Xylok Security Suite must use a valid DOD-issued certification.

Severity: medium
Group ID: V-269740
Group Title: SRG-APP-000516
Version: XYLK-20-000244
Rule ID: SV-269740r1054081_rule
Date: 2024-12-13
STIG Version: 1
Description
Without a certificate validation process, the site is vulnerable to accepting certificates that have expired or been revoked. This would allow unauthorized individuals access to the web server and defeats the purpose of the multi-factor authentication that the PKI process provides.
ℹ️ Check
Verify the Xylok Security Suite is using a valid DOD-issued certificate with the following command:

    $ openssl x509 -noout -text -in /opt/xylok/certs/cert.crt
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
            Validity
                Not Before: Mar 20 18:46:41 2012 GMT
                Not After : Dec 30 18:46:41 2029 GMT
            Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption

If the Issuer is not an approved authority, this is a finding.
✔️ Fix
1. Obtain a DOD root certificate authority (CA)-signed certificate for the domain, or generate a certificate using another approved provider.
2. Install the certificate in X.509 format at /opt/xylok/certs/cert.crt
3. Restart Xylok: systemctl restart xylok
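The Check above relies on a person reading the openssl output by eye. The following script, added here as an example and not part of the STIG or of Xylok, automates that reading: it parses the output of the same `openssl x509 -noout -text` command, tests the Issuer against an approved-issuer list, and tests the Validity window against the clock, so it can be run before the Fix and again after it. The approved-issuer rule (O = U.S. Government, OU = DoD) is an assumption taken from the sample output in the Check; the 30-day expiry warning, the `REFERENCE_NOW` clock used for the embedded samples, and the self-signed sample certificate text are constructed for the example.

```python
"""Evaluate `openssl x509 -noout -text` output against the XYLK-20-000244 check."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Assumption: the DoD PKI issues with O=U.S. Government and OU=DoD (as in the
# STIG's sample output). Other approved providers would be added to this list.
APPROVED_ISSUERS = [
    {"O": "U.S. Government", "OU": "DoD"},
]
EXPIRY_WARNING = timedelta(days=30)  # constructed threshold, not from the STIG

# Fixed clock used when evaluating the embedded samples (constructed).
REFERENCE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Sample output reproduced from the STIG's Check text (DoD Root CA 3).
SAMPLE_DOD = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
        Validity
            Not Before: Mar 20 18:46:41 2012 GMT
            Not After : Dec 30 18:46:41 2029 GMT
        Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
"""

# Constructed sample of a self-signed certificate (hypothetical host name).
SAMPLE_SELF_SIGNED = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = xylok.example.test
        Validity
            Not Before: Jan  5 00:00:00 2024 GMT
            Not After : Jan  5 00:00:00 2026 GMT
        Subject: CN = xylok.example.test
"""


def parse_dn(dn):
    """Turn 'C = US, O = U.S. Government, OU = DoD, OU = PKI' into {attr: [values]}."""
    attrs = {}
    for item in dn.split(","):
        if "=" not in item:
            continue
        key, value = (part.strip() for part in item.split("=", 1))
        attrs.setdefault(key, []).append(value)  # OU may repeat, so keep a list
    return attrs


def parse_openssl_date(text):
    """Parse a Validity timestamp such as 'Mar 20 18:46:41 2012 GMT' as UTC."""
    normalized = " ".join(text.split())  # openssl pads single-digit days with a space
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_cert_text(text):
    """Extract issuer, subject and validity window from `openssl x509 -text` output."""
    def field(name):
        match = re.search(rf"^\s*{name}\s*:\s*(.+?)\s*$", text, re.M)
        if not match:
            raise ValueError(f"missing {name} in certificate text")
        return match.group(1)

    return {
        "issuer": parse_dn(field("Issuer")),
        "subject": parse_dn(field("Subject")),
        "not_before": parse_openssl_date(field("Not Before")),
        "not_after": parse_openssl_date(field("Not After")),
    }


def evaluate_certificate(text, now=None, approved=APPROVED_ISSUERS):
    """Apply the check: issuer must be approved and the clock must fall inside Validity."""
    now = now or datetime.now(timezone.utc)
    cert = parse_cert_text(text)
    reasons = []
    issuer_approved = any(
        all(value in cert["issuer"].get(attr, []) for attr, value in rule.items())
        for rule in approved
    )
    if not issuer_approved:
        reasons.append("issuer is not an approved authority")
    not_yet_valid = now < cert["not_before"]
    expired = now > cert["not_after"]
    if not_yet_valid:
        reasons.append("certificate is not yet valid")
    if expired:
        reasons.append("certificate has expired")
    elif cert["not_after"] - now < EXPIRY_WARNING:
        # Advisory only: still passes the check, but renewal is due.
        reasons.append("certificate expires within %d days" % EXPIRY_WARNING.days)
    return {
        "issuer": cert["issuer"],
        "not_after": cert["not_after"],
        "finding": (not issuer_approved) or not_yet_valid or expired,
        "reasons": reasons,
    }


def check_file(path):
    """Run the STIG's openssl command on a certificate file and evaluate its output."""
    proc = subprocess.run(["openssl", "x509", "-noout", "-text", "-in", path],
                          check=True, capture_output=True, text=True)
    return evaluate_certificate(proc.stdout)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = check_file(sys.argv[1])  # e.g. /opt/xylok/certs/cert.crt
    else:
        result = evaluate_certificate(SAMPLE_DOD, now=REFERENCE_NOW)
    print("FINDING" if result["finding"] else "PASS", result["reasons"])
```

Run it with the certificate path as its only argument to evaluate the installed certificate; with no argument it evaluates the STIG's own sample output. Matching the Issuer on its O and OU attributes rather than the full CN keeps the rule valid across the DoD root and intermediate CAs, and the expiry warning gives the administrator notice before the Validity test turns into a finding.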