Update text in the email policy #338

Merged
merged 1 commit into from
Jan 18, 2024
32 changes: 16 additions & 16 deletions core/mondoo-email-security.mql.yaml
Expand Up @@ -16,7 +16,7 @@ policies:
desc: |
## Overview

This policy bundle verifies of best practices for authenticating email messages using the security protocols Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance) DMARC.
This policy bundle verifies best practices for authenticating email messages using security protocols such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).

### Running the Policy
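Review bot: In the rewritten overview sentence, "Domain Keys Identified Mail" should be "DomainKeys Identified Mail", which is the protocol's name in RFC 6376. The new wording "security protocols such as" also makes the list read as open-ended; if SPF, DKIM and DMARC are the only protocols this bundle checks, "the security protocols" from the old line is the more accurate phrasing.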

Expand Down Expand Up @@ -65,7 +65,7 @@ queries:
mql: dns.records.where(type == "A") != empty
docs:
desc: |
A domains apex anchor record should be set to something, even if it's a redirect.
A domain's apex anchor record should be set to something, even if it's a redirect.
audit: Run the `dig -t A <domain>` command and verify that there is an A record
remediation: |
Add an A record to your DNS zone file, consider using a redirect to your corporate website.
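Review bot: The description speaks of an apex anchor record in general, but the query `dns.records.where(type == "A") != empty` and the audit command only consider A records, so a domain that publishes only an AAAA record fails this check. Either say in the description that an IPv4 A record is required or extend the query and audit step to AAAA. The remediation sentence is a comma splice and would read better split after "zone file".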
Expand All @@ -78,7 +78,7 @@ queries:
dns.params['TXT']['rData'].one(/v=spf1/)
docs:
desc: |
SPF (Sender Policy Framework) is a method of preventing email spoofing by allowing the owner of a domain to publish a list of mail servers that are authorized to send email from that domain.
Sender Policy Framework (SPF) is a method of preventing email spoofing by allowing the owner of a domain to publish a list of mail servers that are authorized to send email from that domain.
audit: Run the `dig -t TXT <domain>` command and verify that the SPF record is set
remediation: |
Add a TXT record to your DNS zone file with the following format:
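Review bot: The pattern in `dns.params['TXT']['rData'].one(/v=spf1/)` is unanchored, so a TXT record that merely contains the string `v=spf1` somewhere in its text satisfies the check. SPF evaluators only treat a TXT record as SPF when it begins with `v=spf1`, so consider anchoring the pattern to the start of the record here and in the other `/v=spf1/` filters in this file.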
Expand All @@ -90,10 +90,10 @@ queries:
- url: https://en.wikipedia.org/wiki/Sender_Policy_Framework
title: SPF Record
- uid: mondoo-email-security-single-spf
title: Ensure there are not multiple SPF record
title: Ensure there are not multiple SPF records
mql: dns.params['TXT']['rData'].where(/v=spf1/).length <= 1
docs:
desc: A domain should have only one SPF record.
desc: A domain should have only one Sender Policy Framework (SPF) record.
audit: Run the `dig -t TXT <domain>` command and verify that there is only one SPF record
remediation: |
Remove all but one SPF record from your DNS zone file.
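Review bot: The description on the single-SPF check states the rule but not the consequence, and expanding the acronym does not add it. RFC 7208 has receivers return a permanent error when a domain publishes more than one SPF record, so the whole SPF result is lost; one sentence saying that in `desc` would tell the reader why the finding matters.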
Expand All @@ -104,7 +104,7 @@ queries:
title: Ensure SPF record is not too long
mql: dns.params['TXT']['rData'].where(/v=spf1/).all(_.length <= 255)
docs:
desc: The SPF record should not be longer than 255 characters.
desc: The Sender Policy Framework (SPF) record should not be longer than 255 characters.
audit: Run the `dig -t TXT <domain>` command and verify that the SPF record is not longer than 255 characters
remediation: |
Remove some of the entries from your SPF record.
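Review bot: The description "should not be longer than 255 characters" is imprecise: 255 is the limit for a single character-string inside a TXT record, and a record may consist of several strings that the receiver concatenates. Please word `desc` and `audit` as a per-string limit, and consider mentioning splitting the record into multiple strings in the remediation next to "Remove some of the entries".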
Expand All @@ -115,7 +115,7 @@ queries:
title: Ensure SPF record does not contain any excess whitespace
mql: dns.params['TXT']['rData'].where(/v=spf1/).where(/\s{2,}/) == empty
docs:
desc: The SPF record should not contain any unnecessary whitespace.
desc: The Sender Policy Framework (SPF) record should not contain any unnecessary whitespace.
audit: Run the `dig -t TXT <domain>` command and verify that the SPF record does not contain any whitespace
remediation: |
Remove all excess whitespace from your SPF record.
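Review bot: The audit step says to verify that the SPF record "does not contain any whitespace", which contradicts the description ("unnecessary whitespace") and the query, which only flags runs of two or more whitespace characters via `/\s{2,}/`. SPF terms are separated by single spaces, so the audit text should read "any excess whitespace" to match.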
Expand All @@ -127,7 +127,7 @@ queries:
mql: |
dns.params['TXT']['rData'].where(/v=spf1/).all(/all/)
docs:
desc: The SPF record should be set to soft fail all.
desc: The Sender Policy Framework (SPF) record should be set to soft fail all.
audit: Run the `dig -t TXT <domain>` command and verify that the SPF record is set to fail or soft fail all
remediation: |
The SPF record should end with all.
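Review bot: The query `.all(/all/)` accepts any record containing the substring `all`, including `+all` or `?all`, while the description asks for soft fail and the audit text for fail or soft fail. Match the qualifier explicitly (`~all` or `-all` as the final term) and make `desc`, `audit` and the remediation sentence "The SPF record should end with all." state the same requirement.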
Expand All @@ -138,7 +138,7 @@ queries:
title: Do not use deprecated SPF DNS Record Type
mql: dns.records.where(type == "SPF") == empty
docs:
desc: The SPF record should not use the deprecated SPF DNS Record Type.
desc: The Sender Policy Framework (SPF) record should not use the deprecated SPF DNS Record Type.
audit: Run the `dig SPF <domain>` command and verify that the SPF record does not use the deprecated SPF DNS Record Type
remediation: |
Remove the deprecated SPF DNS Record Type from your SPF record.
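Review bot: The remediation "Remove the deprecated SPF DNS Record Type from your SPF record" is hard to act on, because a record type cannot be removed from a record. Suggest something like "Delete the records of type SPF from your DNS zone file and publish the policy as a TXT record instead", which matches what the query `dns.records.where(type == "SPF") == empty` checks.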
Expand All @@ -149,7 +149,7 @@ queries:
title: Ensure DMARC DNS entry exists
mql: dns("_dmarc."+asset.name).records != empty
docs:
desc: DMARC is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting that a mail-receiving organization can use to improve mail handling.
desc: DMARC is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting that a mail-receiving organization can use to improve mail handling.
audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC DNS entry exists
remediation: |
Add the _dmarc entry to you DNS zone file.
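Review bot: The remediation line in this hunk still reads "Add the _dmarc entry to you DNS zone file"; "you" should be "your". Since the PR spells out SPF on first use in every description, DMARC could be expanded in this `desc` as well for consistency.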
Expand All @@ -160,11 +160,11 @@ queries:
title: Ensure DMARC version 1
mql: dns("_dmarc."+asset.name).params['TXT']['rData'].all(/v=DMARC1/)
docs:
desc: Set the DMARC version in the TXT record to 1.
desc: Set the DMARC version in the TXT record to 1.
audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC TXT record contains `v=DMARC1`.
remediation: |
Add a TXT record to your DNS zone file with the following format:

```
<domain> IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:lunalectric.com; ruf=mailto:lunalectric.com; fo=1;"
```
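Review bot: The example record uses `<domain>` as the owner name, but the query and the audit command both look the record up at `_dmarc.<domain>`. A reader who copies the remediation as written publishes the policy at the wrong name and the check keeps failing; the example should start with `_dmarc.<domain> IN TXT`.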
Expand All @@ -179,7 +179,7 @@ queries:
audit: Run the `dig TXT _dmarc.<domain>` command and verify that the DMARC policy quarantine or reject is configured.
remediation: |
Add a TXT record to your DNS zone file with the following format:

```
<domain> IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:lunalectric.com; ruf=mailto:lunalectric.com; fo=1;"
```
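Review bot: The remediation for the policy check reuses the generic example and does not say which tag this check is about. The audit text accepts quarantine or reject, so the remediation should name the `p=` tag and list both `p=quarantine` and `p=reject` as acceptable values rather than showing only `p=reject`.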
Expand All @@ -195,7 +195,7 @@ queries:
audit: Run the `dig TXT _dmarc.<domain>` command and verify that the DMARC RUA tag is configured.
remediation: |
Add a TXT record to your DNS zone file with the following format:

```
<domain> IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:lunalectric.com; ruf=mailto:lunalectric.com; fo=1;"
```
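Review bot: In the example record, `rua=mailto:lunalectric.com` has no mailbox part, so it is not a usable mailto address and aggregate reports sent to it would have no recipient. For the RUA check in particular the example should show a full address placeholder such as `rua=mailto:<mailbox>@<domain>`.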
Expand All @@ -211,7 +211,7 @@ queries:
audit: Run the `dig TXT _dmarc.<domain>` command and verify that the DMARC RUF tag is configured.
remediation: |
Add a TXT record to your DNS zone file with the following format:

```
<domain> IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:lunalectric.com; ruf=mailto:lunalectric.com; fo=1;"
```
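Review bot: The `ruf=mailto:lunalectric.com` value in the example lacks a mailbox part, the same defect as the `rua` value. This identical example block appears under four DMARC checks in the file, so the correction needs to be applied to each copy, or the checks could share a single corrected example.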
Expand Down Expand Up @@ -242,7 +242,7 @@ queries:
audit: Run the `dig TXT <selector>._domainkey.<domain>` command and verify that the public key is available.
remediation: |
Add a TXT record to your DNS zone file with the following format:

```
<selector>._domainkey.<domain> IN TXT "v=DKIM1; p=76E629F05F9EF6658533333F5ADE69A240657AB2FC3"
```
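Review bot: The sample value `p=76E629F05F9EF6658533333F5ADE69A240657AB2FC3` reads as a short hexadecimal string, while the DKIM `p=` tag carries the base64-encoded public key. A neutral placeholder such as `p=<base64-encoded public key>` would avoid suggesting a format or key length that a real selector record does not use.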