fix dmarc checks in mail policy #456

Merged 1 commit on Dec 4, 2024
18 changes: 9 additions & 9 deletions core/mondoo-email-security.mql.yaml
Expand Up @@ -4,7 +4,7 @@
policies:
- uid: mondoo-email-security
name: Mondoo Email Security
version: 1.0.0
version: 1.1.0
license: BUSL-1.1
tags:
mondoo.com/category: security
Expand Down Expand Up @@ -58,7 +58,7 @@ queries:
+ dns.params.A.rData.first.split(".")[1] + "."
+ dns.params.A.rData.first.split(".")[0]
+ ".in-addr.arpa"
dns(reverseDNSDomain).params.PTR.rData.any(_.contains(asset.fqdn))
dns(reverseDNSDomain).params.PTR.rData.any(_.contains(domainName.fqdn))
docs:
desc: |
Reverse DNS queries for IPv4 addresses use the special domain in-addr.arpa. In this domain, the IPv4 address is represented as a concatenated sequence of four decimal numbers separated by periods, to which is added the second-level domain suffix .in-addr.arpa. The four decimal numbers are obtained by splitting the 32-bit IPv4 address into four octets and converting each octet to a decimal number. These decimal numbers are then arranged in the following order: the smallest octet is first (leftmost) and the most significant octet is last (rightmost). It is important to note that this is the reverse order of the usual convention for writing IPv4 addresses in text form.
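Review bot: only the first A record is reverse-checked here (`dns.params.A.rData.first`), so a host with several A records passes or fails on whichever address happens to sort first; if multi-homed assets are in scope, iterate over all A records and require a matching PTR for each. Separately, the desc in this hunk says "the smallest octet is first", which should read "the least significant octet is first" (the octets are reversed, not sorted by value), and the switch from `asset.fqdn` to `domainName.fqdn` should be called out in the release notes since it changes which name the PTR is compared against.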
Expand Down Expand Up @@ -182,7 +182,7 @@ queries:
title: DNS SPF Records
- uid: mondoo-email-security-dmarc
title: Ensure DMARC DNS entry exists
mql: dns("_dmarc."+asset.name).records != empty
mql: dns("_dmarc."+domainName.fqdn).records != empty
docs:
desc: DMARC is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting that a mail-receiving organization can use to improve mail handling.
audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC DNS entry exists
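Review bot: the audit command `dig _dmarc.<domain>` queries the A type by default and will not show the TXT record this check is about; make it `dig TXT _dmarc.<domain>`, matching the audit text used for the policy check later in this file. Also, `.records != empty` passes on any record type at `_dmarc.<domain>`; if a CNAME to a hosted DMARC record is acceptable that is fine, otherwise consider `params['TXT']['rData'] != empty` to match what the following version and policy checks inspect.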
Expand All @@ -193,7 +193,7 @@ queries:
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-dmarc-version
title: Ensure DMARC version 1
mql: dns("_dmarc."+asset.name).params['TXT']['rData'].all(/v=DMARC1/)
mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/v=DMARC1/)
docs:
desc: Set the DMARC version in the TXT record to 1.
audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC TXT record contains `v=DMARC1`.
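Review bot: `.all(/v=DMARC1/)` matches `v=DMARC1` anywhere in the record, but RFC 7489 requires it to be the first tag; if MQL regexes support anchors, `/^v=DMARC1/` is the stricter and intended check. The same `dig _dmarc.<domain>` audit command here also needs the `TXT` type to display the record.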
Expand All @@ -208,7 +208,7 @@ queries:
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-dmarc-policy
title: Ensure DMARC policy is set to quarantine or reject
mql: dns("_dmarc." + asset.name).params['TXT']['rData'].all(/reject|quarantine/)
mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/reject|quarantine/)
docs:
desc: In the DMARC implementation, you can tell email receivers how to handle email messages that fail authentication and protect your domain from spoofing and other phishing attacks. There are three DMARC policies (Monitoring Policy, Quarantine Policy, Reject Policy) that you can implement.
audit: Run the `dig TXT _dmarc.<domain>` command and verify that the DMARC policy quarantine or reject is configured.
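Review bot: the regex `/reject|quarantine/` is not anchored to the `p=` tag, so a record such as `v=DMARC1; p=none; sp=reject` passes this check even though the domain policy is `none`; match the domain policy tag explicitly, e.g. `/(^|;\s*)p=(quarantine|reject)/`, so that `sp=` or `fo=` values cannot satisfy it. The normalisation of `"_dmarc." + asset.name` to `"_dmarc."+domainName.fqdn` also makes the spacing consistent with the sibling checks, which is welcome.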
Expand All @@ -223,7 +223,7 @@ queries:
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-dmarc-rua
title: Ensure DMARC RUA tag
mql: dns("_dmarc."+asset.name).params['TXT']['rData'].all(/rua=mailto/)
mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/rua=mailto/)
docs:
desc: |
Receiving email servers regularly send DMARC Aggregate Reports (RUA) to all domains that have an adequately implemented DMARC policy. These reports contain encrypted aggregate statistics in XML format and are sent to the email addresses specified in the RUA tag of the DMARC record. In simpler terms, the RUA tag is used to specify one or more email addresses where you want to receive DMARC Aggregate Reports.
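Review bot: the desc in this hunk says aggregate reports "contain encrypted aggregate statistics in XML format"; RFC 7489 aggregate reports are gzip- or zip-compressed XML attachments, not encrypted, so "compressed" is the accurate word. The check itself (`/rua=mailto/`) is fine for the stated goal of ensuring an address is configured.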
Expand All @@ -239,7 +239,7 @@ queries:
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-dmarc-ruf
title: Ensure DMARC RUF tag
mql: dns("_dmarc." + asset.name).params['TXT']['rData'].all(/ruf=mailto/)
mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/ruf=mailto/)
docs:
desc: |
The RUF (or DMARC Failure or Forensic Report) tag was designed to inform domain administrators when emails fail SPF, DKIM, and DMARC authentication checks. The report includes sensitive details about the email, such as the header, subject, URLs, and attachments. However, many organizations prefer not to request RUF reports due to privacy and compliance concerns. The main goal is to comply with privacy laws and prevent data breaches.
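Review bot: this query titled "Ensure DMARC RUF tag" will fail exactly the organisations the desc says deliberately omit `ruf=` for privacy and compliance reasons; consider documenting the check as optional or giving it a lower impact than the `rua` check so a missing `ruf` does not read as a misconfiguration. The desc could also note that many mailbox providers do not send failure reports at all, which further weakens `ruf=` as a hard requirement.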
Expand Down Expand Up @@ -269,8 +269,8 @@ queries:
"mailjet"
]
mql: |
props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+asset.name).params['TXT']['rData'].first == /p=/)
props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+asset.name).params['TXT']['rData'].first == /k=rsa/)
props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+domainName.fqdn).params['TXT']['rData'].first == /p=/)
props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+domainName.fqdn).params['TXT']['rData'].first == /k=rsa/)
docs:
desc: |
A DKIM record is a specialized DNS TXT record that stores the public key used to verify an email's authenticity.
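Review bot: the second line requires `/k=rsa/`, but the `k=` tag is optional in DKIM key records and defaults to `rsa` (RFC 6376 §3.6.1), and `k=ed25519` (RFC 8463) is a valid key type; as written, a correct RSA record without an explicit `k=` tag and any Ed25519 record fail the check. Either drop the `k=rsa` requirement or accept an absent `k=` and `ed25519` alongside `rsa`. Also check what `.first` returns when a selector has no TXT record; if it yields null rather than an empty string, the comparison against `/p=/` may error instead of evaluating to false for the non-matching selectors that `contains` is expected to skip.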