Automatic Analysis updates:
DB maintenance process cleans unused checks from the DB and ensures all referenced checks have a valid benchmark version associated with them. This should have minimal user impact.
Corrected some CKL export issues
Hitting arrows keys correctly navigates between checks in benchmark view
Postprocessing button in analysis view now keeps filters
Prev/next buttons on analysis page retain filter criteria
Allow old scan data to load if no recommendation status was set in additional_output
Emergency release to fix an issue preventing automatic analysis from running.
Automatic analysis has seen a number of major updates.
CKL import has been improved and moved to the web interface, see updated docs under "Upload to Xylok" for more information.
POA&M header can be controlled via new POA&M settings, allowing the system name and other specific details to be filled in during generation.
The Xylok API is now officially supported. Detailed documentation is available under the user menu -> API Documentation, and high-level docs and use cases can be found under the Automation header of the Xylok docs. The initial use case for this is automating scanning and analyzing a machine. Supported API endpoints include:
You can now drop files on the sidebar, making uploading results easy no matter where you are in Xylok. Multiple files can be uploaded at a time and you will be blocked from navigating away while the uploads are in progress.
Sidebar now holds a small task monitor, allowing it to track background tasks and download generated files without having to stay on a specific page.
There is a new import/export format for Xylok. The new SQLite-based format demands less memory and will work on a wider range of systems. There's also more room for optimization, potentially allowing for quick importing/exporting in the future. Features of the new format include:
Spreadsheet versions of the various raters (CCI, control, tech) are all exportable directly from the rater page, reducing navigation.
Uploads and downloads now persist to temporary storage on-disk, rather than being retained fully in memory. This should reduce issues on lower-memory systems where imports could not be completed because of out-of-memory process termination. A maintenance process has been added to help clean temporary files over time.
A new task-monitoring page has been created, allowing you to view all background processes in the same location.
Multiple files can now be selected during upload
This release comes with a major rewrite of the Xylok user interface. Please give us feedback at support@xylok.io if you run into any issues or have requests! The documentation has been updated to reflect the new look. Other than looking completely different, some notable features of the new UI include:
Documentation now has a section on the workflow for the Assessment Rater displays, covering the CCI Rater, Control Rater, Technical Rater, and POA&M Manager. As we encourage more organizations to use these integrated tools, we're hoping to build out even more reporting around them. If you have requests or ideas, let us know.
The Raters now generally have a "Reviewed" date, allowing them to be more easily updated over time. No changes since the last time you looked at a CCI? Just mark it "reviewed" so you know it's still accurate!
Breaking: The run subcommand was removed from the xylok manager because it caused permissions issues. To compensate, we now create a new /_passthrough mount for Xylok, intended for transferring files in and out of the container. The host location of this mount can be found by running ./xylok pt ext. The Command Line Utilities -> Working with Containers section of the documentation has more details on this.
RHEL 6 STIG Added missing commands for v2r2. PP fixes on several checks.
RHEL 8 STIG Adding missing commands to checks in v1r4
RHEL 7 - Updated for new release v3r5 - Fixes for commands and post processing
RHEL 7:
Updated MS SQL Server 2016 Database STIG v2r2 and MS SQL Server 2016 Instance STIG v2r5.
Updated IIS 10 Server STIG v2r4 and IIS 10 Site STIG v2r4.
Updated IIS 8.5 Server STIG v2r3 and IIS 8.5 Site STIG v2r4.
Updated VMware vSphere 6.5 Virtual Machine STIG v2r1.
Updated IE 11 STIG v2r1.
Updated Microsoft Edge STIG v1r3.
Populated Microsoft Office 365 ProPlus STIG v2r3 with commands and postprocessing, and expert comments for DISA mistakes.
More minor updates to Windows 10, Windows Server 2016 and 2019 STIGs.
Updated firewall rule checks in Microsoft Windows 2012 Server DNS STIG.
Updated Windows Server 2016/2019 check for 'create symbolic links' regarding Hyper-V role.
Minor updates to Windows 10, Server 2016, Server 2019 STIGs (v2r2).
Updated Windows Server 2019 STIG v2r2 and Windows Server 2016 STIG v2r2.
Added 'looking for' statements for all the basic Cisco L2S PP
Corrected runner for ASA commands
Added basic PP (no recommendations) to more of the Cisco IOS L2S STIG
Added Cisco ASA commands to ASA FW STIG
Added HP Comm commands to Layer 2 Switch SRG
Updated Windows Server 2016 STIG v2r2.
Updated Windows 10 STIG v2r2, including user-identified issues (Thanks!).
Updated Internet Explorer 11 STIG v1r19, including user-identified issues (Thanks!).
Xylok now runs as a non-root user on all installations. To facilitate this, the following things will occur during installation and/or upgrade:
A xylok user and group will be created on the host if they do not exist. This user will be given a home directory (necessary for execution of the container under Podman), but should be created with a system-level UID.
Files are owned by the xylok user and xylok group. Most files, except for Postgres database files, allow group access.
Xylok now uses systemd to manage on-boot execution for all installations, rather than relying on Docker's restart=always. The xylok unit will be installed during the upgrade. From then on, the systemd unit xylok can be used for status, starting, and stopping. On Docker systems, there is a dependency on docker starting.
Nginx (v1.20 currently) has replaced Caddy as the reverse proxy. This has a few benefits:
The move to a single container for all Xylok processes made logging more challenging. This has been resolved, with physical logs being generated at /var/log/xylok/ for each internal component.
The /opt/xylok/xylok logs subcommand has been updated to reflect this change. By default, a ZIP file with the last 5000 lines of each log will be generated, plus some settings (passwords/secrets are excluded) and the docker container logs.
The logs command also has a -f flag, which tails all component logs and allows for nice real-time debugging of any issues, for example: /opt/xylok/xylok logs -f worker
The settings subcommand now shows default settings. This will allow us to more easily consolidate the documentation for all settings into the Xylok command, rather than just separate docs.
REMOVED: The FARR has been removed in favor of using the CCI Rater and/or POA&M Rater. If your organization utilizes the FARR, please contact support@xylok.io.
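An illustrative reimplementation of the log-collection behaviour described above (the last N lines of each component log, a settings dump with password/secret keys dropped, all zipped together), added here and not Xylok's own code; the log directory, file names and settings keys are constructed for the example.

```python
import io
import re
import tempfile
import zipfile
from collections import deque
from pathlib import Path

# Keys that look like credentials are dropped from the settings dump entirely.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|api[_-]?key", re.I)


def tail_lines(path: Path, n: int) -> str:
    """Return the last n lines of a text file, streaming so large logs stay cheap."""
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        return "".join(deque(fh, maxlen=n))


def safe_settings(settings: dict) -> dict:
    """Keep only settings whose key does not look like a password or secret."""
    return {k: v for k, v in settings.items() if not SECRET_KEY_RE.search(k)}


def build_bundle(log_dir: Path, settings: dict, max_lines: int = 5000) -> bytes:
    """Zip the tail of every *.log in log_dir plus a sanitised settings.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for log in sorted(log_dir.glob("*.log")):
            zf.writestr(f"logs/{log.name}", tail_lines(log, max_lines))
        dump = "".join(f"{k}={v}\n" for k, v in sorted(safe_settings(settings).items()))
        zf.writestr("settings.txt", dump)
    return buf.getvalue()


def read_member(blob: bytes, name: str) -> str:
    """Read one file out of a bundle produced by build_bundle."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name).decode("utf-8")


def demo() -> dict:
    """Constructed sample: two component logs and settings that contain a secret."""
    log_dir = Path(tempfile.mkdtemp())
    (log_dir / "worker.log").write_text("".join(f"worker line {i}\n" for i in range(1, 8)))
    (log_dir / "nginx.log").write_text("GET / 200\n")
    settings = {"DATABASE_HOST": "db.example.invalid",
                "DATABASE_PASSWORD": "hunter2", "SECRET_KEY": "not-for-support"}
    blob = build_bundle(log_dir, settings, max_lines=5)  # keep only the last 5 lines
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = sorted(zf.namelist())
    return {"names": names, "worker": read_member(blob, "logs/worker.log"),
            "settings": read_member(blob, "settings.txt")}
```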
Always add Xylok OS Baseline to scans. This fixes the requirement from the previous update that all users must manually add the OS Baseline to their machines to activate the automatic data import. As a part of this:
A PPSM in two formats can be generated using port information gathered by the Xylok OS Baseline. The new report is available under Reports -> Ports, Protocols, and Services Matrix. The data will start being populated the next time a scan is performed. If you need a PPSM in a different format, please contact support@xylok.io
CKL import will now automatically add IP/MAC addresses and host name if they are in the scan.
Users will now be notified if the OS they have entered for their machine does not match the OS found in the baseline scan. (Windows and RHEL only so far)
Quick-turn release to fix two issues.
Added an automated "Machine Benchmark Status Report" under the Reports tab. This will generate a spreadsheet that shows the STIG Viewer score and Xylok score, separated for each benchmark, for every machine under a client.
When importing a scan or running Post Processing, machine info can be automatically updated. If new information conflicts with old information, the user can choose which to keep, or to ignore future suggestions. Ignoring suggestions can also be undone. More QOL to follow.
To activate this feature, assign the Xylok OS Baseline to all machines you'd like to track
Currently, supported OSes include:
Let us know if you encounter any issues or have any particular OSes you'd like support added for.
Added package to log all Javascript errors and exceptions to the main logs, allowing for end-to-end debugging if support is needed.
Users can now use ./xylok logs to save a report of all the container logs.
Xylok can now be hardened to more accurately match the Docker Enterprise STIG. See the "Security" page of the new version of the manual for more details, but included features include:
There is now a "logs" subcommand for xylok-manager.py, which fetches all the container logs with a single command. This should help with debugging issues on customer installs.
Active Directory sign in is available for users who want to log in using Windows Server or Microsoft Azure:
Scan details page has an option to filter items by "interview", showing only items that have interview question to answer.
Scan Details page shows a progress bar indicating how many items are remaining for that scan (unreviewed/needs manual review).
Scan analysis pages now hide the less pretty version of the Xylok recommendations and instead have a more obvious way to apply those recommendations.
There's now options for managing automatic analysis (AA) data, the markings Xylok uses to match up old compliance information with new data when you import scans:
Xylok now supports both Docker and Podman.
human_id is now accessible to post-processing scripts by using "ctx.human_id"
Post-processing scripts can mark an item as "needs manual review" to make it obvious the data was looked at by the script, but a determination is impossible without more information. Reports treat this status the same as "not reviewed."
Upgrade Django to 2.2 LTS.
Remote databases are now supported for standalone installations, i.e., an AWS RDS Postgres instance could be used.
Better handling of volumes under SELinux (even when using Docker).
Machine scan listing is now correctly paginated.
Self-managed user password changes.
CKL production has numerous fixes:
Bulk postprocessing of small scans (less than 100 items) will now succeed
Updated benchmarks are pulled in correctly again
NOTE This version will upgrade your system to Postgres 11. A special backup will be created as a part of this process. Please contact Xylok if you encounter any issues.
Context information: a context variable passed to PP scripts carries additional information without adding to the global namespace.