-
Notifications
You must be signed in to change notification settings - Fork 18
/
Copy pathmondoo-tls-security.mql.yaml
193 lines (182 loc) · 6.69 KB
/
mondoo-tls-security.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
policies:
- uid: mondoo-tls-security
name: TLS/SSL Security Baseline by Mondoo
version: 1.2.0
authors:
- name: Mondoo, Inc
email: hello@mondoo.com
tags:
mondoo.com/platform: host,network
mondoo.com/category: security
docs:
desc: |
The Transport Layer Security (TLS) protocol is the primary means of protecting network communications.
The TLS/SSL Security Baseline by Mondoo includes controls for ensuring the security and configuration of TLS/SSL connections and certificates.
## Remote scan
Remote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration.
For a complete list of native transports run:
```bash
cnspec scan --help
```
### Scan a host
```bash
cnspec scan host <fqdn>
```
## Join the community!
Our goal is to build policies that are simple to deploy, accurate, and actionable.
If you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
scoring_system: 2
specs:
- title: Secure TLS/SSL connection
asset_filter:
query: asset.family.contains('network')
scoring_queries:
mondoo-tls-security-no-weak-tls-versions: null
mondoo-tls-security-no-rc4-ciphers: null
mondoo-tls-security-no-null-cipher-suites: null
mondoo-tls-security-no-export-cipher-suites: null
mondoo-tls-security-no-diffie-hellman-cipher-suites: null
mondoo-tls-security-no-weak-block-ciphers: null
mondoo-tls-security-no-weak-block-cipher-modes: null
mondoo-tls-security-no-rsa-key-exchange: null
mondoo-tls-security-no-old-cipher-suites: null
mondoo-tls-security-ciphers-include-aead-ciphers: null
mondoo-tls-security-ciphers-include-pfs: null
mondoo-tls-security-mitigate-beast: null
- title: Valid TLS/SSL certificate
asset_filter:
query: asset.family.contains('network')
scoring_queries:
mondoo-tls-security-cert-domain-name-match: null
mondoo-tls-security-cert-is-valid: null
mondoo-tls-security-cert-no-cert-expired: null
mondoo-tls-security-cert-no-certs-expired: null
mondoo-tls-security-cert-not-self-signed: null
mondoo-tls-security-cert-not-revoked: null
mondoo-tls-security-cert-no-weak-signature: null
queries:
- uid: mondoo-tls-security-cert-domain-name-match
title: The certificate's domain name must match
impact: 50
query: |
tls.certificates.first.subject.commonName == platform.fqdn
- uid: mondoo-tls-security-cert-is-valid
title: The certificate is valid
impact: 95
query: |
tls.certificates.first {
subject.commonName
notBefore < time.now
notAfter - notBefore < 398*time.day
}
- uid: mondoo-tls-security-cert-no-cert-expired
title: Certificate is not near expiration or expired
query: |
tls.certificates.first.subject.commonName
switch {
case tls.certificates.first.expiresIn.days > 150: score(100);
case tls.certificates.first.expiresIn.days > 120: score(70);
case tls.certificates.first.expiresIn.days > 90: score(50);
case tls.certificates.first.expiresIn.days > 60: score(20);
case tls.certificates.first.expiresIn.days > 30: score(9);
default: score(0);
}
- uid: mondoo-tls-security-cert-no-certs-expired
title: None of the certificates (intermediate, root) have expired
impact: 95
query: |
tls.certificates {
subject.commonName
expiresIn.days > 0
}
- uid: mondoo-tls-security-cert-not-self-signed
title: Do not use a self-signed certificate
impact: 70
query: |
tls.certificates.last.isCA
- uid: mondoo-tls-security-cert-not-revoked
title: Do not use revoked certificates
impact: 95
query: |
tls.certificates {
subject.commonName
isRevoked != true
}
- uid: mondoo-tls-security-cert-no-weak-signature
title: Do not use weak certificate signatures
impact: 95
query: |
tls.certificates {
subject.commonName
signingAlgorithm != /md2|md5|sha1/i
}
- uid: mondoo-tls-security-no-weak-tls-versions
title: Avoid weak SSL and TLS versions
impact: 80
query: |
tls.versions.containsOnly(["tls1.2", "tls1.3"])
- uid: mondoo-tls-security-no-rc4-ciphers
title: Avoid RC4 ciphers
impact: 90
query: |
tls.ciphers.none( /rc4/i )
- uid: mondoo-tls-security-no-null-cipher-suites
title: Avoid NULL cipher suites
impact: 95
query: |
tls.ciphers.none( /null/i )
- uid: mondoo-tls-security-no-export-cipher-suites
title: Avoid export ciphers suites
impact: 95
query: |
tls.ciphers.none( /export/i )
- uid: mondoo-tls-security-no-diffie-hellman-cipher-suites
title: Avoid anonymous Diffie-Hellman suites
impact: 95
query: |
tls.ciphers.none( /dh_anon/i )
- uid: mondoo-tls-security-no-weak-block-ciphers
title: Avoid weak block ciphers
impact: 95
query:
tls.ciphers.none( /des|rc2|idea/i )
- uid: mondoo-tls-security-no-weak-block-cipher-modes
title: Avoid weak block cipher modes
impact: 80
query:
tls.ciphers.none( /cbc/i )
- uid: mondoo-tls-security-no-rsa-key-exchange
title: Avoid cipher suites with RSA key exchange
query:
tls.ciphers.none( /^tls_rsa/i )
- uid: mondoo-tls-security-no-old-cipher-suites
title: Avoid old cipher suites
impact: 95
query:
tls.ciphers.none( /^old/i )
- uid: mondoo-tls-security-ciphers-include-aead-ciphers
title: Preferred ciphers must include AEAD ciphers
impact: 80
query:
tls.ciphers.any( /chacha20_poly1305|gcm|ccm/i )
- uid: mondoo-tls-security-ciphers-include-pfs
title: Preferred ciphers must include perfect forward secrecy (PFS)
impact: 80
query:
tls.ciphers.any( /ecdhe_(rsa|ecdsa)|dhe_(rsa|dss)|cecpq/i )
- uid: mondoo-tls-security-mitigate-beast
title: Mitigate BEAST attacks on the server-side
refs:
- title: VMware mitigation of CVE-2011-3389 (BEAST) for web server administrators
url: https://kb.vmware.com/s/article/2008784
query: |
switch {
case tls.versions.containsOnly(["tls1.2", "tls1.3"]):
score(100);
case tls.ciphers.all( /rc4/i ):
score(100);
case tls.ciphers.none( /null|dh_anon|export|des|rc2|idea/ ):
score(80);
default:
score(0);
}