| Finding ID |
Severity |
Title |
Description |
|
V-269586
|
High |
Xylok Security Suite must use a central log server for auditing records. |
Integrating a central log server for managing audit records within the Xylok Security Suite enhances security monitoring, incident response, and compliance efforts. By providing centralized logging, real-time analysis, and automated alerting, a central log server allows Xylok to maintain a robust security posture and effectively respond to potential threats, ultimately... |
|
V-269585
|
High |
Xylok Security Suite must maintain the confidentiality and disable the use of SMTP. |
Disabling the use of SMTP within the Xylok Security Suite is a strategic decision aimed at enhancing security, ensuring compliance, and reducing operational risks. By eliminating the potential vulnerabilities associated with email communications, Xylok can better protect sensitive data and maintain a robust security posture. |
|
V-269577
|
High |
Xylok Security Suite must be running a supported version. |
It is critical to the security and stability of Xylok to ensure that updates and patches are deployed through a trusted software supply chain. Key elements to having a trusted supply chain include ensuring that versions deployed come from known, trusted sources. Additionally, it is important to check for and... |
|
V-269574
|
High |
Xylok Security Suite must use a centralized user management solution. |
Configuring Xylok Security Suite to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing capabilities, and offers a more seamless and consistent user experience. It aligns Xylok Security Suite with enterprise standards and contributes to a more efficient and secure environment.
Satisfies: SRG-APP-000023, SRG-APP-000025,... |
|
V-269573
|
High |
Xylok Security Suite must prevent access except through HTTPS. |
Preventing access, except via HTTPS, ensures security and protects sensitive data. HTTP_ONLY: If true, disables listening on the HTTPS port and allows all calls to happen over HTTP. This must be set to false. HTTPS encrypts data transmitted between the client (browser) and the server. Sensitive information, such as login... |
|
V-269572
|
High |
Xylok Security Suite must expire a session upon browser closing. |
When the session expires as soon as the browser is closed, it prevents session hijacking and unauthorized users from accessing the account or data if they reopen the browser.
Leaving a session open in the browser even after it is closed could expose the system to various types of attacks,... |
|
V-269740
|
Medium |
Xylok Security Suite must use a valid DOD-issued certification. |
Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process. |
|
V-269584
|
Medium |
Xylok Security Suite must only allow the use of DOD Public Key Infrastructure (PKI) established certificate authorities (CAs) for verification of the establishment of protected sessions. |
Untrusted CAs can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.
The DOD... |
|
V-269583
|
Medium |
Xylok Security Suite must audit the enforcement actions used to restrict access associated with changes to it. |
By default, auditing is not set up. Verifying that the host operating system generates audit records for events affecting /etc/xylok.conf is a critical security practice for Xylok. It enhances security monitoring, ensures accountability, supports compliance, maintains operational integrity, mitigates risks, and improves integration with security monitoring tools.
Without auditing the... |
|
V-269582
|
Medium |
The Xylok Security Suite configuration file must be protected. |
Protecting the configuration file is a fundamental aspect of maintaining the security, integrity, and stability of Xylok Security Suite. By implementing robust protection mechanisms, Xylok can safeguard sensitive information, ensure compliance, and enhance operational reliability while minimizing the risks associated with unauthorized access and misconfigurations. |
|
V-269581
|
Medium |
Xylok Security Suite must not allow local user or groups. |
Active Directory’s (AD's) design to create but not delete local groups supports operational efficiency, system integrity, and compliance needs.
Manual checks will help identify user accounts that are no longer active or orphaned accounts which could pose security risks. Within Xylok there must not be a local users/groups. Manually verifying... |
|
V-269580
|
Medium |
The Xylok Security Suite configuration for DEBUG must be False. |
Providing too much information in error messages risks compromising the data and security of the Xylok Security Suite and system. If DEBUG is set to True, it will show stack traces in error messages to assist with contact Xylok Support, but potentially reveal secure information. |
|
V-269579
|
Medium |
Xylok Security Suite must disable nonessential capabilities. |
If Xylok has unnecessary functionality enabled, the server may allow arbitrary code to run within the Xylok container. This would allow the user to potentially launch malicious acts against other hosts from inside the Xylok container.
ENABLE_PP_TEST_API setting in the Xylok Security Suite refers to a configuration flag that enables... |
|
V-269578
|
Medium |
The Xylok Security Suite READONLY configuration must be True. |
By default, the Xylok container is created not allowing users to modify any files inside the container.
The only paths that can be altered are mounted from the host. Mount the database files from the host, so that the database server running inside the container can write data.
If READONLY=false,... |
|
V-269576
|
Medium |
Xylok Security Suite must protect audit information from any type of unauthorized access. |
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to their advantage.
To ensure the veracity of... |
|
V-269575
|
Medium |
Xylok Security Suite must display the Standard Mandatory DOD Notice and Consent Banner before granting access. |
Users accessing Xylok must be informed their actions might be monitored, potentially opening the organization up to legal challenges. Implementing a Consent Banner helps Xylok Security Suite remain compliant with legal requirements and protect user privacy while informing users of their rights regarding their data.
Satisfies: SRG-APP-000068, SRG-APP-000069 |
|
V-269571
|
Medium |
Xylok Security Suite must initiate a session lock after a 15-minute period of inactivity. |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity... |
|
V-269570
|
Medium |
Xylok Security Suite must limit system resources consumed by the application. |
Not limiting system resources to Xylok presents a denial-of-service (DoS) risk. Each open instance of Xylok periodically retrieves a list of background tasks. Open sessions, even sessions not being actively used, consume a small amount of server resources and could result in Xylok becoming slow or entirely responsive.
In addition,... |
|
V-269569
|
Medium |
Xylok Security Suite must protect application-specific data. |
The /var/lib/xylok directory is essential for storing various types of data necessary for the operation and functionality of the Xylok Security Suite. It acts as a central repository for application data, ensuring that the suite can function effectively and maintain state and configuration between sessions. Proper management and protection of... |
