fix the policy filter for the tls policy #458

Merged
merged 1 commit into from
Dec 15, 2024
fix the policy filter for the tls policy
Signed-off-by: Patrick Münch <[email protected]>
atomic111 committed Dec 15, 2024
commit 9ca1e18ca3a262a38615ff88957383dbb5ecd79a
25 changes: 15 additions & 10 deletions core/mondoo-tls-security.mql.yaml
@@ -4,7 +4,7 @@
policies:
- uid: mondoo-tls-security
name: Mondoo TLS/SSL Security
version: 1.4.0
version: 1.4.1
license: BUSL-1.1
tags:
mondoo.com/category: security
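Review bot: the version bump from 1.4.0 to 1.4.1 is a patch increment, but this commit also rescores the `impact` of eight queries (seven changed, one newly set; for example `mondoo-tls-security-cert-not-self-signed` 100 to 85 and `mondoo-tls-security-cert-not-revoked` 95 to 100), which changes the scores assets receive under this policy. Consider a minor bump (1.5.0) or at least a changelog entry so consumers pinning 1.4.x are not surprised by score changes.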
@@ -31,7 +31,9 @@ policies:
If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Secure TLS/SSL connection
filters: asset.platform == 'host'
filters: |
asset.platform == 'host'
tls.params != empty
checks:
- uid: mondoo-tls-security-ciphers-include-aead-ciphers
- uid: mondoo-tls-security-ciphers-include-pfs
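Review bot: the new filter puts two expressions on separate lines of a `|` block; confirm that cnspec evaluates them as a single AND condition rather than as two independent filters, because in the latter case any `host` asset would still match regardless of `tls.params` and the filter fix the title describes would not take effect. Writing the intent as one explicit expression, `asset.platform == 'host' && tls.params != empty`, removes the ambiguity.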
@@ -46,7 +48,9 @@ policies:
- uid: mondoo-tls-security-no-weak-block-ciphers
- uid: mondoo-tls-security-no-weak-tls-versions
- title: Valid TLS/SSL certificate
filters: asset.platform == 'host'
filters: |
asset.platform == 'host'
tls.params != empty
checks:
- uid: mondoo-tls-security-cert-domain-name-match
- uid: mondoo-tls-security-cert-is-valid
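Review bot: this is the same filter block as in the first group, so the same question about whether the two lines are AND-ed or treated as separate filters applies here, and whichever form is chosen should be identical in both groups. Since both groups now share this filter, it is worth stating in the PR description that for hosts where `tls.params` is empty the checks in both groups no longer apply at all, rather than being reported as failures.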
@@ -59,7 +63,7 @@ policies:
queries:
- uid: mondoo-tls-security-cert-domain-name-match
title: Certificate's domain name must match
impact: 80
impact: 90
docs:
desc: |
The domain name in an SSL/TLS certificate must match the hostname it is intended to secure. Mismatched certificates indicate potential misconfigurations or malicious activity. This can lead to user trust issues and browser warnings, causing service interruptions or loss of user confidence.
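Review bot: the impact of `mondoo-tls-security-cert-domain-name-match` rises from 80 to 90, but the commit message ("fix the policy filter for the tls policy") does not mention any rescoring. Add the rationale for the new impact values to the commit message or PR description so the change is traceable.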
@@ -81,6 +85,7 @@ queries:

- uid: mondoo-tls-security-cert-is-valid
title: Certificate is valid
impact: 95
docs:
desc: |
Verifies that the SSL/TLS certificate is valid, has not expired, and is trusted by well-known Certificate Authorities (CAs). Ensures that expired or self-signed certificates are flagged.
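Review bot: `mondoo-tls-security-cert-is-valid` previously had no `impact` field, so adding `impact: 95` makes its weighting explicit for the first time rather than adjusting an existing value; list it in the changelog alongside the other impact changes so the effect on existing scores is documented.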
@@ -94,7 +99,7 @@ queries:
}
- uid: mondoo-tls-security-cert-no-cert-expired
title: Certificate is not near expiration or expired
impact: 85
impact: 95
docs:
desc: |
Certificates nearing expiration or expired can lead to service interruptions and browser security warnings. This can affect user trust and potentially allow MITM attacks if not addressed promptly.
@@ -124,7 +129,7 @@ queries:
}
- uid: mondoo-tls-security-cert-not-self-signed
title: Do not use a self-signed certificate
impact: 100
impact: 85
docs:
desc: |
Self-signed certificates are not trusted by default in browsers or operating systems. They lack authentication from a trusted CA, exposing the service to MITM attacks and reducing user trust.
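Review bot: lowering `mondoo-tls-security-cert-not-self-signed` from 100 to 85 while raising the revoked-certificate check to 100 reorders the severity of these checks, yet the `desc` here still describes self-signed certificates as exposing the service to MITM attacks. Either reconcile the text with the reduced score or state the reason for the reduction (for example, that internal services legitimately run on private CAs) in the docs.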
@@ -134,7 +139,7 @@ queries:
tls.certificates.last.isCA
- uid: mondoo-tls-security-cert-not-revoked
title: Do not use revoked certificates
impact: 95
impact: 100
docs:
desc: |
Revoked certificates are flagged as compromised or untrustworthy by the CA. Continuing to use them exposes the service to significant security risks and compliance violations.
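Review bot: raising `mondoo-tls-security-cert-not-revoked` to 100 matches its description (the CA has explicitly flagged the certificate), but it is now the only certificate check at the maximum, above expired (95) and self-signed (85); confirm this ordering is intended and record it wherever the policy's impact scale is explained.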
@@ -200,7 +205,7 @@ queries:
tls.ciphers.none( /export/i )
- uid: mondoo-tls-security-no-diffie-hellman-cipher-suites
title: Avoid anonymous Diffie-Hellman suites
impact: 90
impact: 95
docs:
desc: |
Anonymous Diffie-Hellman suites lack authentication, allowing attackers to impersonate the server or client. This can lead to man-in-the-middle (MITM) attacks and data compromise.
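Review bot: the change from 90 to 95 is fine, but the uid `mondoo-tls-security-no-diffie-hellman-cipher-suites` reads as if all Diffie-Hellman suites were disallowed, whereas the title and description scope the check to anonymous DH suites (no authentication). Since the uid cannot change without breaking references, make the narrower scope clear in the `desc` so readers do not assume ECDHE/DHE suites are penalised.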
@@ -246,7 +251,7 @@ queries:
mql: tls.ciphers.none( /^old/i )
- uid: mondoo-tls-security-ciphers-include-aead-ciphers
title: Preferred ciphers must include AEAD ciphers
impact: 90
impact: 85
docs:
desc: |
AEAD (Authenticated Encryption with Associated Data) ciphers provide both confidentiality and integrity protection, making them a critical component of modern secure communication protocols.
@@ -264,7 +269,7 @@ queries:
mql: tls.ciphers.any( /ecdhe_(rsa|ecdsa)|dhe_(rsa|dss)|cecpq/i )
- uid: mondoo-tls-security-mitigate-beast
title: Mitigate BEAST attacks on the server-side
impact: 85
impact: 70
docs:
desc: |
BEAST attacks exploit vulnerabilities in SSL/TLS protocols using CBC encryption. This allows attackers to decrypt sensitive data by manipulating block boundaries.
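Review bot: lowering `mondoo-tls-security-mitigate-beast` from 85 to 70 is the largest single reduction in this commit and has no rationale in the description, while the `desc` still says attackers can decrypt sensitive data. If the reduction reflects that BEAST is confined to TLS 1.0 CBC suites and is mitigated client-side in current TLS implementations, say so in the `desc` so the lower score is explainable.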