-
Notifications
You must be signed in to change notification settings - Fork 3
/
mondoo-ssl-tls-certificate-incident-response.mql.yaml
71 lines (64 loc) · 2.3 KB
/
mondoo-ssl-tls-certificate-incident-response.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
packs:
- uid: mondoo-ssl-tls-certificate-incident-response
name: SSL/TLS Certificate Incident Response Pack
version: 1.1.0
license: BUSL-1.1
authors:
- name: Mondoo, Inc
email: [email protected]
tags:
mondoo.com/platform: host,network
mondoo.com/category: security
docs:
desc: |
### Overview
The SSL/TLS Certificate Incident Response Pack by Mondoo query pack retrieves information about SSL/TLS certificates of a domain for investigation during a security incident.
### Prerequisites
To run this query pack, you will need to install the cnquery binary ([Get Started with cnquery](https://mondoo.com/docs/cnquery/)).
### Run query pack
To run this query pack against a Domain:
```bash
cnquery scan host <domain> -f mondoo-ssl-tls-certificate-incident-response.mql.yaml
```
filters:
- asset.family.contains('network')
queries:
- uid: mondoo-ssl-tls-certificate-incident-response-domain-name
title: Domain Name
mql: |
tls.domainName
- uid: mondoo-ssl-tls-certificate-incident-response-versions
title: Supported SSL and TLS versions
mql: |
tls.versions
- uid: mondoo-ssl-tls-certificate-incident-response-ciphers
title: Supported SSl/TLS ciphers
mql: |
tls.ciphers
- uid: mondoo-ssl-tls-certificate-incident-response-signing-algo
title: Signature algorithm of all certificates in the certificate chain
mql: |
tls.certificates {
signingAlgorithm
subject.commonName
}
- uid: mondoo-ssl-tls-certificate-incident-response-is-revoked
title: Revoked, verified, and CA status of all certificates in the certificate chain
mql: |
tls.certificates {
subject.commonName
isCA
isRevoked
isVerified
}
- uid: mondoo-ssl-tls-certificate-incident-response-when-expire
title: Expiration dates for all certificates in the certificate chain
mql: |
tls.certificates {
subject.commonName
expiresIn
notAfter
notBefore
}