# Security

> Comprehensive security documentation for Xloud Platform — infrastructure hardening, VM isolation, API protection, data encryption, and compliance.

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Defense in Depth</p>

Xloud Platform enforces security at every layer of the stack. From hypervisor isolation and encrypted data channels to role-based access control and audit logging, the platform is designed so that the failure of any single control does not by itself expose workloads. This layered approach, commonly called defense in depth, means each security boundary is enforced independently of the others: an attacker who bypasses one control (a leaked API token, a misconfigured security group) still faces the next.

The sections below cover every security domain: infrastructure TLS, VM isolation, API authentication, data encryption, network segmentation, compliance frameworks, pre-deployment hardening, and troubleshooting.

***

## Xloud SIEM — Unified Security Operations

<CardGroup cols={1}>
  <Card title="Xloud SIEM" icon="shield-alert" href="/security/xloud-siem" color="#197560">
    The integrated Security Information and Event Management layer — Wazuh (HIDS), Lynis
    (auditing), and OpenSCAP (compliance) unified in the **Security Posture** and
    **Alerts** pages in Monitor Center. Start here for a single-pane view of the entire
    cluster's security posture.
  </Card>
</CardGroup>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Infrastructure Security</p>

<CardGroup cols={2}>
  <Card title="Infrastructure Security" icon="server" href="/security/infrastructure" color="#197560">
    TLS configuration for all platform services, certificate management, HAProxy termination, and endpoint hardening.
  </Card>

  <Card title="Hardening Guide" icon="shield-check" href="/security/hardening-guide" color="#197560">
    Pre-deployment OS hardening, service minimization, database and message queue hardening, and a step-by-step checklist.
  </Card>
</CardGroup>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Virtual Machine Security</p>

<CardGroup cols={2}>
  <Card title="VM Security" icon="cpu" href="/security/vm-security" color="#197560">
    Hypervisor isolation, security groups, vTPM, encrypted volumes, Secure Boot, anti-affinity, and live migration TLS.
  </Card>

  <Card title="Network Security" icon="network" href="/security/network-security" color="#197560">
    Security groups, FWaaS, port security, anti-spoofing, VLAN/VXLAN segmentation, and VPN as a Service.
  </Card>
</CardGroup>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>API and Data</p>

<CardGroup cols={2}>
  <Card title="API Security" icon="lock" href="/security/api-security" color="#197560">
    Token authentication, application credentials, rate limiting, CORS, RBAC policy enforcement, and mutual TLS.
  </Card>

  <Card title="Data Security" icon="database" href="/security/data-security" color="#197560">
    Volume encryption (LUKS), object storage encryption, key management integration, encrypted backups, and secure deletion.
  </Card>
</CardGroup>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Compliance and Operations</p>

<CardGroup cols={2}>
  <Card title="Compliance and Auditing" icon="clipboard-list" href="/security/compliance" color="#197560">
    Audit logging, log retention, SOC 2 / ISO 27001 / HIPAA / PCI-DSS / GDPR frameworks, and incident response.
  </Card>

  <Card title="Security Troubleshooting" icon="wrench" href="/security/hardening-guide" color="#197560">
    TLS errors, 401/403 authentication failures, security group rule issues, audit log gaps, and encryption failures.
  </Card>
</CardGroup>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Security Tools — Xloud SIEM</p>

These three scanners run in parallel inside Xloud SIEM. Their combined results appear in
the **Security Posture** and **Alerts** pages in the Dashboard's Monitor Center.

<CardGroup cols={3}>
  <Card title="Wazuh" icon="shield-alert" href="/security/wazuh" color="#197560">
    Host intrusion detection, file integrity monitoring, vulnerability assessment, and compliance reporting — deployed across all VMs.
  </Card>

  <Card title="Lynis" icon="list-checks" href="/security/lynis" color="#197560">
    OS security auditing with a hardening index score, actionable remediation suggestions, and fleet-wide sweep support.
  </Card>

  <Card title="OpenSCAP" icon="clipboard-check" href="/security/openscap" color="#197560">
    SCAP-based compliance scanning against CIS Benchmarks, DISA STIGs, PCI-DSS, and HIPAA profiles with automated remediation playbooks.
  </Card>
</CardGroup>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Security Architecture</p>

The following table summarizes the security controls enforced at each layer of the Xloud platform.

| Layer         | Controls                                                                                               |
| ------------- | ------------------------------------------------------------------------------------------------------ |
| Hypervisor    | Process isolation, seccomp profiles, AppArmor confinement, dedicated service users, live migration TLS |
| Networking    | Security groups (stateful), FWaaS, port security, anti-spoofing, VLAN/VXLAN isolation                  |
| Control Plane | TLS on all APIs, token-based authentication, RBAC policy enforcement, rate limiting                    |
| Storage       | LUKS volume encryption, Ceph encryption at rest, key management via Xloud Key Management               |
| Audit         | CADF event logging, centralized log aggregation, immutable audit trails                                |
| Host Security | Integrated security platform (intrusion detection + FIM), system auditing, SCAP compliance scanning    |

<Note>
  Xloud follows a shared responsibility model. The platform enforces infrastructure-level controls. Workload owners are responsible for securing applications running inside virtual machines.
</Note>

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Xloud Security Platform Capabilities</p>

<Info>**Xloud-Developed** — This capability is developed by Xloud and ships with XAVS.</Info>

The following security capabilities are built into the Xloud platform and deploy automatically as part of XAVS. Each capability is production-ready and requires no third-party licensing.

<CardGroup cols={3}>
  <Card title="Integrated SIEM" icon="radar" color="#197560">
    Full security information and event management built into the platform. Agent-based monitoring on all nodes with real-time alerting and log correlation.
  </Card>

  <Card title="Triple Compliance Scanning" icon="clipboard-list" color="#197560">
    Three independent scanners running in parallel: SCA benchmarks, system audit, and SCAP profiles. CIS Level 1 and Level 2 benchmarks included.
  </Card>

  <Card title="OS Hardening (CIS Benchmark)" icon="shield-check" color="#197560">
    Automated CIS benchmark hardening: SSH controls, audit logging, Docker security benchmarks, AppArmor profiles, and SSH allowlisting.
  </Card>

  <Card title="Security Operations Dashboard" icon="layout-dashboard" color="#197560">
    Auto-deployed monitoring dashboard with panels for agent status, API health, credential recovery events, certificate expiry, scan results, and cluster health.
  </Card>

  <Card title="Self-Healing Credentials" icon="key" color="#197560">
    Three-layer automated credential recovery: post-deployment enforcement, periodic watchdog (5-minute intervals), and filesystem guardian (10-minute intervals). Recovery time under 5 minutes with zero human intervention.
  </Card>

  <Card title="Active Response" icon="shield-alert" color="#197560">
    Automated threat response: firewall blocking, host denial, and account disabling on SSH brute force detection.
  </Card>

  <Card title="Certificate Expiry Monitoring" icon="calendar-clock" color="#197560">
    Automated certificate lifecycle monitoring with 30-day warning and 7-day critical alerts across all platform services.
  </Card>

  <Card title="Custom Detection Rules" icon="scan-search" color="#197560">
    Platform-specific detection rules for container lifecycle events including start, stop, crash, and resource limit triggers.
  </Card>

  <Card title="Default Alert Rules" icon="bell" color="#197560">
    12 pre-configured alert rules across 4 groups: node alerts (disk, memory, CPU), service alerts, storage alerts, and infrastructure alerts.
  </Card>

  <Card title="SBOM CI Pipeline" icon="package-search" color="#197560">
    Supply chain security: container image vulnerability scanning, software bill of materials generation (SPDX and CycloneDX formats), and cryptographic image signing.
  </Card>
</CardGroup>
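The Active Response card above describes the outcome (block the source, deny the host, disable the account) but not the decision that triggers it. The sliding-window detector below is an added example written for this page; it is not Xloud or Wazuh code, and the threshold (5 failures in 60 seconds), the log year, the sample auth log lines and the three host-side commands are all assumptions chosen for illustration. It shows why the window matters: the same number of failures spread over twenty minutes never trips the rule, and it shows one caveat that any account-disabling response needs, a protected list so an attacker cannot lock out root or a service account simply by guessing its password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" line as written to auth.log. The "invalid user"
# prefix marks attempts against accounts that do not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

THRESHOLD = 5        # failures from one source IP ...
WINDOW_SECONDS = 60  # ... within this window trigger a response (assumed policy)
LOG_YEAR = 2024      # syslog timestamps carry no year; assumed for parsing


def parse_failure(line):
    """Return (timestamp, ip, user, account_exists) for a failed login, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"], m["invalid"] is None


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window detector: one decision per source IP that reaches the threshold.

    Each IP keeps a deque of recent failure timestamps trimmed to the window, so
    state per source is bounded by `threshold` entries regardless of log volume.
    Failures spread thinly over time never accumulate, so an operator's occasional
    typo does not trigger a block. Lines are assumed to arrive in time order.
    """
    recent = defaultdict(deque)
    targeted = defaultdict(set)   # ip -> existing accounts this source has tried
    decisions = {}                # ip -> decision; a source is blocked only once
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, user, exists = parsed
        if ip in decisions:
            continue
        if exists:
            targeted[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            decisions[ip] = {"ip": ip, "failures": len(q), "first": q[0],
                             "last": ts, "accounts": sorted(targeted[ip])}
    return list(decisions.values())


def response_commands(decision, protected=("root",)):
    """Host-side equivalents of the three response actions (illustrative, not executed).

    Disabling accounts on failed logins is a lockout vector: the attacker chooses the
    target account. Break-glass and service accounts therefore stay in `protected`.
    """
    ip = decision["ip"]
    cmds = [
        f"iptables -I INPUT -s {ip} -j DROP",        # firewall blocking
        f"echo 'sshd: {ip}' >> /etc/hosts.deny",      # host denial
    ]
    for account in decision["accounts"]:
        if account not in protected:
            cmds.append(f"usermod -L {account}")      # account disabling
    return cmds


# Constructed sample log: a burst from 203.0.113.7 (5 failures in 7 seconds) and
# slow failures from 198.51.100.5 (5 failures, one every 5 minutes).
LOG = """\
Mar 12 10:15:01 ctl01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 10:15:03 ctl01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 10:15:05 ctl01 sshd[2204]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 12 10:15:06 ctl01 sshd[2204]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 12 10:15:08 ctl01 sshd[2207]: Failed password for operator from 203.0.113.7 port 51041 ssh2
Mar 12 10:15:09 ctl01 sshd[2210]: Accepted publickey for xloud from 198.51.100.5 port 40210 ssh2
Mar 12 10:20:00 ctl01 sshd[2215]: Failed password for xloud from 198.51.100.5 port 40220 ssh2
Mar 12 10:25:00 ctl01 sshd[2219]: Failed password for xloud from 198.51.100.5 port 40230 ssh2
Mar 12 10:30:00 ctl01 sshd[2222]: Failed password for xloud from 198.51.100.5 port 40240 ssh2
Mar 12 10:35:00 ctl01 sshd[2226]: Failed password for xloud from 198.51.100.5 port 40250 ssh2
Mar 12 10:40:00 ctl01 sshd[2230]: Failed password for xloud from 198.51.100.5 port 40260 ssh2
"""

if __name__ == "__main__":
    for decision in detect_brute_force(LOG.splitlines()):
        print(decision)
        for cmd in response_commands(decision):
            print("  would run:", cmd)
```

Run against the sample, only 203.0.113.7 is flagged; the five failures from 198.51.100.5 fall outside the window one by one. The `root` attempts are excluded from the `usermod -L` step by the protected list, while `operator` is disabled; the `admin` attempts carry sshd's "invalid user" marker and so are never candidates for disabling at all.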

***

<p style={{ fontSize: '1.25rem', fontWeight: 700, marginBottom: '0.75rem' }}>Quick Links</p>

<CardGroup cols={4}>
  <Card title="Enable TLS" icon="lock" href="/security/infrastructure#tls-configuration" color="#197560">
    Configure TLS for all platform services
  </Card>

  <Card title="Security Groups" icon="shield" href="/security/network-security#security-groups" color="#197560">
    Create and manage stateful firewall rules
  </Card>

  <Card title="Encrypt Volumes" icon="hard-drive" href="/security/data-security#volume-encryption" color="#197560">
    Enable LUKS encryption for block storage
  </Card>

  <Card title="Hardening Checklist" icon="list-checks" href="/security/hardening-guide#checklist" color="#197560">
    Pre-deployment security verification
  </Card>
</CardGroup>
