Xylok Security Suite 20.x Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Date: 2024-12-13
Version: 1

Requirements (ID, severity, title, discussion)
V-269572 (high): Xylok Security Suite must expire a session upon browser closing.
Discussion: When the session expires as soon as the browser is closed, it prevents session hijacking and unauthorized users from accessing the account or data if they reopen the browser. Leaving a session open in the browser even after it is closed could expose the system to various types of attacks, like cross-site scripting (XSS) or malware designed to steal session cookies. Automatically expiring sessions mitigates this risk.
Satisfies: SRG-APP-000005, SRG-APP-000220, SRG-APP-000295, SRG-APP-000413
V-269573 (high): Xylok Security Suite must prevent access except through HTTPS.
Discussion: Preventing access, except via HTTPS, ensures security and protects sensitive data. HTTP_ONLY: If true, disables listening on the HTTPS port and allows all calls to happen over HTTP. This must be set to false. HTTPS encrypts data transmitted between the client (browser) and the server. Sensitive information, such as login credentials, personal data, and session cookies, is protected from being intercepted by malicious actors (e.g., through man-in-the-middle attacks) during transmission. When data is sent over HTTP (unencrypted), it can be intercepted and altered. HTTPS mitigates this by encrypting the communication. HTTPS uses digital certificates (SSL/TLS certificates) to authenticate the server's identity. This ensures that users are connecting to the legitimate server rather than a malicious entity attempting to impersonate the site. HTTPS-only policies enable the use of HSTS, which forces browsers to only interact with the site using HTTPS and prevents users from being redirected to an HTTP version of the site. This can defend against certain attacks, like SSL stripping, which downgrade connections to HTTP.
Satisfies: SRG-APP-000014, SRG-APP-000142, SRG-APP-000219, SRG-APP-000411, SRG-APP-000412, SRG-APP-000439, SRG-APP-000440, SRG-APP-000442, SRG-APP-000514, SRG-APP-000555, SRG-APP-000645
V-269574 (high): Xylok Security Suite must use a centralized user management solution.
Discussion: Configuring Xylok Security Suite to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing capabilities, and offers a more seamless and consistent user experience. It aligns Xylok Security Suite with enterprise standards and contributes to a more efficient and secure environment.
Satisfies: SRG-APP-000023, SRG-APP-000025, SRG-APP-000026, SRG-APP-000027, SRG-APP-000028, SRG-APP-000029, SRG-APP-000033, SRG-APP-000065, SRG-APP-000080, SRG-APP-000089, SRG-APP-000090, SRG-APP-000149, SRG-APP-000150, SRG-APP-000153, SRG-APP-000154, SRG-APP-000155, SRG-APP-000156, SRG-APP-000157, SRG-APP-000163, SRG-APP-000164, SRG-APP-000165, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000170, SRG-APP-000173, SRG-APP-000175, SRG-APP-000176, SRG-APP-000177, SRG-APP-000180, SRG-APP-000185, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000318, SRG-APP-000319, SRG-APP-000320, SRG-APP-000345, SRG-APP-000391, SRG-APP-000392, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000503, SRG-APP-000505, SRG-APP-000506, SRG-APP-000508, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000815, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000835, SRG-APP-000840, SRG-APP-000845, SRG-APP-000850, SRG-APP-000855, SRG-APP-000860, SRG-APP-000865, SRG-APP-000870, SRG-APP-000875, SRG-APP-000910
V-269577 (high): Xylok Security Suite must be running a supported version.
Discussion: It is critical to the security and stability of Xylok to ensure that updates and patches are deployed through a trusted software supply chain. Key elements to having a trusted supply chain include ensuring that versions deployed come from known, trusted sources. Additionally, it is important to check for and apply security-relevant updates in a timely manner. To help users manage updates, Xylok manages versions via their internal portal.
Satisfies: SRG-APP-000131, SRG-APP-000456
V-269585 (high): Xylok Security Suite must maintain the confidentiality and disable the use of SMTP.
Discussion: Disabling the use of SMTP within the Xylok Security Suite is a strategic decision aimed at enhancing security, ensuring compliance, and reducing operational risks. By eliminating the potential vulnerabilities associated with email communications, Xylok can better protect sensitive data and maintain a robust security posture.
V-269586 (high): Xylok Security Suite must use a central log server for auditing records.
Discussion: Integrating a central log server for managing audit records within the Xylok Security Suite enhances security monitoring, incident response, and compliance efforts. By providing centralized logging, real-time analysis, and automated alerting, a central log server allows Xylok to maintain a robust security posture and effectively respond to potential threats, ultimately contributing to the organization's overall security strategy.
Satisfies: SRG-APP-000745, SRG-APP-000115, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000362, SRG-APP-000363, SRG-APP-000364, SRG-APP-000365, SRG-APP-000366, SRG-APP-000367, SRG-APP-000368, SRG-APP-000369, SRG-APP-000370, SRG-APP-000376, SRG-APP-000750, SRG-APP-000755, SRG-APP-000760, SRG-APP-000765, SRG-APP-000770, SRG-APP-000775, SRG-APP-000780, SRG-APP-000785, SRG-APP-000790, SRG-APP-000795, SRG-APP-000800, SRG-APP-000805, SRG-APP-000515
V-269569 (medium): Xylok Security Suite must protect application-specific data.
Discussion: The /var/lib/xylok directory is essential for storing various types of data necessary for the operation and functionality of the Xylok Security Suite. It acts as a central repository for application data, ensuring that the suite can function effectively and maintain state and configuration between sessions. Proper management and protection of this directory is crucial to ensure the security and stability of the application.
V-269570 (medium): Xylok Security Suite must limit system resources consumed by the application.
Discussion: Not limiting the system resources available to Xylok presents a denial-of-service (DoS) risk. Each open instance of Xylok periodically retrieves a list of background tasks. Open sessions, even sessions not being actively used, consume a small amount of server resources and could result in Xylok becoming slow or entirely unresponsive. In addition, this risk impacts the host system for the container by consuming excessive CPU, allowing a DoS attack on Xylok to also impact other software hosted on the same physical machine.
Satisfies: SRG-APP-000001, SRG-APP-000435
V-269571 (medium): Xylok Security Suite must initiate a session lock after a 15-minute period of inactivity.
Discussion: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined and/or controlled. This is handled at the operating system level and results in a system lock.
Satisfies: SRG-APP-000003, SRG-APP-000190
V-269575 (medium): Xylok Security Suite must display the Standard Mandatory DOD Notice and Consent Banner before granting access.
Discussion: Users accessing Xylok must be informed their actions might be monitored, potentially opening the organization up to legal challenges. Implementing a Consent Banner helps Xylok Security Suite remain compliant with legal requirements and protect user privacy while informing users of their rights regarding their data.
Satisfies: SRG-APP-000068, SRG-APP-000069
V-269576 (medium): Xylok Security Suite must protect audit information from any type of unauthorized access.
Discussion: If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to their advantage. To ensure the veracity of audit data, the information system and/or the Xylok Security Suite must protect audit information from any and all unauthorized access. This includes read, write, and copy access.
Satisfies: SRG-APP-000118, SRG-APP-000119, SRG-APP-000120, SRG-APP-000121, SRG-APP-000122, SRG-APP-000123
V-269578 (medium): The Xylok Security Suite READONLY configuration must be True.
Discussion: By default, the Xylok container is created so that users cannot modify any files inside the container. The only paths that can be altered are mounted from the host. Mount the database files from the host, so that the database server running inside the container can write data. If READONLY=false, then a user could go into the container as root and change other files. This approach helps protect the application from both external attacks and internal threats.
V-269579 (medium): Xylok Security Suite must disable nonessential capabilities.
Discussion: If Xylok has unnecessary functionality enabled, the server may allow arbitrary code to run within the Xylok container. This would allow the user to potentially launch malicious acts against other hosts from inside the Xylok container. The ENABLE_PP_TEST_API setting in the Xylok Security Suite refers to a configuration flag that enables a specific test API related to the policy processing (PP) functionalities of the suite. This setting is used primarily in development or testing environments to enable specific testing functionalities.
Satisfies: SRG-APP-000141, SRG-APP-000246, SRG-APP-000247, SRG-APP-000384
V-269580 (medium): The Xylok Security Suite configuration for DEBUG must be False.
Discussion: Providing too much information in error messages risks compromising the data and security of the Xylok Security Suite and system. If DEBUG is set to True, error messages will include stack traces to assist when contacting Xylok Support, but these can also reveal sensitive information.
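The four boolean settings named in V-269573 (HTTP_ONLY), V-269578 (READONLY), V-269579 (ENABLE_PP_TEST_API) and V-269580 (DEBUG) can be checked together. The following script is an added example written for this page; it is not Xylok's or DISA's code. It assumes /etc/xylok.conf is a plain KEY=value file (the page names the file and the settings but not their exact syntax), so the sample configuration below is constructed for illustration.

```python
"""Added example: check Xylok boolean settings against the STIG rules above.

Assumption: /etc/xylok.conf uses KEY=value lines with '#' comments. The
page does not state the file format, so a constructed sample is used here.
"""
from __future__ import annotations

import re
from pathlib import Path

# Expected values per rule, taken from the discussions on this page.
# The rule-to-setting mapping is this example's, not Xylok's.
REQUIRED: dict[str, tuple[str, bool]] = {
    "HTTP_ONLY": ("V-269573", False),           # false: listen on HTTPS only
    "READONLY": ("V-269578", True),             # True: container files immutable
    "ENABLE_PP_TEST_API": ("V-269579", False),  # false: no test API in production
    "DEBUG": ("V-269580", False),               # False: no stack traces to users
}

_TRUE = {"true", "1", "yes", "on"}
_FALSE = {"false", "0", "no", "off"}
_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_conf(text: str) -> dict[str, str]:
    """Parse KEY=value lines; blank lines and '#' comments are ignored.

    A later duplicate key overrides an earlier one, which is how most
    loaders behave and is the value that would actually take effect.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings


def as_bool(value: str) -> bool | None:
    """Normalize common boolean spellings; None means not a boolean."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None


def check_settings(settings: dict[str, str]) -> list[str]:
    """Return one finding per setting that is missing, malformed or wrong."""
    findings: list[str] = []
    for key, (rule, expected) in REQUIRED.items():
        if key not in settings:
            # Not set explicitly: the effective default must be confirmed.
            findings.append(f"{rule}: {key} not set; confirm effective value is {expected}")
            continue
        actual = as_bool(settings[key])
        if actual is None:
            findings.append(f"{rule}: {key}={settings[key]!r} is not a boolean")
        elif actual != expected:
            findings.append(f"{rule}: {key}={settings[key]} (expected {expected})")
    return findings


def check_file(path: str = "/etc/xylok.conf") -> list[str]:
    """Check a real configuration file on the host."""
    return check_settings(parse_conf(Path(path).read_text()))


# Constructed sample: two compliant settings, DEBUG left on, READONLY absent.
SAMPLE_CONF = """\
# constructed sample, not a real Xylok configuration
HTTP_ONLY=false
DEBUG = True   # left on after troubleshooting
ENABLE_PP_TEST_API=false
"""

if __name__ == "__main__":
    for finding in check_settings(parse_conf(SAMPLE_CONF)) or ["compliant"]:
        print(finding)
```

Run against the sample it reports two findings (V-269578 not set, V-269580 DEBUG=True); point `check_file()` at the real path on the host to audit a deployment.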
V-269581 (medium): Xylok Security Suite must not allow local users or groups.
Discussion: Active Directory's (AD's) design to create but not delete local groups supports operational efficiency, system integrity, and compliance needs. Manual checks will help identify user accounts that are no longer active or orphaned accounts which could pose security risks. Within Xylok there must not be local users or groups. Manually verifying local users and groups ensures that unauthorized users do not gain access to sensitive resources.
Satisfies: SRG-APP-000328, SRG-APP-000715, SRG-APP-000720, SRG-APP-000725, SRG-APP-000730, SRG-APP-000735
V-269582 (medium): The Xylok Security Suite configuration file must be protected.
Discussion: Protecting the configuration file is a fundamental aspect of maintaining the security, integrity, and stability of Xylok Security Suite. By implementing robust protection mechanisms, Xylok can safeguard sensitive information, ensure compliance, and enhance operational reliability while minimizing the risks associated with unauthorized access and misconfigurations.
V-269583 (medium): Xylok Security Suite must audit the enforcement actions used to restrict access associated with changes to it.
Discussion: By default, auditing is not set up. Verifying that the host operating system generates audit records for events affecting /etc/xylok.conf is a critical security practice for Xylok. It enhances security monitoring, ensures accountability, supports compliance, maintains operational integrity, mitigates risks, and improves integration with security monitoring tools. Without auditing the enforcement of access restrictions against changes to the Xylok Security Suite configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions.
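On a Linux host the usual way to generate records for changes to /etc/xylok.conf is an auditd file watch. The following is an added example, not part of the STIG and not Xylok's tooling: it assumes auditd is the host audit system, uses auditd's own `-w`/`-p`/`-k` rule syntax, and picks the key name `xylok_conf` for this example. The second function checks a loaded rule list (the output of `auditctl -l`) for a watch that records writes and attribute changes.

```sh
#!/bin/sh
# Added example: auditd watch for the Xylok configuration file (V-269583).
# Assumes auditd on the host; the key name "xylok_conf" is this example's choice.

XYLOK_CONF=/etc/xylok.conf

# Rule to place in a file under /etc/audit/rules.d/ (then run: augenrules --load).
# -p wa records writes and attribute (mode/owner) changes, which is what
# "changes to the configuration" means for this rule.
xylok_audit_rule() {
    printf -- '-w %s -p wa -k xylok_conf\n' "$XYLOK_CONF"
}

# Given the text of `auditctl -l`, return 0 if some watch on $XYLOK_CONF
# covers both "w" and "a" permissions (in any order, e.g. -p wa or -p rwa).
xylok_audit_rule_present() {
    printf '%s\n' "$1" | awk -v path="$XYLOK_CONF" '
        $1 == "-w" && $2 == path {
            for (i = 3; i < NF; i++)
                if ($i == "-p" && $(i + 1) ~ /w/ && $(i + 1) ~ /a/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Live check on a host: ./xylok_audit.sh --check
if [ "${1:-}" = "--check" ] && command -v auditctl >/dev/null 2>&1; then
    if xylok_audit_rule_present "$(auditctl -l)"; then
        echo "audit watch on $XYLOK_CONF present"
    else
        echo "audit watch on $XYLOK_CONF missing; add:"
        xylok_audit_rule
    fi
fi
```

Once the watch is loaded, `ausearch -k xylok_conf` lists the recorded changes, which is the audit trail the discussion above asks for.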
V-269584 (medium): Xylok Security Suite must only allow the use of DOD Public Key Infrastructure (PKI) established certificate authorities (CAs) for verification of the establishment of protected sessions.
Discussion: Untrusted CAs can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates. This requirement focuses on communications protection for the Xylok Security Suite session rather than for the network packet. This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOAs).
V-269740 (medium): Xylok Security Suite must use a valid DOD-issued certification.
Discussion: Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.