diff --git a/core/mondoo-tls-security.mql.yaml b/core/mondoo-tls-security.mql.yaml
index 10a82bd3..264fc5e5 100644
--- a/core/mondoo-tls-security.mql.yaml
+++ b/core/mondoo-tls-security.mql.yaml
@@ -4,7 +4,7 @@ policies:
 - uid: mondoo-tls-security
 name: Mondoo TLS/SSL Security
- version: 1.4.0
+ version: 1.4.1
 license: BUSL-1.1
 tags:
 mondoo.com/category: security
@@ -31,7 +31,9 @@ policies:
 If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
 groups:
 - title: Secure TLS/SSL connection
- filters: asset.platform == 'host'
+ filters: |
+ asset.platform == 'host'
+ tls.params != empty
 checks:
 - uid: mondoo-tls-security-ciphers-include-aead-ciphers
 - uid: mondoo-tls-security-ciphers-include-pfs
@@ -46,7 +48,9 @@ policies:
 - uid: mondoo-tls-security-no-weak-block-ciphers
 - uid: mondoo-tls-security-no-weak-tls-versions
 - title: Valid TLS/SSL certificate
- filters: asset.platform == 'host'
+ filters: |
+ asset.platform == 'host'
+ tls.params != empty
 checks:
 - uid: mondoo-tls-security-cert-domain-name-match
 - uid: mondoo-tls-security-cert-is-valid
@@ -59,7 +63,7 @@ policies:
 queries:
 - uid: mondoo-tls-security-cert-domain-name-match
 title: Certificate's domain name must match
- impact: 80
+ impact: 90
 docs:
 desc: |
 The domain name in an SSL/TLS certificate must match the hostname it is intended to secure. Mismatched certificates indicate potential misconfigurations or malicious activity. This can lead to user trust issues and browser warnings, causing service interruptions or loss of user confidence.
@@ -81,6 +85,7 @@ queries:
 - uid: mondoo-tls-security-cert-is-valid
 title: Certificate is valid
+ impact: 95
 docs:
 desc: |
 Verifies that the SSL/TLS certificate is valid, has not expired, and is trusted by well-known Certificate Authorities (CAs). Ensures that expired or self-signed certificates are flagged.
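Review bot: The two-line `filters: |` block added to the "Secure TLS/SSL connection" group (and repeated for "Valid TLS/SSL certificate" in the next hunk) leaves the combination rule to the policy engine: if multi-line filters are evaluated as independent alternatives rather than as a conjunction, `tls.params != empty` on its own would widen the group to any asset exposing TLS parameters, not only `host` platforms. If both conditions are required, a single expression, `filters: asset.platform == 'host' && tls.params != empty`, removes the ambiguity. Either way, a host whose TLS endpoint cannot be probed now drops out of the group's scope silently instead of failing its checks; a comment above the filter such as `# hosts without probeable TLS parameters are out of scope rather than failing` would record that this is intended.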
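Review bot: The new `impact: 95` on `mondoo-tls-security-cert-is-valid` sits above the 85 this same commit assigns to `mondoo-tls-security-cert-not-self-signed`, although the desc directly below says this check also flags self-signed certificates; a self-signed certificate would then be scored twice, at 95 and at 85, with the composite check outweighing the dedicated one. If the dedicated expired and self-signed checks are meant to carry those findings, the composite should not rank above them, or its desc should be narrowed to what its query actually tests. The query body for this check is outside the hunk, so this is inferred from the description; a one-line comment above `impact:` stating the intended relationship to the expired and self-signed checks would settle it.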
@@ -94,7 +99,7 @@ queries:
 }
 - uid: mondoo-tls-security-cert-no-cert-expired
 title: Certificate is not near expiration or expired
- impact: 85
+ impact: 95
 docs:
 desc: |
 Certificates nearing expiration or expired can lead to service interruptions and browser security warnings. This can affect user trust and potentially allow MITM attacks if not addressed promptly.
@@ -124,7 +129,7 @@ queries:
 }
 - uid: mondoo-tls-security-cert-not-self-signed
 title: Do not use a self-signed certificate
- impact: 100
+ impact: 85
 docs:
 desc: |
 Self-signed certificates are not trusted by default in browsers or operating systems. They lack authentication from a trusted CA, exposing the service to MITM attacks and reducing user trust.
@@ -134,7 +139,7 @@ queries:
 tls.certificates.last.isCA
 - uid: mondoo-tls-security-cert-not-revoked
 title: Do not use revoked certificates
- impact: 95
+ impact: 100
 docs:
 desc: |
 Revoked certificates are flagged as compromised or untrustworthy by the CA. Continuing to use them exposes the service to significant security risks and compliance violations.
@@ -200,7 +205,7 @@ queries:
 tls.ciphers.none( /export/i )
 - uid: mondoo-tls-security-no-diffie-hellman-cipher-suites
 title: Avoid anonymous Diffie-Hellman suites
- impact: 90
+ impact: 95
 docs:
 desc: |
 Anonymous Diffie-Hellman suites lack authentication, allowing attackers to impersonate the server or client. This can lead to man-in-the-middle (MITM) attacks and data compromise.
@@ -246,7 +251,7 @@ queries:
 mql: tls.ciphers.none( /^old/i )
 - uid: mondoo-tls-security-ciphers-include-aead-ciphers
 title: Preferred ciphers must include AEAD ciphers
- impact: 90
+ impact: 85
 docs:
 desc: |
 AEAD (Authenticated Encryption with Associated Data) ciphers provide both confidentiality and integrity protection, making them a critical component of modern secure communication protocols.
@@ -264,7 +269,7 @@ queries:
 mql: tls.ciphers.any( /ecdhe_(rsa|ecdsa)|dhe_(rsa|dss)|cecpq/i )
 - uid: mondoo-tls-security-mitigate-beast
 title: Mitigate BEAST attacks on the server-side
- impact: 85
+ impact: 70
 docs:
 desc: |
 BEAST attacks exploit vulnerabilities in SSL/TLS protocols using CBC encryption. This allows attackers to decrypt sensitive data by manipulating block boundaries.