Xylok Security Suite must limit system resources consumed by the application.

Severity: medium
Group ID: V-269570
Group Title: SRG-APP-000001
Version: XYLK-20-000001
Rule ID: SV-269570r1053485_rule
Date: 2024-12-13
STIG Version: 1
Description
Not limiting the system resources available to Xylok presents a denial-of-service (DoS) risk. Each open instance of Xylok periodically retrieves a list of background tasks. Open sessions, even sessions not being actively used, consume a small amount of server resources and could result in Xylok becoming slow or entirely unresponsive. In addition, this risk impacts the host system for the container by consuming excessive CPU, allowing a DoS attack on Xylok to also impact other software hosted on the same physical machine.

Satisfies: SRG-APP-000001, SRG-APP-000435
ℹ️ Check
Determine if Xylok is configured to limit its maximum CPU and memory usage with the following command, run from the host machine as a normal user:

    $ grep LIMIT_ /etc/xylok.conf

Verify the following settings are configured:
- LIMIT_MEM set to less than 100 percent of the host machine's memory.
- LIMIT_CPU set to less than 1000.

If any of the above settings are not present or are blank, this is a finding.
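
The check above can be scripted for repeated audits. The following is an added example, not part of the STIG or of Xylok: the function names are hypothetical, LIMIT_MEM is assumed to use the "<number>m" form shown in this rule (any other form is flagged for manual review), and host memory is read from /proc/meminfo on Linux unless passed as the second argument.

```shell
#!/bin/sh
# Added example: audit LIMIT_MEM / LIMIT_CPU against the check criteria.
# Usage: check_xylok_limits CONF [HOST_MEM_MIB]
# Prints one line per problem; returns 0 when compliant, 1 otherwise.

# Value of the last "NAME=value" line for key $2 in file $1 (empty if absent).
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Total host memory in MiB (Linux only; assumption for this example).
host_mem_mib() {
    awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo
}

check_xylok_limits() {
    conf=$1
    host_mib=${2:-$(host_mem_mib)}
    rc=0
    mem=$(conf_value "$conf" LIMIT_MEM)
    cpu=$(conf_value "$conf" LIMIT_CPU)

    case $mem in
        '') echo "FINDING: LIMIT_MEM missing or blank"; rc=1 ;;
        # Anything that is not digits followed by a single trailing "m".
        *[!0-9]*m | m | *[!m])
            echo "REVIEW: LIMIT_MEM=$mem is not in <number>m form"; rc=1 ;;
        *)  [ "${mem%m}" -lt "$host_mib" ] || {
                echo "FINDING: LIMIT_MEM=$mem is not below host memory (${host_mib}m)"
                rc=1
            } ;;
    esac

    case $cpu in
        '') echo "FINDING: LIMIT_CPU missing or blank"; rc=1 ;;
        *[!0-9]*) echo "REVIEW: LIMIT_CPU=$cpu is not an integer"; rc=1 ;;
        *)  [ "$cpu" -lt 1000 ] || {
                echo "FINDING: LIMIT_CPU=$cpu is not below 1000"; rc=1
            } ;;
    esac
    return "$rc"
}

# Run the audit when a config path is given on the command line.
if [ "$#" -gt 0 ]; then check_xylok_limits "$@"; fi
```

Run it as "sh check.sh /etc/xylok.conf"; a non-zero exit status means at least one setting needs attention.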
✔️ Fix
Configure the Xylok Security Suite to limit CPU and memory usage using this procedure on the host machine.

As root, open /etc/xylok.conf in a text editor.

1. Add the following settings if not present. All settings should be in the format "NAME=value". For example, the first required setting might appear as "LIMIT_MEM=4096m" in the configuration file, with no quotes.
   - LIMIT_MEM: Set to 2048m or greater, and less than 100 percent of the host machine's memory.
   - LIMIT_CPU: Set to 128 or greater, not to exceed 1000. This value can range from 1 to 1024, where 1024 allows usage of 100 percent of the CPU.

2. Save configuration file.

3. Restart Xylok to apply settings:

    # systemctl restart xylok