forked from mondoohq/cnspec-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
mondoo-tls-security.mql.yaml
185 lines (167 loc) · 6.75 KB
/
mondoo-tls-security.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
policies:
- uid: mondoo-tls-security
name: TLS/SSL Security
version: 1.4.0
license: BUSL-1.1
tags:
mondoo.com/category: security
mondoo.com/platform: host
authors:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: |
## Overview
The Transport Layer Security (TLS) protocol is the primary means of protecting network communications.
The TLS/SSL Security policy by Mondoo includes checks for ensuring the security and configuration of TLS/SSL connections and certificates.
## Remote scan
Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.
For a complete list of providers run:
```bash
cnspec scan --help
```
### Scan a host
```bash
cnspec scan host <fqdn>
```
## Join the community!
Our goal is to build policies that are simple to deploy, accurate, and actionable.
If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Secure TLS/SSL connection
filters: asset.platform == 'host'
checks:
- uid: mondoo-tls-security-ciphers-include-aead-ciphers
- uid: mondoo-tls-security-ciphers-include-pfs
- uid: mondoo-tls-security-mitigate-beast
- uid: mondoo-tls-security-no-diffie-hellman-cipher-suites
- uid: mondoo-tls-security-no-export-cipher-suites
- uid: mondoo-tls-security-no-null-cipher-suites
- uid: mondoo-tls-security-no-old-cipher-suites
- uid: mondoo-tls-security-no-rc4-ciphers
- uid: mondoo-tls-security-no-rsa-key-exchange
- uid: mondoo-tls-security-no-weak-block-cipher-modes
- uid: mondoo-tls-security-no-weak-block-ciphers
- uid: mondoo-tls-security-no-weak-tls-versions
- title: Valid TLS/SSL certificate
filters: asset.platform == 'host'
checks:
- uid: mondoo-tls-security-cert-domain-name-match
- uid: mondoo-tls-security-cert-is-valid
- uid: mondoo-tls-security-cert-no-cert-expired
- uid: mondoo-tls-security-cert-no-certs-expired
- uid: mondoo-tls-security-cert-no-weak-signature
- uid: mondoo-tls-security-cert-not-revoked
- uid: mondoo-tls-security-cert-not-self-signed
scoring_system: highest impact
queries:
- uid: mondoo-tls-security-cert-domain-name-match
title: The certificate's domain name must match
mql: |
checkA1 = tls.certificates.first.subject.commonName == asset.fqdn
if(tls.certificates.first.subject.commonName.contains(/^\*/)) {
checkA1 = asset.fqdn.contains(tls.certificates.first.subject.commonName.split("*.")[1])
}
checkA2 = tls.certificates.first.sanExtension.dnsNames.contains(asset.fqdn)
checkA3 = tls.certificates.first.sanExtension.dnsNames.where(_ == /\*/).where(_.split(".")[-2] + "." + _.split(".")[-1]).any(asset.name.contains(_.split("*.")[1]))
checkA1 || checkA2 || checkA3
- uid: mondoo-tls-security-cert-is-valid
title: The certificate is valid
mql: |
tls.certificates.first {
subject.commonName
notBefore < time.now
notAfter - notBefore < 398*time.day
}
- uid: mondoo-tls-security-cert-no-cert-expired
title: Certificate is not near expiration or expired
mql: |
tls.certificates.first.subject.commonName
switch {
case tls.certificates.first.expiresIn.days > 30: score(100);
case tls.certificates.first.expiresIn.days > 21: score(50);
case tls.certificates.first.expiresIn.days > 14: score(20);
case tls.certificates.first.expiresIn.days > 7: score(9);
default: score(0);
}
- uid: mondoo-tls-security-cert-no-certs-expired
title: None of the certificates (intermediate, root) have expired
mql: |
tls.certificates {
subject.commonName
expiresIn.days > 0
}
- uid: mondoo-tls-security-cert-not-self-signed
title: Do not use a self-signed certificate
mql: |
tls.certificates.last.isCA
- uid: mondoo-tls-security-cert-not-revoked
title: Do not use revoked certificates
mql: |
tls.certificates {
subject.commonName
isRevoked != true
}
- uid: mondoo-tls-security-cert-no-weak-signature
title: Do not use weak certificate signatures
mql: |
tls.certificates {
subject.commonName
signingAlgorithm != /md2|md5|sha1/i
}
- uid: mondoo-tls-security-no-weak-tls-versions
title: Avoid weak SSL and TLS versions
mql: |
tls.versions.containsOnly(["tls1.2", "tls1.3"])
- uid: mondoo-tls-security-no-rc4-ciphers
title: Avoid RC4 ciphers
mql: |
tls.ciphers.none( /rc4/i )
- uid: mondoo-tls-security-no-null-cipher-suites
title: Avoid NULL cipher suites
mql: |
tls.ciphers.none( /null/i )
- uid: mondoo-tls-security-no-export-cipher-suites
title: Avoid export ciphers suites
mql: |
tls.ciphers.none( /export/i )
- uid: mondoo-tls-security-no-diffie-hellman-cipher-suites
title: Avoid anonymous Diffie-Hellman suites
mql: |
tls.ciphers.none( /dh_anon/i )
- uid: mondoo-tls-security-no-weak-block-ciphers
title: Avoid weak block ciphers
mql: tls.ciphers.none( /des|rc2|idea/i )
- uid: mondoo-tls-security-no-weak-block-cipher-modes
title: Avoid weak block cipher modes
mql: tls.ciphers.none( /cbc/i )
- uid: mondoo-tls-security-no-rsa-key-exchange
title: Avoid cipher suites with RSA key exchange
mql: tls.ciphers.none( /^tls_rsa/i )
- uid: mondoo-tls-security-no-old-cipher-suites
title: Avoid old cipher suites
mql: tls.ciphers.none( /^old/i )
- uid: mondoo-tls-security-ciphers-include-aead-ciphers
title: Preferred ciphers must include AEAD ciphers
mql: tls.ciphers.any( /chacha20_poly1305|gcm|ccm/i )
- uid: mondoo-tls-security-ciphers-include-pfs
title: Preferred ciphers must include perfect forward secrecy (PFS)
mql: tls.ciphers.any( /ecdhe_(rsa|ecdsa)|dhe_(rsa|dss)|cecpq/i )
- uid: mondoo-tls-security-mitigate-beast
title: Mitigate BEAST attacks on the server-side
mql: |-
switch {
case tls.versions.containsOnly(["tls1.2", "tls1.3"]):
score(100);
case tls.ciphers.all( /rc4/i ):
score(100);
case tls.ciphers.none( /null|dh_anon|export|des|rc2|idea/ ):
score(80);
default:
score(0);
}
refs:
- url: https://kb.vmware.com/s/article/2008784
title: VMware mitigation of CVE-2011-3389 (BEAST) for web server administrators