Updates TLS/SSL policy with docs/desc/remediation (#457)

<img src="https://media3.giphy.com/media/fpbqdKRPRkd56/giphy.gif"/>

Some new docs/desc/remediations for the TLS/SSL policy

---------

Signed-off-by: scottford-io <[email protected]>
Signed-off-by: Tim Smith <[email protected]>
Co-authored-by: Tim Smith <[email protected]>
Co-authored-by: Letha <[email protected]>

.github/actions/spelling/expect.txt

@@ -27,6 +27,7 @@ Bpcy
 bqowner
 btmp
 bucketnames
+CAs
 cbc
 Cdm
 cea

core/mondoo-tls-security.mql.yaml

@@ -58,7 +58,13 @@ policies:
     scoring_system: highest impact
 queries:
   - uid: mondoo-tls-security-cert-domain-name-match
-    title: The certificate's domain name must match
+    title: Certificate's domain name must match
+    impact: 80
+    docs:
+      desc: | 
+        The domain name in an SSL/TLS certificate must match the hostname it is intended to secure. Mismatched certificates indicate potential misconfigurations or malicious activity. This can lead to user trust issues and browser warnings, causing service interruptions or loss of user confidence.
+      remediation: |
+        Ensure the certificate’s Common Name (CN) or Subject Alternative Name (SAN) fields match the intended domain name. Obtain a valid certificate for the domain from a trusted Certificate Authority (CA) and install it on the server.
     mql: |
       checkA1 = tls.certificates.first.subject.commonName == asset.fqdn
 
@@ -74,7 +80,12 @@ queries:
       checkA1 || checkA2 || checkA3
 
   - uid: mondoo-tls-security-cert-is-valid
-    title: The certificate is valid
+    title: Certificate is valid
+    docs:
+      desc: |
+        Verifies that the SSL/TLS certificate is valid, has not expired, and is trusted by well-known Certificate Authorities (CAs). Ensures that expired or self-signed certificates are flagged.
+      remediation: |
+        Verify the certificate chain with a trusted CA. Ensure the certificate was issued correctly and is active. Replace any invalid certificates promptly.
     mql: |
       tls.certificates.first {
         subject.commonName
@@ -83,6 +94,12 @@ queries:
       }
   - uid: mondoo-tls-security-cert-no-cert-expired
     title: Certificate is not near expiration or expired
+    impact: 85
+    docs:
+      desc: |
+        Certificates nearing expiration or expired can lead to service interruptions and browser security warnings. This can affect user trust and potentially allow MITM attacks if not addressed promptly.   
+      remediation: |
+        Monitor certificate expiration dates and renew them well in advance.
     mql: |
       tls.certificates.first.subject.commonName
       switch {
@@ -93,70 +110,166 @@ queries:
         default: score(0);
       }
   - uid: mondoo-tls-security-cert-no-certs-expired
-    title: None of the certificates (intermediate, root) have expired
+    title: None of the certificates (intermediate or root) have expired
+    impact: 90
+    docs:
+      desc: |
+        The expiration of intermediate or root certificates can disrupt the trust chain, rendering SSL/TLS communications insecure. This affects multiple services relying on the expired certificate.
+      remediation: |
+        Update expired certificates from the CA immediately.
     mql: |
       tls.certificates {
         subject.commonName
         expiresIn.days > 0
       }
   - uid: mondoo-tls-security-cert-not-self-signed
     title: Do not use a self-signed certificate
+    impact: 100
+    docs:
+      desc: |
+        Self-signed certificates are not trusted by default in browsers or operating systems. They lack authentication from a trusted CA, exposing the service to MITM attacks and reducing user trust.
+      remediation: |
+        Replace self-signed certificates with ones issued by a trusted CA. Configure the server to use the new certificates.
     mql: |
       tls.certificates.last.isCA
   - uid: mondoo-tls-security-cert-not-revoked
     title: Do not use revoked certificates
+    impact: 95
+    docs:
+      desc: |
+        Revoked certificates are flagged as compromised or untrustworthy by the CA. Continuing to use them exposes the service to significant security risks and compliance violations.
+      remediation: |
+        Identify revoked certificates using OCSP or CRL. Replace revoked certificates with valid ones from the CA immediately.
     mql: |
       tls.certificates {
         subject.commonName
         isRevoked != true
       }
   - uid: mondoo-tls-security-cert-no-weak-signature
     title: Do not use weak certificate signatures
+    impact: 90
+    docs:
+      desc: |
+        Weak certificate signatures (e.g., SHA-1) are vulnerable to cryptographic attacks. Using them undermines the encryption and allows attackers to forge certificates.
+      remediation: |
+        Use certificates signed with strong algorithms such as SHA-256 or stronger. Obtain updated certificates from a trusted CA.
     mql: |
       tls.certificates {
         subject.commonName
         signingAlgorithm != /md2|md5|sha1/i
       }
   - uid: mondoo-tls-security-no-weak-tls-versions
     title: Avoid weak SSL and TLS versions
+    impact: 95
+    docs:
+      desc: |
+        Weak SSL/TLS versions (e.g., SSL 3.0, TLS 1.0) are vulnerable to numerous exploits like POODLE. Their continued use compromises encrypted communication security.
+      remediation: |
+        Disable SSL and older versions of TLS (e.g., 1.0, 1.1). Enable TLS 1.2 or 1.3 on the server. Update server configurations to enforce modern protocols.
     mql: |
       tls.versions.containsOnly(["tls1.2", "tls1.3"])
   - uid: mondoo-tls-security-no-rc4-ciphers
     title: Avoid RC4 ciphers
+    impact: 90
+    docs:
+      desc: |
+        RC4 is a weak cipher prone to cryptographic attacks. Its use is discouraged as it does not provide sufficient encryption strength for modern applications.
+      remediation: |
+        Remove RC4 from the server’s list of supported ciphers. Configure preferred ciphers to use modern, secure options such as AES-GCM.
     mql: |
       tls.ciphers.none( /rc4/i )
   - uid: mondoo-tls-security-no-null-cipher-suites
     title: Avoid NULL cipher suites
+    impact: 100
+    docs:
+      desc: |
+        NULL cipher suites do not encrypt data during transmission, exposing the data to interception and unauthorized access. Their use undermines the purpose of secure communication.
+      remediation: |
+        Disable NULL cipher suites in your server configuration. Ensure that only secure cipher suites are enabled, such as those using AES-GCM or ChaCha20.
     mql: |
       tls.ciphers.none( /null/i )
   - uid: mondoo-tls-security-no-export-cipher-suites
     title: Avoid export ciphers suites
+    impact: 95
+    docs: 
+      desc: |
+        Export cipher suites are intentionally weakened cryptographic algorithms designed to meet outdated export regulations. They are vulnerable to brute-force attacks and compromise encryption security.
+      remediation: |
+        Remove export cipher suites from your server configuration. Replace them with strong, modern cipher suites such as AES-GCM or ChaCha20.
     mql: |
       tls.ciphers.none( /export/i )
   - uid: mondoo-tls-security-no-diffie-hellman-cipher-suites
     title: Avoid anonymous Diffie-Hellman suites
+    impact: 90
+    docs:
+      desc: |
+        Anonymous Diffie-Hellman suites lack authentication, allowing attackers to impersonate the server or client. This can lead to man-in-the-middle (MITM) attacks and data compromise.
+      remediation: |
+        Disable anonymous Diffie-Hellman suites in your server configuration. Use authenticated key exchange methods such as ECDHE with certificate authentication.
     mql: |
       tls.ciphers.none( /dh_anon/i )
   - uid: mondoo-tls-security-no-weak-block-ciphers
     title: Avoid weak block ciphers
+    impact: 85
+    docs: 
+      desc: |
+        Weak block ciphers, such as DES or 3DES, are vulnerable to modern cryptographic attacks, including brute force and collision attacks, reducing the overall security of the communication.
+      remediation: |
+        Disable weak block ciphers in your server configuration. Use strong encryption algorithms such as AES-256 or AES-GCM.
     mql: tls.ciphers.none( /des|rc2|idea/i )
   - uid: mondoo-tls-security-no-weak-block-cipher-modes
     title: Avoid weak block cipher modes
+    impact: 90
+    docs:
+      desc: |
+        Weak block cipher modes, such as CBC without proper padding or initialization vector (IV) management, are susceptible to attacks like BEAST or padding oracle attacks.
+      remediation: |
+        Disable weak cipher modes like CBC where feasible, and prefer AEAD modes such as GCM or ChaCha20-Poly1305. Update your server configuration to enforce these modes.
     mql: tls.ciphers.none( /cbc/i )
   - uid: mondoo-tls-security-no-rsa-key-exchange
     title: Avoid cipher suites with RSA key exchange
+    impact: 85
+    docs:
+      desc: |
+        Cipher suites using RSA key exchange lack forward secrecy, making past communications vulnerable if the private key is compromised.
+      remediation: |
+        Disable RSA key exchange in your server configuration. Prefer cipher suites with forward secrecy, such as ECDHE or DHE key exchanges.
     mql: tls.ciphers.none( /^tls_rsa/i )
   - uid: mondoo-tls-security-no-old-cipher-suites
     title: Avoid old cipher suites
+    impact: 90
+    docs:
+      desc: |
+        Old cipher suites, such as those using MD5 or SHA-1, are vulnerable to cryptographic attacks. Their use compromises the security of communications.
+      remediation: |
+        Remove outdated cipher suites from your server configuration. Ensure that only modern cipher suites like AES-GCM or ChaCha20-Poly1305 are enabled.
     mql: tls.ciphers.none( /^old/i )
   - uid: mondoo-tls-security-ciphers-include-aead-ciphers
     title: Preferred ciphers must include AEAD ciphers
+    impact: 90
+    docs:
+      desc: |
+        AEAD (Authenticated Encryption with Associated Data) ciphers provide both confidentiality and integrity protection, making them a critical component of modern secure communication protocols.
+      remediation: |
+        Ensure the server configuration includes AEAD ciphers such as AES-GCM or ChaCha20-Poly1305. Remove any non-AEAD ciphers from the preferred list.
     mql: tls.ciphers.any( /chacha20_poly1305|gcm|ccm/i )
   - uid: mondoo-tls-security-ciphers-include-pfs
     title: Preferred ciphers must include perfect forward secrecy (PFS)
+    impact: 95
+    docs:
+      desc: |
+        PFS ensures that session keys cannot be derived from a compromised private key, protecting past communications even if future keys are exposed.
+      remediation: |
+        Configure the server to prioritize cipher suites with forward secrecy, such as ECDHE or DHE key exchanges. Remove non-PFS cipher suites.
     mql: tls.ciphers.any( /ecdhe_(rsa|ecdsa)|dhe_(rsa|dss)|cecpq/i )
   - uid: mondoo-tls-security-mitigate-beast
     title: Mitigate BEAST attacks on the server-side
+    impact: 85
+    docs:
+      desc: |
+        BEAST attacks exploit vulnerabilities in SSL/TLS protocols using CBC encryption. This allows attackers to decrypt sensitive data by manipulating block boundaries.
+      remediation: |
+        Use TLS 1.2 or higher to mitigate BEAST attacks. If older versions of TLS must be supported, configure the server to prefer RC4 over CBC (although RC4 itself is now discouraged).
     mql: |-
       switch {
         case tls.versions.containsOnly(["tls1.2", "tls1.3"]):