🧹 Fixes double mql issues: Mondoo Linux Policy #415

Merged (15 commits), Jul 1, 2024
6 changes: 3 additions & 3 deletions community/mondoo-phoenix-plcnext-security.mql.yaml
Expand Up @@ -118,7 +118,7 @@ queries:
mql: |
return ["[email protected]","[email protected]","diffie-hellman-group-exchange-sha256"]
mql: |
sshd.config.kexs != null
sshd.config.kexs != empty
sshd.config.kexs.containsOnly(props.PLCKexAlgos)
docs:
desc: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received
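Review bot: the switch from `sshd.config.kexs != null` to `sshd.config.kexs != empty` is a behaviour change, not only a wording fix, and the PR description should say so: `empty` also matches an empty list, so a `KexAlgorithms` directive that is present but lists no algorithms (which the following `containsOnly(props.PLCKexAlgos)` would accept trivially) now fails instead of passing. That is the stricter and better outcome for a hardening check. The MACs and Ciphers hunks below make the same change and get the same effect.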
Expand All @@ -136,7 +136,7 @@ queries:
mql: |
return ["[email protected]","[email protected]","[email protected]","hmac-sha2-512","hmac-sha2-256"]
mql: |
sshd.config.macs != null
sshd.config.macs != empty
sshd.config.macs.containsOnly(props.PLCMacAlgos)
docs:
desc: This variable limits the types of MAC algorithms that SSH can use during communication.
Expand All @@ -156,7 +156,7 @@ queries:
mql: |
return ["[email protected]","[email protected]","[email protected]","aes256-ctr","aes192-ctr","aes128-ctr"]
mql: |
sshd.config.ciphers != null
sshd.config.ciphers != empty
sshd.config.ciphers.containsOnly(props.PLCSshdCiphers)
docs:
desc: This variable limits the ciphers that SSH can use during communication.
46 changes: 23 additions & 23 deletions core/mondoo-aws-security.mql.yaml
Expand Up @@ -4,7 +4,7 @@
policies:
- uid: mondoo-aws-security
name: AWS Security
version: 3.0.0
version: 3.0.1
license: BUSL-1.1
tags:
mondoo.com/category: security
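Review bot: 3.0.0 to 3.0.1 is a patch bump, but this PR renames every property uid in the file (`iamPasswordPolicyMaxPasswordAge` to `iamPasswordPolicyMaxPasswordAgeMondoo`, `maxAccessKeyAge` to `maxAccessKeyAgeMondoo`, `ebsVolumeDeleteOnTermination` to `ebsVolumeDeleteOnTerminationMondoo`, and so on). Anyone overriding those props by uid in their own bundle silently loses the override, so this deserves at least a minor version bump and a changelog entry listing the old and new uids. The same applies to the Azure (2.0.0 to 2.0.1) and HTTP (1.1.0 to 1.1.1) bumps further down.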
Expand Down Expand Up @@ -265,25 +265,25 @@ queries:
title: Ensure strong account password policy requirements are used
impact: 60
props:
- uid: iamPasswordPolicyMaxPasswordAge
- uid: iamPasswordPolicyMaxPasswordAgeMondoo
title: Define the maximum number of days a password is allowed to exist before being rotated
mql: "90"
- uid: iamPasswordPolicyMinimumPasswordLength
- uid: iamPasswordPolicyMinimumPasswordLengthMondoo
title: Minimum password length
mql: "14"
- uid: iamPasswordPolicyPasswordReusePrevention
- uid: iamPasswordPolicyPasswordReusePreventionMondoo
title: Number of passwords before allowing reuse
mql: "24"
- uid: iamPasswordPolicyRequireLowercaseCharacters
- uid: iamPasswordPolicyRequireLowercaseCharactersMondoo
title: Denotes whether lowercase characters are required for passwords
mql: "true"
- uid: iamPasswordPolicyRequireNumbers
- uid: iamPasswordPolicyRequireNumbersMondoo
title: Denotes whether numbers are required for passwords
mql: "true"
- uid: iamPasswordPolicyRequireSymbols
- uid: iamPasswordPolicyRequireSymbolsMondoo
title: Denotes whether symbols are required for passwords
mql: "true"
- uid: iamPasswordPolicyRequireUppercaseCharacters
- uid: iamPasswordPolicyRequireUppercaseCharactersMondoo
title: Denotes whether uppercase characters are required for passwords
mql: "true"
mql: |
Expand All @@ -296,13 +296,13 @@ queries:
aws.iam.accountPasswordPolicy.PasswordReusePrevention != empty
aws.iam.accountPasswordPolicy.MaxPasswordAge != empty
// Validate each policy setting against props
aws.iam.accountPasswordPolicy.where(RequireUppercaseCharacters != empty).all(RequireUppercaseCharacters == props.iamPasswordPolicyRequireUppercaseCharacters)
aws.iam.accountPasswordPolicy.where(RequireLowercaseCharacters != empty).all(RequireLowercaseCharacters == props.iamPasswordPolicyRequireLowercaseCharacters)
aws.iam.accountPasswordPolicy.where(RequireSymbols != empty).all(RequireSymbols == props.iamPasswordPolicyRequireSymbols)
aws.iam.accountPasswordPolicy.where(RequireNumbers != empty).all(RequireNumbers == props.iamPasswordPolicyRequireNumbers)
aws.iam.accountPasswordPolicy.where(MinimumPasswordLength != empty).all(MinimumPasswordLength >= props.iamPasswordPolicyMinimumPasswordLength)
aws.iam.accountPasswordPolicy.where(PasswordReusePrevention != empty).all(PasswordReusePrevention >= props.iamPasswordPolicyPasswordReusePrevention)
aws.iam.accountPasswordPolicy.where(MaxPasswordAge != empty).all(MaxPasswordAge <= props.iamPasswordPolicyMaxPasswordAge)
aws.iam.accountPasswordPolicy.where(RequireUppercaseCharacters != empty).all(RequireUppercaseCharacters == props.iamPasswordPolicyRequireUppercaseCharactersMondoo)
aws.iam.accountPasswordPolicy.where(RequireLowercaseCharacters != empty).all(RequireLowercaseCharacters == props.iamPasswordPolicyRequireLowercaseCharactersMondoo)
aws.iam.accountPasswordPolicy.where(RequireSymbols != empty).all(RequireSymbols == props.iamPasswordPolicyRequireSymbolsMondoo)
aws.iam.accountPasswordPolicy.where(RequireNumbers != empty).all(RequireNumbers == props.iamPasswordPolicyRequireNumbersMondoo)
aws.iam.accountPasswordPolicy.where(MinimumPasswordLength != empty).all(MinimumPasswordLength >= props.iamPasswordPolicyMinimumPasswordLengthMondoo)
aws.iam.accountPasswordPolicy.where(PasswordReusePrevention != empty).all(PasswordReusePrevention >= props.iamPasswordPolicyPasswordReusePreventionMondoo)
aws.iam.accountPasswordPolicy.where(MaxPasswordAge != empty).all(MaxPasswordAge <= props.iamPasswordPolicyMaxPasswordAgeMondoo)
docs:
desc: |
AWS allows custom password policies on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. IAM user passwords must meet the default AWS password policy if you don't set a custom password policy. AWS security best practices recommend these password complexity requirements:
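Review bot: the rename is applied consistently to all seven prop uids and to the seven `props.*` references in the query, but the `docs.desc` that begins at the end of this hunk is cut off here. If the remainder names the properties an operator is expected to tune (as the access-key check's desc does in the next hunk, where it was updated to `maxAccessKeyAgeMondoo`), it needs the `Mondoo` suffix too, or the docs will point at uids that no longer exist.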
Expand Down Expand Up @@ -397,15 +397,15 @@ queries:
title: Ensure active access keys are rotated
impact: 70
props:
- uid: maxAccessKeyAge
- uid: maxAccessKeyAgeMondoo
title: Define the maximum number of days an IAM key is allowed to exist before rotation
mql: "90"
mql: |
aws.iam.credentialReport.where(accessKey1Active == true && time.now - userCreationTime > props.maxAccessKeyAge * time.day).all(time.now - accessKey1LastRotated < props.maxAccessKeyAge * time.day)
aws.iam.credentialReport.where(accessKey2Active == true && time.now - userCreationTime > props.maxAccessKeyAge * time.day).all(time.now - accessKey2LastRotated < props.maxAccessKeyAge * time.day)
aws.iam.credentialReport.where(accessKey1Active == true && time.now - userCreationTime > props.maxAccessKeyAgeMondoo * time.day).all(time.now - accessKey1LastRotated < props.maxAccessKeyAgeMondoo * time.day)
aws.iam.credentialReport.where(accessKey2Active == true && time.now - userCreationTime > props.maxAccessKeyAgeMondoo * time.day).all(time.now - accessKey2LastRotated < props.maxAccessKeyAgeMondoo * time.day)
docs:
desc: |
It is highly recommended that you regularly rotate (change) IAM user access keys to reduce the risk of unwanted access to your account. Change the value enforced in this check by modifying the maxAccessKeyAge property.
It is highly recommended that you regularly rotate (change) IAM user access keys to reduce the risk of unwanted access to your account. Change the value enforced in this check by modifying the maxAccessKeyAgeMondoo property.
audit: |
__cnspec shell__

Expand Down Expand Up @@ -1211,7 +1211,7 @@ queries:

```mql
aws.s3.buckets.all(
publicAccessBlock != null && publicAccessBlock.values.all(_ == true)
publicAccessBlock != empty && publicAccessBlock.values.all(_ == true)
)
```

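Review bot: this `publicAccessBlock != empty` edit sits inside the `audit:` documentation (the fenced ```mql snippet users paste into `cnspec shell`), not in the check's own `mql:`, and the hunk does not show whether the check was changed the same way. The two should stay identical, otherwise the audit command and the policy can disagree on the same bucket. Same concern for the CloudTrail `kmsKey != empty` audit snippet later in this file.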
Expand Down Expand Up @@ -2154,7 +2154,7 @@ queries:
title: Ensure EBS volumes attached to EC2 instances are configured for deletion on instance termination
impact: 60
props:
- uid: ebsVolumeDeleteOnTermination
- uid: ebsVolumeDeleteOnTerminationMondoo
title: Defines whether instances should be configured to delete volumes on termination
mql: "true"
variants:
Expand Down Expand Up @@ -2232,7 +2232,7 @@ queries:
- uid: mondoo-aws-security-ec2-volume-inuse-check-all
filters: asset.platform == "aws"
mql: |
aws.ec2.volumes.where(attachments != empty).all(attachments.any(DeleteOnTermination == props.ebsVolumeDeleteOnTermination))
aws.ec2.volumes.where(attachments != empty).all(attachments.any(DeleteOnTermination == props.ebsVolumeDeleteOnTerminationMondoo))
- uid: mondoo-aws-security-ec2-volume-inuse-check-single
filters: asset.platform == "aws-ec2-volume" && aws.ec2.volume.attachments != empty
mql: |
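Review bot: only the `...-check-all` variant's reference to `props.ebsVolumeDeleteOnTerminationMondoo` is visible; the `mql:` body of the `mondoo-aws-security-ec2-volume-inuse-check-single` variant at the end of this hunk is cut off. Because the prop uid in the `props:` block above was renamed, that variant must reference the new name as well, or the policy will fail to resolve `props.ebsVolumeDeleteOnTermination` for single-volume assets.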
Expand Down Expand Up @@ -2393,7 +2393,7 @@ queries:

```mql
aws.cloudtrail.trails.all(
kmsKey != null
kmsKey != empty
)
```

20 changes: 10 additions & 10 deletions core/mondoo-azure-security.mql.yaml
Expand Up @@ -4,7 +4,7 @@
policies:
- uid: mondoo-azure-security
name: Microsoft Azure Security
version: 2.0.0
version: 2.0.1
license: BUSL-1.1
tags:
mondoo.com/category: security
Expand Down Expand Up @@ -216,7 +216,7 @@ queries:
title: Ensure that SSH access is restricted from the internet
impact: 80
props:
- uid: disallowedPortsSSH
- uid: disallowedPortsSSHMondoo
title: a list of disallowed TCP ports, by default SSH listens only on TCP port 22, add more ports as needed
mql: |
return [
Expand Down Expand Up @@ -305,7 +305,7 @@ queries:
&& properties.sourceAddressPrefix == /\*|0\.0\.0\.0|<nw>\/0|\/0|internet|any/
)
allNsgTCP.all(properties.destinationPortRange != "*")
props.disallowedPortsSSH {
props.disallowedPortsSSHMondoo {
disallowedPortSSH = _
disallowedPortSSH
allNsgTCP.none(destinationPortRange.any(fromPort <= disallowedPortSSH && toPort >= disallowedPortSSH))
Expand All @@ -323,7 +323,7 @@ queries:
)
)
allNsgTCP.all(securityRules.all(properties.destinationPortRange != "*"))
props.disallowedPortsSSH {
props.disallowedPortsSSHMondoo {
disallowedPortSSH = _
disallowedPortSSH
allNsgTCP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortSSH && toPort >= disallowedPortSSH)))
Expand All @@ -332,7 +332,7 @@ queries:
title: Ensure that RDP access is restricted from the internet
impact: 80
props:
- uid: disallowedPortsRDP
- uid: disallowedPortsRDPMondoo
title: a list of disallowed TCP ports, by default RDP listens only on TCP port 3389, add more ports as needed
mql: |
return [
Expand Down Expand Up @@ -419,7 +419,7 @@ queries:
&& properties.sourceAddressPrefix == /\*|0\.0\.0\.0|<nw>\/0|\/0|internet|any/
)
allNsgTCP.all(properties.destinationPortRange != "*")
props.disallowedPortsRDP {
props.disallowedPortsRDPMondoo {
Thanks Manuel. I couldn't get why you changed the Azure property names, as we already considered the uniqueness of property names in the first place.

Besides, if you justify the reasoning, then the name should also be reflected in the query!!!

example:

allNsgTCP.none(destinationPortRange.any(fromPort <= disallowedPortRDP && toPort >= disallowedPortRDPMondoo))

disallowedPortRDP = _
disallowedPortRDP
allNsgTCP.none(destinationPortRange.any(fromPort <= disallowedPortRDP && toPort >= disallowedPortRDP))
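Review bot: in this block only the property reference needed to change. `disallowedPortRDP = _` binds a local name to each element of `props.disallowedPortsRDPMondoo` inside the `{ ... }` block, and the following `allNsgTCP.none(destinationPortRange.any(fromPort <= disallowedPortRDP && toPort >= disallowedPortRDP))` line uses that local, not the prop uid, so the query is already consistent as written. Renaming the local to match the prop would be a style choice, not a correctness fix; the SSH and UDP blocks in this file use the same pattern and need no further edits either.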
Expand All @@ -437,7 +437,7 @@ queries:
)
)
allNsgTCP.all(securityRules.all(properties.destinationPortRange != "*"))
props.disallowedPortsRDP {
props.disallowedPortsRDPMondoo {
disallowedPortRDP = _
disallowedPortRDP
allNsgTCP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortRDP && toPort >= disallowedPortRDP)))
Expand Down Expand Up @@ -2081,7 +2081,7 @@ queries:
title: Ensure direct UDP access to Resources from the internet is restricted
impact: 80
props:
- uid: disallowedPortsUDP
- uid: disallowedPortsUDPMondoo
title: a list of disallowed UDP ports, by default covering common UDP services, add more as needed
mql: |
return [
Expand Down Expand Up @@ -2165,7 +2165,7 @@ queries:
&& properties.sourceAddressPrefix == /\*|0\.0\.0\.0|<nw>\/0|\/0|internet|any/
)
allNsgUDP.all(properties.destinationPortRange != "*")
props.disallowedPortsUDP {
props.disallowedPortsUDPMondoo {
disallowedPortUDP = _
disallowedPortUDP
allNsgUDP.none(destinationPortRange.any(fromPort <= disallowedPortUDP && toPort >= disallowedPortUDP))
Expand All @@ -2183,7 +2183,7 @@ queries:
)
)
allNsgUDP.all(securityRules.all(properties.destinationPortRange != "*"))
props.disallowedPortsUDP {
props.disallowedPortsUDPMondoo {
same problem here, and overall!

disallowedPortUDP = _
disallowedPortUDP
allNsgUDP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortUDP && toPort >= disallowedPortUDP)))
4 changes: 2 additions & 2 deletions core/mondoo-http-security.mql.yaml
Expand Up @@ -4,7 +4,7 @@
policies:
- uid: mondoo-http-security
name: HTTP Security
version: 1.1.0
version: 1.1.1
license: BUSL-1.1
tags:
mondoo.com/category: security
Expand Down Expand Up @@ -48,7 +48,7 @@ policies:
- title: Headers for HTTPS communication
filters: |
asset.platform == 'host'
tls.certificates != null
tls.certificates != empty
checks:
- uid: mondoo-http-security-strict-transport-security
scoring_system: highest impact
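Review bot: this `tls.certificates != empty` change lands in a `filters:` clause rather than a check, so it alters which assets the "Headers for HTTPS communication" group applies to: a host whose `tls.certificates` resolves to an empty list is now excluded from the HSTS and related header checks instead of being scanned (and failed). That is probably the intent, since a host without TLS has no HTTPS headers to enforce, but it is a scoping change and should be called out in the PR description.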