| V-269569 | | Xylok Security Suite must protect application-specific data. | The /var/lib/xylok directory is essential for storing various types of data necessary for the operation and functionality of the Xylok Security Suite.... |
| V-269570 | | Xylok Security Suite must limit system resources consumed by the application. | Not limiting system resources to Xylok presents a denial-of-service (DoS) risk. Each open instance of Xylok periodically retrieves a list of backgroun... |
| V-269571 | | Xylok Security Suite must initiate a session lock after a 15-minute period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-269575 | | Xylok Security Suite must display the Standard Mandatory DOD Notice and Consent Banner before granting access. | Users accessing Xylok must be informed their actions might be monitored, potentially opening the organization up to legal challenges. Implementing a C... |
| V-269576 | | Xylok Security Suite must protect audit information from any type of unauthorized access. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity i... |
| V-269578 | | The Xylok Security Suite READONLY configuration must be True. | By default, the Xylok container is created not allowing users to modify any files inside the container.
The only paths that can be altered are mounte... |
| V-269579 | | Xylok Security Suite must disable nonessential capabilities. | If Xylok has unnecessary functionality enabled, the server may allow arbitrary code to run within the Xylok container. This would allow the user to po... |
| V-269580 | | The Xylok Security Suite configuration for DEBUG must be False. | Providing too much information in error messages risks compromising the data and security of the Xylok Security Suite and system. If DEBUG is set to T... |
| V-269581 | | Xylok Security Suite must not allow local user or groups. | Active Directory’s (AD's) design to create but not delete local groups supports operational efficiency, system integrity, and compliance needs.
Manua... |
| V-269582 | | The Xylok Security Suite configuration file must be protected. | Protecting the configuration file is a fundamental aspect of maintaining the security, integrity, and stability of Xylok Security Suite. By implementi... |
| V-269583 | | Xylok Security Suite must audit the enforcement actions used to restrict access associated with changes to it. | By default, auditing is not set up. Verifying that the host operating system generates audit records for events affecting /etc/xylok.conf is a critica... |
| V-269584 | | Xylok Security Suite must only allow the use of DOD Public Key Infrastructure (PKI) established certificate authorities (CAs) for verification of the establishment of protected sessions. | Untrusted CAs can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations w... |
| V-269740 | | Xylok Security Suite must use a valid DOD-issued certification. | Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This wou... |
| V-269572 | | Xylok Security Suite must expire a session upon browser closing. | When the session expires as soon as the browser is closed, it prevents session hijacking and unauthorized users from accessing the account or data if ... |
| V-269573 | | Xylok Security Suite must prevent access except through HTTPS. | Preventing access, except via HTTPS, ensures security and protects sensitive data. HTTP_ONLY: If true, disables listening on the HTTPS port and allows... |
| V-269574 | | Xylok Security Suite must use a centralized user management solution. | Configuring Xylok Security Suite to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, ... |
| V-269577 | | Xylok Security Suite must be running a supported version. | It is critical to the security and stability of Xylok to ensure that updates and patches are deployed through a trusted software supply chain. Key ele... |
| V-269585 | | Xylok Security Suite must maintain the confidentiality and disable the use of SMTP. | Disabling the use of SMTP within the Xylok Security Suite is a strategic decision aimed at enhancing security, ensuring compliance, and reducing opera... |
| V-269586 | | Xylok Security Suite must use a central log server for auditing records. | Integrating a central log server for managing audit records within the Xylok Security Suite enhances security monitoring, incident response, and compl... |
