diff --git a/core/mondoo-aws-security.mql.yaml b/core/mondoo-aws-security.mql.yaml index 205b3f61..4f968f43 100644 --- a/core/mondoo-aws-security.mql.yaml +++ b/core/mondoo-aws-security.mql.yaml @@ -100,7 +100,7 @@ policies: filters: asset.platform == "aws" checks: - uid: mondoo-aws-security-dynamodb-table-encrypted-kms - - title: AWS RDS DBInstance + - title: AWS RDS DB Instance filters: asset.platform == "aws" checks: - uid: mondoo-aws-security-rds-instance-public-access-check @@ -667,6 +667,7 @@ queries: # Outputs a map in the format {\"mondoo-test@mondoo.com\": , \"mondoo-test2@mondoo.com\": } value = { for k, v in aws_iam_virtual_mfa_device.mondoo_test_mfa : k => v.qr_code_png } } + ``` __AWS Console__ diff --git a/core/mondoo-azure-security.mql.yaml b/core/mondoo-azure-security.mql.yaml index 5fdc3c41..83c411a2 100644 --- a/core/mondoo-azure-security.mql.yaml +++ b/core/mondoo-azure-security.mql.yaml @@ -352,7 +352,7 @@ queries: - Check for rules where the protocol is set to `TCP`. - The destination port or port range includes `3389`. - The source address prefix is too broad, such as 'Any', '0.0.0.0', '/0', '/0', 'internet', or 'any'. - 5. Note down any NSG rules that do not comply with your organization’s security policy regarding restricted access to RDP. These rules should ideally allow access only from trusted, secure networks, and not from the open internet. + 5. Note down any NSG rules that do not comply with your organization's security policy regarding restricted access to RDP. These rules should ideally allow access only from trusted, secure networks, and not from the open internet. 1. Navigate to **Virtual Machines** in the Azure Portal. 2. For each VM, select the **Networking** blade to review network configurations. 
@@ -1214,6 +1214,7 @@ queries: key_vault_id = azurerm_key_vault.example.id expiration_date = "2025-05-01T01:02:03Z" } + ``` - uid: mondoo-azure-security-ensure-the-expiration-date-is-set-for-all-keys-and-secrets-in-kv-single filters: | asset.platform == "azure-keyvault-vault" diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index 0b038ab8..243d565e 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml @@ -84,9 +84,9 @@ queries: * Non-compliance with DNS standards: DNS resolvers expect NS and MX records to point to hostnames. Using IPs can lead to unpredictable behavior or DNS resolution failures. * Security risks: Directly exposing IP addresses can make your infrastructure more vulnerable to attacks, such as DDoS or reconnaissance efforts. remediation: | - For NS records: Always configure them to point to the authoritative DNS server’s FQDN (e.g., ns1.example.com). + For NS records: Always configure them to point to the authoritative DNS server's FQDN (e.g., ns1.example.com). - For MX records: Always point them to a valid mail server’s FQDN (e.g., mail.example.com). + For MX records: Always point them to a valid mail server's FQDN (e.g., mail.example.com). - uid: mondoo-dns-security-no-legacy-office-365-mx-records title: Ensure legacy MX records are not used with Office 365 impact: 80 
@@ -119,16 +119,16 @@ queries: containsOnly(["aspmx.l.google.com.", "alt1.aspmx.l.google.com.", "alt2.aspmx.l.google.com.", "alt3.aspmx.l.google.com.", "alt4.aspmx.l.google.com."]) docs: desc: | - This security check verifies that the domain’s MX (Mail Exchange) records are correctly configured to use the Google Workspace (formerly G Suite) email servers. Proper configuration ensures reliable email delivery and leverages Google’s advanced email security and management features. + This security check verifies that the domain's MX (Mail Exchange) records are correctly configured to use the Google Workspace (formerly G Suite) email servers. Proper configuration ensures reliable email delivery and leverages Google's advanced email security and management features. Why this is important: * Reliable email delivery: Incorrect or missing MX records can result in undelivered email. * Security risks: Using incorrect MX records can route email through untrusted servers, exposing the organization to spoofing, phishing, or data interception attacks. * Google Workspace functionality: Google Workspace requires specific MX records to activate its full suite of email features, including spam protection, encryption, and account-based email management. - * Compliance and best practices: Adhering to Google Workspace’s DNS configuration guidelines ensures compatibility and minimizes the risk of service disruptions. + * Compliance and best practices: Adhering to Google Workspace's DNS configuration guidelines ensures compatibility and minimizes the risk of service disruptions. remediation: | - Ensure the domain’s MX records point to Google’s designated email servers: + Ensure the domain's MX records point to Google's designated email servers: * ASPMX.L.GOOGLE.COM * ALT1.ASPMX.L.GOOGLE.COM * ALT2.ASPMX.L.GOOGLE.COM diff --git a/core/mondoo-dockerfile-security.mql.yaml b/core/mondoo-dockerfile-security.mql.yaml index def48ea0..0f96f0ba 100644 --- a/core/mondoo-dockerfile-security.mql.yaml 
+++ b/core/mondoo-dockerfile-security.mql.yaml @@ -59,7 +59,7 @@ policies: queries: - uid: mondoo-docker-security-no-management-ports - title: Don’t expose management ports + title: Don't expose management ports impact: 100 mql: | docker.file.stages.all(expose.all(port != 22)) @@ -89,7 +89,7 @@ queries: - Review the Dockerfile and ensure that package managers are configured to use SSL certificate validation. - Use secure practices for package installations to maintain system integrity: Remove any insecure options such as `--nogpgcheck`, `--no-check-certificate`, `--no-gpg-check`, and similar flags. - uid: mondoo-docker-security-no-insecure-certificate-validation-apt - title: Don’t disable certificate validation in APT + title: Don't disable certificate validation in APT impact: 100 mql: | docker.file.stages.all(run.none(script.contains("--allow-insecure-repositories"))) @@ -101,7 +101,7 @@ queries: - Review the Dockerfile `RUN` instructions to ensure that APT commands do not use the `--allow-insecure-repositories` option. - Configure APT to use secure repositories and avoid options that bypass certificate validation. - uid: mondoo-docker-security-no-insecure-certificate-validation-curl - title: Don’t disable certificate validation in curl + title: Don't disable certificate validation in curl impact: 100 mql: | docker.file.stages.all(run.none(script.contains("--insecure"))) @@ -115,7 +115,7 @@ queries: - Avoid using `curl` with `--insecure` or `-k` options. - Ensure that proper SSL certificate validation is enabled for all `curl` operations. - uid: mondoo-docker-security-no-insecure-certificate-validation-wget - title: Don’t disable certificate validation in Wget + title: Don't disable certificate validation in Wget impact: 100 mql: | docker.file.stages.all(run.none(script.contains("--no-check-certificate"))) 
@@ -127,7 +127,7 @@ queries: - Review the Dockerfile `RUN` instructions to ensure that `wget` commands do not use the `--no-check-certificate` option. - Configure Wget to use certificate validation to enhance the security of your container configurations. - uid: mondoo-docker-security-no-sudo-commands - title: Don’t run commands using sudo + title: Don't run commands using sudo impact: 100 mql: | docker.file.stages.all(run.none(script.contains("sudo"))) @@ -141,7 +141,7 @@ queries: - Ensure that all commands are executed with the least privileges required. - Configure containers to operate with non-root users where possible, and avoid privilege escalation techniques. - uid: mondoo-docker-security-no-gpg-skip-yum - title: Don’t skip GPG validation in YUM/DNF + title: Don't skip GPG validation in YUM/DNF impact: 100 mql: | docker.file.stages.all(run.none(script.contains("--nogpgcheck"))) @@ -190,7 +190,7 @@ queries: - Verify the necessity of each `ADD` instruction and ensure it is used correctly. - Perform a security review to ensure that any use of `ADD` does not introduce vulnerabilities or expose sensitive information. - uid: mondoo-docker-best-practice-no-latest-tag - title: Don’t build containers from latest tags + title: Don't build containers from latest tags impact: 100 mql: | docker.file.stages.all(from.tag != "latest") diff --git a/core/mondoo-tls-security.mql.yaml b/core/mondoo-tls-security.mql.yaml index 264fc5e5..eb1cbf37 100644 --- a/core/mondoo-tls-security.mql.yaml +++ b/core/mondoo-tls-security.mql.yaml 
@@ -65,10 +65,10 @@ queries: title: Certificate's domain name must match impact: 90 docs: - desc: | + desc: | The domain name in an SSL/TLS certificate must match the hostname it is intended to secure. Mismatched certificates indicate potential misconfigurations or malicious activity. This can lead to user trust issues and browser warnings, causing service interruptions or loss of user confidence. remediation: | - Ensure the certificate’s Common Name (CN) or Subject Alternative Name (SAN) fields match the intended domain name. Obtain a valid certificate for the domain from a trusted Certificate Authority (CA) and install it on the server. + Ensure the certificate's Common Name (CN) or Subject Alternative Name (SAN) fields match the intended domain name. Obtain a valid certificate for the domain from a trusted Certificate Authority (CA) and install it on the server. mql: | checkA1 = tls.certificates.first.subject.commonName == asset.fqdn @@ -102,7 +102,7 @@ queries: impact: 95 docs: desc: | - Certificates nearing expiration or expired can lead to service interruptions and browser security warnings. This can affect user trust and potentially allow MITM attacks if not addressed promptly. + Certificates nearing expiration or expired can lead to service interruptions and browser security warnings. This can affect user trust and potentially allow MITM attacks if not addressed promptly. remediation: | Monitor certificate expiration dates and renew them well in advance. mql: | 
@@ -180,7 +180,7 @@ queries: desc: | RC4 is a weak cipher prone to cryptographic attacks. Its use is discouraged as it does not provide sufficient encryption strength for modern applications. remediation: | - Remove RC4 from the server’s list of supported ciphers. Configure preferred ciphers to use modern, secure options such as AES-GCM. + Remove RC4 from the server's list of supported ciphers. Configure preferred ciphers to use modern, secure options such as AES-GCM. mql: | tls.ciphers.none( /rc4/i ) - uid: mondoo-tls-security-no-null-cipher-suites @@ -196,7 +196,7 @@ queries: - uid: mondoo-tls-security-no-export-cipher-suites title: Avoid export ciphers suites impact: 95 - docs: + docs: desc: | Export cipher suites are intentionally weakened cryptographic algorithms designed to meet outdated export regulations. They are vulnerable to brute-force attacks and compromise encryption security. remediation: | @@ -216,7 +216,7 @@ queries: - uid: mondoo-tls-security-no-weak-block-ciphers title: Avoid weak block ciphers impact: 85 - docs: + docs: desc: | Weak block ciphers, such as DES or 3DES, are vulnerable to modern cryptographic attacks, including brute force and collision attacks, reducing the overall security of the communication. remediation: |
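Review bot: the context line kept in the `@@ -667` hunk of `mondoo-aws-security.mql.yaml`, `# Outputs a map in the format {\"mondoo-test@mondoo.com\": , \"mondoo-test2@mondoo.com\": }`, has nothing after the colons, so the placeholder that described the map values looks to have been lost; restore one (e.g. `<qr_code_png>`, a placeholder) and, if this text sits inside a `|` block scalar like the other docs fields, drop the `\"` escapes, which YAML does not interpret there and which will render as literal backslashes. The added closing ``` fence itself is the right fix: without it the `__AWS Console__` heading was rendered as part of the Terraform block.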
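Review bot: in the `@@ -352` hunk of `mondoo-azure-security.mql.yaml` the context line listing over-broad source prefixes contains `'/0'` twice, so one entry is a duplicate and the intended value (such as `0.0.0.0/0` or `*`) is missing; fix it while this line is being touched. The list also restarts at `1. Navigate to **Virtual Machines** in the Azure Portal.` directly after step 5 with nothing separating the two procedures, so a short heading or sentence introducing the per-VM review would keep the remediation readable.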
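Review bot: the closing fence added in the `@@ -1214` hunk of `mondoo-azure-security.mql.yaml` fixes the same unterminated Terraform block as the AWS change; since two files had the same defect, it is worth checking the remaining policy files for code fences without a matching close so they land in the same PR.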
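Review bot: in the `@@ -119` hunk of `mondoo-dns-security.mql.yaml` the remediation lists the Google hosts in uppercase without trailing dots (`ASPMX.L.GOOGLE.COM`) while the `containsOnly([...])` list in the mql uses lowercase FQDNs with trailing dots (`aspmx.l.google.com.`); DNS names are case-insensitive, but writing them in one form avoids readers wondering whether the comparison is. Note also that `containsOnly` fails any domain that carries an extra MX record (for example a backup relay) next to the Google ones; if that is intended, the desc should say so.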
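Review bot: in the `@@ -59` hunk of `mondoo-dockerfile-security.mql.yaml` the retitled check `Don't expose management ports` only evaluates `docker.file.stages.all(expose.all(port != 22))`, so SSH is the one management port it covers; either narrow the title to SSH or extend the port list so the title and the mql agree.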
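Review bot: in the `@@ -89` hunk the retitled check `Don't disable certificate validation in APT` tests for `--allow-insecure-repositories`, an option that lets APT use repositories whose signature is missing or fails to verify; that is a repository signature (GPG) check, not TLS certificate validation, so the title and the remediation text (`avoid options that bypass certificate validation`) should describe what the flag actually disables.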
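Review bot: in the `@@ -101` hunk the curl check `run.none(script.contains("--insecure"))` does not detect the short form `-k`, yet the remediation context in the following hunk says to avoid both `--insecure` and `-k`; the mql and the remediation should agree, either by matching the short flag as well (as a separate token, since `-k` is a common substring) or by stating that only the long form is detected.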
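Review bot: in the `@@ -127` hunk the sudo check is a plain substring match, `run.none(script.contains("sudo"))`, so a `RUN apt-get install -y sudo` or a path such as `/etc/sudoers` is flagged even though no command is executed through sudo; matching `sudo` as a separate word or command token would cut those false positives.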
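Review bot: in the `@@ -190` hunk `docker.file.stages.all(from.tag != "latest")` only rejects an explicit `:latest` tag; a `FROM` reference with no tag at all resolves to `latest` too, so unless `from.tag` already reports `latest` for an untagged image the check should also reject an empty tag, and the docs should say whether digest-pinned references are accepted.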
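Review bot: the `@@ -65` hunk of `mondoo-tls-security.mql.yaml` only strips trailing whitespace after `desc: |`, but the visible `checkA1 = tls.certificates.first.subject.commonName == asset.fqdn` is an exact string comparison, so a wildcard CN such as `*.example.com` will not match; confirm that the checks cut off below it cover SAN entries and wildcards as the remediation (`Common Name (CN) or Subject Alternative Name (SAN)`) promises.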
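Review bot: the title in the `@@ -196` hunk context, `Avoid export ciphers suites`, should read `Avoid export cipher suites`; since this hunk already touches the adjacent `docs:` line for whitespace, fix the title in the same change.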