From 96e93e748bc6bba61482dea80243601a5f7f5f84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Mu=CC=88nch?= <patrick.muench1111@gmail.com>
Date: Tue, 3 Dec 2024 22:45:27 +0100
Subject: [PATCH] fix dmarc checks in mail policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Patrick Münch <patrick.muench1111@gmail.com>
---
 core/mondoo-email-security.mql.yaml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/core/mondoo-email-security.mql.yaml b/core/mondoo-email-security.mql.yaml
index 30a57f8d..01507d68 100644
--- a/core/mondoo-email-security.mql.yaml
+++ b/core/mondoo-email-security.mql.yaml
@@ -4,7 +4,7 @@ policies:
 - uid: mondoo-email-security
 name: Mondoo Email Security
- version: 1.0.0
+ version: 1.1.0
 license: BUSL-1.1
 tags:
 mondoo.com/category: security
@@ -58,7 +58,7 @@ queries:
 + dns.params.A.rData.first.split(".")[1] + "."
 + dns.params.A.rData.first.split(".")[0] + ".in-addr.arpa"
- dns(reverseDNSDomain).params.PTR.rData.any(_.contains(asset.fqdn))
+ dns(reverseDNSDomain).params.PTR.rData.any(_.contains(domainName.fqdn))
 docs:
 desc: |
 Reverse DNS queries for IPv4 addresses use the special domain in-addr.arpa. In this domain, the IPv4 address is represented as a concatenated sequence of four decimal numbers separated by periods, to which is added the second-level domain suffix .in-addr.arpa. The four decimal numbers are obtained by splitting the 32-bit IPv4 address into four octets and converting each octet to a decimal number. These decimal numbers are then arranged in the following order: the smallest octet is first (leftmost) and the most significant octet is last (rightmost). It is important to note that this is the reverse order of the usual convention for writing IPv4 addresses in text form.
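Review bot: The added PTR line in the -58 hunk keeps `_.contains(domainName.fqdn)`, which is a plain substring test: a PTR such as `mail.notexample.org.` satisfies it for the domain `example.org`, and so does any PTR that merely embeds the domain inside an unrelated label. Comparing on a label boundary, `_.contains("." + domainName.fqdn) || _ == domainName.fqdn`, rules that out at no cost (whether the PTR rData carries a trailing dot, and therefore whether the equality arm ever matches, should be confirmed against a real result). The `reverseDNSDomain` assignment this line consumes starts above the hunk and is derived from `dns.params.A.rData.first`, so only the first A record's reverse mapping is ever checked; a domain with several A records can pass on one host while the others have no PTR at all.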
@@ -182,7 +182,7 @@ queries:
 title: DNS SPF Records
 - uid: mondoo-email-security-dmarc
 title: Ensure DMARC DNS entry exists
- mql: dns("_dmarc."+asset.name).records != empty
+ mql: dns("_dmarc."+domainName.fqdn).records != empty
 docs:
 desc: DMARC is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting that a mail-receiving organization can use to improve mail handling.
 audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC DNS entry exists
@@ -193,7 +193,7 @@ queries:
 title: M3AAWG Email Authentication Recommended Best Practices (2020)
 - uid: mondoo-email-security-dmarc-version
 title: Ensure DMARC version 1
- mql: dns("_dmarc."+asset.name).params['TXT']['rData'].all(/v=DMARC1/)
+ mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/v=DMARC1/)
 docs:
 desc: Set the DMARC version in the TXT record to 1.
 audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC TXT record contains `v=DMARC1`.
@@ -208,7 +208,7 @@ queries:
 title: M3AAWG Email Authentication Recommended Best Practices (2020)
 - uid: mondoo-email-security-dmarc-policy
 title: Ensure DMARC policy is set to quarantine or reject
- mql: dns("_dmarc." + asset.name).params['TXT']['rData'].all(/reject|quarantine/)
+ mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/reject|quarantine/)
 docs:
 desc: In the DMARC implementation, you can tell email receivers how to handle email messages that fail authentication and protect your domain from spoofing and other phishing attacks. There are three DMARC policies (Monitoring Policy, Quarantine Policy, Reject Policy) that you can implement.
 audit: Run the `dig TXT _dmarc.<domain>` command and verify that the DMARC policy quarantine or reject is configured.
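Review bot: The `.all(/v=DMARC1/)` on the added line of the -193 hunk runs over `params['TXT']['rData']`, and if `all` is vacuously true on an empty list — I cannot confirm MQL's semantics from the hunk alone — a domain with no `_dmarc` TXT record passes this version check and is only caught by the separate existence query at -182. If that is the case, `dns("_dmarc."+domainName.fqdn).params['TXT']['rData'] != empty && ...all(/v=DMARC1/)` keeps the check self-contained so it still reports correctly when the existence query is disabled. The same consideration applies to the `all(...)` checks at -208, -223 and -239.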
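Review bot: The regex `/reject|quarantine/` on the added line of the -208 hunk is not tied to the `p=` tag, so a record such as `v=DMARC1; p=none; sp=reject` passes the check even though the organizational-domain policy is monitoring-only, and any other tag value containing one of the two words would pass as well. Anchoring the pattern to the policy tag, `.all(/p\s*=\s*(quarantine|reject)/)`, matches what the title and audit text promise (RFC 7489 permits whitespace around the `=`). A `pct=` value below 100 also weakens an otherwise strict policy and may deserve its own query.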
@@ -223,7 +223,7 @@ queries:
 title: M3AAWG Email Authentication Recommended Best Practices (2020)
 - uid: mondoo-email-security-dmarc-rua
 title: Ensure DMARC RUA tag
- mql: dns("_dmarc."+asset.name).params['TXT']['rData'].all(/rua=mailto/)
+ mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/rua=mailto/)
 docs:
 desc: |
 Receiving email servers regularly send DMARC Aggregate Reports (RUA) to all domains that have an adequately implemented DMARC policy. These reports contain encrypted aggregate statistics in XML format and are sent to the email addresses specified in the RUA tag of the DMARC record. In simpler terms, the RUA tag is used to specify one or more email addresses where you want to receive DMARC Aggregate Reports.
@@ -239,7 +239,7 @@ queries:
 title: M3AAWG Email Authentication Recommended Best Practices (2020)
 - uid: mondoo-email-security-dmarc-ruf
 title: Ensure DMARC RUF tag
- mql: dns("_dmarc." + asset.name).params['TXT']['rData'].all(/ruf=mailto/)
+ mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/ruf=mailto/)
 docs:
 desc: |
 The RUF (or DMARC Failure or Forensic Report) tag was designed to inform domain administrators when emails fail SPF, DKIM, and DMARC authentication checks. The report includes sensitive details about the email, such as the header, subject, URLs, and attachments. However, many organizations prefer not to request RUF reports due to privacy and compliance concerns. The main goal is to comply with privacy laws and prevent data breaches.
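Review bot: The -239 hunk's `desc` states that many organizations deliberately omit RUF for privacy and compliance reasons, yet the `mql:` line fails every domain whose record lacks `ruf=mailto`, so the query contradicts its own guidance and will flag a defensible configuration. The desc should say how to read a failure here, for example by appending `A missing RUF tag is an acceptable result for organizations that have chosen not to receive forensic reports; disable or lower the impact of this check in that case.` Whether the query's impact value was adjusted is not visible in this hunk.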
@@ -269,8 +269,8 @@ queries:
 "mailjet"
 ]
 mql: |
- props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+asset.name).params['TXT']['rData'].first == /p=/)
- props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+asset.name).params['TXT']['rData'].first == /k=rsa/)
+ props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+domainName.fqdn).params['TXT']['rData'].first == /p=/)
+ props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+domainName.fqdn).params['TXT']['rData'].first == /k=rsa/)
 docs:
 desc: |
 A DKIM record is a specialized DNS TXT record that stores the public key used to verify an email's authenticity.
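Review bot: The second added line requires `k=rsa` in the selector's TXT record, but the `k=` tag is optional in DKIM (RSA is the default when it is omitted) and Ed25519 keys carry `k=ed25519`, so correctly published records fail this check for no security reason. Either drop the `k=rsa` assertion and rely on the `/p=/` line, or, if the key type matters, accept `/k=(rsa|ed25519)/` and treat a record with no `k=` tag as RSA rather than as a failure. Both lines also read only `rData.first`; if the TXT rData is returned as separate strings for long keys (not visible here), only the first string is inspected, which is usually where `v=`, `k=` and `p=` sit but is worth confirming. The `props` declaration and the selector list this block iterates begin above the hunk.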