Merge branch 'main' into chris-rock/okta-members

mondoohq · Nov 21, 2023 · 129a12a · 129a12a
2 parents 62946cb + dae9ea0
commit 129a12a
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 2 deletions.
diff --git a/core/mondoo-http-security.mql.yaml b/core/mondoo-http-security.mql.yaml
@@ -0,0 +1,57 @@
+# Copyright (c) Mondoo, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+policies:
+  - uid: mondoo-http-security
+    name: HTTP Security
+    version: 1.0.0
+    license: BUSL-1.1
+    tags:
+      mondoo.com/category: security
+      mondoo.com/platform: network
+    authors:
+      - name: Mondoo, Inc
+        email: [email protected]
+    docs:
+      desc: |
+        ## Overview
+
+        The HTTP Security by Mondoo policy includes checks for ensuring the security of HTTP headers.
+
+        ## Remote scan
+
+        Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.
+
+        For a complete list of providers run:
+
+        ```bash
+        cnspec scan --help
+        ```
+
+        ### Scan a host
+
+        ```bash
+        cnspec scan host <fqdn>
+        ```
+
+        ## Join the community!
+
+        Our goal is to build policies that are simple to deploy, accurate, and actionable.
+
+        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
+    groups:
+      - title: Secure HTTP headers
+        filters: asset.platform == "host"
+        checks:
+          - uid: mondoo-http-security-x-content-type-options-nosniff
+    scoring_system: 2
+queries:
+  - uid: mondoo-http-security-x-content-type-options-nosniff
+    title: Set X-Content-Type-Options HTTP header to 'nosniff'
+    mql: http.get.header.xContentTypeOptions == "nosniff"
+    docs:
+      desc: |
+        Avoid MIME Type sniffing by setting the 'X-Content-Type-Options' HTTP header to 'nosniff'
+    refs:
+      - url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+        title: MDN Web Docs X-Content-Type-Options
diff --git a/core/mondoo-ms365-security.mql.yaml b/core/mondoo-ms365-security.mql.yaml
@@ -352,9 +352,9 @@ queries:
       microsoft.policies.identitySecurityDefaultsEnforcementPolicy["isEnabled"] == false
     docs:
       desc: |
-        This check ensures that the security defaults (which are enabled by default) are enabled in Azure Active Directory.
+        This check ensures that the security defaults (which are enabled by default) are disabled in Azure Active Directory.
 
-        Note: Using security defaults prohibits custom settings. Many best security practices require custom settings, such as requiring MFA for all users and admins.
+        Note: Using security defaults prohibits custom settings. Many best security practices require custom settings.
       audit: |
         __cnspec run__