

CCI

CCI-003992

Version

XYLK-20-000051

Vuln IDs

V-269577

Rule IDs

SV-269577r1053506_rule

It is critical to the security and stability of Xylok to ensure that updates and patches are deployed through a trusted software supply chain. Key elements to having a trusted supply chain include ensuring that versions deployed come from known, trusted sources. Additionally, it is important to check for and apply security-relevant updates in a timely manner. To help users manage updates, Xylok manages versions via their internal portal. Satisfies: SRG-APP-000131, SRG-APP-000456

Checks: C-73610r1053504_chk

Verify the latest install is being used. Log on to the GUI and locate the version from the lower left corner. Compare this version with the latest release on the Xylok portal (https://downloads.xylok.io). If the current version is not the latest version from the Xylok portal, this is a finding.

Fix: F-73511r1053505_fix

Update Xylok Security Suite to the latest version. Follow the instructions found here: https://app.xylok.io/docs/01-server-admin/installation/updating/.

b

The Xylok Security Suite READONLY configuration must be True.

CM-5 - Medium - CCI-001499 - V-269578 - SV-269578r1054098_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001499

Version

XYLK-20-000052

Vuln IDs

V-269578

Rule IDs

SV-269578r1054098_rule

By default, the Xylok container is created not allowing users to modify any files inside the container. The only paths that can be altered are mounted from the host. Mount the database files from the host, so that the database server running inside the container can write data. If READONLY=false, then a user could go into the container as root and change other files. This approach helps protect the application from both external attacks and internal threats.

Checks: C-73611r1053507_chk

Verify that Xylok's default read-only status is disabled by using the following command: $ grep READONLY /etc/xylok.conf If "READONLY" is set to False (case insensitive), is commented out or is missing, this is not a finding.

Fix: F-73512r1053508_fix

Revert Xylok to its default read-only configuration: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "READONLY=True" to the configuration file. 3. Restart Xylok to apply settings: # systemctl restart xylok

b

Xylok Security Suite must disable nonessential capabilities.

CM-7 - Medium - CCI-000381 - V-269579 - SV-269579r1053512_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000381

Version

XYLK-20-000053

Vuln IDs

V-269579

Rule IDs

SV-269579r1053512_rule

If Xylok has unnecessary functionality enabled, the server may allow arbitrary code to run within the Xylok container. This would allow the user to potentially launch malicious acts against other hosts from inside the Xylok container. ENABLE_PP_TEST_API setting in the Xylok Security Suite refers to a configuration flag that enables a specific test API related to the policy processing (PP) functionalities of the suite. This setting is used primarily in development or testing environments to enable specific testing functionalities. Satisfies: SRG-APP-000141, SRG-APP-000246, SRG-APP-000247, SRG-APP-000384

Checks: C-73612r1053510_chk

Verify that Xylok's default ENABLE_PP_TEST_API status is disabled by using the following command: $ grep ENABLE_PP_TEST_API /etc/xylok.conf If "ENABLE_PP_TEST_API" exists (case insensitive), this is a finding.

Fix: F-73513r1053511_fix

Revert Xylok to its default configuration, which disables the post-processing test API: 1. As root, open /etc/xylok.conf in a text editor. 2. Delete any ENABLE_PP_TEST_API lines from configuration file. 3. Restart Xylok to apply settings: # systemctl restart xylok

b

The Xylok Security Suite configuration for DEBUG must be False.

SI-11 - Medium - CCI-001312 - V-269580 - SV-269580r1053515_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001312

Version

XYLK-20-000109

Vuln IDs

V-269580

Rule IDs

SV-269580r1053515_rule

Providing too much information in error messages risks compromising the data and security of the Xylok Security Suite and system. If DEBUG is set to True, it will show stack traces in error messages to assist with contact Xylok Support, but potentially reveal secure information.

Checks: C-73613r1053513_chk

Verify DEBUG is configured. Execute the following: $ grep DEBUG /etc/xylok.conf DEBUG=False If "DEBUG" is not set to False or is missing, this is a finding.

Fix: F-73514r1053514_fix

Set DEBUG: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "DEBUG=False" to the configuration file. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok

b

Xylok Security Suite must not allow local user or groups.

AC-3 - Medium - CCI-002165 - V-269581 - SV-269581r1054095_rule

RMF Control

AC-3

Severity

M

CCI

CCI-002165

Version

XYLK-20-000137

Vuln IDs

V-269581

Rule IDs

SV-269581r1054095_rule

Active Directory’s (AD's) design to create but not delete local groups supports operational efficiency, system integrity, and compliance needs. Manual checks will help identify user accounts that are no longer active or orphaned accounts which could pose security risks. Within Xylok there must not be a local users/groups. Manually verifying local users and groups ensures that unauthorized users do not gain access to sensitive resources. Satisfies: SRG-APP-000328, SRG-APP-000715, SRG-APP-000720, SRG-APP-000725, SRG-APP-000730, SRG-APP-000735

Checks: C-73614r1054095_chk

Verify the local accounts and groups are associated with AD and that user privileges are correct. Check accounts as a logged in administrator in Xylok. 1. Verify there are no local users. Navigate to User Menu <username> >> Database Admin >> Users. If any local user(s) exist or users(s) are not current in AD, this is a finding. If any users have privileged access that do not require that access, this is a finding. 2. Verify there are no removed or local groups. Navigate to User Menu <username> >> Database Admin >> Groups . Verify the only groups exist are created by AD and are currently being used by AD. If any groups exist that are not actively being used by AD, this is a finding.

Fix: F-73515r1053517_fix

Delete unused or local groups/users. 1. As a logged in administrator in Xylok, navigate to User Menu <username> >> Database Admin >> Users. 2. Select User(s) to delete. 3. Click on down arrow in "Action". 4. Select "Delete selected users" 5. Click "Go". 6. Click "Yes, I'm sure". 7. Delete Group. 8. As a logged in administrator in Xylok, navigate to User Menu <username> >> Database Admin >> Groups. 9. Select Group(s) to delete. 10. Click on down arrow in "Action". 11. Select "Delete selected users". 12. Click "Go". 13. Click "Yes, I'm sure".

b

The Xylok Security Suite configuration file must be protected.

CM-5 - Medium - CCI-001813 - V-269582 - SV-269582r1053521_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001813

Version

XYLK-20-000161

Vuln IDs

V-269582

Rule IDs

SV-269582r1053521_rule

Protecting the configuration file is a fundamental aspect of maintaining the security, integrity, and stability of Xylok Security Suite. By implementing robust protection mechanisms, Xylok can safeguard sensitive information, ensure compliance, and enhance operational reliability while minimizing the risks associated with unauthorized access and misconfigurations.

Checks: C-73615r1053519_chk

Check the Xylok configuration file permissions with the following command: $ ls -l /etc/xylok.conf If this file has permissions greater than "0644", this is a finding.

Fix: F-73516r1053520_fix

As root, correct permissions for xylok.conf by running: # chmod 0644 /etc/xylok.conf

b

Xylok Security Suite must audit the enforcement actions used to restrict access associated with changes to it.

Medium - CCI-003938 - V-269583 - SV-269583r1053524_rule

RMF Control

Severity

M

CCI

CCI-003938

Version

XYLK-20-000162

Vuln IDs

V-269583

Rule IDs

SV-269583r1053524_rule

By default, auditing is not set up. Verifying that the host operating system generates audit records for events affecting /etc/xylok.conf is a critical security practice for Xylok. It enhances security monitoring, ensures accountability, supports compliance, maintains operational integrity, mitigates risks, and improves integration with security monitoring tools. Without auditing the enforcement of access restrictions against changes to the Xylok Security Suite configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions.

Checks: C-73616r1053522_chk

From the host machine as a normal user, verify the host OS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/xylok.conf" with the following command: Note: Directions are for Red Hat Enterprise Linux (RHEL) 8 and similar. If using a different OS, the steps may vary. $ sudo grep /etc/xylok.conf /etc/audit/audit.rules -w /etc/xylok.conf -p warx -k xylok_config If the command does not return a line, or the line is commented out, this is a finding

Fix: F-73517r1053523_fix

Setting up auditing of a file in RHEL 8 involves using the auditd service and creating specific audit rules. Below are the steps to set up auditing for /etc/xylok.conf: 1. Ensure that the audit package is installed on your system by running the following: sudo dnf install audit 2. Start the auditd service if it is not already running: sudo systemctl start auditd 3. Enable the service to start automatically on boot: sudo systemctl enable auditd 4. Create an Audit Rule for the /etc/xylok.conf File: sudo auditctl -w /etc/xylok.conf -p warx -k xylok_config 5. Make the Audit Rule Persistent (optional): The rule set using auditctl will be active only until the next reboot. To make it persistent, add it to the /etc/audit/rules.d/audit.rules file. Open the file in a text editor: sudo vi /etc/audit/rules.d/audit.rules Add the rule at the end of the file: -w /etc/xylok.conf -p warx -k xylok_config 6. After making the rule persistent, restart the audit service to apply the changes: sudo systemctl restart auditd 7. The events related to the audited file will be recorded in /var/log/audit/audit.log. To view the logs, use the ausearch command: sudo ausearch -k xylok_config 8. To confirm that the rule is in place, list all current audit rules with: sudo auditctl -l

b

Xylok Security Suite must only allow the use of DOD Public Key Infrastructure (PKI) established certificate authorities (CAs) for verification of the establishment of protected sessions.

SC-23 - Medium - CCI-002470 - V-269584 - SV-269584r1054096_rule

RMF Control

SC-23

Severity

M

CCI

CCI-002470

Version

XYLK-20-000191

Vuln IDs

V-269584

Rule IDs

SV-269584r1054096_rule

Untrusted CAs can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates. This requirement focuses on communications protection for the Xylok Security Suite session rather than for the network packet. This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOAs).

Checks: C-73617r1053525_chk

Verify that the certificate Xylok uses for SSL is correctly signed with the following command. In this command, replace "xylok.local" with the domain named used to access the Xylok instance. $ openssl s_client -showcerts -servername xylok.local -connect xylok.local:443 </dev/null CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = E5 verify return:1 depth=0 CN = xylok.local verify return:1 --- Certificate chain 0 s:CN = xylok.local i:C = US, O = Let's Encrypt, CN = E5 a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384 v:NotBefore: Jun 12 16:44:03 2024 GMT; NotAfter: Sep 10 16:44:02 2024 GMT -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- 1 s:C = US, O = Let's Encrypt, CN = E5 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256 v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- --- Server certificate subject=CN = xylok.local issuer=C = US, O = Let's Encrypt, CN = E5 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2367 bytes and written 380 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 256 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_128_GCM_SHA256 Session-ID: E03F9C6A59BD7375CF86B43387C63F9BBD16EAA2A9970E64F70E20317D403D22 Session-ID-ctx: Resumption PSK: 15BFB16AF236A045FE9F5A0F64834A1B3EA76EE4185936D83560BAE940D01FF4 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 604800 (seconds) TLS session ticket: 0000 - d4 7d 77 f4 01 dd ba 65-57 59 76 e0 ab 8a 75 63 .}w....eWYv...uc 0010 - 19 6e cf 1b 44 db 35 c5-27 6b d8 b8 39 76 10 47 .n..D.5.'k..9v.G 0020 - f1 75 a5 4b 3a fb 2b 82-b9 f7 3c c5 7f 82 41 d0 .u.K:.+...<...A. 0030 - 3d 40 f1 f4 0d ef 8e 55-ee 2f 09 4b 96 d9 16 5a =@.....U./.K...Z 0040 - f2 7d cb af bd 55 4b f9-c8 2d 0d 8f 39 16 af 8c .}...UK..-..9... 0050 - 71 df 92 cc d1 1a ed 5d-71 eb a3 7f f0 8b 65 8c q......]q.....e. 0060 - 5b 16 18 0c 61 b2 cc c7-4b [...a...K Start Time: 1719438481 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK DONE If the output indicates a "verify error", Xylok is using a self-signed certificate and this is a finding. If the first certificate displayed is not a DOD-approved CA or other approved authority, this is a finding.

Fix: F-73518r1053526_fix

Generate or acquire certificates from DOD PKI (or other approved source). Remove all files in /opt/xylok/certs. Place new certificate in PEM format at /opt/xylok/certs/cert.crt. Place new private key in PEM format at /opt/xylok/certs/key.key. Restart Xylok: systemctl restart xylok

c

Xylok Security Suite must maintain the confidentiality and disable the use of SMTP.

SC-8 - High - CCI-002420 - V-269585 - SV-269585r1053530_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002420

Version

XYLK-20-000199

Vuln IDs

V-269585

Rule IDs

SV-269585r1053530_rule

Disabling the use of SMTP within the Xylok Security Suite is a strategic decision aimed at enhancing security, ensuring compliance, and reducing operational risks. By eliminating the potential vulnerabilities associated with email communications, Xylok can better protect sensitive data and maintain a robust security posture.

Checks: C-73618r1053528_chk

Verify USE_SMTP is configured by executing the following: $ grep USE_SMTP /etc/xylok.conf If "USE_SMTP" is not set to "False" or is missing, this is a finding.

Fix: F-73519r1053529_fix

Set USE_SMTP: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "USE_SMTP=False" to the configuration file. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok

c

Xylok Security Suite must use a central log server for auditing records.

High - CCI-003821 - V-269586 - SV-269586r1053533_rule

RMF Control

Severity

H

CCI

CCI-003821

Version

XYLK-20-000291

Vuln IDs

V-269586

Rule IDs

SV-269586r1053533_rule

Integrating a central log server for managing audit records within the Xylok Security Suite enhances security monitoring, incident response, and compliance efforts. By providing centralized logging, real-time analysis, and automated alerting, a central log server allows Xylok to maintain a robust security posture and effectively respond to potential threats, ultimately contributing to the organization's overall security strategy. Satisfies: SRG-APP-000745, SRG-APP-000115, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000362, SRG-APP-000363, SRG-APP-000364, SRG-APP-000365, SRG-APP-000366, SRG-APP-000367, SRG-APP-000368, SRG-APP-000369, SRG-APP-000370, SRG-APP-000376, SRG-APP-000750, SRG-APP-000755, SRG-APP-000760, SRG-APP-000765, SRG-APP-000770, SRG-APP-000775, SRG-APP-000780, SRG-APP-000785, SRG-APP-000790, SRG-APP-000795, SRG-APP-000800, SRG-APP-000805, SRG-APP-000515

Checks: C-73619r1053531_chk

Verify SIEM. On the host server, ensure /etc/rsyslog.d/101-xylok.conf exists and contains the following contents: $ModLoad imfile $InputFileName /var/log/xylok/api/current $InputFileTag xylok-api: $InputFileStateFile /tmp/xylok-api-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/db/current $InputFileTag xylok-db: $InputFileStateFile /tmp/xylok-db-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/mx/current $InputFileTag xylok-mx: $InputFileStateFile /tmp/xylok-mx-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/primary/current $InputFileTag xylok-primary: $InputFileStateFile /tmp/xylok-primary-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/web/current $InputFileTag xylok-web: $InputFileStateFile /tmp/xylok-web-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/worker/current $InputFileTag xylok-worker: $InputFileStateFile /tmp/xylok-worker-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor If the file contents do not monitor all logs in /var/log/xylok/, this is a finding. If the rsyslog destination is not configured to send logs to a valid syslog server, this is a finding. Note: The rsyslog destination host may appear in a different file, often following a format similar to “*.* @siem.example.com:514.

Fix: F-73520r1053532_fix

Create /etc/rsyslog.d/100-xylok.conf with these contents, ensuring the final line points to a valid syslog server. $ModLoad imfile $InputFileName /var/log/xylok/api/current $InputFileTag xylok-api: $InputFileStateFile /tmp/xylok-api-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/db/current $InputFileTag xylok-db: $InputFileStateFile /tmp/xylok-db-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/mx/current $InputFileTag xylok-mx: $InputFileStateFile /tmp/xylok-mx-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/primary/current $InputFileTag xylok-primary: $InputFileStateFile /tmp/xylok-primary-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/web/current $InputFileTag xylok-web: $InputFileStateFile /tmp/xylok-web-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor $InputFileName /var/log/xylok/worker/current $InputFileTag xylok-worker: $InputFileStateFile /tmp/xylok-worker-log-state $InputFileSeverity info $InputFileFacility local3 $InputRunFileMonitor Restart rsyslog to apply changes: sudo systemctl restart rsyslog

b

Xylok Security Suite must use a valid DOD-issued certification.

CM-6 - Medium - CCI-000366 - V-269740 - SV-269740r1054081_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

XYLK-20-000244

Vuln IDs

V-269740

Rule IDs

SV-269740r1054081_rule

Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.

Checks: C-73773r1054079_chk

Verify the Xylok Security Suite is using a valid DOD-issued certification with the following command: $ openssl x509 -noout -text -in /opt/xylok/certs/cert.crt Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 Validity Not Before: Mar 20 18:46:41 2012 GMT Not After : Dec 30 18:46:41 2029 GMT Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 Subject Public Key Info: Public Key Algorithm: rsaEncryption If the Issuer is not an approved authority, this is a finding.

Fix: F-73674r1054080_fix

1. Obtain DOD root certificate authority (CA)-signed certificate for the domain or generate a certificate using other approved provider. 2. Install the certificate in x509 format at /opt/xylok/certs/cert.crt 3. Restart Xylok: systemctl restart xylok

Checks: C-73602r1053480_chk

Fix: F-73503r1053481_fix

Generate Mitigation Statement:

Checks: C-73603r1053483_chk

Fix: F-73504r1053484_fix

Generate Mitigation Statement:

Checks: C-73604r1053486_chk

Fix: F-73505r1053487_fix

Generate Mitigation Statement:

Checks: C-73605r1053489_chk

Fix: F-73506r1053490_fix

Generate Mitigation Statement:

Checks: C-73606r1054093_chk

Fix: F-73507r1053493_fix

Generate Mitigation Statement:

Checks: C-73607r1053495_chk

Fix: F-73508r1053496_fix

Generate Mitigation Statement:

Checks: C-73608r1054094_chk

Fix: F-73509r1053499_fix

Generate Mitigation Statement:

Checks: C-73609r1053501_chk

Fix: F-73510r1053502_fix

Generate Mitigation Statement:

Checks: C-73610r1053504_chk

Fix: F-73511r1053505_fix

Generate Mitigation Statement:

Checks: C-73611r1053507_chk

Fix: F-73512r1053508_fix

Generate Mitigation Statement:

Checks: C-73612r1053510_chk

Fix: F-73513r1053511_fix

Generate Mitigation Statement:

Checks: C-73613r1053513_chk

Fix: F-73514r1053514_fix

Generate Mitigation Statement:

Checks: C-73614r1054095_chk

Fix: F-73515r1053517_fix

Generate Mitigation Statement:

Checks: C-73615r1053519_chk

Fix: F-73516r1053520_fix

Generate Mitigation Statement:

Checks: C-73616r1053522_chk

Fix: F-73517r1053523_fix

Generate Mitigation Statement:

Checks: C-73617r1053525_chk

Fix: F-73518r1053526_fix

Generate Mitigation Statement:

Checks: C-73618r1053528_chk

Fix: F-73519r1053529_fix

Generate Mitigation Statement:

Checks: C-73619r1053531_chk

Fix: F-73520r1053532_fix

Generate Mitigation Statement:

Checks: C-73773r1054079_chk

Fix: F-73674r1054080_fix

Generate Mitigation Statement: