v2022.08.25 (2022-08-25)

Features

Scan analysis is now fully JS-driven, which should make it faster and prevent losing search filters during navigation
Added a Control Groups filter in the CCI Rater
Added ability to copy comments from a CCI Rating to multiple CCI Ratings in the CCI Rater
Groups of CCI Ratings can be updated at once using Group CCI Rater
Xylok import selections allow for specific rating types to be selected
Updated API Documentation to include new POST methods to edit multiple rater/scan items simultaneously

Fixes

Fixed a bug which was causing the SAR reports to not use the latest ratings
Collection scripts no longer include (blank) sections for runners which don't actually have any commands. This shouldn't have any execution effect other than not confusingly saying the script is starting the network runner when you're on an RHEL box

Benchmark Changes

Fix: RHEL-6 checks: copied 62-2 command and pp into 62-3. Fixed issue on 55
Scraper: Updated benchmark vvoip_technical, added version v3r15
Scraper: Updated benchmark voice_video_session_management, added version v2r2
Scraper: Updated benchmark vvoip_stig_policy, added version v3r18
Scraper: Updated benchmark voice_video_endpoint, added version v2r2
Scraper: Updated benchmark vtc_policy, added version v1r12
Scraper: Added benchmark tanium_7-x_stig, added version v1r1
Scraper: Updated benchmark samsung_android_os_9_knox_3-x_cope_kpe_legacy_stig, added version v1r5
Scraper: Updated benchmark samsung_os_9_knox_3-x_cobo_kpe_ae_stig, added version v1r4
Scraper: Updated benchmark samsung_android_os_9_knox_3-x_cobo_kpe_legacy_stig, added version v1r5
Scraper: Updated benchmark samsung_os_9_knox_3-x_cope_kpe_ae_stig, added version v1r4
Scraper: Updated benchmark zos_ibm_system_display_and_search_facility_for_racf_stig, added version v6r9
Scraper: Updated benchmark ss_android_12_kpe_3-x_cope_stig, added version v1r2
Scraper: Updated benchmark ss_android_12_kpe_3-x_cobo_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_eam_tomcat_stig, added version v1r3
Scraper: Updated benchmark vmw_vsphere_6-7_photon_os_stig, added version v1r4
Scraper: Added benchmark toss_4_stig, added version v1r1
Scraper: Updated benchmark ibm_aspera_platform_4-2_stig, updated version v1r1
Scraper: Updated benchmark tm_tippingpoint_idps_stig, added version v1r2
Scraper: Updated benchmark samsung_sds_emm_stig, added version v1r3
Scraper: Updated benchmark zos_ibm_system_display_and_search_facility_for_acf2_stig, added version v6r10
Scraper: Updated benchmark zos_ibm_system_display_and_search_facility_for_tss_stig, added version v6r9
Scraper: Updated benchmark splunk_enterprise_8-x_for_linux_stig, added version v1r3
Scraper: Updated benchmark sles_15_stig, added version v1r7
Scraper: Updated benchmark sles_12_stig, added version v2r7
Scraper: Updated benchmark rhel_8_stig, updated version v1r7
Scraper: Updated benchmark rhel_8_stig, added version v1r7
Scraper: Updated benchmark rhel_7_stig, added version v3r8
Scraper: Updated benchmark postgresql_9-x_stig, added version v2r3
Scraper: Added benchmark pan_prisma_cloud_compute_stig, added version v1r1
Scraper: Updated benchmark oracle_linux_8_stig, added version v1r3
Scraper: Updated benchmark oracle_linux_7_stig, added version v2r8
Scraper: Updated benchmark oracle_database_12c_stig, added version v2r5
Scraper: Updated benchmark network_infrastructure_policy_stig, added version v10r3
Scraper: Updated benchmark netapp_ontap_dsc_9-x_stig, added version v1r2
Scraper: Added benchmark microsoft_windows_11_stig, added version v1r1
Scraper: Updated benchmark ms_office_365_proplus_stig, added version v2r6
Scraper: Updated benchmark iis_8-5_server_stig, added version v2r4
Scraper: Updated benchmark iis_8-5_site_stig, added version v2r6
Scraper: Updated benchmark iis_10-0_site_stig, added version v2r6
Scraper: Updated benchmark iis_10-0_server_stig, added version v2r6
Scraper: Updated benchmark ie_11_stig, added version v2r2
Scraper: Updated benchmark ms_exchange_2016_edge_transport_server_stig, added version v2r4
Scraper: Updated benchmark ms_edge_stig, added version v1r5
Scraper: Updated benchmark moz_firefox_stig, added version v6r3
Scraper: Added benchmark mariadb_enterprise_10-x_stig, added version v1r2
Scraper: Updated benchmark kubernetes_stig, added version v1r6
Scraper: Updated benchmark juniper_router_rtr_stig, added version v2r4
Scraper: Added benchmark juniper_ex_l2s_stig, added version v1r1
Scraper: Added benchmark juniper_ex_rtr_stig, added version v1r1
Scraper: Added benchmark juniper_ex_ndm_stig, added version v1r1
Scraper: Updated benchmark ibm_zos_acf2_stig, added version v8r7
Scraper: Updated benchmark ibm_aspera_platform_4-2_stig, added version v1r2
Scraper: Updated benchmark ibm_aix_7-x_stig, added version v2r6
Scraper: Updated benchmark general_purpose_operating_system, added version v2r4
Scraper: Updated benchmark fn_fortigate_firewall_stig, added version v1r2
Scraper: Updated benchmark fn_fortigate_firewall_ndm_stig, added version v1r2
Scraper: Updated benchmark edb_postgres_advanced_server_stig, added version v2r2
Scraper: Updated benchmark edb_postgres_advanced_server_v11_on_windows_stig, added version v2r2
Scraper: Updated benchmark database_generic, added version v3r3
Scraper: Updated benchmark cisco_ios-xe_router_ndm_stig, added version v2r4
Scraper: Updated benchmark cisco_ios_xe_switch_ndm_stig, added version v2r3
Scraper: Updated benchmark cisco_ios_switch_ndm_stig, added version v2r4
Scraper: Updated benchmark cisco_ios_router_ndm_stig, added version v2r4
Scraper: Updated benchmark crunchy_data_postgresql_stig, added version v2r1
Scraper: Updated benchmark canonical_ubuntu_20-04_lts_stig, added version v1r5
Scraper: Updated benchmark u_can_ubuntu_18-04_stig, added version v2r8
Scraper: Updated benchmark avepoint_docave_6_stig, added version v1r2
Scraper: Added benchmark avepoint_docave_6_stig, added version v1r1
Scraper: Updated benchmark apple_os_x_10-15_stig, added version v1r9
Scraper: Updated benchmark apple_macos_12_stig, added version v1r3
Scraper: Updated benchmark apple_ios-ipados_15_stig, added version v1r3

v2022.07.1 (2022-07-21)

Features

Importing Xylok Archives will now allow for selecting which components (clients, scans, ratings, etc) to import
Xylok will now generate a certificate with a subject alternate name, rather than only a common name. This SAN can be controlled via the XYLOK_HOST setting, see https://support.xylok.io/kb/en/article/https-and-ssl-certificates for more details

Fixes

Importing network files now correctly displays the error message if they are missing a command
Client dashboard bug fix
Rater modals load correct data again
Importing ratings no longer wipes ratings for other clients
Added is_current to more rating tables in export
Sw list and pps information now get stored correctly as lists in database
Fixed issue with importing POA&M entries from archive
Automatically correct configuration if not DB password is set

Benchmark Changes

Removed show config command with an HPCom OS in Network L2 Switch.
RHEL 6 fixes:
- Removed smart quotes from command in RHEL 6, added pp for latest version
- Check correctly marks NA when IPv6 is disabled
Updated several Windows 10 checks to resolve module import error.
Fixed PP for older windows software collection
Updated Windows 7 - WINUR-000032 PP to correct false positive condition.
Scraper: Added benchmark mcafee_ens_10-x_local_client_stig, added version v1r1

v2022.06.2 (2022-06-27)

Major Features

Xylok manager works with Podman 4.x now

Features

Scans can now have individual benchmarks removed. Option is under the Scan Options menu when analyzing a scan. Closes #312
Rater tables now hide certain columns on smaller screens
CCI, POAM, RTM managers have multi-edit functionality
All Raters that use a 'reviewed' column can now mark items as 'reviewed' in bulk
Benchmark reference now says if a benchmark isn't covered by the user's license
Benchmarks show if the benchmark is licensed in the metadata section of the reference

Fixes

Scan Details page now correctly handles marking all items when filtered
Commands are always sorted in check analysis, letting them be stable regardless of edits
Removed unused check edit page, corrected edit links from machine/location/client findings listings
'Use scan as AA baseline' is working properly again.
Scan detail progress bar bug

Benchmark Changes

Added PAN-OS commands and PAN-OS to OS list
Added device model tracking for Cisco IOS
Added show vtp command to Cisco L2S benchmark
Made Win 10 software list correctly be marked as N/A again
Fixed IE8 DTBI765 command.
Updated Windows Server 2016 and 2019, both v2r4.
Updated Windows PAW v2r2.
Updated Windows 2012 DNS v2r5.
Updated Windows Server 2012 DC & MS, both v3r4.
Updated Windows 10 v2r4.
Updated MS Defender v2r4.
Updated McAfee ENS 10.x v2r7.
Updated HBSS ePO 5.x v2r7.
Marked Cisco IOS XE Router RTR v2r4 ready.
Updated Cisco ASA FW v1r2.
Updated Splunk 8 v1r2.
Updated MS SQL Server 2016 Database and Instance, v2r4 and v2r7, respectively.
Updated Mozilla Firefox v6r2.
Scraper: Updated benchmark mcafee_ens_10-x_stig, added version v2r7
Scraper: Updated benchmark hbss_epo_5-3_5-9_stig, added version v2r7
Scraper: Updated benchmark windows_server_2019_stig, added version v2r4
Scraper: Updated benchmark windows_server_2016_stig, added version v2r4
Scraper: Updated benchmark windows_paw_stig, added version v2r2
Scraper: Updated benchmark microsoft_windows_2012_server_domain_name_system_stig, added version v2r5
Scraper: Updated benchmark windows_2012_ms_stig, added version v3r4
Scraper: Updated benchmark windows_2012_dc_stig, added version v3r4
Scraper: Added benchmark ms_windows_10_stig, added version v2r4
Scraper: Added benchmark ms_defender_antivirus, added version v2r4

v2022.06.1 (2022-05-31)

Major Features

Automated software list and benchmark recommendations:
- Xylok processes the software lists collected by the Xylok OS Baseline benchmark (automatically run on most scans) during post-processing. Software and versions are added to the machine and are now visible under the "Software" link in the machine details.
- The software list page will recommend benchmarks where possible and offer a single-click Add option.
- Benchmarks that should currently be automatically recommended are listed below. We're working on adding more--please let us know if you have any requests or issues!
  - adobe_acrobat_pro_dc_classic_stig
  - adobe_acrobat_pro_dc_continuous_stig
  - adobe_acrobat_pro_dc_stig
  - adobe_acrobat_reader_dc_classic_track_stig
  - google_chrome_current_windows
  - google_search_applicance_stig
  - jre_7_unix_stig
  - jre_8_and_unix_stig
  - jre_8_and_windows_stig
  - mcafee_virusscan88_managed_client
  - microsoft_onedrive_for_business_2016
  - microsoft_sql_server_2012_database_instance_security_technical_implementation_guide
  - moz_firefox_stig
  - ms_office_365_proplus_stig
  - ms_sql_server_2014_database_stig
  - ms_sql_server_2014_instance_stig
  - ms_sql_server_2016_database_stig
  - ms_sql_server_2016_instance_stig
  - ms_sql_server_database_2012
  - ms_sql_server_installation_2012
  - ms_sql_server_instance_2012
  - splunk_enterprise_7-x_for_windows_stig
- Archive format now supports importing and exporting matching software version information
- Regardless of recomendations, the installed software list will appear as an additional column on the hardware spreadsheet. We're looking into improving this format to more closely reflect how most AF/SF organization represent their HW/SW lists. If you have examples from your organization, we'd gladly use them to inform our approach.
ISOs and Zip archives of scripts
- In addition to ISOs for locations, locations can now produce a Zip-compressed archive of all machine scripts under them
- Downloading scripts for the entire client is now possible
- Breaking change: Script ISOs/archives are now built with descending directories for locations, rather than being flat at the location level. Location directories are prefixed with "__" to help distinguish them from machines in file listings. Previously all machines under a location were listed in a flat structure, regardless of child locations

Features

Upgraded to Postgres 13 and Debian Bullseye
Added rater row fetches to the API Documentation. Note that they're all marked as internal use, so the format may be changed in the future.
Permission Errors now show a less ambiguous message
Upgraded blank setup database with latest migrations
Documentation fully moved from internal docs to external site (https://support.xylok.io)
Updated documentation regarding archive format
Limited nginx to TLS 1.2 and 1.3

Fixes

Checklist exports with CUI STIGs (HBSS is the most common example) can now be correctly imported into STIG Viewer. The latest version of STIG Viewer threw an error when a STIG had an 'FOUO' classification.
Restore script uses correct internal path for restoring file
Fixed issues with navigating using browser's forward/back that did not return complete pages.
Fixed nav bar issues when navigating through history on some pages
Raters were not correctly excluding old data during filter and duplicate current rows in raters
"Add Group" bug fixed
Corrected losing the search filter when using the 're-run pp' button

Benchmark Changes

Updated MS Outlook 2016 v2r3.
Updated MS Office 365 ProPlus v2r5.
Updated Google Chrome v2r6.
RHEL 8 updates
Added commands and PP to Cisco ASA NDM v1r1.
Updated PP on Cisco NX-OS Switch RTR v2r1.
Scraper: Updated benchmark traditional_security_checklist, added version v2r2
Scraper: Added benchmark zebra_android_11_cobo_stig, added version v1r1
Scraper: Updated benchmark zos_roscoe_for_acf2_stig, added version v6r8
Scraper: Updated benchmark zos_bmc_mainview_for_zos_for_acf2_stig, added version v6r9
Scraper: Updated benchmark zos_ibm_system_display_and_search_facility_for_acf2_stig, added version v6r9
Scraper: Updated benchmark zos_ca_vtape_for_acf2_stig, updated version v6r4
Scraper: Updated benchmark vmw_vsphere_6-7_photon_os_stig, added version v1r3
Scraper: Updated benchmark zos_ca_vtape_for_racf_stig, updated version v6r4
Scraper: Added benchmark ss_android_12_kpe_3-x_cobo_stig, added version v1r1
Scraper: Added benchmark ss_android_12_kpe_3-x_cope_stig, added version v1r1
Scraper: Updated benchmark zos_ca_vtape_for_tss_stig, updated version v6r4
Scraper: Added benchmark vmw_nsx-t_manager_ndm_stig, added version v1r1
Scraper: Added benchmark vmw_nsx-t_t1_gateway_fw_stig, added version v1r1
Scraper: Added benchmark vmware_nsx-t_distributed_fw_stig, added version v1r1
Scraper: Added benchmark vmware_nsx-t_sdn_controller_stig, added version v1r1
Scraper: Added benchmark vmw_nsx-t_t1_gateway_rtr_stig, added version v1r1
Scraper: Added benchmark vmw_nsx-t_t-0_rtr_stig, added version v1r1
Scraper: Added benchmark vmw_nsx-t_t-0_gateway_fw_stig, added version v1r1
Scraper: Updated benchmark splunk_enterprise_8-x_for_linux_stig, added version v1r2
Scraper: Updated benchmark sles_15_stig, added version v1r6
Scraper: Updated benchmark rhel_8_stig, added version v1r6
Scraper: Updated benchmark rhel_7_stig, added version v3r7
Scraper: Added benchmark rancher_mcm_stig, added version v1r1
Scraper: Updated benchmark palo_alto_networks_ndm_stig, added version v2r1
Scraper: Updated benchmark oracle_linux_8_stig, added version v1r2
Scraper: Updated benchmark oracle_linux_7_stig, added version v2r7
Scraper: Updated benchmark oracle_database_12c_stig, added version v2r4
Scraper: Updated benchmark network_wlan_ap-ig_platform_stig, added version v7r2
Scraper: Updated benchmark network_wlan_ap-nipr_platform_stig, added version v7r2
Scraper: Updated benchmark network_wlan_controller_platform_stig, added version v7r2
Scraper: Updated benchmark network_infrastructure_policy_stig, added version v10r2
Scraper: Updated benchmark ms_sql_server_2016_instance_stig, added version v2r7
Scraper: Updated benchmark ms_sql_server_2016_database_stig, added version v2r4
Scraper: Updated benchmark microsoft_sharepoint_server_2013, added version v2r3
Scraper: Updated benchmark microsoft_outlook_2016, added version v2r3
Scraper: Updated benchmark ms_office_365_proplus_stig, added version v2r5
Scraper: Updated benchmark moz_firefox_stig, added version v6r2
Scraper: Added benchmark mot_solutions_android_11_cobo_stig, added version v1r1
Scraper: Added benchmark mongodb_enterprise_advanced_4-x_stig, added version v1r1
Scraper: Updated benchmark mongodb_3-x_stig, added version v2r1
Scraper: Updated benchmark kubernetes_stig, added version v1r5
Scraper: Updated benchmark juniper_router_rtr_stig, added version v2r3
Scraper: Updated benchmark juniper_router_ndm_stig, added version v2r1
Scraper: Updated benchmark ibm_zos_tss_stig, added version v8r6
Scraper: Updated benchmark ibm_zos_racf_stig, added version v8r7
Scraper: Updated benchmark ibm_zos_acf2_stig, added version v8r6
Scraper: Added benchmark ibm_aspera_platform_4-2_stig, added version v1r1
Scraper: Updated benchmark ibm_aix_7-x_stig, added version v2r5
Scraper: Added benchmark hpe_nimble_storage_array_stig, added version v1r1
Scraper: Updated benchmark general_purpose_operating_system, added version v2r3
Scraper: Updated benchmark google_chrome_current_windows, added version v2r6
Scraper: Updated benchmark firewall_srg, added version v2r2
Scraper: Updated benchmark enclave_-_zone_d, added version v1r6
Scraper: Updated benchmark enclave_-_zone_b, added version v1r6
Scraper: Updated benchmark enclave_-_zone_a, added version v1r6
Scraper: Updated benchmark enclave_-_zone_c, added version v1r6
Scraper: Updated benchmark cisco_ise_ndm_stig, added version v1r3
Scraper: Updated benchmark cisco_ios-xe_router_rtr_stig, added version v2r4
Scraper: Updated benchmark cisco_asa_fw_stig, added version v1r2
Scraper: Updated benchmark canonical_ubuntu_20-04_lts_stig, added version v1r4
Scraper: Updated benchmark u_can_ubuntu_18-04_stig, added version v2r7
Scraper: Updated benchmark apple_os_x_10-15_stig, added version v1r8
Scraper: Updated benchmark apple_os_x_10-14_stig, added version v2r6
Scraper: Updated benchmark apple_os_x_10-13_stig, added version v2r5
Scraper: Updated benchmark apple_macos_12_stig, added version v1r2
Scraper: Updated benchmark apple_macos_11_stig, added version v1r6

v2022.04.3 (2022-04-21)

Major Features

The new sorting and filtering from the CCI and Control raters is now also applied to the RTM, Technical and POA&M tools

Features

When importing data that requires a pre-selected client, the error message should be more intuitive.
HW Spreadsheet now includes compliance scores in last two columns
Updated file import to handle new STIG Viewer .ckl files

Fixes

Automatic Analysis updates:
- Maintenance process now ensures AA database remains valid and removes duplicate entries if they exist
- Copying AA values from one family to another no longer gives an error
- AA creation has an explicit lock around it, rather than relying on only having a single process registered for handling AA
DB maintenance process cleans unused checks from the DB and ensures all referenced checks have a valid benchmark version associated with them. This should have minimal user impact.
Corrected some CKL export issues
Hitting arrows keys correctly navigates between checks in benchmark view
Postprocessing button in analysis view now keeps filters
Prev/next buttons on analysis page retain filter criteria
Allow old scan data to load if no recommendation status was set in additional_output

Benchmark Changes

The internal NetworkParse library will better handle Cisco configuration files with 'unusual' indentation by somewhat understanding what commands are permitted to have children. If you encounter changes to your processing because of these changes, let us know!
Marked RHEL 8 v1r5 as customer ready
Added PP to Cisco IOS-XE Switch RTR v2r1.
Added PP to Cisco IOS-XE Router RTR v2r3
Added PP to Cisco IOS Switch RTR v2r1
Updated PP on Cisco IOS Router RTR and NX-OS Switch RTR based on testing
Minor correction to PP on single Cisco IOS Router RTR check

v2022.04.2 (2022-04-05)

Fixes

Imported files correctly show redirection/view link
PP no longer errors out
Fixed view changes in analysis erasing search filter

v2022.04.1 (2022-04-05)

Emergency release to fix an issue preventing automatic analysis from running.

Fixes

No longer fully family ID from the wrong location during AA
AA moved to a single new table with integrated command values and a update date
Task sidebar monitor has an icon for when tasks have an action needed
Archives with benchmarks with no versions (uncommon) can still be successfully imported

v2022.03.1 (2022-03-28)

Major Features

Automatic analysis has seen a number of major updates.
- There are now three AA pools: machine, family, and "universal". Previously only family and universal existed. This change allows machine-specific selections to stay consistent across AA runs.
- Updated Data Analysis documentation with more details about how AA works internally, with a full example across multiple machines. (https://xylok.notion.site/Data-Analysis-168a4af4d49e4c8db16086762837df28)
- During AA for a single scan, you can now select which AA pools to use. See updated documentation for more details about how AA works.
- Allow AA items to represent all possible finding statuses. Previously they would only save Compliant, Noncompliant, and N/A. As a consequence, when you unmark an item we no longer re-mark that item the next time AA is run.
- Breaking Change: The majority of AA data should carry forward with no changes. However, AA entries were post-processing recommendations were overriden will not carry forward.
- Universal AA pool can now be exported by logged-in users from the User Menu. Individual benchmark AA pools are no longer exportable via the benchmark page.
- When exporting a client with scan data, AA data for all client machines, families, and the universal pool will be exported.
- If you need to drop AA data for a machine because items were incorrectly marked, you can now delete a machine's data pool from the Machine Details' Options dropdown.
- Family data can be deleted in the same way, from the corresponding Family Details page.

Features

CCI rater modal always shows link to 'all items' and all related items view shows everything, regardless of status
The scan item list (when you first go to analyze a scan) has a new search! This is an early version of the search--some improvements in this and similar search dialogs will appear in the next release. We'll add more detailed documentation when that release gets pushed, but for now: pressing / will open and focus the search, Enter to apply, Escape to close.

Fixes

Empty and commands with no OSes are now fatal errors in our tooling, so users should never see a check with a command that mysteriously doesn't run.
CCI rater modal was showing the finding count as N/As. Now it shows the actual N/A count, like you'd expect.
Diff with previous check data has colors correctly set
Prevent wrapping of CCI numbers in control rater and benchmark IDs in benchmark browser
Client export when families exist works, closes #285
AA data with an inconclusive status will be migrated to not a finding (this was causing AA issues for some users)
More reliably force the settings page on the raters if not configured
Enabled proxy keepalives per Nginx recommendations
ADFS login redirect should work again
Scan comparison no longer throws an exception

Benchmark Changes

We no longer print the PP recommendations at the end of the output. This is a breaking change that will reset AA for items where PP recommendations were overridden. Because other AA changes are being implemented in this release, this should consolidate any additional workload to a single cycle.
Updated MS Office 365 to v2r4.
Populated commands for latest Cisco IOS, IOS XE and IOS XR Router RTR STIGs.
Added commands for latest Cisco NX-OS Switch RTR, NDM, and L2S.
Populated Cisco NX-OS Switch NDM v2r3 commands.
Added PP to Cisco NX-OS Switch NDM v2r3.
Added PP to Cisco NX-OS Switch NDM v2r3.
Added PP to Cisco NX-OS Switch RTR v2r1.
Added PP to Cisco IOS Switch NDM v2r3.
Added PP to Cisco IOS Router NDM v2r3.
Added PP to Cisco IOS XE Router NDM v2r3.
Added PP to Cisco IOS XE Switch L2S v2r2.
Added PP to Cisco IOS XE Switch NDM v2r2.
Added PP to Cisco IOS XR Router NDM v2r2.
RHEL 7 - Fixed broken post-processing on RHEL-07-010340
RHEL 8 - Command and Post Processing updates
SUSE 15 - PP and test cases
Updated VMWare VSphere 6.7 ESXi, vCenter, Virtual Machine STIGs, all v1r2.
Missing OSes fixed for RHEL 5, MacOS 11, SuSe zlinux, SLES 15, web policy, Ubuntu 20.04, and Windows 2008 r2 DC
Updated Windows 10 BitLocker Network Unlock configuration (WN10-00-000031) to be manual review.

v2022.02.2 (2022-02-17)

Major Features

SCAP scans can now be uploaded from Xylok's GUI. Process is the same as CKLs--see "Uploading to Xylok" documentation page for more details.

Features

Django form errors have styling added
Login virtually always takes you back to your original page now

Fixes

Individual findings spreadsheet can be produced again
Creating users via the admin interface no longer complains about a missing password
Worked around a regression in Podman 3.4
Client dashboard redirect has correct URL to cci rater
CKL exports with idential STIG IDs in a single CKL correctly match finding detail data to the check (before the same data would be replicated across matching STIG IDs)

Benchmark Changes

Another fix to rule IDs. Should help with the reliability of CKL's interoperability.
Marked Splunk 8.x v1r1 ready.
More tests and PP updates on Splunk 8.x.
Minor update on Splunk 7.x PP.
Old Windows Firewall removed
Cleaned up Network-Perimeter Layer 3 Switch v8r32.
Cleaned up Network-Firewall v8r25.
Updated Windows 10, WN10-SO-000280 to account for 24 hour times.
Updated IIS 10.0 Site v2r5.
Updated IIS 10.0 Server v2r5.
Updated IIS 8.5 Site v2r6.
Updated McAfee ENS 10.x v2r6.
Updated MS SQL Server 2014 Instance v2r2.
Updated MS SQL Server 2016 Database v2r3 & Instance v2r6.
Updated HBSS ePO 5.x v2r6.
Updated HBSS McAfee Agent v5r5
Updated MS Office System 2016 v2r2.
Updated McAfee VirusScan 8.8 Managed Client v6r1.
Updated McAfee VirusScan 8.8 Local Client v6r1.
Scraper: Updated benchmark vmw_vsphere_6-7_postgresql_stig, updated version v1r1
Scraper: Updated benchmark vmw_vsphere_6-7_esxi_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_eam_tomcat_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_perfcharts_tomcat_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_ui_tomcat_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_sts_tomcat_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_rhttpproxy_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_vcenter_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_photon_os_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_virtual_machine_stig, added version v1r2
Scraper: Updated benchmark vmw_vsphere_6-7_vami-lighttpd_stig, added version v1r2
Scraper: Updated benchmark cisco_ios-xe_router_rtr_stig, updated version v2r3
Scraper: Updated benchmark cisco_ios-xe_router_ndm_stig, updated version v2r3
Scraper: Updated benchmark windows_10_stig, updated version v2r3
Scraper: Updated benchmark microsoft_windows_2012_server_domain_name_system_stig, updated version v2r4
Scraper: Updated benchmark windows_firewall_with_advanced_security, updated version v2r1
Scraper: Updated benchmark general_purpose_operating_system, updated version v2r2
Scraper: Updated benchmark windows_2012_ms_stig, updated version v3r3
Scraper: Updated benchmark apache_server_2-4_unix_server_stig, updated version v2r3
Scraper: Updated benchmark windows_server_2019_stig, updated version v2r3
Scraper: Updated benchmark windows_2012_dc_stig, updated version v3r3
Scraper: Updated benchmark windows_firewall, updated version v1r7
Scraper: Updated benchmark windows_server_2016_stig, updated version v2r3
Scraper: Updated benchmark fs_nac_stig, updated version v1r3
Scraper: Updated benchmark u_can_ubuntu_18-04_stig, updated version v2r6
Scraper: Updated benchmark windows_paw_stig, updated version v2r1
Scraper: Updated benchmark active_directory_domain, updated version v3r1
Scraper: Added benchmark apple_macos_12_stig, added version v1r1

v2022.02.1 (2022-02-01)

Fixes

Importing Xylok archives correctly pins benchmark versions. This was preventing importing Xylok archives from actually importing assigned machine benchmarks.

v2022.01.2 (2022-01-31)

Major Features

CKL import has been improved and moved to the web interface, see updated docs under "Upload to Xylok" for more information.
- CKL import now ties data to CCI's if possible and will create commands on the fly as needed
- CKL import wizard allows client selection as well
- These improvements allow more flexibility in the benchmarks being imported. As long as the CKL matches an existing benchmark, even if Xylok does not have commands in place for it or it's not under your license, you can import CKL data and have it tie the the CCI rater and other reports.
POA&M header can be controled via new POA&M settings, allowing the system name and other specific details to be filled in during generation

Features

More improvements to the ACAS importing wizard
Cleaned up task monitor page, much clearer when jobs are in different states
Added backup-cleanup.sh script and supporting docs
Better detection for when raters need to be rebuilt, mitigating a common 500 error when clicking a rater row that has not been built yet. This does not eliminate the need to rebuild manually at this point--not all "rebuild-required" cases are detecteed.

Fixes

Check Rule IDs are correctly applied again--they had accidentally been located in the expert comments. The most significant issue with this was CKL exports, which would have invalid IDs.
Mobile menu fully working again
Handle 'choice' type questions the same as 'choices'
Try to be even more robust in our python search. Might still allow the Xylok manager to work even if Python is not in the PATH.
During benchmark imports, don't try to correct RTM settings which don't exist
Django messages are now correctly displayed on all pages
User email password reset flow working
Upload API via token is working again
User password changes no longer kick to the Django admin style view
No longer display password reset link when email isn't configured.
User's passwords can be directly fixed in the user admin page
Task monitor always switches priority to newest created window, making it more likely it initiates downloads in the user's active window
No longer show rebuild jobs in the task monitor, led to confusing double entries when importing scans and the scan comparison job also appeared
Fixed a bug which would prevent POA&M from being built when underlying benchmark data was tombstoned

Benchmark Changes

Updated MS Edge PP
Updated MS Edge benchmark question
Updates to MS Edge STIG v1r4.
Update and marked Google Chrome v2r5 ready.
RHEL 8 PP syntax errors fixed in RHEL-08-010050 and RHEL-08-010070
Fixed RHEL-06-000315, now displays raw output
Cisco Firewall fix for NET0820
Updated MS Outlook 2016 v2r2, and removed duplicative try/excepts.
Added additional examples for Cisco IOS Switch L2S tests
Updated more Cisco IOS Switch L2S PP
Updated Cisco IOS Switch L2S PP
RHEL 7 RHEL-07-021350 - Changed Post Processing to check for a str value of 1 instead of int value
Post Processing Updates: SLES-15-010030 SLES-15-010180 SLES-15-010430
Commands populated for Cisco IOS Switch RTR STIG v2r1.

v2022.01.1 (2022-01-13)

Major Features

Nessus result importing is now supported, see "Uploading to Xylok" in the updated documentation. Please report any issues you find to support@xylok.io!

Features

PP processor now makes an internal note when an exception is caught--the goal is to make this a searchable attribute during analysis.
When loading the installation license, add benchmarks which have changed IDs to the license as well.
When benchmarks are merged, we now migrate existing assignments of the old benchmark to the new ID. Between this and the previous change, customers with the "old" ID on their license don't need to take any action to jump to the updated benchmark from DISA.

Fixes

Small fix to PSQL runner to prevent errors outputting the command in the result file. Should have no notable affect on results
Reduce error messages in logs when MX process isn't able to clean a directory. No notable impact on operation
Newly created clients are now automatically selected as the current client, closes #263
Use shell entrypoint for health check to ensure environment is configured correctly, closes #264
Increase healthcheck time to allow full ready check to work more reliably
When building releases, we always use the same-tagged version of the benchmark repo for a more reproducible build.
Database restore script works again
Navigating between scan items from analysis page now saves changes correctly
Fixed hotkeys and character escaping in analysis view
Prevent systemctl status from hanging at the end of the installer if the window is small
Removed "inconclusive" status from findings/compliance choices. Migrated any "inconclusive" status in DB to "compliant"

Benchmark Changes

First pass commands done CISCO IOS XE r3 NDM
Merged 3 MS SQL Server 2012 Instance STIGs into ms_sql_server_2012_stig.
Merged and Updated Mozilla Firefox v6r1.
Marked MS OneDrive v2r2 ready.
Merged Microsoft OneDrive for Business 2016 to Microsoft OneDrive v2r2.
SLES 15 first pass commands in place
Merge Windows Firewall benchmark to v2r1 (No changes in actual benchmark)
HBSS ePO 5.x v2r5
McAfee ENS 10.x v2r5
Windows 2012 Server DNS v2r4
HBSS McAfee Agent v5r4
HBSS Agent Handler v2r2
HBSS Remote Console v5r1
HBSS Rogue Sensor v5r1
Windows PAW v2r1
Active Directory Domain v3r1
Windows Server 2012 DC v3r3
Windows Server 2012 MS v3r3.
Windows Server 2016 v2r3
Windows Server 2019 v2r3
Fixed conflicting Win Defender command ID
Microsoft Windows Defender Antivirus STIG v2r3.
Windows 10 STIG v2r3.
Tweaked MS Dot Net Framework question collection for cmd.
Microsoft Windows 2008 Server Domain Name System STIG v1r8.
RHEL 8 Commands Complete
PostgreSQL 9 fixes
Apache 2.4 UNIX site/server commands

v2021.12.2 (2021-12-10)

Features

Added SUSE 15 to OS list
Added "View Admin Page" option on scans, machines, locations, and clients for staff users
Selected client is no longer tracked in the database. This allows you to use different browsers or incognito mode to work with multiple clients at the same time
Scan comparison now works across clients. Fixed bugs when working with multiple clients at the same time

Fixes

Work more reliably when multiple windows are open and the user attempts to select different clients. Previously we relied on the selected client when editing families, machines, and locations, which led to bugs when editing items not in the currently selected client.
Fixed database admin page selects
Removed editing previous scan from admin (with many scans, that field has the potential to prevent the page from loading)
Prevent code with breakpoints from deploying
Slightly better recovery when parsing an exception from a background job fails
Handle the menu correctly when the user is logged in but does not have a client selected

Benchmark Changes

RHEL 8 Commands Complete

v2021.12.1 (2021-12-07)

Major Features

The Xylok API is now officially supported. Detailed documentation is available under the user menu->API Documentation and high-level docs and use cases can be found under the Automation header of the Xylok docs. The initial use case of this automating scaning and analyzing a machine. Supported API endpoints include:
- Searching for a machine
- Fetching machine script
- Uploading results
- Copying interview answers
- Running Automatic Analysis
- Monitoring the status of background tasks
You can now drop files on the sidebar, making uploading results easy no matter where you are in Xylok. Multiple files can be uploaded at a time and you will be blocked from navigating away while the uploads are in progress.
Sidebar now holds a small task monitor, allowing it to track background tasks and download generated files without having to stay on a specific page.

Features

Single scans can now be exported as CKLs
When benchmarks are removed from machines/locations, the client will have the pinned benchmarks removed
Machine list is now sortable
Hitting '/' (slash) to select search box now works on benchmark, machine, and scan lists
We now display the benchmark ID as a column in the backmark listing (rather than the short title) and provide an easy copy button
Navigation now correctly resets to a valid state if the open menu is no longer valid (ie, when you log out)
Single-task monitor page nicely shows stracktrace, better parsing of exceptions
Re-worked single task monitor page to use task monitoring API
Virtually all jobs receive a description when starting now, plus all jobs have a reasonable timeout now
Navigation menu now allows navigating between section menus without page reloading
Task displays are now limited to the initiating user
Include container memory infomration in container log output
Include container processes in container log output
Include mx process logs in logs command

Fixes

Correctly hide FOUO STIGs from unauthenticated users (thanks to the user who caught that!)
Don't error out when serializing job with no result
Moved to using Alpine to handle row clicks in benchmark browser, preventing history weirdness with HTMX
Complete export includes ratings. Because ratings depend on scans, the option to download them separately has been removed for now--if you need this feature, contact support
Allow for nulls in RTM verification dates in export
If XYLOK_DATA setting has a ~ in it, don't accidentally create a ~ directory (expand it correctly to the user's home)
RTM validation date is now the date of the last rebuild. RTM verification date is the date of the last physical 'reviewed' click on the control or the last scan data for technical data
Removed redundant reports from reports menu found in respective raters
RTM includes checks from benchmarks assigned to machines, even if there are no scans
Fixed deprecation warning from my_init
Modified UI elements, fixed comment box typing/saving
Removed deprecation warning about 'GROUP_CLAIM' when using ADFS authentication
Correctly return default value when getting archive settings that don't exist
RTM now works when there are no scans in client

Benchmark Changes

Updated McAfee Application Control 7.x STIG v1r6.
Updated Splunk Enterprise 7.x for Windows STIG v2r3 and marked ready.
Added PP for Splunk Enterprise 7 STIG v2r3.

v2021.11.2 (2021-11-23)

Features

There is a new import/export format for Xylok. The new SQLite-based format demands less memory and will work on a wider range of systems. There's also more room for optimization, potentially allowing for quick importing/exporting in the future. Features of the new format include:
- Scans, client data, and CCI/Control/Tech/POAM/RTM ratings
- Dependent benchmarks for scans--now an export from one system includes everything needed to work on a different system, even potentially outdated/removed commands
- SQLite3-based, which allows for easier searching and manipulation than the previous format. If needed, the sqlite3 CLI client is included in the Xylok container image.
- Greatly reduced memory usage
- In the future, we plan to include AA data and allow for selective importing of parts of the archive.
Spreadsheet versions of the various raters (CCI, control, tech) area all exportable directly from the rater page, reducing navigation
Uploads and downloads now persist to temporary storage on-disk, rather than being retained fully in memory. This should reduce issues on lower-memory systems where imports could not be completed because of out-of-memory process termination. A maintenance process has been added to help clean temporary files over time.
A new task-montioring page has been created, allowing you to view all background processes in the same location.
Multiple files can now be selected during upload

Fixes

Allow boolean questions to work
Fixed documentation on importing SCAP/CKL results.

Benchmark Changes

Started Splunk Enterprise for Windows v2r3.
Updated Windows Server 2008 MS STIG v6r46.
RHEL 6 - Additional commands and corrected Post Processing errors
Finalized IE9 STIG v1r15.
Finalized IE8 STIG v1r20.
Finalized IE 7 STIG v4r20.
Finalized IE 6 STIG v4r11.
Added remaining RHEL 8 Checks missing commands
RHEL 8 - Adding missing commands
Added PP to some Cisco ASA Firewall STIG v1r1 checks.
Updated Windows 7 - WINUR-000032 to allow for capitalization variations of the 'Auditors' group.
Updated VMWare vSphere 6.5 ESXi STIG v2r3.

v2021.11.1 (2021-11-07)

Major Changes

This release comes with a major rewrite of the Xylok user interface. Please give us feedback at support@xylok.io if you run into any issues or have requests! The documentation has been updated to reflect the new look. Other than looking completely different, some notable features of the new UI include:
- The UI menu has been broken down into "sections," reflecting the actions you're most likely to be working on at a given time. I.E., when doing assessments the scan list, raters, and importing are all easily accessible.
- Keyboard-driven workflow for scan analysis. Hover over the "?" at the top of the analysis display to see a list of the keyboard shortcuts.
- The output display for the analysis page can now expand to full screen, for those especially big outputs.
- Far more items have smooth searching now, with results appearing as you type
Documentation now has a section on the workflow for the Assessment Rater displays, covering the CCI Rater, Control Rater, Technical Rater, and POA&M Manager. As we encourage more organizations to use these integrated tools, we're hoping to build out even more reporting around them. If you have requests or ideas, let us know.
The Raters now generally have a "Reviewed" date, allowing them to be more easily updated over time. No changes since the last time you looked at a CCI? Just mark it "reviewed" so you know it's still accurate!
Breaking: The run subcommand from the xylok manager, because it caused permissions issues. To compenstate, we now create a new /_passthrough mount for Xylok, intended for transfering files in and out of the container. The host location of this mount can be found by running ./xylok pt ext. The Command Line Utilties->Working with Containers sections of the documentation has more details on this.

Features

Added a search to copy answers page, added a link to view all related items from CCI Modal
We've re-introduced the Technical Rater, formerly called the "FARR". This is intended to provide an interface for rating items on a strictly technical level, outside the CCI Rater. May help with prioritization of fixes.
Clicking the command link when analyzing opens the command in a new tab with a nice plain-text view
Added CLI tool to merge two CCI rating sets
Display background request errors consistently, letting the user know when an error occured.
Search builder in raters now include filtering for reviewed/updated date range and clear form button
We now have automated testing around both clean and upgrade installs on every release for on Ubuntu 21.04, CentOS 7 using Docker 1, CentOS 7 using modern Docker, and CentOS 8 using Podman.
Container health checks also confirm the background workers are responding.
Most of the system configuration checking has been moved to xylok-manager, allowing it to be re-run on the host as needed (rather than requiring the installer)
Greatly reduced installer size
Numerous library upgrades, including Python 3.9 and Django 3.2.
Added the ability to see recent server logs from the web by going to the user menu->Server Logs. User must be marked as "staff" in the Django database admin.

Fixes

No longer error out when importing a ZIP file
Benchmark details check table now sorts by stig id by default
Properly run backup of database during install
Scan comparison family was using name instead of pk, causing it to not load the correct scans when clicking in from an external link.
Correctly update pagination when searching in raters
Added back in bulk delete scan warning page
The 'unmarked' filter should now show 'needs human review' items
Added support for detecting prompt for HP devices (surroundeded by [])
Scan comparison URL includes client information, allowing it to work even if a different client was selected by user
Correctly apply PP when multiple items recommend the same thing
Don't accidentally create '~' folders in Xylok Manager
Nulls are now stripped from PP output, preventing broken PP scripts from causing issues in processing other checks.

Benchmark Changes

RHEL 6 STIG Added missing commands for v2r2. PP fixes on several checks.
RHEL 8 STIG Adding missing commands to checks in v1r4
RHEL 7 - Updated for new release v3r5 - Fixes for commands and post processing
RHEL 7:
- RHEL-07-021340 - Added Post Processing
- RHEL-07-040180 - Changed command and added Post Processing
- RHEL-07-040190 - Changed command and added Post Processing
- RHEL-07-040200 - Changed command and added Post Processing
- RHEL-07-040520 - Added Post Processing
- RHEL-07-010270 - Changed command and fixed Post Processing
- RHEL-07-010480 - Modified Post Processing to handle RHEL versions better
- RHEL-07-010482 - Added Post Processing with recommendation
- RHEL-07-010483 - Added Post Processing with recommendation
- RHEL-07-910055 - Changed command and added Post Processing
- RHEL-07-020210 - Added Post Processing with recommendation
- RHEL-07-010119 - Removed hard coded 5 for retry in Post Processing
- RHEL-07-021031 - Changed the 'ls' command to a 'stat' command and it no longer returns a line if no results are found
- RHEL-07-010310 - Corrected the recommendation to compliant when the correct value of '0' exists in Post Processing
- RHEL-07-040170 - Modified command and Post Processing
- RHEL-07-040710 - Changed the compliant value to 'no' in Post Processing
- Marked RHEL 7 v3r4 ready, added remaining command
Updated MS SQL Server 2016 Database STIG v2r2 and MS SQL Server 2016 Instance STIG v2r5.
Updated IIS 10 Server STIG v2r4 and IIS 10 Site STIG v2r4.
Updated IIS 8.5 Server STIG v2r3 and IIS 8.5 Site STIG v2r4.
Updated VMware vSphere 6.5 Virtual Machine STIG v2r1.
Updated IE 11 STIG v2r1.
Updated Microsoft Edge STIG v1r3.
Populated Microsoft Office 365 ProPlus STIG v2r3 with commands and postprocessing, and expert comments for DISA mistakes.
More minor updates to Windows 10, Windows Server 2016 and 2019 STIGs.
Updated firewall rule checks in Microsoft Windows 2012 Server DNS STIG.
Updated Windows Server 2016/2019 check for 'create symbolic links' regarding Hyper-V role.
Minor updates to Windows 10, Server 2016, Server 2019 STIGs (v2r2).
Updated Windows Server 2019 STIG v2r2 and Windows Server 2016 STIG v2r2.
Added 'looking for' statements for all the basic Cisco L2S PP
Corrected runner for ASA commands
Added basic PP (no recommendations) to more of the Cisco IOS l2s STIG
Added Cisco ASA commands to ASA FW STIG
Added HP Comm commands to Layer 2 Switch SRG
Updated Windows Server 2016 STIG v2r2.
Updated Windows 10 STIG v2r2, including user-identified issues (Thanks!).
Updated Internet Explorer 11 STIG v1r19, including user-identified issues (Thanks!).

v2021.09.2 (2021-09-16)

Features

Installer should be more robust now, handling various edge cases more appropriately and be more adept at recovering from failed partial installs. In addition, there are some settings it will now check during installation and warn the user to correct.
File imports are sorted, making it a bit easier to tell progress
Cancelling following xylok logs no longer throws a keyboard interrupt error.
Podman logic has seen more improvements.
Removed start.sh and stop.sh scripts. With the move to systemd as the control scheme, using the appropriate systemctl start/stop commands is more appropriate.
Better management of benchmarks by allowing verisons and checks to be tombstoned (benchmarks and commands already could be). This helps manage major STIG changes over time and prevents visual build up of old STIG data

Fixes

No longer display tombstoned benchmarks on benchmark listings
Correctly import from deeply-nested directory structures
If a benchmark has no ready versions, during import we now force the latest version to be ready. This avoids weird behavior around brand new benchmarks.
Forced benchmarks to re-import to ensure tombstoning is properly applied
During setup, all xylok manager calls are made using 'bash' to avoid noexec issues on tmp partitions
Handle JSON decode errors in the Xylok Manager correctly on Python 2
Create xylok data and logs folders before settings permissions
Benchmark coverage page loads correctly, rather than trying to find a benchmark with the id 'coverage'

Benchmark Changes

Combined VPN benchmarks
Combined traditional security benchmarks
Combined router SRG benchmarks
Combined IE8 benchmarks
Combined IE9 benchmarks
Combined general purpose OS benchmarks
Combined SQL Server 9 benchmarks
Combined Database Generic SRGs
Combined OSX 10.15 benchmarks
Combined Voice and Video Endpoint SRGs
Combined RHEL 8 STIGs
Updates to Oracle DB 11.2g STIG v2r1.
Marked Oracle DB 11.2g v2r1 as ready for customers
Populated Cisco IOS XE Switch L2S STIG v2r1.
Updated Cisco IOS Switch L2S STIG v2r2.
Oracle Database 11.2g STIGs combined
Updated Windows 10 commands and PP.
Updated Mozilla Firefox STIG v5r2.
Adding Red Hat 8 Commands
Updated MS SQL Server 2014 Instance STIG v2r1.
Updated MS Windows 2012 Server Domain Name System STIG v2r3.
Updated VMWare vSphere 6.5 ESXi STIG v2r2.
Updated VMWare vSphere 6.5 vCenter Server for Windows STIG v2r2.
Updated MS SQL Server 2016 Instance STIG v2r4.
Updated Adobe Acrobat Pro DC Continuous STIG v2r1.
Updated Microsoft IIS 8.5 Site STIG v2r3.
Update Microsoft Office System 2016 STIG v2r1.
Updated Microsoft IIS 10.0 Server STIG v2r3.
Updated Microsoft IIS 10.0 Site STIG v2r3.
Updated Google Chrome STIG v2r4.
Updated MS Edge STIG v1r2.

v2021.09.1 (2021-09-02)

Major Features

Xylok now runs as a non-root user on all installations. To facilitate this, the following things will occur during installation and/or upgrade:
- A xylok user and group will be created on the host if it does not exist. This user will be given a home directory (necessary for execution of the container under Podman), but should be created with a system-level UID.
- Xylok data files (/var/lib/xylok, /var/log/xylok, /opt/xylok) and configuration files (/etc/xylok.conf) will have their owner changed to xylok
- If a non-Xylok user should have access to the Xylok data, they can be added to the xylok group. Most files, except for Postgres database files, allow group access.
- When starting, the Xylok Manager will also work to ensure files are owned by the correct user. If you encounter permissions errors, please contact Xylok support (support@xylok.io).
Xylok now uses systemd to manage on-boot execution for all installations, rather than relying on Docker's restart=always. The xylok unit will be installed during the upgrade. From then on, the systemd unit xylok can be used for status, starting, and stopping. On Docker systems, there is a dependency on docker starting.

Features

Updated help docs to reflect new security information
Removed Redis AOF log, making startup faster. We don't need the solid persistent anyway, it's only for caching and session data.
Logs command supports specifying components, if you only need to tail certain processes. IE, /opt/xylok/xylok logs -f worker

Fixes

Benchmark import correctly removes old version of checks from versions
Rating importing no longer resets update dates, which occasionally led to the wrong data being displayed as 'current'
Corrected POA&M rebuilding and generation from reports menu
When saving on the various raters, return the correct page of the results still. In addition, don't give a 404 on an empty page--just return the last page
As a safety measure, during an install individually request each old component shut down
Ensure Postgres always terminates connections, rather than waiting for clients to DC
Correctly update cci compliance status when copying in modal
Resolved a CSRF issue when using non-standard ports for hosting
If there are no permissions to create proxy certs, put in tmp directory
Don't exit when files are links and/or removed during permissions settings
Set root data/logs directories with correct permissions, in addition to core mount points
Dynamically generate self-signed certificates during boot. This fixes and issue when using non-root UID/GIDs for Xylok, which led to Nginx not being able to acces the snakeoil certs.

Benchmark Changes

Adding RHEL 8 commands
Numerous benchmarks imported thanks to the quarerly release.
Added 24hr time parsing/examples Win Svr 2019 (Thanks Thomas)
Added 24hr time parsing/examples Win Svr 2016
Fixed issue with WDNS-SC-000010 not showing 2012 command in Windows 2012 DNS STIG v2r2.
Marked indos 2012 DNS v2r2 ready.
Updated SSHD config checks
Initial commit on apple_macos_11_stig

v2021.08.1 (2021-08-08)

Major Features

Nginx (v1.20 currently) has replaced Caddy as the reverse proxy. This has a few benefits:
- Static files (CSS, Javascript) will be served more quickly.
- All content is Gzip, helping any installations with slower networks.
- Fewer compatiblity issues during upgrades, which should help with the previous fixed-SSL certificate reliability issues.
- A more robust Content Server Policy has been put in place, following best practices where possible.
The move to a single container for all Xylok processes made logging more challenging. This has been resolved, with physical logs being generated at /var/log/xylok/ for each internal component.
- The /opt/xylok/xylok logs sub command has been updated to reflect this change. By default, a ZIP file with the last 5000 lines of each log will be generated, plus some settings (passwords/secrets are excluded) and the docker container logs.
- The logs command also has a -f flag, which tails all component logs and allows for nice real-time debugging of any issues.

Features

Container read-only setting can now be set via environment variable.
Include CSP nonce for scripts where possible. CSP nonce values are regenerated on every build.
Development images are now also read-only, hopefully avoiding issues moving to production.
Nginx can now be put into maintenance mode, where no traffic is sent to Xylok.
Xylok Manager settings subcommand now shows default settings. This will allow us to more easily consolidate the documentation for all settings into the Xylok command, rather than just seperate docs.
Removed nodejs from final production image, reducing size slightly.

Fixes

Don't include a DB version script in utils, just do it directly in setup.sh. Correted DB version retrieval.
If a DB upgrade occurs, don't fail out when it returns non-0 due to normal warnings.
Strip docker log output to avoid blank lines at end.

Benchmark Changes

Marked Windows 2012 DNS v2r2 ready.
Fixed issue with WDNS-SC-000010 not showing 2012 command in Windows 2012 DNS STIG v2r2.

v2021.07.2 (2021-07-30)

Fixes

Corrected proxy config to work with internal and external certs by splitting configs
Corrected README instructions for creating an fixed certificate

Benchmark Changes

Updated IIS Server 8.5/10 checks IISW-SV-000130/IIST-SV-000130 to limit search to local drives.

v2021.07.1 (2021-07-23)

REMOVED: The FARR has been removed in favor of using the CCI Rater and/or POA&M Rater. If your organization utilitizes the FARR, please contact support@xylok.io.

Features

Re-wrote client control page to be server-side rendered. After initial build, display should be vastly faster
Client control coverage is now computed in the background and cached for 10 minutes
Aadded more robustness to Task Monitor exception parsing
POA&M, CCI, and Control raters are now rendered on the server side. This should greatly increase the loading of certain aspects, like related data.
Small redesign of Client/Location/Machine details pages
All machines list is now searchable by machine name/short name/location/OS/family
Scan list and location scans list are now searchable

Fixes

No longer default Django DEBUG to on
Remove OOB for machine list search (fixes JS console error)
When a client's controls are not found in cache, still return user to correct page after build
Searching for just a number in the CCI rater now works as you'd expect. IE, just typing "366" correctly returns just CCI-000366.
Corrected how saving history works during a rebuild
Corrected Xylok Manager to work with Python 2 again
Show Benchmark check IDs in benchmark detail print view

Benchmark Changes

Added time limits to PP code
Populated IIS 8.5 Server and Site STIGs v2r2 after constant pressure and bullying from the work list.
Added another SID to Windows User translation PP util.
Added HPCom OS cmds to Infrastructure L3 Switch STIG v8r29.
Updated Cisco IOS Switch L2S STIG v2r1.
Added 4 well known SIDs to Windows User translation PP utility.
Updated APPNET0066 PP of PS command in Dot Net Framework STIG v2r1 to correct bad regex issue.
Updated MS Windows Server 2012 DC/MS STIGs v3r2.
Updated MS Windows Server 2016 v2r2.
Updated Windows 10 STIG v2r2.
Updated Windows Server 2019 STIG v2r2.
Updated Windows Defender AV STIG v2r2.
Added Windows Server 2019 support to OS Baseline
Solaris 11 command updates
Added basic support for Dell switches to Layer 2 Switch SRG
Scraper: Added benchmark zebra_android_10_cobo_stig, added version v1r1
Scraper: Added benchmark zebra_android_10_cope_stig, added version v1r1
Scraper: Added benchmark tm_tippingpoint_ndm_stig, added version v1r1
Scraper: Added benchmark tm_tippingpoint_idps_stig, added version v1r1
Scraper: Updated benchmark samsung_sds_emm_stig, added version v1r2
Scraper: Added benchmark ms_scom_stig, added version v1r1
Scraper: Updated benchmark layer_2_switch_srg, added version v2r1
Scraper: Updated benchmark juniper_router_rtr_stig, updated version v2r2
Scraper: Updated benchmark windows_server_2019_stig, added version v2r2
Scraper: Updated benchmark windows_server_2016_stig, added version v2r2
Scraper: Updated benchmark windows_defender_antivirus, added version v2r2
Scraper: Updated benchmark windows_2012_ms_stig, added version v3r2
Scraper: Updated benchmark windows_2012_dc_stig, added version v3r2
Scraper: Updated benchmark windows_10_stig, added version v2r2

v2021.06.2 (2021-06-16)

Fixes

Only mount /etc/passwd when using Docker and a custom UID/GID, Podman nicely creates the container user for us.
Corrected Xylok Manager to work with Python 2 again

v2021.06.1 (2021-06-15)

Major Features

All Xylok components now run inside a single container. This simplifies supporting both Docker and Podman. In addition, it has allowed for more robust process supversion to be put in place, ensuring failing components restart automatically. The impact on user installations should be minimal. The only caveat to this is the renaming of CPU/memory limit settings. See https://www.notion.so/xylok/Security-91146958a092412696696eee2d665260

Features

Duplicate scan errors are much prettier
Make Posix scripts world-readable at the completion of the script, rather than making requiring the end user to fix it
Error pages are correctly styled and display friendlier error messages. For logged-in users, the stacktrace will be displayed for easier debugging (hidden for anonymous users).
Sidebar now sticks in the same place when scrolling
Default to showing more lines in output during analysis
Commands now have a "Show full command" link at the end of the truncated one of the command is too long to fit on the page. Also has a "collapse command" option once it's expanded

Fixes

Powershell collection script now shows output location at end of script
Ensure comments and finding details do not contain invalid characters for XML
Downloads on the task page should correctly continue to refresh
Corrected error display for errors with a ':' in them
Downloads which complete before the task monitor page loads should still download properly
Show a nicer download link in case downloads do not start automatically.
Increased ready check retry count to 120
DB and Redis ready now gets checked for all commands--and the DB check works even if the DB isn't configured yet
Remove old docker-compose files from existing installations
Allow non-root UIDs to work with matplotlib
Remove unneeded Python libs for production installs

Benchmark Changes

Added basic support for Dell switches to Layer 2 Switch SRG

v2021.05.2 (2021-05-20)

Fixes

Fixed Python 2 compatibility during installation and added testing to check against all supported versions of Python

Benchmark Changes

Corrected scraped benchmarks which lacked check contents.

v2021.05.1 (2021-05-17)

Features

Task monitor page has been rewritten to report errors more nicely
Several pages should load more quickly and reliably, with less network traffic (rendering has been moved server side)
Added search and paging to client listing page

Fixes

Small fixes to systemd unit file. There may still be an issue with RHEL 7 and Podman 3.
When booting, Xylok components will attempt to wait for the database and redis to be fully ready
Added redis to DB start script, since both those backend services might be needed independently of the scanner.
Don't eat user messages on task waiting page
Note that podman 2 mode also covers podman 3
Scan comparison fixed
Corrected issue with check links in analysis items
Cleaned up several unused JS files

Benchmark Changes

All PP now notifies that it completed successfully
Updated PP for RHEL and windows machines to collect data needed for PPSM.
Commands/PP added for VMWare vSphere 6.7 ESXi, Virtual Machine, and vCenter STIGs. All v1r1.
New commands for Solaris 11x86
Updated MS Office System 2013 v2r1.
Updated MS SQL Server 2016 Instance v2r3.
Update MS Windows DNS 2012 v2r2.
Updated Google Chrome v2r3
Updated McAfee VirusScan Enterprise 8.8 Local (v5 r16) and Managed (v5 r21) to combine commands & PP.
Updates for IIS 10 Site & Server STIGs v2r2.
Commands/PP populated for IIS 10 Server & Site STIGs, both v2r1.

v2021.04.1 (2021-04-21)

Major Features

Always add Xylok OS Baseline to scans. This fixes the requirement from the previous update that all users must manually add the OS Baseline to their machines to activate the automatic data import. As a part of this:
- All licenses and installers get xylok_os_baseline bundled in. To see the new benchmark, you may need to update the license in Xylok. If you have any issues, please contact Xylok support.
A PPSM in two formats can be generated using port information gathered by the Xylok OS Baseline. The new report is available under Reports -> Ports, Protocols, and Services Matrix. The data will start being populated the next time a scan is performed. If you need a PPSM in a different format, please contact support@xylok.io
CKL import will now automatically add IP/MAC addresses and host name if they are in the scan.
Users will now be notified if the OS they have entered for their machine does not match the OS found in the baseline scan. (Windows and RHEL only so far)

Fixes

Xylok will now correctly start automatically on system boot.
CKL exports will now more reliably include all available check data. Previously, CKLs might ignore some data if the data was from an older version of a check, but this created issues with transitions between benchmark releases.
Correctly mark no-longer present versions of benchmarks as 'not ready'
Fixed machine info alerting when the new value is empty.

v2021.03.2 (2021-04-01)

Quick-turn release to fix two issues.

Fixes

Cleaned up migration missing warning
Corrected scan multi-item edit and filter

v2021.03.1 (2021-03-26)

Major Features

Added an automated "Machine Benchmark Status Report" under the Reports tab. This will generate a spreadsheet that shows the Stig Viewer score and Xylok score, separated for each benchmark, for every machine under a client.
When importing a scan or running Post Processing, machine info can be automatically updated. If new information conflicts with old information, user can choose which to keep, or to ignore future suggestions. Can also undo ignoring suggestions. More QOL to follow.
- To activate this feature, assign the Xylok OS Baseline to all machines you'd like to track
- Currently, supported OSes include:
  - Windows 7
  - Windows Server 2012
  - Windows 10
  - Windows 8
  - Windows Server 2008
  - Windows Vista
  - Windows XP
  - Windows Server 2016
  - RHEL 5-8
- Let us know if you encounter any issues or have any particular OSes you'd like support added for.
Added package to log all Javascript errors and exceptions to the main logs, allowing for end-to-end debugging if support is needed.
users can now use ./xylok logs to save a report of all the container logs.

Other Features

Left/right buttons will no longer disappear when changing a scan items status
Matplotlib will load quicker
If a user changes a machine's location, the machine's scans will relocate to the new location as well
Users will now be notified if a scan's location does not match the machine's location from the scan details page.

Fixes

Support Docker 1.26 for healthchecks
Recent location scans were adding duplicate of most recent scan rather than location scans with no machine (as intended).
Location scan list was only displaying most recent scans, causing unexpected results. Location and Scan list now default to show all scans, and can also show most recent if desired.

v2021.02.3 (2021-02-24)

Major Features

Xylok can now be hardened to more accurately match the Docker Enterprise STIG. See the "Security" page of the new version of the manual for more details, but included features include:
- Health checks for all containers (always on)
- Container restart policy (configurable)
- Bind interface (configurable)
- Enabled "no-new-privileges" security option (always on)
- Components can run as non-root users inside containers (must be configured, see security guide)
- Containers run with read-only filesystems (always on)
- CPU and memory limits (configurable)
There is now a "logs" subcommand for xylok-manager.py, which fetches all the container logs with a single command. This should help with debugging issues on customer installs.

Other Features

Log Django requests and exceptions at a more detailed level, which will allow those details to be included in the container logs.
We no longer prompt about upgrading benchmarks. Use the "--no-benchmarks" flag if skipping the upgraded benchmarks is needed.

v2021.02.2 (2021-02-17)

Major Features

Active Directory sign in is available for users who want to log in using Windows Server or Microsoft Azure:
- NOTE: Please reference the updated documentation for details on how to implement this feature for your system.
Scan details page has an option to filter items by "interview", showing only items that have interview question to answer.
Scan Details page shows a progress bar to show how many items are reminaing for that scan (unreviewed/needs manual review).

Other Features

Users can specify AD_CHECK_CA (True/False) to either bypass the Active Directory certificate check or have Xylok use their certificate file.
Users can login using the form method when AD sign in is enabled.

v2021.02.1 (2021-02-04)

Major Features

Scan analysis pages now hides the less pretty version of the Xylok recommendations and instead have a more obvious way to apply those recommendations.
There's now options for managing automatic analysis (AA) data, the markings Xylok uses to match up old compliance information with new data when you import scans:
- AA data can now be copied over to a new or existing family
- Users can now use a scan as a 'baseline' for AA for a machine family, essentially updating all the AA items to use the findings from that scan
- Admin page now has a filter to show AA items by family, enabling deletion of AA data for families. AA data copy to new family now copies check command sets correctly.
- From admin page, can filter (and therefore delete) AA items by benchmark as well now.

Other Features

STIG titles no longer have to be unique, allowing for easier migration when forced by DISA
Controls page now shows filtering options by control groups in navigation pane. Hovering a control group abbreviation in the sidebar will show the full group name.
Added a navigation pane for more pages.
Benchmark questions can now have more strict structure. Existing answers are unchanged, but this will allow Xylok to enforce better answers going forward.
Allow commands to be ordered within a runner.

Fixes

New users can successfully switch/select clients
POA&M no longer includes N/A rows
SCAP import handles duplicate STIG titles more correctly
If there is no data in the installer, don't attempt to load it. As a consquence, we can now allow the installer to bail if importing data does fail.
No longer show Matplotlib debugging output

v2021.01.1 (2021-01-04)

Other features

PP recommendation functions can now take both an issue list and a header for that list

Fixes

Clients with fully completed task lists wwill no longer redirect to the login screen.

v2020.12.1 (2020-12-30)

Major Features

Export/import of client control ratings updated to include all date information and POA&M status
Users can now import CKL data into Xylok
A "new client checklist" will now appear when a new client is created. If you've used Xylok before, go to the checklist and hit "Mark All Complete."
Poam rater can now have multiple items edited at a time.
Multiple edit for scan details page, allowing quickly changing status and comment of multiple analysis items.

Other Features

Store alternate benchmark IDs in database, allowing migration over time when DISA changes benchmarks.
Allow commands to be ordered within a runner. From a user's perspective, this should result in more consistent analysis displays.
Added instructions for gaining privileged access on switches and logging using SSH
New versions of benchmarks no longer default to customer ready. This should allow Xylok to wait to release new versions until commands have been added for new benchmarks.

Fixes

Xylok manager now correctly determines relative path to files, fixing some CLI usage issues.
Interview OS devices (ie, printers) now correctly skip producing an actual script. This mostly caused confusion because printers would have a generated script.
Fixed a bug where NewClientChecklist was initializing incorrectly.
Correct customer databases to merge various duplicate/renamed benchmarks. Notable among these are Firefox and the voice and video services STIGs
Control rater was not allowing controls to become compliant again thanks to old CCI rating data. That's fixed now, only the most recent CCI ratings will be used
Client Dashboard and New Client checklist no longer return error with no Client or if CCI's haven't been built.
CKL import should more reliably find matching benchmarks
Fixed benign error message near end of installer output

v2020.10.1 (2020-10-22)

Major features

Users can now import SCAP results into Xylok
A client's POA&M can now be managed directly within Xylok, allowing dates and comments to be tracked. Changes are timestampted in the database, laying the groundwork for reviewing changes over time. The generated POA&M Template will integrate any changes made on this POA&M manager.
CCI and Control raters store changes over time, allowing for review of changes over time.
An integrated Client Dashboard is now available under the Clients menu. This dashboard includes configurable graphs to show changes over time.
Benchmark editing is now performed outside the main Xylok Scanner web interface. Benchmarks are tracked in an external repository to allow for more flexibility in tooling and testing. A plan will be developed to transition organizations that currently edit benchmarks internally to the new tools.

Other Features

Added filter for "needs manual review" on the scan details page. Added new icon for "needs manual review".
Xylok manager will return return code from commands run via exec
Podman 2 rootless mode is now more fully supported.
Old benchmarks can now be more cleanly hidden from view, but still exist for purposes of old scans.
During install, perform cleanup of old Xylok images based on image tag. This removes the need for an all-or-nothing image prune call. As a consequence, upgrades will no longer prompt for confirmation.
Benchmarks are tracked by a Git commit ID, allowing upgrades to complete more quickly if a given benchmark hasn't been updated.
Moved to HTML based help documentation.
Xylok default users are no longer bundled into installs.
Redis will persist its database across upgrades, allowing users to stay logged in
Ability to enable/disable using 'unready' versions of benchmarks. Defaults to disabled.
Added benchmarks and admin user CLI flags to installer
Added support for .tar.gz, .tar.bz2, and .tar.lzma files in import
Simple page to grab authentication token for use with external tools using the Xylok API.

Bug fixes

Detect Podman version 2 correctly
Detect even more odd builds of Docker
Default to debug off for local installs
Importing a client from JSON correctly saves RMF overlays.
POA&M now properly only includes non-compliant rows
Support OSes that ship with a base64 that does not support newline-terminated inputs. (RHEL 5 is notable here).
Bulk processing now links back to machine/location scan list. Select all and select page are now options
Proxy now has access to certificates on host again

v2020.08.2 (2020-08-10)

Small speed improvements in Xylok Manager
Docker 1.13 supported

v2020.08.1 (2020-08-07)

Xylok now supports both Docker and Podman.
- CentOS 8/RHEL 8 support should be much better using in-repo Podman.
- Podman 1 in root mode should work correctly.
- Podman 2 and rootless modes has not been tested as much.
- Systemd is needed to auto-start Xylok on boot. Xylok Manager's "systemd" subcommand can help manage the service file.
- All Podman installs should be treated as experimental--please contact support if you encounter any issues!
human_id is now accessible to post-processing scripts by using "ctx.human_id"
Post-processing scripts can mark an item as "needs manual review" to make it obvious the data was looked at by the script, but a determination is impossible without more information. Reports treat this status the same as "not reviewed."
Upgrade Django to 2.2 LTS.
Remote databases are now supported for standalone installations. IE, an AWS RDS Postgres instance could be used.
Better handling of volumes under SELinux (even when using Docker).
Machine scan listing is now correctly paginated.
Self-managed user password changes.

v2020.06.3 (2020-06-30)

User may now set http and https port manually before install using --http(s)-port flag

v2020.06.2 (2020-06-26)

Scan list now has checkboxes to select multiple scans for deletion/auto-analysis/post-processing.
Added ability to specify listening ports via HTTP_PORT and HTTPS_PORT in /etc/xylok.conf. See Manual for more information.
Embeded docker-compose updated to latest version
Some delete form "Cancel" buttons have been fixed.

v2020.06.1 (2020-06-03)

Proxy bind addresses set up to correctly issue certs in all cases
Never require SSL from the Xylok web server, handle only on proxy side

v2020.05.1 (2020-05-21)

Allow importing clients that have old version infomation stored
Install defaults to production mode
Show Caddy environment during boot
Upgraded to release version of Caddy 2

v2020.04.2 (2020-04-22)

Always set PATH for Windows batch scripts (should help systems that have had powershell removed from the path)

v2020.04.1 (2020-04-16)

Now using Caddy as the reverse proxy, unifying all deployment types under the same server.
Proxy now hosts most static files, reducing number of containers in use (and a small reduction in disk usage).
Caddy requires a common name in certificates. If a certificate does not match this requirement, it will be moved in /opt/xylok/certs to allow Caddy to still run using a self-signed certificate.
Additional HTTP security headers enabled for local installs

v2020.03.3 (2020-03-25)

Docker helper scripts have been overhauled, fixing some issues and adding some flexibility. General usage has not changed.
Docker helpers run commands as the current user, avoiding some permissions issues that might arise.
import-data.sh CLI allows automatic analysis to be run immediately, see updated manual.
Updated Xylok manual with instructions for updated import-data.sh
PP moved into core application. Brings a massive speed improvement at the possible cost of stability. Postprocessing speed more than doubled, bulk processing updates are more quickly applied to the database.
As a result, there will no longer be a separate "postprocessor" Docker container. It should be automatically removed during the upgrade.
Added support for additional string outputs from PP. Currently does nothing, but in the future these may be shown as additional columns on spreadsheets or other reports
Build image no longer warns about Docker if it is not in use for that build step
Build licenses, images, and benchmarks as separate parts
Profiling features and support for internal use

v2020.03.2 (2020-03-10)

Frontend correctly responds to requests again

v2020.03.1 (2020-03-10)

CKL production has numerous fixes:
- 'rule names'. Not all STIGs will work correctly, new data can only be pulled from some STIGs.
- Severity values are correct now, so all Cat I/II/III tabs will populate correctly.
- CKLs are built into a location-based directory structure
Bulk postprocessing of small scans (less than 100 items) will now succeed
Updated benchmarks are pulled in correctly again

v2020.01.3 (2020-01-23)

Fixed technical likelihood not saving on CCI rater
Fixed Traefik 2 not working with HTTPS. This fix includes forcing all clients to redirect to HTTPS--if this causes problems for your organization contact support@xylok.io

v2020.01.2 (2020-01-22)

Fixed technical items not appearing on CCI rater
Moved to Traefik 2 as a proxy for local installations
Added CCIs to several benchmarks that did not have CCIs from DISA or that tied to RMF rev 3, including Cisco Firewall, JRE 7, and some RHEL 6 items.

v2020.01.1 (2020-01-13)

Updated AFSPC A3/6 MAD
Fixed post processing timing out on large scans
Copying question answers when the 'from' scan does not contain all the benchmarks of the 'to' scan now succeeds

v2019.12.1 (2019-12-14)

Bug Fixes

Copying question answers when the 'from' scan does not contain all the benchmarks of the 'to' scan now succeeds
Bulk Postprocessing for large scans will no longer timeout
If a 40X error is encountered by the PP test script, it now shows the response body
Benchmark importer does not die on XSL files
More reliably only stop existing install if the stop script actually exists
Warn when showing raw output on PP tab during analysis
Correctly end Airtable upload loop
Benchmark version comparison no longer duplicates changed/removed entries

Features

Benchmark changes are now pushed to tracker for easier management

Infrastructure Refinements

Limit benchmark update time to 30 minutes
Make working with empty PP output more consistent

v2019.11.1 (2019-11-13)

NOTE This version will upgrade your system to Postgres 11. A special backup will be created as a part of this process. Please contact Xylok if you encounter any issues.

Bug Fixes

Severity value displays correctly on benchmark listing (internal value was correct)
Question editing corrected
OSes not selected warning fixed for when only tags are in use
Updated all use of version/release numbers to support string versions
Ensure selects with no key or os tag are still correct
Only Xylok production will attempt to send errors to central logging
Runners are loaded correctly for command verification
Note in the check search that regex is supported
Check searches with incomplete regular expressions will now be treated as plain strings
PP error helper grammar fixed
Base64 works on systems that do not support base64 --decode
PP audit helper handled blank case and correctly marks "no rules" case as noncompliant
eMASS TR fixed following other internal changes
Control rater CCI definitions included again
Bug with control rater rebuilder related to assessment number corrected
Risk rating from MAD not being included in CCI dump

Features

Added separate vCenter OS(es) to reduce the confusion around using "ESXi" when collecting data on a vCenter server.
Added versions.sh script to utilities, allowing for easy confirmation of the version numbers of components in Xylok
Xylok web displays long benchmark IDs appropriately
Pointed file importer to new XML processor
CIS and DISA XCCDF imports run through a merge operation into the original JSON in Xylok
CIS and DISA benchmark conversions to JSON fully supported
When Xylok service(s) are not availble, try to die with a nicer message
Interview and user-editable answers are now easily copied from scan to scan
Stacked scan info more closely together to save space
Show scan descriptions on various lists
Scans can now have a description set to help differentiate scans
Control ratings can now be imported and exported independent of the remainder of the client configuration
Windows Server 2012 no longer depends on subinacl and dumpsec
CCI rater rebuild now applies automatically compliant/NAs from MAD
Add audit module to PP docs
PP new check_audit_lines() helper is available
PP audit helper functions added
Seaching and filtering for new columns in CCI rater
CCI rater modal links to CCI page
New-style CCI rating calculator complete
New CCI rater modal layout
Manual has a new section for working with ESXi/vCenter

Infrastructure Refinements

pgcli multistage build
pgcli moved to Python3
Moved to Taskfile for task management
Less noisy DOCKER_HOST initialization
Always pull base image again
Build custom pgcli image
Build custom version of Redis image
Whitenoise uses Django finders to locate static files
Whitenoise 4.1
Multistage PP image build
Simplified black configuration
Optomized core Docker image for size
Machine and location commands are retrieved via access layer
Clean up unnecessary imports
Sped up most integration tests
Always clear caches on DB initialization
Test for exporting ISO
Tests for client importing and exporting
Fixed STIG XML importing during automatic updates
Customized Postgres 11 image
Migrate raw risk comments to technical comment field

v2019.09.2 (2019-09-10)

Bug Fixes

Handle no scan being supplied to PP processor
Handle blank PP scripts more gracefully

Features

PP tester script can now accept scan and client JSON for more involved scripts
More informative error messages for PP stack traces
PP script errors are reported with line numbers closer to the real location (should only be offset by 1 line)

Infrastructure Refinements

After finishing disk cleanup, show resulting free space
Use Kaniko to build main builder image

v2019.09.1 (2019-09-06)

Benchmarks

Windows Server 2019 has been updated with commands, please report any issues you encounter!

Bug Fixes

Fixed an issue with context.raw not always returning the correct value
PP with blank raw_output works again
Fixed a speed regression with PP and the new options available to scripts
Pager-based filtering corrected to work with all pages
Sorting on special columns (risk, category, status) works as expected now
Allow 255 characters for benchmark IDs and short titles
Normalize benchmark ID when importing SCAP content
Use the benchmark ID as the short title if the normal title is too long
When clicking copyable text, ensure the scroll position doesn't change.

Features

Added new SIDs for resolve_sids
Benchmark list included in SAR
Added ability to export the SAR data as a JSON file
Added Lenenshtein Distance algorithm as PP helper
Clients can now be marked as classified (in a future release, this will allow reports to be marked appropriately)
Postprocessing documentation updated with context information
New Context object available for PP to use, which includes smart properties for common PP needs
Hovering over a command in analysis shows the PP script in use (if any)
New context variable to PP scripts carries additional information without adding to the global namespace
PP now has much more data available to it.
Bulk processing of a scan's PP should be faster in some circumstances.
Results listing shows PP output if available
CCI rater now uses a fancy search box that can take multiple conditions and negations
Allow search entry via query builder OR direct input
Removed old filter headers on CCI rater
Support "has:" queries in fancy search
Increased the size of the CCI rater modal text boxes some

v2019.08.1 (2019-08-06)

Bug Fixes

Preemptive fix to avoid poorly constructed benchmark helpers from breaking building scripts.
Error if no data config is given for a spreadsheet column
Autofit gives a bit more room
HW report widths fixed
eMASS TR formatting fixed to focus on results more
Fixed wrapping on machine report
eMASS TR now has blue "results here" and autofiltering by default. Closes #146 and #145
Conditional formatting location adjusts with additional columns
During base control wrap-up, N/A controls no longer affect the parent control's status
Newline in checksum file
Build SAR System Control Risk Distibution off full control list including enhancements, not just base
Individual names for checksum files
SAR Baseline Control Review CCI C/NC/NA/etc counts corrected
SAR Base Control Review comments for NAs are more appropriate.
Control rater now prioritizes compliance status by NC > C > NA CCIs. I.E., if there's a conflict then the highest rating wins.
SAR Base Control Review has spaces added for status now
On SAR CCI&AP tab, statuses now include spaces

Features

Conditional formatting for findings spreadsheet
Colors for SAR ratings
Added conditional formatting for POAM Severity and Residual Risk columns
Impact Description can be included on POA&M (just a blank placeholder)
Added more POA&M options: Rule ID/STIG ID and the ability to include items without an AP
POA&M now has an options page that allows adding blank lines to template. Closes #142
Added a Control Review worksheet to the tab, which covers all controls including enhancements (in contrast to the Base Control sheet)
Added System Control Risk Distribution chart to SAR
Control Rater default comments are now built off NAs and Compliants as well
Allow filtering for NAs on CCI and control rater
If the CCI Benchmark for a CCI is marked as Not Applicable, the associated CCI will also be marked NA regardless of other data.
Include Not Applicables on CCI rater modal items
If a NIST CSF category is an "unknown" risk (probably compliant), call it Compliant on the NIST CSF SAR tab
If a CCI has no mitigations, state that rather than having a blank commet in the default comment

Infrastructure Refinements

Use fully qualified Docker image tags for installers for increased Podman/Docker interoperability
Removed mypy dependency
Moved all conditional formatting into helper functions
Documented spreadsheet_builder
More consistent internal name for spreadsheet config items
SAR moved to spreadsheet builder
FARR spreadsheet moved to helper
Moved HW report to new spreadsheet helper
Moved Individual Findings Spreadsheet to new builder
POA&M and Scan Comparison moved to new spreadsheet generator helper

v2019.07.2 (2019-07-17)

Features

Show OS on machine page
A default comment can now be built for the control rater. Use control rating default comment in reports if a manual comment is not set
Added implementation guidance from MAD to CCIs. Hot loaded on demand
Better description of Control Rater comment purpose
Show default comment on control rater if there is no other comment
NC3 overlay updated
Control pages show deprecation/withdrawn warnings

Benchmarks

Tomcat benchmark built
SQL Server 2008 R2 working from Server 2008 (Using SQL Server 2012 STIG)

Bug Fixes

Client controls and CCIs are filtered by withdrawn/deprecated status
POA&M now uses Rule ID and skips item without MAD entries by default
"Tranditional" misspelling fixed
POA&M now includes only emass-only columns
Label the FARR Risk as such in the individual findings spreadsheet to avoid confusion
Firefox control overlay formatting
If AA data can't be imported for any reason, skip it without dying on remaining data
Don't die if there's no exception to report in a JSON call
eMASS TR control names have no spaces in them
It is now possible to click the actual overlay row instead of just the links
"Medium" renamed to "Moderate" in all applicable cases
On POAM, all severity/impact strings use spaces instead of underscores
SAR risks/etc have underscores replaced with spaces

Infrastructure Refinements

Checksum file is more simply named
Corrected hash file format

v2019.06.12 and v2019.07.1 (2019-07-06)

Infrastructure Refinements

Installer can now be pushed to ShareFile

v2019.06.11 (2019-06-26)

Bug Fixes

Firefox control overlay formatting
If AA data can't be imported for any reason, skip it without dying on remaining data

v2019.06.10 (2019-06-21)

Bug Fixes

Findings JSON generation no longer complains about UUIDs

v2019.06.9 (2019-06-20)

Features

Added "machines" column to POA&M
Added FQDN to JSON findings

v2019.06.8 (2019-06-19)

Features

Added machine and location ID to finding JSON

v2019.06.7 (2019-06-19)

Bug Fixes

Only benchmarks available in a license are shown in the benchmark list
Cache clear command works
"Eventually" has arrived
Report generation script as JSON

Features

Networkparse 1.6.5
JSON export of individual findings
Individual findings JSON can be built quickly from the command line

v2019.06.4 (2019-06-09)

Bug Fixes

Scale workers correctly again, now that zombie workers are corrected
Keep trying worker names until one works, fixing workers dying early

v2019.06.3 (2019-06-07)

Bug Fixes

Use command -v instead of which in POSIX and CSH environments. Fixes an issue with Solaris 10

v2019.06.1 (2019-06-05)

Bug Fixes

MySQL scripts can be generated

Features

PP scripts run in a function now, allowing them to return early
Updated NetworkParse to 1.6.4

Infrastructure Refinements

Only run a single worker until name duplication issue can be resolved

v2019.05.9 (2019-05-30)

Bug Fixes

Handle non-UUID case in patching benchmarks

Features

NetworkParse 1.6.1

Infrastructure Refinements

Removed applications from the DB

v2019.05.8 (2019-05-22)

Bug Fixes

Skip loading benchmarks if they don't exist in installer
When building installers without a complete installer, don't die
Handle diffs requests that have JSON files that are not in the DB

Features

Easier method of extracting benchmark changes from last update

Infrastructure Refinements

Check for new STIGs every hour

v2019.05.7 (2019-05-21)

Bug Fixes

Added FortiOS to application fixture
Only show overlay if dragging files, not text

Features

NetworkParse v1.2.0
Show OSes in command table row
Benchmark metadata is always loaded and placed in store, making page transitions faster

v2019.05.6 (2019-05-16)

Bug Fixes

When the user is not logged in, don't show file drop indication
Importing clients with incomplete control ratings now works
If rule ID isn't available, use stig id for checklists
When exporting Checklists, use Rule ID

Features

Added FortiOS (Fortinet networking OS)
Better error handling on uploads
SPA pages now support drag-and-drop file upload of multiple files
Added RSS feed of STIG changes
Allow specifying the starting url for a benchmark scrape
Updated benchmark scraper to use new DISA cyber.mil site
Rule ID now stored in DB and there is a way to import them using DISA XML

Infrastructure Refinements

On connection/download errors, don't leave the link as marked

v2019.05.5 (2019-05-13)

Features

Added flag to PP testing script to ignore SSL errors, useful for self-signed certs

v2019.05.4 (2019-05-13)

Infrastructure Refinements

Updated NetworkParse documenation to the latest version

v2019.05.3 (2019-05-10)

Bug Fixes

Only create pwsh directory if we're going to actually extract powershell
No longer need to create symlink for powershell, the script itself will create an alias if needed
Supress some PS errors and allow it to work properly on systems with Powershell Core only (pwsh vs powershell)
Less noisy PS extraction
ISOs with multi-extension files work
ESXi from PS now uses correct env
Include updated OS and execution environment info in fixtures
When setting up PowerCLI, use system-specified PathSeparator
Ensure benchmark cache is cleared on imports of JSON

Code Refactoring

ZIP and ISO production use the same method for folder creation

Features

PowerCLI Environment for ESXi
PowerCLI helper in place
Helper assignments can be import/exported
Metadata for benchmarks is easier to read and shows information about runners/oses

v2019.05.2 (2019-05-02)

Bug Fixes

CCI rebuilding will load data correctly at completion
Recommendations and control adds/removes/overlays included in export
Include control number in ratings for client exports

v2019.05.1 (2019-05-02)

Bug Fixes

CCI ratings showing under Control Rater modal
Don't show pager while loading cci/control ratings
POA&M generation errors
DISA Scrape no longer breaks on XML that is not a benchmark
File importer redirect
CCIs in benchmarks will now import correctly
Client controls load properly
ControlRating migration name issue
No longer include controls in installer
SAR generation with new CCI ratings
Control Rater sort order
Control Rater default sort
Control Rater rebuild button
Control rating page and SAR generation working with new control rating table
Indexed check CCI numbers
When searching for ONLY a control group, don't search other text
PDB left in test
SE family sorting into the middle of SC
Link back to benchmark from check
Allow changing versions in comparison
Allow access to the homepage when not logged in. Oops.

Code Refactoring

CCIs eradicated from StigCheck
Function documenation
Removed numerous old STIG change components

Features

Use new benchmark diff across the board
Benchmark diff remade as SPA
SPA homepage used for all home-page links
Homepage is now SPA

Infrastructure Refinements

CCI rater moved to same format as control rater
Controls and CCIs completely removed, migration not applied to remove columns yet
Dependencies upgrades

v2019.04.18 (2019-04-18)

Bug Fixes

Title in benchmarks hides on small screens (short title still visible)
When not authenticated, don't fail on removing commands from metadata
Dynamically show/hide pager on all pages using it
Check links and JS errors when no benchmarks are visible
Allow anonymous users to get background task information
Benchmark check paging is actually used for table
Benchamrk CCIs listing/editing corrected
Don't show Extras in control list
Hide withdrawn controls on control list (can still be viewed)
CCI searching
Scroll position between SPA pages should be more natural
Increased number of items on pages
Use RMF JSON rather than DB for client control determination
Cross-domain overlays corrections
Never apply text-based AA to CCI benchmark
Background task errors have red alert again
Background exception error handling
OVAL importing

Code Refactoring

Removed unneeded template files for controls
Additional old control pages removed
Controls no longer have separate group pages
Removed dependence on RMF controls in DB for reporting
Removed dead system import/export code

Features

From SPA pages, directly go to client selector
Use new SPA benchmarks page
CCIs can now be searched by related RMF controls
Load metadata locally to benchmark list, not into Vuex
Benchmark list is now dynamic, although too slow to use
Paging added to benchmark checks
Show benchmark name on check
Overlays now use SPA exclusively
Overlays now have SPA page
When CCIs are loaded, RMF related numbers are normalized
CCIs now have SPA page available
Controls are now handled by SPA
RMF controls are now searchable and paged
JS Control browser built, not yet default option
Sentry is now used for error recording rather than Rollbar
CCI benchmark is now marked NA based on the client control set.
AA data import now available, upload using the normal fields
Automatic analysis data can be export for a benchmark from the same location as normal benchmark exports

Infrastructure Refinements

Sorting, searching, and paging support all moved to pager mixin
Metadata is produced much more quickly when not in cache
Removed benchmark files to make searching clearer
Removed client.rmf_controls
Removed dependencies on client.rmf_controls
Rollbar removed

v2019.04.1 (2019-04-04)

Bug Fixes

Re-enabled coverage information for controls
Removed duplicate CCI entry for CA-1
Client selected controls working again
Don't double-request benchmark when benchmark page first loads
PP docs not loading in Python 3.7
More likely to find the "useful" error message in the string exeception info
Better handling of in-progress statuses

Code Refactoring

Removed PP browser, instead we point to generated docs

Features

Control list loading speed improved by nearly 50%
Benchmark loading happens in background
Removed need to rebuild scan and benchmark caches during install
Full traceback available for failed tasks (for logged-in users)

Infrastructure Refinements

Testing around comparisons put in place
Consolidated async network handling and downloads
Local installs should spawn more workers. Defaults to 4, but can be configured in /etc/xylok.conf
K8s will now run worker correctly
Moved from Celery to Python RQ to support Python 3.7 and allow better task management
Moved entirely to Poetry from Pipenv
Moved to Python 3.7
Removed unused benchmark_api
Numerous changes to control access internally

v2019.02.7 (2019-02-27)

Bug Fixes

Scan comparison should be more reliable
Scan comparison now automatically performs a compare when both selections are locked

v2019.02.6 (2019-02-21)

Features

Include changelog in docs index

Infrastructure Refinements

Easier method of building release notes

v2019.02.5 (2019-02-21)

Bug Fixes

PathPrefixStrip for docs to allow them to load correctly in standalone installs
Change log section titles for changelog

Infrastructure Refinements

Specify limit and request for all memory on K8s

v2019.02.4 (2019-02-21)

Infrastructure Refinements

Installers built in tagged directories now and make installer names more straight forward
No longer deploy on tags, only master

v2019.02.3 (2019-02-21)

Features

Build release notes and automatically push them