v2022.04.3 (2022-04-21)

Major Features

• The new sorting and filtering from the CCI and Control raters is now also applied to the RTM, Technical and POA&M tools

Features

• When importing data that requires a pre-selected client, the error message should be more intuitive.
• HW Spreadsheet now includes compliance scores in last two columns
• Updated file import to handle new STIG Viewer .ckl files

Fixes

• Automatic Analysis updates:

  • Maintenance process now ensures AA database remains valid and removes duplicate entries if they exist
  • Copying AA values from one family to another no longer gives an error
  • AA creation has an explicit lock around it, rather than relying on only having a single process registered for handling AA

• DB maintenance process cleans unused checks from the DB and ensures all referenced checks have a valid benchmark version associated with them. This should have minimal user impact.

• Corrected some CKL export issues

• Hitting arrows keys correctly navigates between checks in benchmark view

• Postprocessing button in analysis view now keeps filters

• Prev/next buttons on analysis page retain filter criteria

• Allow old scan data to load if no recommendation status was set in additional_output

Benchmark Changes

• The internal NetworkParse library will better handle Cisco configuration files with 'unusual' indentation by somewhat understanding what commands are permitted to have children. If you encounter changes to your processing because of these changes, let us know!
• Marked RHEL 8 v1r5 as customer ready
• Added PP to Cisco IOS-XE Switch RTR v2r1.
• Added PP to Cisco IOS-XE Router RTR v2r3
• Added PP to Cisco IOS Switch RTR v2r1
• Updated PP on Cisco IOS Router RTR and NX-OS Switch RTR based on testing
• Minor correction to PP on single Cisco IOS Router RTR check

v2022.04.2 (2022-04-05)

Fixes

• Imported files correctly show redirection/view link
• PP no longer errors out
• Fixed view changes in analysis erasing search filter

v2022.04.1 (2022-04-05)

Emergency release to fix an issue preventing automatic analysis from running.

Fixes

• No longer fully family ID from the wrong location during AA
• AA moved to a single new table with integrated command values and a update date
• Task sidebar monitor has an icon for when tasks have an action needed
• Archives with benchmarks with no versions (uncommon) can still be successfully imported

v2022.03.1 (2022-03-28)

Major Features

• Automatic analysis has seen a number of major updates.

  • There are now three AA pools: machine, family, and "universal". Previously only family and universal existed. This change allows machine-specific selections to stay consistent across AA runs.
  • Updated Data Analysis documentation with more details about how AA works internally, with a full example across multiple machines. (https://xylok.notion.site/Data-Analysis-168a4af4d49e4c8db16086762837df28)
  • During AA for a single scan, you can now select which AA pools to use. See updated documentation for more details about how AA works.
  • Allow AA items to represent all possible finding statuses. Previously they would only save Compliant, Noncompliant, and N/A. As a consequence, when you unmark an item we no longer re-mark that item the next time AA is run.
  • Breaking Change: The majority of AA data should carry forward with no changes. However, AA entries were post-processing recommendations were overriden will not carry forward.
  • Universal AA pool can now be exported by logged-in users from the User Menu. Individual benchmark AA pools are no longer exportable via the benchmark page.
  • When exporting a client with scan data, AA data for all client machines, families, and the universal pool will be exported.
  • If you need to drop AA data for a machine because items were incorrectly marked, you can now delete a machine's data pool from the Machine Details' Options dropdown.
  • Family data can be deleted in the same way, from the corresponding Family Details page.

Features

• CCI rater modal always shows link to 'all items' and all related items view shows everything, regardless of status
• The scan item list (when you first go to analyze a scan) has a new search! This is an early version of the search--some improvements in this and similar search dialogs will appear in the next release. We'll add more detailed documentation when that release gets pushed, but for now: pressing / will open and focus the search, Enter to apply, Escape to close.

Fixes

• Empty and commands with no OSes are now fatal errors in our tooling, so users should never see a check with a command that mysteriously doesn't run.
• CCI rater modal was showing the finding count as N/As. Now it shows the actual N/A count, like you'd expect.
• Diff with previous check data has colors correctly set
• Prevent wrapping of CCI numbers in control rater and benchmark IDs in benchmark browser
• Client export when families exist works, closes #285
• AA data with an inconclusive status will be migrated to not a finding (this was causing AA issues for some users)
• More reliably force the settings page on the raters if not configured
• Enabled proxy keepalives per Nginx recommendations
• ADFS login redirect should work again
• Scan comparison no longer throws an exception

Benchmark Changes

• Feat: We no longer print the PP recommendations at the end of the output. This is a breaking change that will reset AA for items where PP recommendations were overridden. Because other AA changes are being implemented in this release, this should consolidate any additional workload to a single cycle.
• Updated MS Office 365 to v2r4.
• Populated commands for latest Cisco IOS, IOS XE and IOS XR Router RTR STIGs.
• Added commands for latest Cisco NX-OS Switch RTR, NDM, and L2S.
• Populated Cisco NX-OS Switch NDM v2r3 commands.
• Added PP to Cisco NX-OS Switch NDM v2r3.
• Added PP to Cisco NX-OS Switch NDM v2r3.
• Added PP to Cisco NX-OS Switch RTR v2r1.
• Added PP to Cisco IOS Switch NDM v2r3.
• Added PP to Cisco IOS Router NDM v2r3.
• Added PP to Cisco IOS XE Router NDM v2r3.
• Added PP to Cisco IOS XE Switch L2S v2r2.
• Added PP to Cisco IOS XE Switch NDM v2r2.
• Added PP to Cisco IOS XR Router NDM v2r2.
• RHEL 7 - Fixed broken post-processing on RHEL-07-010340
• RHEL 8 - Command and Post Processing updates
• SUSE 15 - PP and test cases
• Updated VMWare VSphere 6.7 ESXi, vCenter, Virtual Machine STIGs, all v1r2.
• Missing OSes fixed for RHEL 5, MacOS 11, SuSe zlinux, SLES 15, web policy, Ubuntu 20.04, and Windows 2008 r2 DC
• Updated Windows 10 BitLocker Network Unlock configuration (WN10-00-000031) to be manual review.

v2022.02.2 (2022-02-17)

Major Features

• SCAP scans can now be uploaded from Xylok's GUI. Process is the same as CKLs--see "Uploading to Xylok" documentation page for more details.

Features

• Django form errors have styling added
• Login virtually always takes you back to your original page now

Fixes

• Individual findings spreadsheet can be produced again
• Creating users via the admin interface no longer complains about a missing password
• Worked around a regression in Podman 3.4
• Client dashboard redirect has correct URL to cci rater
• CKL exports with idential STIG IDs in a single CKL correctly match finding detail data to the check (before the same data would be replicated across matching STIG IDs)

Benchmark Changes

• Another fix to rule IDs. Should help with the reliability of CKL's interoperability.
• Marked Splunk 8.x v1r1 ready.
• More tests and PP updates on Splunk 8.x.
• Minor update on Splunk 7.x PP.
• Old Windows Firewall removed
• Cleaned up Network-Perimeter Layer 3 Switch v8r32.
• Cleaned up Network-Firewall v8r25.
• Updated Windows 10, WN10-SO-000280 to account for 24 hour times.
• Updated IIS 10.0 Site v2r5.
• Updated IIS 10.0 Server v2r5.
• Updated IIS 8.5 Site v2r6.
• Updated McAfee ENS 10.x v2r6.
• Updated MS SQL Server 2014 Instance v2r2.
• Updated MS SQL Server 2016 Database v2r3 & Instance v2r6.
• Updated HBSS ePO 5.x v2r6.
• Updated HBSS McAfee Agent v5r5
• Updated MS Office System 2016 v2r2.
• Updated McAfee VirusScan 8.8 Managed Client v6r1.
• Updated McAfee VirusScan 8.8 Local Client v6r1.
• Scraper: Updated benchmark vmw_vsphere_6-7_postgresql_stig, updated version v1r1
• Scraper: Updated benchmark vmw_vsphere_6-7_esxi_stig, added version v1r2
• Scraper: Updated benchmark vmw_vsphere_6-7_eam_tomcat_stig, added version v1r2
• Scraper: Updated benchmark vmw_vsphere_6-7_perfcharts_tomcat_stig, added version v1r2
• Scraper: Updated benchmark vmw_vsphere_6-7_ui_tomcat_stig, added version v1r2
• Scraper: Updated benchmark vmw_vsphere_6-7_sts_tomcat_stig, added version v1r2
• Scraper: Updated benchmark vmw_vsphere_6-7_rhttpproxy_stig, added version v1r2
• Scraper: Updated benchmark vmw_vsphere_6-7_vcenter_stig, added version v1r2
• Scraper: Updated benchmark vmw_vsphere_6-7_photon_os_stig, added version v1r2
• Scraper: Updated benchmark vmw_vsphere_6-7_virtual_machine_stig, added version v1r2
• Scraper: Updated benchmark vmw_vsphere_6-7_vami-lighttpd_stig, added version v1r2
• Scraper: Updated benchmark cisco_ios-xe_router_rtr_stig, updated version v2r3
• Scraper: Updated benchmark cisco_ios-xe_router_ndm_stig, updated version v2r3
• Scraper: Updated benchmark windows_10_stig, updated version v2r3
• Scraper: Updated benchmark microsoft_windows_2012_server_domain_name_system_stig, updated version v2r4
• Scraper: Updated benchmark windows_firewall_with_advanced_security, updated version v2r1
• Scraper: Updated benchmark general_purpose_operating_system, updated version v2r2
• Scraper: Updated benchmark windows_2012_ms_stig, updated version v3r3
• Scraper: Updated benchmark apache_server_2-4_unix_server_stig, updated version v2r3
• Scraper: Updated benchmark windows_server_2019_stig, updated version v2r3
• Scraper: Updated benchmark windows_2012_dc_stig, updated version v3r3
• Scraper: Updated benchmark windows_firewall, updated version v1r7
• Scraper: Updated benchmark windows_server_2016_stig, updated version v2r3
• Scraper: Updated benchmark fs_nac_stig, updated version v1r3
• Scraper: Updated benchmark u_can_ubuntu_18-04_stig, updated version v2r6
• Scraper: Updated benchmark windows_paw_stig, updated version v2r1
• Scraper: Updated benchmark active_directory_domain, updated version v3r1
• Scraper: Added benchmark apple_macos_12_stig, added version v1r1

v2022.02.1 (2022-02-01)

Fixes

• Importing Xylok archives correctly pins benchmark versions. This was preventing importing Xylok archives from actually importing assigned machine benchmarks.

v2022.01.2 (2022-01-31)

Major Features

• CKL import has been improved and moved to the web interface, see updated docs under "Upload to Xylok" for more information.

  • CKL import now ties data to CCI's if possible and will create commands on the fly as needed
  • CKL import wizard allows client selection as well
  • These improvements allow more flexibility in the benchmarks being imported. As long as the CKL matches an existing benchmark, even if Xylok does not have commands in place for it or it's not under your license, you can import CKL data and have it tie the the CCI rater and other reports.

• POA&M header can be controled via new POA&M settings, allowing the system name and other specific details to be filled in during generation

Features

• More improvements to the ACAS importing wizard
• Cleaned up task monitor page, much clearer when jobs are in different states
• Added backup-cleanup.sh script and supporting docs
• Better detection for when raters need to be rebuilt, mitigating a common 500 error when clicking a rater row that has not been built yet. This does not eliminate the need to rebuild manually at this point--not all "rebuild-required" cases are detecteed.

Fixes

• Check Rule IDs are correctly applied again--they had accidentally been located in the expert comments. The most significant issue with this was CKL exports, which would have invalid IDs.
• Mobile menu fully working again
• Handle 'choice' type questions the same as 'choices'
• Try to be even more robust in our python search. Might still allow the Xylok manager to work even if Python is not in the PATH.
• During benchmark imports, don't try to correct RTM settings which don't exist
• Django messages are now correctly displayed on all pages
• User email password reset flow working
• Upload API via token is working again
• User password changes no longer kick to the Django admin style view
• No longer display password reset link when email isn't configured.
• User's passwords can be directly fixed in the user admin page
• Task monitor always switches priority to newest created window, making it more likely it initiates downloads in the user's active window
• No longer show rebuild jobs in the task monitor, led to confusing double entries when importing scans and the scan comparison job also appeared
• Fixed a bug which would prevent POA&M from being built when underlying benchmark data was tombstoned

Benchmark Changes

• Updated MS Edge PP
• Updated MS Edge benchmark question
• Updates to MS Edge STIG v1r4.
• Update and marked Google Chrome v2r5 ready.
• RHEL 8 PP syntax errors fixed in RHEL-08-010050 and RHEL-08-010070
• Fixed RHEL-06-000315, now displays raw output
• Cisco Firewall fix for NET0820
• Updated MS Outlook 2016 v2r2, and removed duplicative try/excepts.
• Added additional examples for Cisco IOS Switch L2S tests
• Updated more Cisco IOS Switch L2S PP
• Updated Cisco IOS Switch L2S PP
• RHEL 7 FIX: RHEL-07-021350 - Changed Post Processing to check for a str value of 1 instead of int value
• Post Processing Updates: SLES-15-010030 SLES-15-010180 SLES-15-010430
• Commands populated for Cisco IOS Switch RTR STIG v2r1.

v2022.01.1 (2022-01-13)

Major Features

• Nessus result importing is now supported, see "Uploading to Xylok" in the updated documentation. Please report any issues you find to support@xylok.io!

Features

• PP processor now makes an internal note when an exception is caught--the goal is to make this a searchable attribute during analysis.
• When loading the installation license, add benchmarks which have changed IDs to the license as well.
• When benchmarks are merged, we now migrate existing assignments of the old benchmark to the new ID. Between this and the previous change, customers with the "old" ID on their license don't need to take any action to jump to the updated benchmark from DISA.

Fixes

• Small fix to PSQL runner to prevent errors outputting the command in the result file. Should have no notable affect on results
• Reduce error messages in logs when MX process isn't able to clean a directory. No notable impact on operation
• Newly created clients are now automatically selected as the current client, closes #263
• Use shell entrypoint for health check to ensure environment is configured correctly, closes #264
• Increase healthcheck time to allow full ready check to work more reliably
• When building releases, we always use the same-tagged version of the benchmark repo for a more reproducible build.
• Database restore script works again
• Navigating between scan items from analysis page now saves changes correctly
• Fixed hotkeys and character escaping in analysis view
• Prevent systemctl status from hanging at the end of the installer if the window is small
• Removed "inconclusive" status from findings/compliance choices. Migrated any "inconclusive" status in DB to "compliant"

Benchmark Changes

• First pass commands done CISCO IOS XE r3 NDM
• Merged 3 MS SQL Server 2012 Instance STIGs into ms_sql_server_2012_stig.
• Merged and Updated Mozilla Firefox v6r1.
• Marked MS OneDrive v2r2 ready.
• Merged Microsoft OneDrive for Business 2016 to Microsoft OneDrive v2r2.
• SLES 15 first pass commands in place
• Merge Windows Firewall benchmark to v2r1 (No changes in actual benchmark)
• HBSS ePO 5.x v2r5
• McAfee ENS 10.x v2r5
• Windows 2012 Server DNS v2r4
• HBSS McAfee Agent v5r4
• HBSS Agent Handler v2r2
• HBSS Remote Console v5r1
• HBSS Rogue Sensor v5r1
• Windows PAW v2r1
• Active Directory Domain v3r1
• Windows Server 2012 DC v3r3
• Windows Server 2012 MS v3r3.
• Windows Server 2016 v2r3
• Windows Server 2019 v2r3
• Fixed conflicting Win Defender command ID
• Microsoft Windows Defender Antivirus STIG v2r3.
• Windows 10 STIG v2r3.
• Tweaked MS Dot Net Framework question collection for cmd.
• Microsoft Windows 2008 Server Domain Name System STIG v1r8.
• RHEL 8 Commands Complete
• PostgreSQL 9 fixes
• Apache 2.4 UNIX site/server commands

v2021.12.2 (2021-12-10)

Features

• Added SUSE 15 to OS list
• Added "View Admin Page" option on scans, machines, locations, and clients for staff users
• Selected client is no longer tracked in the database. This allows you to use different browsers or incognito mode to work with multiple clients at the same time
• Scan comparison now works across clients. Fixed bugs when working with multiple clients at the same time

Fixes

• Work more reliably when multiple windows are open and the user attempts to select different clients. Previously we relied on the selected client when editing families, machines, and locations, which led to bugs when editing items not in the currently selected client.
• Fixed database admin page selects
• Removed editing previous scan from admin (with many scans, that field has the potential to prevent the page from loading)
• Prevent code with breakpoints from deploying
• Slightly better recovery when parsing an exception from a background job fails
• Handle the menu correctly when the user is logged in but does not have a client selected

Benchmark Changes

• RHEL 8 Commands Complete

v2021.12.1 (2021-12-07)

Major Features

• The Xylok API is now officially supported. Detailed documentation is available under the user menu->API Documentation and high-level docs and use cases can be found under the Automation header of the Xylok docs. The initial use case of this automating scaning and analyzing a machine. Supported API endpoints include:

  • Searching for a machine
  • Fetching machine script
  • Uploading results
  • Copying interview answers
  • Running Automatic Analysis
  • Monitoring the status of background tasks

• You can now drop files on the sidebar, making uploading results easy no matter where you are in Xylok. Multiple files can be uploaded at a time and you will be blocked from navigating away while the uploads are in progress.

• Sidebar now holds a small task monitor, allowing it to track background tasks and download generated files without having to stay on a specific page.

Features

• Single scans can now be exported as CKLs
• When benchmarks are removed from machines/locations, the client will have the pinned benchmarks removed
• Machine list is now sortable
• Hitting '/' (slash) to select search box now works on benchmark, machine, and scan lists
• We now display the benchmark ID as a column in the backmark listing (rather than the short title) and provide an easy copy button
• Navigation now correctly resets to a valid state if the open menu is no longer valid (ie, when you log out)
• Single-task monitor page nicely shows stracktrace, better parsing of exceptions
• Re-worked single task monitor page to use task monitoring API
• Virtually all jobs receive a description when starting now, plus all jobs have a reasonable timeout now
• Navigation menu now allows navigating between section menus without page reloading
• Task displays are now limited to the initiating user
• Include container memory infomration in container log output
• Include container processes in container log output
• Include mx process logs in logs command

Fixes

• Correctly hide FOUO STIGs from unauthenticated users (thanks to the user who caught that!)
• Don't error out when serializing job with no result
• Moved to using Alpine to handle row clicks in benchmark browser, preventing history weirdness with HTMX
• Complete export includes ratings. Because ratings depend on scans, the option to download them separately has been removed for now--if you need this feature, contact support
• Allow for nulls in RTM verification dates in export
• If XYLOK_DATA setting has a ~ in it, don't accidentally create a ~ directory (expand it correctly to the user's home)
• RTM validation date is now the date of the last rebuild. RTM verification date is the date of the last physical 'reviewed' click on the control or the last scan data for technical data
• Removed redundant reports from reports menu found in respective raters
• RTM includes checks from benchmarks assigned to machines, even if there are no scans
• Fixed deprecation warning from my_init
• Modified UI elements, fixed comment box typing/saving
• Removed deprecation warning about 'GROUP_CLAIM' when using ADFS authentication
• Correctly return default value when getting archive settings that don't exist
• RTM now works when there are no scans in client

Benchmark Changes

• Updated McAfee Application Control 7.x STIG v1r6.
• Updated Splunk Enterprise 7.x for Windows STIG v2r3 and marked ready.
• Added PP for Splunk Enterprise 7 STIG v2r3.

v2021.11.2 (2021-11-23)

Features

• There is a new import/export format for Xylok. The new SQLite-based format demands less memory and will work on a wider range of systems. There's also more room for optimization, potentially allowing for quick importing/exporting in the future. Features of the new format include:

  • Scans, client data, and CCI/Control/Tech/POAM/RTM ratings
  • Dependent benchmarks for scans--now an export from one system includes everything needed to work on a different system, even potentially outdated/removed commands
  • SQLite3-based, which allows for easier searching and manipulation than the previous format. If needed, the sqlite3 CLI client is included in the Xylok container image.
  • Greatly reduced memory usage
  • In the future, we plan to include AA data and allow for selective importing of parts of the archive.

• Spreadsheet versions of the various raters (CCI, control, tech) area all exportable directly from the rater page, reducing navigation

• Uploads and downloads now persist to temporary storage on-disk, rather than being retained fully in memory. This should reduce issues on lower-memory systems where imports could not be completed because of out-of-memory process termination. A maintenance process has been added to help clean temporary files over time.

• A new task-montioring page has been created, allowing you to view all background processes in the same location.

• Multiple files can now be selected during upload

Fixes

• Allow boolean questions to work
• Fixed documentation on importing SCAP/CKL results.

Benchmark Changes

• Started Splunk Enterprise for Windows v2r3.
• Updated Windows Server 2008 MS STIG v6r46.
• RHEL 6 - Additional commands and corrected Post Processing errors
• Finalized IE9 STIG v1r15.
• Finalized IE8 STIG v1r20.
• Finalized IE 7 STIG v4r20.
• Finalized IE 6 STIG v4r11.
• Added remaining RHEL 8 Checks missing commands
• RHEL 8 - Adding missing commands
• Added PP to some Cisco ASA Firewall STIG v1r1 checks.
• Updated Windows 7 - WINUR-000032 to allow for capitalization variations of the 'Auditors' group.
• Updated VMWare vSphere 6.5 ESXi STIG v2r3.

v2021.11.1 (2021-11-07)

Major Changes

• This release comes with a major rewrite of the Xylok user interface. Please give us feedback at support@xylok.io if you run into any issues or have requests! The documentation has been updated to reflect the new look. Other than looking completely different, some notable features of the new UI include:

  • The UI menu has been broken down into "sections," reflecting the actions you're most likely to be working on at a given time. I.E., when doing assessments the scan list, raters, and importing are all easily accessible.
  • Keyboard-driven workflow for scan analysis. Hover over the "?" at the top of the analysis display to see a list of the keyboard shortcuts.
  • The output display for the analysis page can now expand to full screen, for those especially big outputs.
  • Far more items have smooth searching now, with results appearing as you type

• Documentation now has a section on the workflow for the Assessment Rater displays, covering the CCI Rater, Control Rater, Technical Rater, and POA&M Manager. As we encourage more organizations to use these integrated tools, we're hoping to build out even more reporting around them. If you have requests or ideas, let us know.

• The Raters now generally have a "Reviewed" date, allowing them to be more easily updated over time. No changes since the last time you looked at a CCI? Just mark it "reviewed" so you know it's still accurate!

• Breaking: The run subcommand from the xylok manager, because it caused permissions issues. To compenstate, we now create a new /_passthrough mount for Xylok, intended for transfering files in and out of the container. The host location of this mount can be found by running ./xylok pt ext. The Command Line Utilties->Working with Containers sections of the documentation has more details on this.

Features

• Added a search to copy answers page, added a link to view all related items from CCI Modal
• We've re-introduced the Technical Rater, formerly called the "FARR". This is intended to provide an interface for rating items on a strictly technical level, outside the CCI Rater. May help with prioritization of fixes.
• Clicking the command link when analyzing opens the command in a new tab with a nice plain-text view
• Added CLI tool to merge two CCI rating sets
• Display background request errors consistently, letting the user know when an error occured.
• Search builder in raters now include filtering for reviewed/updated date range and clear form button
• We now have automated testing around both clean and upgrade installs on every release for on Ubuntu 21.04, CentOS 7 using Docker 1, CentOS 7 using modern Docker, and CentOS 8 using Podman.
• Container health checks also confirm the background workers are responding.
• Most of the system configuration checking has been moved to xylok-manager, allowing it to be re-run on the host as needed (rather than requiring the installer)
• Greatly reduced installer size
• Numerous library upgrades, including Python 3.9 and Django 3.2.
• Added the ability to see recent server logs from the web by going to the user menu->Server Logs. User must be marked as "staff" in the Django database admin.

Fixes

• No longer error out when importing a ZIP file
• Benchmark details check table now sorts by stig id by default
• Properly run backup of database during install
• Scan comparison family was using name instead of pk, causing it to not load the correct scans when clicking in from an external link.
• Correctly update pagination when searching in raters
• Added back in bulk delete scan warning page
• The 'unmarked' filter should now show 'needs human review' items
• Added support for detecting prompt for HP devices (surroundeded by [])
• Scan comparison URL includes client information, allowing it to work even if a different client was selected by user
• Correctly apply PP when multiple items recommend the same thing
• Don't accidentally create '~' folders in Xylok Manager
• Nulls are now stripped from PP output, preventing broken PP scripts from causing issues in processing other checks.

Benchmark Changes

• RHEL 6 STIG Added missing commands for v2r2. PP fixes on several checks.

• RHEL 8 STIG Adding missing commands to checks in v1r4

• RHEL 7 - Updated for new release v3r5 - Fixes for commands and post processing

• RHEL 7:

  • RHEL-07-021340 - Added Post Processing
  • RHEL-07-040180 - Changed command and added Post Processing
  • RHEL-07-040190 - Changed command and added Post Processing
  • RHEL-07-040200 - Changed command and added Post Processing
  • RHEL-07-040520 - Added Post Processing
  • RHEL-07-010270 - Changed command and fixed Post Processing
  • RHEL-07-010480 - Modified Post Processing to handle RHEL versions better
  • RHEL-07-010482 - Added Post Processing with recommendation
  • RHEL-07-010483 - Added Post Processing with recommendation
  • RHEL-07-910055 - Changed command and added Post Processing
  • RHEL-07-020210 - Added Post Processing with recommendation
  • RHEL-07-010119 - Removed hard coded 5 for retry in Post Processing
  • RHEL-07-021031 - Changed the 'ls' command to a 'stat' command and it no longer returns a line if no results are found
  • RHEL-07-010310 - Corrected the recommendation to compliant when the correct value of '0' exists in Post Processing
  • RHEL-07-040170 - Modified command and Post Processing
  • RHEL-07-040710 - Changed the compliant value to 'no' in Post Processing
  • Marked RHEL 7 v3r4 ready, added remaining command

• Updated MS SQL Server 2016 Database STIG v2r2 and MS SQL Server 2016 Instance STIG v2r5.

• Updated IIS 10 Server STIG v2r4 and IIS 10 Site STIG v2r4.

• Updated IIS 8.5 Server STIG v2r3 and IIS 8.5 Site STIG v2r4.

• Updated VMware vSphere 6.5 Virtual Machine STIG v2r1.

• Updated IE 11 STIG v2r1.

• Updated Microsoft Edge STIG v1r3.

• Populated Microsoft Office 365 ProPlus STIG v2r3 with commands and postprocessing, and expert comments for DISA mistakes.

• More minor updates to Windows 10, Windows Server 2016 and 2019 STIGs.

• Updated firewall rule checks in Microsoft Windows 2012 Server DNS STIG.

• Updated Windows Server 2016/2019 check for 'create symbolic links' regarding Hyper-V role.

• Minor updates to Windows 10, Server 2016, Server 2019 STIGs (v2r2).

• Updated Windows Server 2019 STIG v2r2 and Windows Server 2016 STIG v2r2.

• Added 'looking for' statements for all the basic Cisco L2S PP

• Corrected runner for ASA commands

• Added basic PP (no recommendations) to more of the Cisco IOS l2s STIG

• Added Cisco ASA commands to ASA FW STIG

• Added HP Comm commands to Layer 2 Switch SRG

• Updated Windows Server 2016 STIG v2r2.

• Updated Windows 10 STIG v2r2, including user-identified issues (Thanks!).

• Updated Internet Explorer 11 STIG v1r19, including user-identified issues (Thanks!).

v2021.09.2 (2021-09-16)

Features

• Installer should be more robust now, handling various edge cases more appropriately and be more adept at recovering from failed partial installs. In addition, there are some settings it will now check during installation and warn the user to correct.
• File imports are sorted, making it a bit easier to tell progress
• Cancelling following xylok logs no longer throws a keyboard interrupt error.
• Podman logic has seen more improvements.
• Removed start.sh and stop.sh scripts. With the move to systemd as the control scheme, using the appropriate systemctl start/stop commands is more appropriate.
• Better management of benchmarks by allowing verisons and checks to be tombstoned (benchmarks and commands already could be). This helps manage major STIG changes over time and prevents visual build up of old STIG data

Fixes

• No longer display tombstoned benchmarks on benchmark listings
• Correctly import from deeply-nested directory structures
• If a benchmark has no ready versions, during import we now force the latest version to be ready. This avoids weird behavior around brand new benchmarks.
• Forced benchmarks to re-import to ensure tombstoning is properly applied
• During setup, all xylok manager calls are made using 'bash' to avoid noexec issues on tmp partitions
• Handle JSON decode errors in the Xylok Manager correctly on Python 2
• Create xylok data and logs folders before settings permissions
• Benchmark coverage page loads correctly, rather than trying to find a benchmark with the id 'coverage'

Benchmark Changes

• Combined VPN benchmarks
• Combined traditional security benchmarks
• Combined router SRG benchmarks
• Combined IE8 benchmarks
• Combined IE9 benchmarks
• Combined general purpose OS benchmarks
• Combined SQL Server 9 benchmarks
• Combined Database Generic SRGs
• Combined OSX 10.15 benchmarks
• Combined Voice and Video Endpoint SRGs
• Combined RHEL 8 STIGs
• Updates to Oracle DB 11.2g STIG v2r1.
• Marked Oracle DB 11.2g v2r1 as ready for customers
• Populated Cisco IOS XE Switch L2S STIG v2r1.
• Updated Cisco IOS Switch L2S STIG v2r2.
• Oracle Database 11.2g STIGs combined
• Updated Windows 10 commands and PP.
• Updated Mozilla Firefox STIG v5r2.
• Adding Red Hat 8 Commands
• Updated MS SQL Server 2014 Instance STIG v2r1.
• Updated MS Windows 2012 Server Domain Name System STIG v2r3.
• Updated VMWare vSphere 6.5 ESXi STIG v2r2.
• Updated VMWare vSphere 6.5 vCenter Server for Windows STIG v2r2.
• Updated MS SQL Server 2016 Instance STIG v2r4.
• Updated Adobe Acrobat Pro DC Continuous STIG v2r1.
• Updated Microsoft IIS 8.5 Site STIG v2r3.
• Update Microsoft Office System 2016 STIG v2r1.
• Updated Microsoft IIS 10.0 Server STIG v2r3.
• Updated Microsoft IIS 10.0 Site STIG v2r3.
• Updated Google Chrome STIG v2r4.
• Updated MS Edge STIG v1r2.

v2021.09.1 (2021-09-02)

Major Features

• Xylok now runs as a non-root user on all installations. To facilitate this, the following things will occur during installation and/or upgrade:

  • A xylok user and group will be created on the host if it does not exist. This user will be given a home directory (necessary for execution of the container under Podman), but should be created with a system-level UID.
  • Xylok data files (/var/lib/xylok, /var/log/xylok, /opt/xylok) and configuration files (/etc/xylok.conf) will have their owner changed to xylok
  • If a non-Xylok user should have access to the Xylok data, they can be added to the xylok group. Most files, except for Postgres database files, allow group access.
  • When starting, the Xylok Manager will also work to ensure files are owned by the correct user. If you encounter permissions errors, please contact Xylok support (support@xylok.io).

• Xylok now uses systemd to manage on-boot execution for all installations, rather than relying on Docker's restart=always. The xylok unit will be installed during the upgrade. From then on, the systemd unit xylok can be used for status, starting, and stopping. On Docker systems, there is a dependency on docker starting.

Features

• Updated help docs to reflect new security information
• Removed Redis AOF log, making startup faster. We don't need the solid persistent anyway, it's only for caching and session data.
• Logs command supports specifying components, if you only need to tail certain processes. IE, /opt/xylok/xylok logs -f worker

Fixes

• Benchmark import correctly removes old version of checks from versions
• Rating importing no longer resets update dates, which occasionally led to the wrong data being displayed as 'current'
• Corrected POA&M rebuilding and generation from reports menu
• When saving on the various raters, return the correct page of the results still. In addition, don't give a 404 on an empty page--just return the last page
• As a safety measure, during an install individually request each old component shut down
• Ensure Postgres always terminates connections, rather than waiting for clients to DC
• Correctly update cci compliance status when copying in modal
• Resolved a CSRF issue when using non-standard ports for hosting
• If there are no permissions to create proxy certs, put in tmp directory
• Don't exit when files are links and/or removed during permissions settings
• Set root data/logs directories with correct permissions, in addition to core mount points
• Dynamically generate self-signed certificates during boot. This fixes and issue when using non-root UID/GIDs for Xylok, which led to Nginx not being able to acces the snakeoil certs.

Benchmark Changes

• Adding RHEL 8 commands
• Numerous benchmarks imported thanks to the quarerly release.
• Added 24hr time parsing/examples Win Svr 2019 (Thanks Thomas)
• Added 24hr time parsing/examples Win Svr 2016
• Fixed issue with WDNS-SC-000010 not showing 2012 command in Windows 2012 DNS STIG v2r2.
• Marked indos 2012 DNS v2r2 ready.
• Updated SSHD config checks
• Initial commit on apple_macos_11_stig

v2021.08.1 (2021-08-08)

Major Features

• Nginx (v1.20 currently) has replaced Caddy as the reverse proxy. This has a few benefits:

  • Static files (CSS, Javascript) will be served more quickly.
  • All content is Gzip, helping any installations with slower networks.
  • Fewer compatiblity issues during upgrades, which should help with the previous fixed-SSL certificate reliability issues.
  • A more robust Content Server Policy has been put in place, following best practices where possible.

• The move to a single container for all Xylok processes made logging more challenging. This has been resolved, with physical logs being generated at /var/log/xylok/ for each internal component.

  • The /opt/xylok/xylok logs sub command has been updated to reflect this change. By default, a ZIP file with the last 5000 lines of each log will be generated, plus some settings (passwords/secrets are excluded) and the docker container logs.
  • The logs command also has a -f flag, which tails all component logs and allows for nice real-time debugging of any issues.

Features

• Container read-only setting can now be set via environment variable.
• Include CSP nonce for scripts where possible. CSP nonce values are regenerated on every build.
• Development images are now also read-only, hopefully avoiding issues moving to production.
• Nginx can now be put into maintenance mode, where no traffic is sent to Xylok.
• Xylok Manager settings subcommand now shows default settings. This will allow us to more easily consolidate the documentation for all settings into the Xylok command, rather than just seperate docs.
• Removed nodejs from final production image, reducing size slightly.

Fixes

• Don't include a DB version script in utils, just do it directly in setup.sh. Correted DB version retrieval.
• If a DB upgrade occurs, don't fail out when it returns non-0 due to normal warnings.
• Strip docker log output to avoid blank lines at end.

Benchmark Changes

• Marked Windows 2012 DNS v2r2 ready.
• Fixed issue with WDNS-SC-000010 not showing 2012 command in Windows 2012 DNS STIG v2r2.

v2021.07.2 (2021-07-30)

Fixes

• Corrected proxy config to work with internal and external certs by splitting configs
• Corrected README instructions for creating an fixed certificate

Benchmark Changes

• Updated IIS Server 8.5/10 checks IISW-SV-000130/IIST-SV-000130 to limit search to local drives.

v2021.07.1 (2021-07-23)

REMOVED: The FARR has been removed in favor of using the CCI Rater and/or POA&M Rater. If your organization utilitizes the FARR, please contact support@xylok.io.

Features

• Re-wrote client control page to be server-side rendered. After initial build, display should be vastly faster
• Client control coverage is now computed in the background and cached for 10 minutes
• Aadded more robustness to Task Monitor exception parsing
• POA&M, CCI, and Control raters are now rendered on the server side. This should greatly increase the loading of certain aspects, like related data.
• Small redesign of Client/Location/Machine details pages
• All machines list is now searchable by machine name/short name/location/OS/family
• Scan list and location scans list are now searchable

Fixes

• No longer default Django DEBUG to on
• Remove OOB for machine list search (fixes JS console error)
• When a client's controls are not found in cache, still return user to correct page after build
• Searching for just a number in the CCI rater now works as you'd expect. IE, just typing "366" correctly returns just CCI-000366.
• Corrected how saving history works during a rebuild
• Corrected Xylok Manager to work with Python 2 again
• Show Benchmark check IDs in benchmark detail print view

Benchmark Changes

• Added time limits to PP code
• Populated IIS 8.5 Server and Site STIGs v2r2 after constant pressure and bullying from the work list.
• Added another SID to Windows User translation PP util.
• Added HPCom OS cmds to Infrastructure L3 Switch STIG v8r29.
• Updated Cisco IOS Switch L2S STIG v2r1.
• Added 4 well known SIDs to Windows User translation PP utility.
• Updated APPNET0066 PP of PS command in Dot Net Framework STIG v2r1 to correct bad regex issue.
• Updated MS Windows Server 2012 DC/MS STIGs v3r2.
• Updated MS Windows Server 2016 v2r2.
• Updated Windows 10 STIG v2r2.
• Updated Windows Server 2019 STIG v2r2.
• Updated Windows Defender AV STIG v2r2.
• Added Windows Server 2019 support to OS Baseline
• Solaris 11 command updates
• Added basic support for Dell switches to Layer 2 Switch SRG
• Scraper: Added benchmark zebra_android_10_cobo_stig, added version v1r1
• Scraper: Added benchmark zebra_android_10_cope_stig, added version v1r1
• Scraper: Added benchmark tm_tippingpoint_ndm_stig, added version v1r1
• Scraper: Added benchmark tm_tippingpoint_idps_stig, added version v1r1
• Scraper: Updated benchmark samsung_sds_emm_stig, added version v1r2
• Scraper: Added benchmark ms_scom_stig, added version v1r1
• Scraper: Updated benchmark layer_2_switch_srg, added version v2r1
• Scraper: Updated benchmark juniper_router_rtr_stig, updated version v2r2
• Scraper: Updated benchmark windows_server_2019_stig, added version v2r2
• Scraper: Updated benchmark windows_server_2016_stig, added version v2r2
• Scraper: Updated benchmark windows_defender_antivirus, added version v2r2
• Scraper: Updated benchmark windows_2012_ms_stig, added version v3r2
• Scraper: Updated benchmark windows_2012_dc_stig, added version v3r2
• Scraper: Updated benchmark windows_10_stig, added version v2r2

v2021.06.2 (2021-06-16)

Fixes

• Only mount /etc/passwd when using Docker and a custom UID/GID, Podman nicely creates the container user for us.
• Corrected Xylok Manager to work with Python 2 again

v2021.06.1 (2021-06-15)

Major Features

• All Xylok components now run inside a single container. This simplifies supporting both Docker and Podman. In addition, it has allowed for more robust process supversion to be put in place, ensuring failing components restart automatically. The impact on user installations should be minimal. The only caveat to this is the renaming of CPU/memory limit settings. See https://www.notion.so/xylok/Security-91146958a092412696696eee2d665260

Features

• Duplicate scan errors are much prettier
• Make Posix scripts world-readable at the completion of the script, rather than making requiring the end user to fix it
• Error pages are correctly styled and display friendlier error messages. For logged-in users, the stacktrace will be displayed for easier debugging (hidden for anonymous users).
• Sidebar now sticks in the same place when scrolling
• Default to showing more lines in output during analysis
• Commands now have a "Show full command" link at the end of the truncated one of the command is too long to fit on the page. Also has a "collapse command" option once it's expanded

Fixes

• Powershell collection script now shows output location at end of script
• Ensure comments and finding details do not contain invalid characters for XML
• Downloads on the task page should correctly continue to refresh
• Corrected error display for errors with a ':' in them
• Downloads which complete before the task monitor page loads should still download properly
• Show a nicer download link in case downloads do not start automatically.
• Increased ready check retry count to 120
• DB and Redis ready now gets checked for all commands--and the DB check works even if the DB isn't configured yet
• Remove old docker-compose files from existing installations
• Allow non-root UIDs to work with matplotlib
• Remove unneeded Python libs for production installs

Benchmark Changes

• Added basic support for Dell switches to Layer 2 Switch SRG

v2021.05.2 (2021-05-20)

Fixes

• Fixed Python 2 compatibility during installation and added testing to check against all supported versions of Python

Benchmark Changes

• Corrected scraped benchmarks which lacked check contents.

v2021.05.1 (2021-05-17)

Features

• Task monitor page has been rewritten to report errors more nicely
• Several pages should load more quickly and reliably, with less network traffic (rendering has been moved server side)
• Added search and paging to client listing page

Fixes

• Small fixes to systemd unit file. There may still be an issue with RHEL 7 and Podman 3.
• When booting, Xylok components will attempt to wait for the database and redis to be fully ready
• Added redis to DB start script, since both those backend services might be needed independently of the scanner.
• Don't eat user messages on task waiting page
• Note that podman 2 mode also covers podman 3
• Scan comparison fixed
• Corrected issue with check links in analysis items
• Cleaned up several unused JS files

Benchmark Changes

• All PP now notifies that it completed successfully
• Updated PP for RHEL and windows machines to collect data needed for PPSM.
• Commands/PP added for VMWare vSphere 6.7 ESXi, Virtual Machine, and vCenter STIGs. All v1r1.
• New commands for Solaris 11x86
• Updated MS Office System 2013 v2r1.
• Updated MS SQL Server 2016 Instance v2r3.
• Update MS Windows DNS 2012 v2r2.
• Updated Google Chrome v2r3
• Updated McAfee VirusScan Enterprise 8.8 Local (v5 r16) and Managed (v5 r21) to combine commands & PP.
• Updates for IIS 10 Site & Server STIGs v2r2.
• Commands/PP populated for IIS 10 Server & Site STIGs, both v2r1.

v2021.04.1 (2021-04-21)

Major Features

• Always add Xylok OS Baseline to scans. This fixes the requirement from the previous update that all users must manually add the OS Baseline to their machines to activate the automatic data import. As a part of this:

  • All licenses and installers get xylok_os_baseline bundled in. To see the new benchmark, you may need to update the license in Xylok. If you have any issues, please contact Xylok support.

• A PPSM in two formats can be generated using port information gathered by the Xylok OS Baseline. The new report is available under Reports -> Ports, Protocols, and Services Matrix. The data will start being populated the next time a scan is performed. If you need a PPSM in a different format, please contact support@xylok.io

• CKL import will now automatically add IP/MAC addresses and host name if they are in the scan.

• Users will now be notified if the OS they have entered for their machine does not match the OS found in the baseline scan. (Windows and RHEL only so far)

Fixes

• Xylok will now correctly start automatically on system boot.
• CKL exports will now more reliably include all available check data. Previously, CKLs might ignore some data if the data was from an older version of a check, but this created issues with transitions between benchmark releases.
• Correctly mark no-longer present versions of benchmarks as 'not ready'
• Fixed machine info alerting when the new value is empty.

v2021.03.2 (2021-04-01)

Quick-turn release to fix two issues.

Fixes

• Cleaned up migration missing warning
• Corrected scan multi-item edit and filter

v2021.03.1 (2021-03-26)

Major Features

• Added an automated "Machine Benchmark Status Report" under the Reports tab. This will generate a spreadsheet that shows the Stig Viewer score and Xylok score, separated for each benchmark, for every machine under a client.

• When importing a scan or running Post Processing, machine info can be automatically updated. If new information conflicts with old information, user can choose which to keep, or to ignore future suggestions. Can also undo ignoring suggestions. More QOL to follow.

  • To activate this feature, assign the Xylok OS Baseline to all machines you'd like to track

  • Currently, supported OSes include:

    • Windows 7
    • Windows Server 2012
    • Windows 10
    • Windows 8
    • Windows Server 2008
    • Windows Vista
    • Windows XP
    • Windows Server 2016
    • RHEL 5-8

  • Let us know if you encounter any issues or have any particular OSes you'd like support added for.

• Added package to log all Javascript errors and exceptions to the main logs, allowing for end-to-end debugging if support is needed.

• users can now use ./xylok logs to save a report of all the container logs.

Other Features

• Left/right buttons will no longer disappear when changing a scan items status
• Matplotlib will load quicker
• If a user changes a machine's location, the machine's scans will relocate to the new location as well
• Users will now be notified if a scan's location does not match the machine's location from the scan details page.

Fixes

• Support Docker 1.26 for healthchecks
• Recent location scans were adding duplicate of most recent scan rather than location scans with no machine (as intended).
• Location scan list was only displaying most recent scans, causing unexpected results. Location and Scan list now default to show all scans, and can also show most recent if desired.

v2021.02.3 (2021-02-24)

Major Features

• Xylok can now be hardened to more accurately match the Docker Enterprise STIG. See the "Security" page of the new version of the manual for more details, but included features include:

  • Health checks for all containers (always on)
  • Container restart policy (configurable)
  • Bind interface (configurable)
  • Enabled "no-new-privileges" security option (always on)
  • Components can run as non-root users inside containers (must be configured, see security guide)
  • Containers run with read-only filesystems (always on)
  • CPU and memory limits (configurable)

• There is now a "logs" subcommand for xylok-manager.py, which fetches all the container logs with a single command. This should help with debugging issues on customer installs.

Other Features

• Log Django requests and exceptions at a more detailed level, which will allow those details to be included in the container logs.
• We no longer prompt about upgrading benchmarks. Use the "--no-benchmarks" flag if skipping the upgraded benchmarks is needed.

v2021.02.2 (2021-02-17)

Major Features

• Active Directory sign in is available for users who want to log in using Windows Server or Microsoft Azure:

  • NOTE: Please reference the updated documentation for details on how to implement this feature for your system.

• Scan details page has an option to filter items by "interview", showing only items that have interview question to answer.

• Scan Details page shows a progress bar to show how many items are reminaing for that scan (unreviewed/needs manual review).

Other Features

• Users can specify AD_CHECK_CA (True/False) to either bypass the Active Directory certificate check or have Xylok use their certificate file.
• Users can login using the form method when AD sign in is enabled.

v2021.02.1 (2021-02-04)

Major Features

• Scan analysis pages now hides the less pretty version of the Xylok recommendations and instead have a more obvious way to apply those recommendations.

• There's now options for managing automatic analysis (AA) data, the markings Xylok uses to match up old compliance information with new data when you import scans:

  • AA data can now be copied over to a new or existing family
  • Users can now use a scan as a 'baseline' for AA for a machine family, essentially updating all the AA items to use the findings from that scan
  • Admin page now has a filter to show AA items by family, enabling deletion of AA data for families. AA data copy to new family now copies check command sets correctly.
  • From admin page, can filter (and therefore delete) AA items by benchmark as well now.

Other Features

• STIG titles no longer have to be unique, allowing for easier migration when forced by DISA
• Controls page now shows filtering options by control groups in navigation pane. Hovering a control group abbreviation in the sidebar will show the full group name.
• Added a navigation pane for more pages.
• Benchmark questions can now have more strict structure. Existing answers are unchanged, but this will allow Xylok to enforce better answers going forward.
• Allow commands to be ordered within a runner.

Fixes

• New users can successfully switch/select clients
• POA&M no longer includes N/A rows
• SCAP import handles duplicate STIG titles more correctly
• If there is no data in the installer, don't attempt to load it. As a consquence, we can now allow the installer to bail if importing data does fail.
• No longer show Matplotlib debugging output

v2021.01.1 (2021-01-04)

Other features

• PP recommendation functions can now take both an issue list and a header for that list

Fixes

• Clients with fully completed task lists wwill no longer redirect to the login screen.

v2020.12.1 (2020-12-30)

Major Features

• Export/import of client control ratings updated to include all date information and POA&M status
• Users can now import CKL data into Xylok
• A "new client checklist" will now appear when a new client is created. If you've used Xylok before, go to the checklist and hit "Mark All Complete."
• Poam rater can now have multiple items edited at a time.
• Multiple edit for scan details page, allowing quickly changing status and comment of multiple analysis items.

Other Features

• Store alternate benchmark IDs in database, allowing migration over time when DISA changes benchmarks.
• Allow commands to be ordered within a runner. From a user's perspective, this should result in more consistent analysis displays.
• Added instructions for gaining privileged access on switches and logging using SSH
• New versions of benchmarks no longer default to customer ready. This should allow Xylok to wait to release new versions until commands have been added for new benchmarks.

Fixes

• Xylok manager now correctly determines relative path to files, fixing some CLI usage issues.
• Interview OS devices (ie, printers) now correctly skip producing an actual script. This mostly caused confusion because printers would have a generated script.
• Fixed a bug where NewClientChecklist was initializing incorrectly.
• Correct customer databases to merge various duplicate/renamed benchmarks. Notable among these are Firefox and the voice and video services STIGs
• Control rater was not allowing controls to become compliant again thanks to old CCI rating data. That's fixed now, only the most recent CCI ratings will be used
• Client Dashboard and New Client checklist no longer return error with no Client or if CCI's haven't been built.
• CKL import should more reliably find matching benchmarks
• Fixed benign error message near end of installer output

v2020.10.1 (2020-10-22)

Major features

• Users can now import SCAP results into Xylok
• A client's POA&M can now be managed directly within Xylok, allowing dates and comments to be tracked. Changes are timestampted in the database, laying the groundwork for reviewing changes over time. The generated POA&M Template will integrate any changes made on this POA&M manager.
• CCI and Control raters store changes over time, allowing for review of changes over time.
• An integrated Client Dashboard is now available under the Clients menu. This dashboard includes configurable graphs to show changes over time.
• Benchmark editing is now performed outside the main Xylok Scanner web interface. Benchmarks are tracked in an external repository to allow for more flexibility in tooling and testing. A plan will be developed to transition organizations that currently edit benchmarks internally to the new tools.

Other Features

• Added filter for "needs manual review" on the scan details page. Added new icon for "needs manual review".
• Xylok manager will return return code from commands run via exec
• Podman 2 rootless mode is now more fully supported.
• Old benchmarks can now be more cleanly hidden from view, but still exist for purposes of old scans.
• During install, perform cleanup of old Xylok images based on image tag. This removes the need for an all-or-nothing image prune call. As a consequence, upgrades will no longer prompt for confirmation.
• Benchmarks are tracked by a Git commit ID, allowing upgrades to complete more quickly if a given benchmark hasn't been updated.
• Moved to HTML based help documentation.
• Xylok default users are no longer bundled into installs.
• Redis will persist its database across upgrades, allowing users to stay logged in
• Ability to enable/disable using 'unready' versions of benchmarks. Defaults to disabled.
• Added benchmarks and admin user CLI flags to installer
• Added support for .tar.gz, .tar.bz2, and .tar.lzma files in import
• Simple page to grab authentication token for use with external tools using the Xylok API.

Bug fixes

• Detect Podman version 2 correctly
• Detect even more odd builds of Docker
• Default to debug off for local installs
• Importing a client from JSON correctly saves RMF overlays.
• POA&M now properly only includes non-compliant rows
• Support OSes that ship with a base64 that does not support newline-terminated inputs. (RHEL 5 is notable here).
• Bulk processing now links back to machine/location scan list. Select all and select page are now options
• Proxy now has access to certificates on host again

v2020.08.2 (2020-08-10)

• Small speed improvements in Xylok Manager
• Docker 1.13 supported

v2020.08.1 (2020-08-07)

• Xylok now supports both Docker and Podman.

  • CentOS 8/RHEL 8 support should be much better using in-repo Podman.
  • Podman 1 in root mode should work correctly.
  • Podman 2 and rootless modes has not been tested as much.
  • Systemd is needed to auto-start Xylok on boot. Xylok Manager's "systemd" subcommand can help manage the service file.
  • All Podman installs should be treated as experimental--please contact support if you encounter any issues!

• human_id is now accessible to post-processing scripts by using "ctx.human_id"

• Post-processing scripts can mark an item as "needs manual review" to make it obvious the data was looked at by the script, but a determination is impossible without more information. Reports treat this status the same as "not reviewed."

• Upgrade Django to 2.2 LTS.

• Remote databases are now supported for standalone installations. IE, an AWS RDS Postgres instance could be used.

• Better handling of volumes under SELinux (even when using Docker).

• Machine scan listing is now correctly paginated.

• Self-managed user password changes.

v2020.06.3 (2020-06-30)

• User may now set http and https port manually before install using --http(s)-port flag

v2020.06.2 (2020-06-26)

• Scan list now has checkboxes to select multiple scans for deletion/auto-analysis/post-processing.
• Added ability to specify listening ports via HTTP_PORT and HTTPS_PORT in /etc/xylok.conf. See Manual for more information.
• Embeded docker-compose updated to latest version
• Some delete form "Cancel" buttons have been fixed.

v2020.06.1 (2020-06-03)

• Proxy bind addresses set up to correctly issue certs in all cases
• Never require SSL from the Xylok web server, handle only on proxy side

v2020.05.1 (2020-05-21)

• Allow importing clients that have old version infomation stored
• Install defaults to production mode
• Show Caddy environment during boot
• Upgraded to release version of Caddy 2

v2020.04.2 (2020-04-22)

• Always set PATH for Windows batch scripts (should help systems that have had powershell removed from the path)

v2020.04.1 (2020-04-16)

• Now using Caddy as the reverse proxy, unifying all deployment types under the same server.
• Proxy now hosts most static files, reducing number of containers in use (and a small reduction in disk usage).
• Caddy requires a common name in certificates. If a certificate does not match this requirement, it will be moved in /opt/xylok/certs to allow Caddy to still run using a self-signed certificate.
• Additional HTTP security headers enabled for local installs

v2020.03.3 (2020-03-25)

• Docker helper scripts have been overhauled, fixing some issues and adding some flexibility. General usage has not changed.
• Docker helpers run commands as the current user, avoiding some permissions issues that might arise.
• import-data.sh CLI allows automatic analysis to be run immediately, see updated manual.
• Updated Xylok manual with instructions for updated import-data.sh
• PP moved into core application. Brings a massive speed improvement at the possible cost of stability. Postprocessing speed more than doubled, bulk processing updates are more quickly applied to the database.
• As a result, there will no longer be a separate "postprocessor" Docker container. It should be automatically removed during the upgrade.
• Added support for additional string outputs from PP. Currently does nothing, but in the future these may be shown as additional columns on spreadsheets or other reports
• Build image no longer warns about Docker if it is not in use for that build step
• Build licenses, images, and benchmarks as separate parts
• Profiling features and support for internal use

v2020.03.2 (2020-03-10)

• Frontend correctly responds to requests again

v2020.03.1 (2020-03-10)

• CKL production has numerous fixes:

  • 'rule names'. Not all STIGs will work correctly, new data can only be pulled from some STIGs.
  • Severity values are correct now, so all Cat I/II/III tabs will populate correctly.
  • CKLs are built into a location-based directory structure

• Bulk postprocessing of small scans (less than 100 items) will now succeed

• Updated benchmarks are pulled in correctly again

v2020.01.3 (2020-01-23)

• Fixed technical likelihood not saving on CCI rater
• Fixed Traefik 2 not working with HTTPS. This fix includes forcing all clients to redirect to HTTPS--if this causes problems for your organization contact support@xylok.io

v2020.01.2 (2020-01-22)

• Fixed technical items not appearing on CCI rater
• Moved to Traefik 2 as a proxy for local installations
• Added CCIs to several benchmarks that did not have CCIs from DISA or that tied to RMF rev 3, including Cisco Firewall, JRE 7, and some RHEL 6 items.

v2020.01.1 (2020-01-13)

• Updated AFSPC A3/6 MAD
• Fixed post processing timing out on large scans
• Copying question answers when the 'from' scan does not contain all the benchmarks of the 'to' scan now succeeds

v2019.12.1 (2019-12-14)

Bug Fixes

• Copying question answers when the 'from' scan does not contain all the benchmarks of the 'to' scan now succeeds
• Bulk Postprocessing for large scans will no longer timeout
• If a 40X error is encountered by the PP test script, it now shows the response body
• Benchmark importer does not die on XSL files
• More reliably only stop existing install if the stop script actually exists
• Warn when showing raw output on PP tab during analysis
• Correctly end Airtable upload loop
• Benchmark version comparison no longer duplicates changed/removed entries

Features

• Benchmark changes are now pushed to tracker for easier management

Infrastructure Refinements

• Limit benchmark update time to 30 minutes
• Make working with empty PP output more consistent

v2019.11.1 (2019-11-13)

NOTE This version will upgrade your system to Postgres 11. A special backup will be created as a part of this process. Please contact Xylok if you encounter any issues.

Bug Fixes

• Severity value displays correctly on benchmark listing (internal value was correct)
• Question editing corrected
• OSes not selected warning fixed for when only tags are in use
• Updated all use of version/release numbers to support string versions
• Ensure selects with no key or os tag are still correct
• Only Xylok production will attempt to send errors to central logging
• Runners are loaded correctly for command verification
• Note in the check search that regex is supported
• Check searches with incomplete regular expressions will now be treated as plain strings
• PP error helper grammar fixed
• Base64 works on systems that do not support base64 --decode
• PP audit helper handled blank case and correctly marks "no rules" case as noncompliant
• eMASS TR fixed following other internal changes
• Control rater CCI definitions included again
• Bug with control rater rebuilder related to assessment number corrected
• Risk rating from MAD not being included in CCI dump

Features

• Added separate vCenter OS(es) to reduce the confusion around using "ESXi" when collecting data on a vCenter server.
• Added versions.sh script to utilities, allowing for easy confirmation of the version numbers of components in Xylok
• Xylok web displays long benchmark IDs appropriately
• Pointed file importer to new XML processor
• CIS and DISA XCCDF imports run through a merge operation into the original JSON in Xylok
• CIS and DISA benchmark conversions to JSON fully supported
• When Xylok service(s) are not availble, try to die with a nicer message
• Interview and user-editable answers are now easily copied from scan to scan
• Stacked scan info more closely together to save space
• Show scan descriptions on various lists
• Scans can now have a description set to help differentiate scans
• Control ratings can now be imported and exported independent of the remainder of the client configuration
• Windows Server 2012 no longer depends on subinacl and dumpsec
• CCI rater rebuild now applies automatically compliant/NAs from MAD
• Add audit module to PP docs
• PP new check_audit_lines() helper is available
• PP audit helper functions added
• Seaching and filtering for new columns in CCI rater
• CCI rater modal links to CCI page
• New-style CCI rating calculator complete
• New CCI rater modal layout
• Manual has a new section for working with ESXi/vCenter

Infrastructure Refinements

• pgcli multistage build
• pgcli moved to Python3
• Moved to Taskfile for task management
• Less noisy DOCKER_HOST initialization
• Always pull base image again
• Build custom pgcli image
• Build custom version of Redis image
• Whitenoise uses Django finders to locate static files
• Whitenoise 4.1
• Multistage PP image build
• Simplified black configuration
• Optomized core Docker image for size
• Machine and location commands are retrieved via access layer
• Clean up unnecessary imports
• Sped up most integration tests
• Always clear caches on DB initialization
• Test for exporting ISO
• Tests for client importing and exporting
• Fixed STIG XML importing during automatic updates
• Customized Postgres 11 image
• Migrate raw risk comments to technical comment field

v2019.09.2 (2019-09-10)

Bug Fixes

• Handle no scan being supplied to PP processor
• Handle blank PP scripts more gracefully

Features

• PP tester script can now accept scan and client JSON for more involved scripts
• More informative error messages for PP stack traces
• PP script errors are reported with line numbers closer to the real location (should only be offset by 1 line)

Infrastructure Refinements

• After finishing disk cleanup, show resulting free space
• Use Kaniko to build main builder image

v2019.09.1 (2019-09-06)

Benchmarks

• Windows Server 2019 has been updated with commands, please report any issues you encounter!

Bug Fixes

• Fixed an issue with context.raw not always returning the correct value
• PP with blank raw_output works again
• Fixed a speed regression with PP and the new options available to scripts
• Pager-based filtering corrected to work with all pages
• Sorting on special columns (risk, category, status) works as expected now
• Allow 255 characters for benchmark IDs and short titles
• Normalize benchmark ID when importing SCAP content
• Use the benchmark ID as the short title if the normal title is too long
• When clicking copyable text, ensure the scroll position doesn't change.

Features

• Added new SIDs for resolve_sids
• Benchmark list included in SAR
• Added ability to export the SAR data as a JSON file
• Added Lenenshtein Distance algorithm as PP helper
• Clients can now be marked as classified (in a future release, this will allow reports to be marked appropriately)
• Postprocessing documentation updated with context information
• New Context object available for PP to use, which includes smart properties for common PP needs
• Hovering over a command in analysis shows the PP script in use (if any)
• New context variable to PP scripts carries additional information without adding to the global namespace
• PP now has much more data available to it.
• Bulk processing of a scan's PP should be faster in some circumstances.
• Results listing shows PP output if available
• CCI rater now uses a fancy search box that can take multiple conditions and negations
• Allow search entry via query builder OR direct input
• Removed old filter headers on CCI rater
• Support "has:" queries in fancy search
• Increased the size of the CCI rater modal text boxes some

v2019.08.1 (2019-08-06)

Bug Fixes

• Preemptive fix to avoid poorly constructed benchmark helpers from breaking building scripts.
• Error if no data config is given for a spreadsheet column
• Autofit gives a bit more room
• HW report widths fixed
• eMASS TR formatting fixed to focus on results more
• Fixed wrapping on machine report
• eMASS TR now has blue "results here" and autofiltering by default. Closes #146 and #145
• Conditional formatting location adjusts with additional columns
• During base control wrap-up, N/A controls no longer affect the parent control's status
• Newline in checksum file
• Build SAR System Control Risk Distibution off full control list including enhancements, not just base
• Individual names for checksum files
• SAR Baseline Control Review CCI C/NC/NA/etc counts corrected
• SAR Base Control Review comments for NAs are more appropriate.
• Control rater now prioritizes compliance status by NC > C > NA CCIs. I.E., if there's a conflict then the highest rating wins.
• SAR Base Control Review has spaces added for status now
• On SAR CCI&AP tab, statuses now include spaces

Features

• Conditional formatting for findings spreadsheet
• Colors for SAR ratings
• Added conditional formatting for POAM Severity and Residual Risk columns
• Impact Description can be included on POA&M (just a blank placeholder)
• Added more POA&M options: Rule ID/STIG ID and the ability to include items without an AP
• POA&M now has an options page that allows adding blank lines to template. Closes #142
• Added a Control Review worksheet to the tab, which covers all controls including enhancements (in contrast to the Base Control sheet)
• Added System Control Risk Distribution chart to SAR
• Control Rater default comments are now built off NAs and Compliants as well
• Allow filtering for NAs on CCI and control rater
• If the CCI Benchmark for a CCI is marked as Not Applicable, the associated CCI will also be marked NA regardless of other data.
• Include Not Applicables on CCI rater modal items
• If a NIST CSF category is an "unknown" risk (probably compliant), call it Compliant on the NIST CSF SAR tab
• If a CCI has no mitigations, state that rather than having a blank commet in the default comment

Infrastructure Refinements

• Use fully qualified Docker image tags for installers for increased Podman/Docker interoperability
• Removed mypy dependency
• Moved all conditional formatting into helper functions
• Documented spreadsheet_builder
• More consistent internal name for spreadsheet config items
• SAR moved to spreadsheet builder
• FARR spreadsheet moved to helper
• Moved HW report to new spreadsheet helper
• Moved Individual Findings Spreadsheet to new builder
• POA&M and Scan Comparison moved to new spreadsheet generator helper

v2019.07.2 (2019-07-17)

Features

• Show OS on machine page
• A default comment can now be built for the control rater. Use control rating default comment in reports if a manual comment is not set
• Added implementation guidance from MAD to CCIs. Hot loaded on demand
• Better description of Control Rater comment purpose
• Show default comment on control rater if there is no other comment
• NC3 overlay updated
• Control pages show deprecation/withdrawn warnings

Benchmarks

• Tomcat benchmark built
• SQL Server 2008 R2 working from Server 2008 (Using SQL Server 2012 STIG)

Bug Fixes

• Client controls and CCIs are filtered by withdrawn/deprecated status
• POA&M now uses Rule ID and skips item without MAD entries by default
• "Tranditional" misspelling fixed
• POA&M now includes only emass-only columns
• Label the FARR Risk as such in the individual findings spreadsheet to avoid confusion
• Firefox control overlay formatting
• If AA data can't be imported for any reason, skip it without dying on remaining data
• Don't die if there's no exception to report in a JSON call
• eMASS TR control names have no spaces in them
• It is now possible to click the actual overlay row instead of just the links
• "Medium" renamed to "Moderate" in all applicable cases
• On POAM, all severity/impact strings use spaces instead of underscores
• SAR risks/etc have underscores replaced with spaces

Infrastructure Refinements

• Checksum file is more simply named
• Corrected hash file format

v2019.06.12 and v2019.07.1 (2019-07-06)

Infrastructure Refinements

• Installer can now be pushed to ShareFile

v2019.06.11 (2019-06-26)

Bug Fixes

• Firefox control overlay formatting
• If AA data can't be imported for any reason, skip it without dying on remaining data

v2019.06.10 (2019-06-21)

Bug Fixes

• Findings JSON generation no longer complains about UUIDs

v2019.06.9 (2019-06-20)

Features

• Added "machines" column to POA&M
• Added FQDN to JSON findings

v2019.06.8 (2019-06-19)

Features

• Added machine and location ID to finding JSON

v2019.06.7 (2019-06-19)

Bug Fixes

• Only benchmarks available in a license are shown in the benchmark list
• Cache clear command works
• "Eventually" has arrived
• Report generation script as JSON

Features

• Networkparse 1.6.5
• JSON export of individual findings
• Individual findings JSON can be built quickly from the command line

v2019.06.4 (2019-06-09)

Bug Fixes

• Scale workers correctly again, now that zombie workers are corrected
• Keep trying worker names until one works, fixing workers dying early

v2019.06.3 (2019-06-07)

Bug Fixes

• Use command -v instead of which in POSIX and CSH environments. Fixes an issue with Solaris 10

v2019.06.1 (2019-06-05)

Bug Fixes

• MySQL scripts can be generated

Features

• PP scripts run in a function now, allowing them to return early
• Updated NetworkParse to 1.6.4

Infrastructure Refinements

• Only run a single worker until name duplication issue can be resolved

v2019.05.9 (2019-05-30)

Bug Fixes

• Handle non-UUID case in patching benchmarks

Features

• NetworkParse 1.6.1

Infrastructure Refinements

• Removed applications from the DB

v2019.05.8 (2019-05-22)

Bug Fixes

• Skip loading benchmarks if they don't exist in installer
• When building installers without a complete installer, don't die
• Handle diffs requests that have JSON files that are not in the DB

Features

• Easier method of extracting benchmark changes from last update

Infrastructure Refinements

• Check for new STIGs every hour

v2019.05.7 (2019-05-21)

Bug Fixes

• Added FortiOS to application fixture
• Only show overlay if dragging files, not text

Features

• NetworkParse v1.2.0
• Show OSes in command table row
• Benchmark metadata is always loaded and placed in store, making page transitions faster

v2019.05.6 (2019-05-16)

Bug Fixes

• When the user is not logged in, don't show file drop indication
• Importing clients with incomplete control ratings now works
• If rule ID isn't available, use stig id for checklists
• When exporting Checklists, use Rule ID

Features

• Added FortiOS (Fortinet networking OS)
• Better error handling on uploads
• SPA pages now support drag-and-drop file upload of multiple files
• Added RSS feed of STIG changes
• Allow specifying the starting url for a benchmark scrape
• Updated benchmark scraper to use new DISA cyber.mil site
• Rule ID now stored in DB and there is a way to import them using DISA XML

Infrastructure Refinements

• On connection/download errors, don't leave the link as marked

v2019.05.5 (2019-05-13)

Features

• Added flag to PP testing script to ignore SSL errors, useful for self-signed certs

v2019.05.4 (2019-05-13)

Infrastructure Refinements

• Updated NetworkParse documenation to the latest version

v2019.05.3 (2019-05-10)

Bug Fixes

• Only create pwsh directory if we're going to actually extract powershell
• No longer need to create symlink for powershell, the script itself will create an alias if needed
• Supress some PS errors and allow it to work properly on systems with Powershell Core only (pwsh vs powershell)
• Less noisy PS extraction
• ISOs with multi-extension files work
• ESXi from PS now uses correct env
• Include updated OS and execution environment info in fixtures
• When setting up PowerCLI, use system-specified PathSeparator
• Ensure benchmark cache is cleared on imports of JSON

Code Refactoring

• ZIP and ISO production use the same method for folder creation

Features

• PowerCLI Environment for ESXi
• PowerCLI helper in place
• Helper assignments can be import/exported
• Metadata for benchmarks is easier to read and shows information about runners/oses

v2019.05.2 (2019-05-02)

Bug Fixes

• CCI rebuilding will load data correctly at completion
• Recommendations and control adds/removes/overlays included in export
• Include control number in ratings for client exports

v2019.05.1 (2019-05-02)

Bug Fixes

• CCI ratings showing under Control Rater modal
• Don't show pager while loading cci/control ratings
• POA&M generation errors
• DISA Scrape no longer breaks on XML that is not a benchmark
• File importer redirect
• CCIs in benchmarks will now import correctly
• Client controls load properly
• ControlRating migration name issue
• No longer include controls in installer
• SAR generation with new CCI ratings
• Control Rater sort order
• Control Rater default sort
• Control Rater rebuild button
• Control rating page and SAR generation working with new control rating table
• Indexed check CCI numbers
• When searching for ONLY a control group, don't search other text
• PDB left in test
• SE family sorting into the middle of SC
• Link back to benchmark from check
• Allow changing versions in comparison
• Allow access to the homepage when not logged in. Oops.

Code Refactoring

• CCIs eradicated from StigCheck
• Function documenation
• Removed numerous old STIG change components

Features

• Use new benchmark diff across the board
• Benchmark diff remade as SPA
• SPA homepage used for all home-page links
• Homepage is now SPA

Infrastructure Refinements

• CCI rater moved to same format as control rater
• Controls and CCIs completely removed, migration not applied to remove columns yet
• Dependencies upgrades

v2019.04.18 (2019-04-18)

Bug Fixes

• Title in benchmarks hides on small screens (short title still visible)
• When not authenticated, don't fail on removing commands from metadata
• Dynamically show/hide pager on all pages using it
• Check links and JS errors when no benchmarks are visible
• Allow anonymous users to get background task information
• Benchmark check paging is actually used for table
• Benchamrk CCIs listing/editing corrected
• Don't show Extras in control list
• Hide withdrawn controls on control list (can still be viewed)
• CCI searching
• Scroll position between SPA pages should be more natural
• Increased number of items on pages
• Use RMF JSON rather than DB for client control determination
• Cross-domain overlays corrections
• Never apply text-based AA to CCI benchmark
• Background task errors have red alert again
• Background exception error handling
• OVAL importing

Code Refactoring

• Removed unneeded template files for controls
• Additional old control pages removed
• Controls no longer have separate group pages
• Removed dependence on RMF controls in DB for reporting
• Removed dead system import/export code

Features

• From SPA pages, directly go to client selector
• Use new SPA benchmarks page
• CCIs can now be searched by related RMF controls
• Load metadata locally to benchmark list, not into Vuex
• Benchmark list is now dynamic, although too slow to use
• Paging added to benchmark checks
• Show benchmark name on check
• Overlays now use SPA exclusively
• Overlays now have SPA page
• When CCIs are loaded, RMF related numbers are normalized
• CCIs now have SPA page available
• Controls are now handled by SPA
• RMF controls are now searchable and paged
• JS Control browser built, not yet default option
• Sentry is now used for error recording rather than Rollbar
• CCI benchmark is now marked NA based on the client control set.
• AA data import now available, upload using the normal fields
• Automatic analysis data can be export for a benchmark from the same location as normal benchmark exports

Infrastructure Refinements

• Sorting, searching, and paging support all moved to pager mixin
• Metadata is produced much more quickly when not in cache
• Removed benchmark files to make searching clearer
• Removed client.rmf_controls
• Removed dependencies on client.rmf_controls
• Rollbar removed

v2019.04.1 (2019-04-04)

Bug Fixes

• Re-enabled coverage information for controls
• Removed duplicate CCI entry for CA-1
• Client selected controls working again
• Don't double-request benchmark when benchmark page first loads
• PP docs not loading in Python 3.7
• More likely to find the "useful" error message in the string exeception info
• Better handling of in-progress statuses

Code Refactoring

• Removed PP browser, instead we point to generated docs

Features

• Control list loading speed improved by nearly 50%
• Benchmark loading happens in background
• Removed need to rebuild scan and benchmark caches during install
• Full traceback available for failed tasks (for logged-in users)

Infrastructure Refinements

• Testing around comparisons put in place
• Consolidated async network handling and downloads
• Local installs should spawn more workers. Defaults to 4, but can be configured in /etc/xylok.conf
• K8s will now run worker correctly
• Moved from Celery to Python RQ to support Python 3.7 and allow better task management
• Moved entirely to Poetry from Pipenv
• Moved to Python 3.7
• Removed unused benchmark_api
• Numerous changes to control access internally

v2019.02.7 (2019-02-27)

Bug Fixes

• Scan comparison should be more reliable
• Scan comparison now automatically performs a compare when both selections are locked

v2019.02.6 (2019-02-21)

Features

• Include changelog in docs index

Infrastructure Refinements

• Easier method of building release notes

v2019.02.5 (2019-02-21)

Bug Fixes

• PathPrefixStrip for docs to allow them to load correctly in standalone installs
• Change log section titles for changelog

Infrastructure Refinements

• Specify limit and request for all memory on K8s

v2019.02.4 (2019-02-21)

Infrastructure Refinements

• Installers built in tagged directories now and make installer names more straight forward
• No longer deploy on tags, only master

v2019.02.3 (2019-02-21)

Features

• Build release notes and automatically push them