Xylok Security Suite must use a central log server for auditing records.

Severity: high
Group ID: V-269586
Group Title: SRG-APP-000745
Version: XYLK-20-000291
Rule ID: SV-269586r1053533_rule
Date: 2024-12-13
STIG Version: 1
Description
Forwarding the Xylok Security Suite's audit records to a central log server keeps a copy of those records off the host that generated them, so an attacker who compromises the Xylok host cannot silently alter or delete the evidence of what they did. Centralized logging also enables correlation with other sources, real-time analysis, automated alerting, and retention that meets the organization's compliance requirements, all of which support security monitoring and incident response.
Satisfies: SRG-APP-000745, SRG-APP-000115, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000362, SRG-APP-000363, SRG-APP-000364, SRG-APP-000365, SRG-APP-000366, SRG-APP-000367, SRG-APP-000368, SRG-APP-000369, SRG-APP-000370, SRG-APP-000376, SRG-APP-000750, SRG-APP-000755, SRG-APP-000760, SRG-APP-000765, SRG-APP-000770, SRG-APP-000775, SRG-APP-000780, SRG-APP-000785, SRG-APP-000790, SRG-APP-000795, SRG-APP-000800, SRG-APP-000805, SRG-APP-000515
ℹ️ Check
Verify SIEM forwarding. On the host server, ensure /etc/rsyslog.d/101-xylok.conf exists and contains the following contents (legacy rsyslog imfile syntax; one input block per Xylok service log):

$ModLoad imfile
$InputFileName /var/log/xylok/api/current
$InputFileTag xylok-api:
$InputFileStateFile /tmp/xylok-api-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/db/current
$InputFileTag xylok-db:
$InputFileStateFile /tmp/xylok-db-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/mx/current
$InputFileTag xylok-mx:
$InputFileStateFile /tmp/xylok-mx-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/primary/current
$InputFileTag xylok-primary:
$InputFileStateFile /tmp/xylok-primary-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/web/current
$InputFileTag xylok-web:
$InputFileStateFile /tmp/xylok-web-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/worker/current
$InputFileTag xylok-worker:
$InputFileStateFile /tmp/xylok-worker-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor

If the file contents do not monitor all logs in /var/log/xylok/ (every service directory's "current" file must have its own $InputFileName block ending in $InputRunFileMonitor), this is a finding.
If the rsyslog destination is not configured to send logs to a valid syslog server, this is a finding.
Note: The rsyslog destination host may appear in a different file (for example /etc/rsyslog.conf or another file under /etc/rsyslog.d/), often following a format similar to "*.* @siem.example.com:514". In that legacy selector syntax a single "@" forwards over UDP and "@@" forwards over TCP; UDP delivery is neither reliable nor authenticated, so a TCP or TLS-protected destination is preferred where the SIEM supports it. A destination that points at the local host (localhost, 127.0.0.1, ::1) does not satisfy the requirement, since the records never leave the machine being audited.
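The two conditions in the check (every Xylok service log is fed to imfile, and rsyslog actually forwards off-host) can be tested mechanically. The script below is an added example written for this page; it is not Xylok or DISA code. It takes the log root and the rsyslog configuration directory as arguments, so the same functions run against the real host (`/var/log/xylok` and `/etc`) or against a constructed fixture. The six service names, the loopback rejection, the `make_fixture` helper and the `--demo` switch are this example's own assumptions; the directive names and the "@"/"@@" selector forms are standard rsyslog syntax.

```shell
#!/usr/bin/env bash
# Added audit helper for the Xylok central-log-server check (example code,
# not part of the STIG or the Xylok product). Run the real check with:
#   xylok_syslog_audit /var/log/xylok /etc
set -u

# Service log directories named in the check text. Each <logroot>/<svc>/current
# must be an imfile input.
XYLOK_SERVICES="api db mx primary web worker"

# Paths given to legacy "$InputFileName" directives in rsyslog.conf and
# rsyslog.d/*.conf under <confdir>, one per line.
imfile_inputs() {
  local confdir="$1"
  cat "$confdir"/rsyslog.conf "$confdir"/rsyslog.d/*.conf 2>/dev/null \
    | awk '$1 == "$InputFileName" { print $2 }'
}

# 0 if every required <logroot>/<svc>/current is monitored, 1 otherwise.
xylok_inputs_covered() {
  local logroot="$1" confdir="$2" rc=0 svc inputs
  inputs=$(imfile_inputs "$confdir")
  for svc in $XYLOK_SERVICES; do
    if ! printf '%s\n' "$inputs" | grep -Fxq -- "$logroot/$svc/current"; then
      echo "FINDING: $logroot/$svc/current is not monitored by imfile" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Forwarding hosts on active (non-comment) lines: legacy "@host" (UDP) or
# "@@host" (TCP) selectors and RainerScript omfwd target="host" parameters.
# A trailing :port is stripped so the caller sees only the host.
forward_targets() {
  local confdir="$1"
  cat "$confdir"/rsyslog.conf "$confdir"/rsyslog.d/*.conf 2>/dev/null \
    | grep -Ev '^[[:space:]]*#' \
    | grep -Eo -- '(^|[[:space:]])@@?[^[:space:]]+|target="[^"]+"' \
    | sed -E 's/^[[:space:]]*@@?//; s/^target="//; s/"$//' \
    | sed -E 's/^(\[[^]]*\]|[^:]+):[0-9]+$/\1/'
}

# 0 if at least one forwarding destination exists and none of them is loopback
# (records that stay on the audited host do not satisfy the requirement).
rsyslog_forwards_offhost() {
  local confdir="$1" targets t rc=0
  targets=$(forward_targets "$confdir")
  if [ -z "$targets" ]; then
    echo "FINDING: no rsyslog forwarding destination configured" >&2
    return 1
  fi
  for t in $targets; do
    case "$t" in
      localhost|127.*|::1|\[::1\])
        echo "FINDING: forwarding target $t is loopback" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Combined check: 0 only when both conditions of the STIG check pass.
xylok_syslog_audit() {
  local logroot="$1" confdir="$2" rc=0
  xylok_inputs_covered "$logroot" "$confdir" || rc=1
  rsyslog_forwards_offhost "$confdir" || rc=1
  return "$rc"
}

# Constructed fixture (not a real host): <dir>/log/<svc>/current for each
# service in $1, plus an rsyslog tree whose forwarding line is $2.
make_fixture() {
  local services="$1" forward_line="$2" dir svc
  dir=$(mktemp -d)
  mkdir -p "$dir/etc/rsyslog.d"
  : > "$dir/etc/rsyslog.conf"
  printf '$ModLoad imfile\n' > "$dir/etc/rsyslog.d/101-xylok.conf"
  for svc in $services; do
    mkdir -p "$dir/log/$svc"
    : > "$dir/log/$svc/current"
    printf '$InputFileName %s\n$InputFileTag xylok-%s:\n$InputFileStateFile /tmp/xylok-%s-log-state\n$InputFileSeverity info\n$InputFileFacility local3\n$InputRunFileMonitor\n' \
      "$dir/log/$svc/current" "$svc" "$svc" >> "$dir/etc/rsyslog.d/101-xylok.conf"
  done
  printf '%s\n' "$forward_line" >> "$dir/etc/rsyslog.d/101-xylok.conf"
  printf '%s\n' "$dir"
}

# Stand-alone demonstration: a compliant fixture and one with two findings.
if [ "${1:-}" = "--demo" ]; then
  good=$(make_fixture "$XYLOK_SERVICES" '*.* @@siem.example.com:514')
  bad=$(make_fixture "api db" '*.* @127.0.0.1:514')
  xylok_syslog_audit "$good/log" "$good/etc" && echo "good fixture: PASS"
  xylok_syslog_audit "$bad/log" "$bad/etc" || echo "bad fixture: findings reported (expected)"
fi
```

The script only reads configuration; it does not prove that records reach the SIEM. After the configuration is in place, confirm delivery end to end by generating a test record on the host (`logger -p local3.info -t xylok-test "forwarding check"`) and searching for it on the central log server.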
✔️ Fix
Create /etc/rsyslog.d/100-xylok.conf with these contents, ensuring the final line points to a valid syslog server:

$ModLoad imfile
$InputFileName /var/log/xylok/api/current
$InputFileTag xylok-api:
$InputFileStateFile /tmp/xylok-api-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/db/current
$InputFileTag xylok-db:
$InputFileStateFile /tmp/xylok-db-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/mx/current
$InputFileTag xylok-mx:
$InputFileStateFile /tmp/xylok-mx-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/primary/current
$InputFileTag xylok-primary:
$InputFileStateFile /tmp/xylok-primary-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/web/current
$InputFileTag xylok-web:
$InputFileStateFile /tmp/xylok-web-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
$InputFileName /var/log/xylok/worker/current
$InputFileTag xylok-worker:
$InputFileStateFile /tmp/xylok-worker-log-state
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor

Validate the configuration before restarting (rsyslogd -N1 parses the configuration and reports errors without starting the daemon), then restart rsyslog to apply the changes: sudo systemctl restart rsyslog