Xylok Security Suite must use a centralized user management solution.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
high | V-269574 | SRG-APP-000023 | XYLK-20-000009 | SV-269574r1053497_rule | 2024-12-13 | 1 |
**Description**

Configuring Xylok Security Suite to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing capabilities, and offers a more seamless and consistent user experience. It aligns Xylok Security Suite with enterprise standards and contributes to a more efficient and secure environment.

Satisfies: SRG-APP-000023, SRG-APP-000025, SRG-APP-000026, SRG-APP-000027, SRG-APP-000028, SRG-APP-000029, SRG-APP-000033, SRG-APP-000065, SRG-APP-000080, SRG-APP-000089, SRG-APP-000090, SRG-APP-000149, SRG-APP-000150, SRG-APP-000153, SRG-APP-000154, SRG-APP-000155, SRG-APP-000156, SRG-APP-000157, SRG-APP-000163, SRG-APP-000164, SRG-APP-000165, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000170, SRG-APP-000173, SRG-APP-000175, SRG-APP-000176, SRG-APP-000177, SRG-APP-000180, SRG-APP-000185, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000318, SRG-APP-000319, SRG-APP-000320, SRG-APP-000345, SRG-APP-000391, SRG-APP-000392, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000503, SRG-APP-000505, SRG-APP-000506, SRG-APP-000508, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000815, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000835, SRG-APP-000840, SRG-APP-000845, SRG-APP-000850, SRG-APP-000855, SRG-APP-000860, SRG-APP-000865, SRG-APP-000870, SRG-APP-000875, SRG-APP-000910
**ℹ️ Check**

Determine whether Xylok is configured to use Active Directory (AD) authentication by running the following command on the host machine as a normal user:

`$ grep -e "AD_SIGN_IN" -e "XYLOK_HOST" -e "AD_CLIENT_ID" /etc/xylok.conf`

Verify that the following settings are present:

- AD_SIGN_IN
- XYLOK_HOST
- AD_CLIENT_ID

If any of the above settings is not present, blank, or "false" (case insensitive), this is a finding.
**✔️ Fix**

The procedure below assumes an AD server hosted on Windows Server. For AD login using Azure AD, refer to the current Xylok Security Suite manual, which also contains additional advice on AD configuration. Configure Xylok Security Suite to use Active Directory login with this procedure on the host machine:

1. As root, open /etc/xylok.conf in a text editor.
2. Add the following settings if they are not present. All settings use the format `NAME=value`; for example, the first required setting appears in the configuration file as `AD_SIGN_IN=True`, with no quotes.
   - AD_SIGN_IN: use the value "True".
   - XYLOK_HOST: the domain name used to access the server on the network.
   - AD_CLIENT_ID: the value displayed on the ADFS server as ClientId when executing the Add-AdfsClient command.
   - AD_SERVER: the fully qualified domain name (FQDN) of the ADFS server.
   - AD_AUDIENCE: the value of the aud claim your ADFS server sends back in the JWT token. If this is a URL, it will be the same as the RELYING_PARTY_ID.
   - AD_RELYING_PARTY_ID: the Relying Party Trust identifier value of the Relying Party Trust (2012) or Web application (2016) configured in ADFS.
3. Save the configuration file.
4. Restart Xylok to apply the settings: `# systemctl restart xylok`
5. In a web browser on a system with access to Xylok, go to https://<your xylok host>/oauth2/login. If SSO is configured correctly, it redirects to the organization's sign-on page.
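The check above relies on a plain `grep`, which also matches commented-out lines and does not evaluate the "blank or false" condition. The following script is an added example, written here as an illustration and not part of the STIG text or of Xylok's own tooling. It assumes the `NAME=value`, no-quotes file format the Fix describes, takes the configuration file path as an argument (so it can be pointed at a copy rather than only at /etc/xylok.conf), treats the three keys from the Check as required, and goes one step beyond the Check by reporting the remaining keys from the Fix procedure as warnings only. Exit status 0 means the check passes; 1 means a finding.

```shell
#!/bin/sh
# Added example (not from the STIG or from Xylok): evaluates a xylok.conf-style
# file against the Check above.  AD_SIGN_IN, XYLOK_HOST and AD_CLIENT_ID must each
# be present, non-blank and not "false" (case-insensitive).  The other keys from
# the Fix procedure are only warned about, since the Check does not require them.

REQUIRED_KEYS="AD_SIGN_IN XYLOK_HOST AD_CLIENT_ID"
FIX_KEYS="AD_SERVER AD_AUDIENCE AD_RELYING_PARTY_ID"

# Print the value of the last uncommented "KEY=value" line in file $1 for key $2.
# Unlike a bare grep, lines such as "#AD_SIGN_IN=True" are ignored, so a
# commented-out setting does not count as present.  Trailing whitespace is dropped.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//; s/[[:space:]]+\$//"
}

# Apply the Check to the configuration file $1.  Returns 0 if compliant, 1 on a finding.
check_xylok_ad_conf() {
    conf="$1"
    status=0
    for key in $REQUIRED_KEYS; do
        value=$(conf_value "$conf" "$key")
        # The Check treats "false" as a finding regardless of case.
        lowered=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
        case "$lowered" in
            "")    echo "FINDING: $key is missing or blank in $conf"; status=1 ;;
            false) echo "FINDING: $key is set to false in $conf";     status=1 ;;
            *)     echo "ok: $key=$value" ;;
        esac
    done
    # Not part of the Check: surface Fix-procedure keys that are still unset.
    for key in $FIX_KEYS; do
        [ -n "$(conf_value "$conf" "$key")" ] \
            || echo "warning: $key not set (listed in the Fix procedure)"
    done
    return $status
}

# Usage: sh check_xylok_ad.sh /etc/xylok.conf
if [ "$#" -gt 0 ]; then
    check_xylok_ad_conf "$1"
fi
```

Running it as a normal user against /etc/xylok.conf mirrors the Check; the exit status makes it usable from a compliance-scanning wrapper, while the per-key output tells the reviewer which setting caused the finding.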