tls_security.yaml
218 lines (198 loc) · 7.56 KB
apiVersion: kopexa.io/v1alpha1
kind: Policy
metadata:
  name: kopexa-tls-security
  title: Kopexa TLS/SSL Security
  version: 1.4.1
scoring_system: banded
groups:
  - title: Secure TLS/SSL connection
    filter: asset.type == 'host'
    checks:
      - uid: kopexa-tls-security-ciphers-include-aead-ciphers
      - uid: kopexa-tls-security-ciphers-include-pfs
      - uid: kopexa-tls-security-mitigate-beast
      - uid: kopexa-tls-security-no-diffie-hellman-cipher-suites
      - uid: kopexa-tls-security-no-export-cipher-suites
      - uid: kopexa-tls-security-no-null-cipher-suites
      - uid: kopexa-tls-security-no-old-cipher-suites
      - uid: kopexa-tls-security-no-rc4-ciphers
      - uid: kopexa-tls-security-no-rsa-key-exchange
      - uid: kopexa-tls-security-no-weak-block-cipher-modes
      - uid: kopexa-tls-security-no-weak-block-ciphers
      - uid: kopexa-tls-security-no-weak-tls-versions
  - title: Valid TLS/SSL certificate
    filter: asset.type == 'host'
    checks:
      - uid: kopexa-tls-security-cert-domain-name-match
      - uid: kopexa-tls-security-cert-is-valid
      - uid: kopexa-tls-security-cert-no-cert-expired
      - uid: kopexa-tls-security-cert-no-certs-expired
      - uid: kopexa-tls-security-cert-no-weak-signature
      - uid: kopexa-tls-security-cert-not-revoked
      - uid: kopexa-tls-security-cert-not-self-signed
queries:
  - uid: kopexa-tls-security-cert-domain-name-match
    title: Certificate's domain name must match
    resource: tls
    severity: critical
    query: |
      resource.certificates[0].subject.commonName == asset.name ||
      resource.certificates[0].dnsNames.exists(n, n == asset.name)
    docs: Certificate domain name must match the hostname.
    remediation: Get a certificate that matches the domain.
    audit: Check commonName and SANs.
  - uid: kopexa-tls-security-cert-is-valid
    title: Certificate is valid
    resource: tls
    severity: critical
    query: |
      resource.certificates[0].expiresIn.days >= 0 &&
      resource.certificates[0].validityDays <= 398 &&
      resource.certificates[0].isVerified
    docs: |
      Certificate must be valid, not expired, trusted by root CAs, and have a validity period
      within CA/Browser Forum limits (currently 398 days, reducing to 47 days by 2029).
    remediation: Renew certificate with valid parameters.
    audit: Check details.
  - uid: kopexa-tls-security-cert-no-cert-expired
    title: Certificate is not near expiration or expired
    resource: tls
    severity: high
    query: resource.certificates[0].expiresIn.days > 30
    docs: Renew certificate before it expires (30 days buffer).
    remediation: Renew soon.
    audit: Check days remaining.
  - uid: kopexa-tls-security-cert-no-certs-expired
    title: None of the certificates (intermediate or root) have expired
    resource: tls
    severity: critical
    query: resource.certificates.all(c, c.expiresIn.days >= 0)
    docs: All certificates in chain must be valid.
    remediation: Update full chain.
    audit: Check chain.
  - uid: kopexa-tls-security-cert-not-self-signed
    title: Do not use a self-signed certificate
    resource: tls
    severity: high
    query: resource.certificates[resource.certificates.size()-1].isCA
    docs: Do not use self-signed certificates.
    remediation: Get CA signed cert.
    audit: Check issuer.
  - uid: kopexa-tls-security-cert-not-revoked
    title: Do not use revoked certificates
    resource: tls
    severity: critical
    query: "true"
    docs: (Not implemented) Check for revocation.
    remediation: Replace revoked certs.
    audit: None
  - uid: kopexa-tls-security-cert-no-weak-signature
    title: Do not use weak certificate signatures
    resource: tls
    severity: high
    query: |
      resource.certificates.all(c, !c.signingAlgorithm.matches('(?i)md2|md5|sha1'))
    docs: Use strong signature algorithms (SHA256+).
    remediation: Reissue with SHA256.
    audit: Check signature algorithm.
  - uid: kopexa-tls-security-no-weak-tls-versions
    title: Avoid weak SSL and TLS versions
    resource: tls
    severity: critical
    query: |
      resource.versions.all(v, v == 'tls1.2' || v == 'tls1.3')
    docs: Disable TLS 1.0, 1.1, SSL.
    remediation: Configure server to disable old protocols.
    audit: Check supported protocols.
  - uid: kopexa-tls-security-no-rc4-ciphers
    title: Avoid RC4 ciphers
    resource: tls
    severity: critical
    query: resource.ciphers.all(c, !c.matches('(?i)rc4'))
    docs: Disable RC4.
    remediation: Disable RC4 ciphers.
    audit: Check ciphers.
  - uid: kopexa-tls-security-no-null-cipher-suites
    title: Avoid NULL cipher suites
    resource: tls
    severity: critical
    query: resource.ciphers.all(c, !c.matches('(?i)null'))
    docs: Disable NULL ciphers.
    remediation: Disable NULL suites.
    audit: Check ciphers.
  - uid: kopexa-tls-security-no-export-cipher-suites
    title: Avoid export cipher suites
    resource: tls
    severity: critical
    query: resource.ciphers.all(c, !c.matches('(?i)export'))
    docs: Disable EXPORT ciphers.
    remediation: Disable EXPORT suites.
    audit: Check ciphers.
  - uid: kopexa-tls-security-no-diffie-hellman-cipher-suites
    title: Avoid anonymous Diffie-Hellman suites
    resource: tls
    severity: high
    query: resource.ciphers.all(c, !c.matches('(?i)dh_anon'))
    docs: Disable anonymous DH.
    remediation: Disable DH_ANON.
    audit: Check ciphers.
  - uid: kopexa-tls-security-no-weak-block-ciphers
    title: Avoid weak block ciphers
    resource: tls
    severity: high
    query: resource.ciphers.all(c, !c.matches('(?i)des|rc2|idea'))
    docs: Disable weak block ciphers (DES, RC2, IDEA).
    remediation: Use AES.
    audit: Check ciphers.
  - uid: kopexa-tls-security-no-weak-block-cipher-modes
    title: Avoid weak block cipher modes
    resource: tls
    severity: medium
    query: resource.ciphers.all(c, !c.matches('(?i)cbc'))
    docs: Avoid CBC mode.
    remediation: Use GCM/ChaCha20.
    audit: Check ciphers.
  - uid: kopexa-tls-security-no-rsa-key-exchange
    title: Avoid cipher suites with RSA key exchange
    resource: tls
    severity: medium
    query: resource.ciphers.all(c, !c.matches('(?i)^tls_rsa'))
    docs: Avoid RSA key exchange (no PFS).
    remediation: Use ECDHE/DHE.
    audit: Check ciphers.
  - uid: kopexa-tls-security-no-old-cipher-suites
    title: Avoid old cipher suites
    resource: tls
    severity: high
    query: resource.ciphers.all(c, !c.matches('(?i)^old'))
    docs: Avoid old suites.
    remediation: Update ciphers.
    audit: Check ciphers.
  - uid: kopexa-tls-security-ciphers-include-aead-ciphers
    title: Preferred ciphers must include AEAD ciphers
    resource: tls
    severity: medium
    query: resource.ciphers.exists(c, c.matches('(?i)chacha20_poly1305|gcm|ccm'))
    docs: Use AEAD ciphers.
    remediation: Enable AEAD.
    audit: Check for GCM/ChaCha.
  - uid: kopexa-tls-security-ciphers-include-pfs
    title: Preferred ciphers must include perfect forward secrecy (PFS)
    resource: tls
    severity: high
    query: resource.ciphers.exists(c, c.matches('(?i)ecdhe_(rsa|ecdsa)|dhe_(rsa|dss)|cecpq'))
    docs: Use PFS (ECDHE/DHE).
    remediation: Enable PFS.
    audit: Check for ECDHE.
  - uid: kopexa-tls-security-mitigate-beast
    title: Mitigate BEAST attacks on the server-side
    resource: tls
    severity: high
    query: |
      resource.versions.all(v, v == 'tls1.2' || v == 'tls1.3') ||
      resource.ciphers.all(c, c.matches('(?i)rc4')) ||
      resource.ciphers.all(c, !c.matches('(?i)null|dh_anon|export|des|rc2|idea'))
    docs: Mitigate BEAST (use TLS 1.2+).
    remediation: Enforce TLS 1.2+.
    audit: Check version.
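To see how the cipher-suite and protocol-version queries above behave on real input, here is an added Python harness that re-implements their regex logic with the standard `re` module and runs it over two constructed scan results. This is example code, not part of the policy file or the Kopexa project; the scan data, the shortened check names, and the `evaluate`/`failing` helpers are assumptions of the example, and it assumes the policy's `matches()` has the unanchored search semantics of CEL, which `re.search` mirrors.

```python
"""Evaluate the kopexa-tls-security cipher and version checks locally.

Added example (not the policy's or Kopexa's own code). The `resource`
objects below are constructed to look like what the policy's `tls`
resource exposes (`versions` and `ciphers`); they are not real scan output.
"""
import re

# Constructed scan results. SCAN_WEAK still offers TLS 1.0, static-RSA key
# exchange, CBC and RC4; SCAN_HARDENED offers only TLS 1.2/1.3 with AEAD + PFS.
SCAN_WEAK = {
    "versions": ["tls1.0", "tls1.2"],
    "ciphers": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}
SCAN_HARDENED = {
    "versions": ["tls1.2", "tls1.3"],
    "ciphers": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_GCM_SHA256",
    ],
}

# (shortened uid, mode, pattern). Patterns are copied from the policy's query fields.
#   mode "none": passes only if no cipher matches   -> resource.ciphers.all(c, !c.matches(p))
#   mode "any":  passes if at least one cipher matches -> resource.ciphers.exists(c, c.matches(p))
CIPHER_CHECKS = [
    ("no-rc4-ciphers", "none", r"(?i)rc4"),
    ("no-null-cipher-suites", "none", r"(?i)null"),
    ("no-export-cipher-suites", "none", r"(?i)export"),
    ("no-diffie-hellman-cipher-suites", "none", r"(?i)dh_anon"),
    ("no-weak-block-ciphers", "none", r"(?i)des|rc2|idea"),
    ("no-weak-block-cipher-modes", "none", r"(?i)cbc"),
    ("no-rsa-key-exchange", "none", r"(?i)^tls_rsa"),
    ("no-old-cipher-suites", "none", r"(?i)^old"),
    ("ciphers-include-aead-ciphers", "any", r"(?i)chacha20_poly1305|gcm|ccm"),
    ("ciphers-include-pfs", "any", r"(?i)ecdhe_(rsa|ecdsa)|dhe_(rsa|dss)|cecpq"),
]

GOOD_VERSIONS = ("tls1.2", "tls1.3")


def matches(pattern, value):
    """CEL's matches() is an unanchored regex search; re.search mirrors that.

    The '^' in '(?i)^tls_rsa' is therefore what keeps TLS_ECDHE_RSA_* suites
    from being flagged as static-RSA key exchange.
    """
    return re.search(pattern, value) is not None


def evaluate(scan):
    """Return {check: passed} for every cipher/version check in the policy."""
    versions_ok = all(v in GOOD_VERSIONS for v in scan["versions"])
    results = {"no-weak-tls-versions": versions_ok}
    for uid, mode, pattern in CIPHER_CHECKS:
        hits = [c for c in scan["ciphers"] if matches(pattern, c)]
        results[uid] = (not hits) if mode == "none" else bool(hits)
    # mitigate-beast is a disjunction of three clauses, exactly as in the policy.
    results["mitigate-beast"] = (
        versions_ok
        or all(matches(r"(?i)rc4", c) for c in scan["ciphers"])
        or all(not matches(r"(?i)null|dh_anon|export|des|rc2|idea", c)
               for c in scan["ciphers"])
    )
    return results


def failing(scan):
    """Sorted list of checks the scan does not pass."""
    return sorted(uid for uid, ok in evaluate(scan).items() if not ok)


if __name__ == "__main__":
    for name, scan in (("weak", SCAN_WEAK), ("hardened", SCAN_HARDENED)):
        print(f"{name}: failing checks = {failing(scan) or 'none'}")
```

Running it reports four failures for the weak scan (RC4, static-RSA key exchange, CBC mode, TLS 1.0) and none for the hardened one. Note that the weak scan still passes `mitigate-beast`: the query's third clause is satisfied by any cipher list free of NULL, anonymous DH, EXPORT, DES, RC2 and IDEA suites, so that check alone does not prove TLS 1.2+ is enforced; the `no-weak-tls-versions` and `no-weak-block-cipher-modes` checks are what catch that configuration.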