
Security and Hardening

System Components

Xylok relies on Docker or Podman for its operation; see Requirements for more information. All updates to the container images should be done via a Xylok-supplied install script. Every new build of a Xylok container includes a container image based on the latest revision of the python:3.9-slim-bullseye image. All Xylok images on your system will be tagged with a name that starts with registry.gitlab.com/xylok.

note

As of this writing, the base image is Debian Bullseye (Debian 11). Internal services include Postgres 13, Redis 6, and Nginx 1.22. Because new revisions are pulled with every build, the exact version numbers of the above items can be pulled from the locally installed Xylok copy using the version.sh utility script.

Other host-environment components may be updated at any time by your organization, including operating system packages and Docker/Podman itself. If you encounter an issue after updating the host system, contact us and we can assist in determining the conflict and fixing Xylok to work with the new version.

Container Hardening

Xylok can be configured to more closely match the Docker STIGs, if needed in your organization. Some items are configured by default, notably:

  • Health checks
  • Read-only file systems in the container
  • Containers have no-new-privileges set, to prevent elevating privileges from inside the container.
  • Containers use a non-root user, the host's xylok user (this user should be automatically created by the installer)
  • Containers have an explicit "no" restart-policy, avoiding the denial of service attack discussed in the Docker Enterprise STIG.
  • Search engine indexing is disabled by default, so publicly-accessible Xylok instances should not be indexed by the major search engines. See Google's documentation for more information.
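
An added example (not Xylok's own tooling) that checks the container-level defaults listed above against `docker inspect` JSON for containers whose image name starts with registry.gitlab.com/xylok. The container names and image paths in the sample are constructed, the field names are the ones Docker reports (Podman output may differ), and the search-indexing item is not covered.

```python
import json
import sys

IMAGE_PREFIX = "registry.gitlab.com/xylok"  # tag prefix stated on this page

def audit(containers):
    """Map each Xylok container name to the list of default hardening items it fails."""
    results = {}
    for c in containers:
        cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
        if not (cfg.get("Image") or "").startswith(IMAGE_PREFIX):
            continue  # not a Xylok image
        failed = []
        test = (cfg.get("Healthcheck") or {}).get("Test") or []
        if not test or test[0] == "NONE":
            failed.append("health check")
        if not host.get("ReadonlyRootfs"):
            failed.append("read-only file system")
        opts = host.get("SecurityOpt") or []
        if not any(o.startswith("no-new-privileges") and not o.endswith("false") for o in opts):
            failed.append("no-new-privileges")
        if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
            failed.append("non-root user")
        if ((host.get("RestartPolicy") or {}).get("Name") or "no") != "no":
            failed.append("restart policy")
        results[(c.get("Name") or "?").lstrip("/")] = failed
    return results

# Constructed sample in `docker inspect` shape; names and image paths are hypothetical.
SAMPLE = [
    {"Name": "/xylok-web",
     "Config": {"Image": IMAGE_PREFIX + "/example-web", "User": "1001:1001",
                "Healthcheck": {"Test": ["CMD", "true"]}},
     "HostConfig": {"ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges:true"],
                    "RestartPolicy": {"Name": "no"}}},
    {"Name": "/xylok-db",
     "Config": {"Image": IMAGE_PREFIX + "/example-db", "User": ""},
     "HostConfig": {"ReadonlyRootfs": False, "SecurityOpt": None,
                    "RestartPolicy": {"Name": "always"}}},
    {"Name": "/unrelated", "Config": {"Image": "nginx:1.22"}, "HostConfig": {}},
]

if __name__ == "__main__":
    # Pipe real data in: docker inspect $(docker ps -q) | python3 audit.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, failed in audit(data).items():
        print(name, "OK" if not failed else "FAIL: " + ", ".join(failed))
```
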

If you encounter any issues with hardening, please contact Xylok support.

CPU and Memory Limits

See Configuration Options for all the LIMIT_* settings. There should be no large impact on functionality, unless limits are reduced below the recommendations.

Host Port Mapping to Non-Privileged Ports

Set HTTP_PORT and HTTPS_PORT to ports above 1024. See Configuration Options. Redirections from HTTP to HTTPS may fail with this configured.

Host Hardening

Additional controls may be implemented on the host system, such as SELinux and fapolicyd. If you are hardening the host system, there may be impacts on Xylok. Contact us if the sections below do not fully address your situation.

SELinux

Currently, we know of no particular modifications needed to support SELinux.

FAPolicyD

You will need to allow /opt/xylok/xylok-manager.py to run:

sudo fapolicyd-cli -f add /opt/xylok/xylok-manager.py

If this exception is needed and has not been added, the failure generally shows up at the end of installation: Xylok will attempt to call systemctl start xylok and then fail.