forked from mondoohq/cnspec-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmondoo-email-security.mql.yaml
288 lines (270 loc) · 15.5 KB
/
mondoo-email-security.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
policies:
- uid: mondoo-email-security
name: Email Security Policy
version: 1.0.0
license: BUSL-1.1
tags:
mondoo.com/category: security
mondoo.com/platform: host
authors:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: |
## Overview
This policy bundle verifies best practices for authenticating email messages using security protocols such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).
### Running the Policy
```
cnspec scan host mondoo.com -f mondoo-email-security.mql.yaml
```
## Join the community!
Our goal is to build policies that are simple to deploy, accurate, and actionable.
If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Email Security
filters: |
asset.platform == "host"
dns.mx != empty
checks:
- uid: mondoo-email-security-txt-record
- uid: mondoo-email-security-a-record
- uid: mondoo-email-security-dmarc-ruf
- uid: mondoo-email-security-dmarc-rua
- uid: mondoo-email-security-dmarc-policy
- uid: mondoo-email-security-dmarc-version
- uid: mondoo-email-security-dmarc
- uid: mondoo-email-security-spf
- uid: mondoo-email-security-single-spf
- uid: mondoo-email-security-spf-length
- uid: mondoo-email-security-spf-whitespaces
- uid: mondoo-email-security-spf-fail
- uid: mondoo-email-security-spf-dns-record
- uid: mondoo-email-security-dkim
- uid: mondoo-email-security-reverse-ip-ptr-record-set
queries:
- uid: mondoo-email-security-reverse-ip-ptr-record-set
title: Ensure Reverse IP Lookup PTR record is set (DNS Forward confirmed)
mql: |
reverseDNSDomain =
dns.params.A.rData.first.split(".")[3] + "."
+ dns.params.A.rData.first.split(".")[2] + "."
+ dns.params.A.rData.first.split(".")[1] + "."
+ dns.params.A.rData.first.split(".")[0]
+ ".in-addr.arpa"
dns(reverseDNSDomain).params.PTR.rData.any(_.contains(asset.fqdn))
docs:
desc: |
Reverse DNS queries for IPv4 addresses use the special domain in-addr.arpa. In this domain, the IPv4 address is represented as a concatenated sequence of four decimal numbers separated by periods, to which is added the second-level domain suffix .in-addr.arpa. The four decimal numbers are obtained by splitting the 32-bit IPv4 address into four octets and converting each octet to a decimal number. These decimal numbers are then arranged in the following order: the smallest octet is first (leftmost) and the most significant octet is last (rightmost). It is important to note that this is the reverse order of the usual convention for writing IPv4 addresses in text form.
For example, to query the IP address 8.8.4.4 in reverse order, the PTR record for the domain name 4.4.8.8.in-addr.arpa is queried, which points to dns.google.
If the A record for dns.google in turn points back to 8.8.4.4, it means that the domain is in a [forward-confirmed reverse DNS](https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS) state.
This creates a form of authentication, which is strong enough to be used for whitelisting purposes of email servers.
According to Google's latest guidelines:
"Your sending IP address must have a PTR record. PTR records verify that the sending hostname is associated with the sending IP address.
Every IP address must map to a hostname in the PTR record. The hostname specified in the PTR record must have a forward DNS that refers to the sending IP address."
audit: Run the `dig -t PTR <special-reverse-domain>` command and verify that the it points to your mail domain.
remediation: |
Set up valid reverse DNS records of your sending server IP addresses that point to your domain.
refs:
- url: https://en.wikipedia.org/wiki/Reverse_DNS_lookup
title: Reverse DNS Lookup
- url: https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
title: Forward-confirmed reverse DNS
- url: https://support.google.com/a/answer/81126?hl=en#ip
title: Google Email sender guidelines - IP Addresses
- uid: mondoo-email-security-txt-record
title: Domain Apex should have a TXT record
mql: dns.records.where(type == "TXT") != empty
docs:
desc: |
A TXT record is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate arbitrary text with a host or other name, such as human readable information about a server, network, data center, or other accounting information.
audit: Run the `dig -t TXT <domain>` command and verify that the SPF record is set.
remediation: |
Add a TXT record to your DNS zone file.
refs:
- url: https://en.wikipedia.org/wiki/TXT_record
title: TXT Record
- uid: mondoo-email-security-a-record
title: Domain Apex should have an anchor (A) record
mql: dns.records.where(type == "A") != empty
docs:
desc: |
A domain's apex anchor record should be set to something, even if it's a redirect.
audit: Run the `dig -t A <domain>` command and verify that there is an A record
remediation: |
Add an A record to your DNS zone file, consider using a redirect to your corporate website.
refs:
- url: https://www.easyredir.com/blog/what-is-an-apex-domain/
title: A Record
- uid: mondoo-email-security-spf
title: Ensure SPF record is set
mql: |
dns.params['TXT']['rData'].one(/v=spf1/)
docs:
desc: |
Sender Policy Framework (SPF) is a method of preventing email spoofing by allowing the owner of a domain to publish a list of mail servers that are authorized to send email from that domain.
audit: Run the `dig -t TXT <domain>` command and verify that the SPF record is set
remediation: |
Add a TXT record to your DNS zone file with the following format:
```
<domain> IN TXT "v=spf1 include:_spf.google.com ~all"
```
refs:
- url: https://en.wikipedia.org/wiki/Sender_Policy_Framework
title: SPF Record
- uid: mondoo-email-security-single-spf
title: Ensure there are not multiple SPF records
mql: dns.params['TXT']['rData'].where(/v=spf1/).length <= 1
docs:
desc: A domain should have only one Sender Policy Framework (SPF) record.
audit: Run the `dig -t TXT <domain>` command and verify that there is only one SPF record
remediation: |
Remove all but one SPF record from your DNS zone file.
refs:
- url: https://en.wikipedia.org/wiki/Sender_Policy_Framework
title: SPF Record
- uid: mondoo-email-security-spf-length
title: Ensure SPF record is not too long
mql: dns.params['TXT']['rData'].where(/v=spf1/).all(_.length <= 255)
docs:
desc: The Sender Policy Framework (SPF) record should not be longer than 255 characters.
audit: Run the `dig -t TXT <domain>` command and verify that the SPF record is not longer than 255 characters
remediation: |
Remove some of the entries from your SPF record.
refs:
- url: https://datatracker.ietf.org/doc/html/rfc7208#section-3.3
title: Sender Policy Framework (SPF)for Authorizing Use of Domains in Email, Version 1
- uid: mondoo-email-security-spf-whitespaces
title: Ensure SPF record does not contain any excess whitespace
mql: dns.params['TXT']['rData'].where(/v=spf1/).where(/\s{2,}/) == empty
docs:
desc: The Sender Policy Framework (SPF) record should not contain any unnecessary whitespace.
audit: Run the `dig -t TXT <domain>` command and verify that the SPF record does not contain any whitespace
remediation: |
Remove all excess whitespace from your SPF record.
refs:
- url: https://en.wikipedia.org/wiki/Sender_Policy_Framework
title: SPF Record
- uid: mondoo-email-security-spf-fail
title: SPF should be set to fail or soft fail all
mql: |
dns.params['TXT']['rData'].where(/v=spf1/).all(/all/)
docs:
desc: The Sender Policy Framework (SPF) record should be set to soft fail all.
audit: Run the `dig -t TXT <domain>` command and verify that the SPF record is set to fail or soft fail all
remediation: |
The SPF record should end with all.
refs:
- url: https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-spf-dns-record
title: Do not use deprecated SPF DNS Record Type
mql: dns.records.where(type == "SPF") == empty
docs:
desc: The Sender Policy Framework (SPF) record should not use the deprecated SPF DNS Record Type.
audit: Run the `dig SPF <domain>` command and verify that the SPF record does not use the deprecated SPF DNS Record Type
remediation: |
Remove the deprecated SPF DNS Record Type from your SPF record.
refs:
- url: https://en.wikipedia.org/wiki/Sender_Policy_Framework#DNS_SPF_Records
title: DNS SPF Records
- uid: mondoo-email-security-dmarc
title: Ensure DMARC DNS entry exists
mql: dns("_dmarc."+asset.name).records != empty
docs:
desc: DMARC is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting that a mail-receiving organization can use to improve mail handling.
audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC DNS entry exists
remediation: |
Add the _dmarc entry to you DNS zone file.
refs:
- url: https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-dmarc-version
title: Ensure DMARC version 1
mql: dns("_dmarc."+asset.name).params['TXT']['rData'].all(/v=DMARC1/)
docs:
desc: Set the DMARC version in the TXT record to 1.
audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC TXT record contains `v=DMARC1`.
remediation: |
Add a TXT record to your DNS zone file with the following format:
```
<domain> IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:lunalectric.com; ruf=mailto:lunalectric.com; fo=1;"
```
refs:
- url: https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-dmarc-policy
title: Ensure DMARC policy is set to quarantine or reject
mql: dns("_dmarc." + asset.name).params['TXT']['rData'].all(/reject|quarantine/)
docs:
desc: In the DMARC implementation, you can tell email receivers how to handle email messages that fail authentication and protect your domain from spoofing and other phishing attacks. There are three DMARC policies (Monitoring Policy, Quarantine Policy, Reject Policy) that you can implement.
audit: Run the `dig TXT _dmarc.<domain>` command and verify that the DMARC policy quarantine or reject is configured.
remediation: |
Add a TXT record to your DNS zone file with the following format:
```
<domain> IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:lunalectric.com; ruf=mailto:lunalectric.com; fo=1;"
```
refs:
- url: https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-dmarc-rua
title: Ensure DMARC RUA tag
mql: dns("_dmarc."+asset.name).params['TXT']['rData'].all(/rua=mailto/)
docs:
desc: |
Receiving email servers regularly send DMARC Aggregate Reports (RUA) to all domains that have an adequately implemented DMARC policy. These reports contain encrypted aggregate statistics in XML format and are sent to the email addresses specified in the RUA tag of the DMARC record. In simpler terms, the RUA tag is used to specify one or more email addresses where you want to receive DMARC Aggregate Reports.
audit: Run the `dig TXT _dmarc.<domain>` command and verify that the DMARC RUA tag is configured.
remediation: |
Add a TXT record to your DNS zone file with the following format:
```
<domain> IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:lunalectric.com; ruf=mailto:lunalectric.com; fo=1;"
```
refs:
- url: https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-dmarc-ruf
title: Ensure DMARC RUF tag
mql: dns("_dmarc." + asset.name).params['TXT']['rData'].all(/ruf=mailto/)
docs:
desc: |
The RUF (or DMARC Failure or Forensic Report) tag was designed to inform domain administrators when emails fail SPF, DKIM, and DMARC authentication checks. The report includes sensitive details about the email, such as the header, subject, URLs, and attachments. However, many organizations prefer not to request RUF reports due to privacy and compliance concerns. The main goal is to comply with privacy laws and prevent data breaches.
audit: Run the `dig TXT _dmarc.<domain>` command and verify that the DMARC RUF tag is configured.
remediation: |
Add a TXT record to your DNS zone file with the following format:
```
<domain> IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:lunalectric.com; ruf=mailto:lunalectric.com; fo=1;"
```
refs:
- url: https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf
title: M3AAWG Email Authentication Recommended Best Practices (2020)
- uid: mondoo-email-security-dkim
title: Ensure DKIM is configured
props:
- uid: mondooEmailSecurityDkimSelectors
title: Define a list of valid DKIM selectors
mql: |
[
"google",
"selector1",
"selector2",
"k1",
"dkim",
"mx",
"mailjet"
]
mql: |
props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+asset.name).params['TXT']['rData'].first == /p=/)
props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+asset.name).params['TXT']['rData'].first == /k=rsa/)
docs:
desc: |
A DKIM record is a specialized DNS TXT record that stores the public key used to verify an email's authenticity.
audit: Run the `dig TXT <selector>._domainkey.<domain>` command and verify that the public key is available.
remediation: |
Add a TXT record to your DNS zone file with the following format:
```
<selector>._domainkey.<domain> IN TXT "v=DKIM1; p=76E629F05F9EF6658533333F5ADE69A240657AB2FC3"
```
refs:
- url: https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf
title: M3AAWG Email Authentication Recommended Best Practices (2020)