fix dmarc checks in mail policy

Signed-off-by: Patrick Münch <[email protected]>
mondoohq · Dec 3, 2024 · 96e93e7 · 96e93e7
1 parent b3e4883
commit 96e93e7
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/core/mondoo-email-security.mql.yaml b/core/mondoo-email-security.mql.yaml
@@ -4,7 +4,7 @@
 policies:
   - uid: mondoo-email-security
     name: Mondoo Email Security
-    version: 1.0.0
+    version: 1.1.0
     license: BUSL-1.1
     tags:
       mondoo.com/category: security
@@ -58,7 +58,7 @@ queries:
           +  dns.params.A.rData.first.split(".")[1] + "."
           +  dns.params.A.rData.first.split(".")[0]
           + ".in-addr.arpa"
-      dns(reverseDNSDomain).params.PTR.rData.any(_.contains(asset.fqdn))
+      dns(reverseDNSDomain).params.PTR.rData.any(_.contains(domainName.fqdn))
     docs:
       desc: |
         Reverse DNS queries for IPv4 addresses use the special domain in-addr.arpa. In this domain, the IPv4 address is represented as a concatenated sequence of four decimal numbers separated by periods, to which is added the second-level domain suffix .in-addr.arpa. The four decimal numbers are obtained by splitting the 32-bit IPv4 address into four octets and converting each octet to a decimal number. These decimal numbers are then arranged in the following order: the smallest octet is first (leftmost) and the most significant octet is last (rightmost). It is important to note that this is the reverse order of the usual convention for writing IPv4 addresses in text form.
@@ -182,7 +182,7 @@ queries:
         title: DNS SPF Records
   - uid: mondoo-email-security-dmarc
     title: Ensure DMARC DNS entry exists
-    mql: dns("_dmarc."+asset.name).records != empty
+    mql: dns("_dmarc."+domainName.fqdn).records != empty
     docs:
       desc: DMARC is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting that a mail-receiving organization can use to improve mail handling.
       audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC DNS entry exists
@@ -193,7 +193,7 @@ queries:
         title: M3AAWG Email Authentication Recommended Best Practices (2020)
   - uid: mondoo-email-security-dmarc-version
     title: Ensure DMARC version 1
-    mql: dns("_dmarc."+asset.name).params['TXT']['rData'].all(/v=DMARC1/)
+    mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/v=DMARC1/)
     docs:
       desc: Set the DMARC version in the TXT record to 1.
       audit: Run the `dig _dmarc.<domain>` command and verify that the DMARC TXT record contains `v=DMARC1`.
@@ -208,7 +208,7 @@ queries:
         title: M3AAWG Email Authentication Recommended Best Practices (2020)
   - uid: mondoo-email-security-dmarc-policy
     title: Ensure DMARC policy is set to quarantine or reject
-    mql: dns("_dmarc." + asset.name).params['TXT']['rData'].all(/reject|quarantine/)
+    mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/reject|quarantine/)
     docs:
       desc: In the DMARC implementation, you can tell email receivers how to handle email messages that fail authentication and protect your domain from spoofing and other phishing attacks. There are three DMARC policies (Monitoring Policy, Quarantine Policy, Reject Policy) that you can implement.
       audit: Run the `dig TXT _dmarc.<domain>` command and verify that the DMARC policy quarantine or reject is configured.
@@ -223,7 +223,7 @@ queries:
         title: M3AAWG Email Authentication Recommended Best Practices (2020)
   - uid: mondoo-email-security-dmarc-rua
     title: Ensure DMARC RUA tag
-    mql: dns("_dmarc."+asset.name).params['TXT']['rData'].all(/rua=mailto/)
+    mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/rua=mailto/)
     docs:
       desc: |
         Receiving email servers regularly send DMARC Aggregate Reports (RUA) to all domains that have an adequately implemented DMARC policy. These reports contain encrypted aggregate statistics in XML format and are sent to the email addresses specified in the RUA tag of the DMARC record. In simpler terms, the RUA tag is used to specify one or more email addresses where you want to receive DMARC Aggregate Reports.
@@ -239,7 +239,7 @@ queries:
         title: M3AAWG Email Authentication Recommended Best Practices (2020)
   - uid: mondoo-email-security-dmarc-ruf
     title: Ensure DMARC RUF tag
-    mql: dns("_dmarc." + asset.name).params['TXT']['rData'].all(/ruf=mailto/)
+    mql: dns("_dmarc."+domainName.fqdn).params['TXT']['rData'].all(/ruf=mailto/)
     docs:
       desc: |
         The RUF (or DMARC Failure or Forensic Report) tag was designed to inform domain administrators when emails fail SPF, DKIM, and DMARC authentication checks. The report includes sensitive details about the email, such as the header, subject, URLs, and attachments. However, many organizations prefer not to request RUF reports due to privacy and compliance concerns. The main goal is to comply with privacy laws and prevent data breaches.
@@ -269,8 +269,8 @@ queries:
             "mailjet"
           ]
     mql: |
-      props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+asset.name).params['TXT']['rData'].first == /p=/)
-      props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+asset.name).params['TXT']['rData'].first == /k=rsa/)
+      props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+domainName.fqdn).params['TXT']['rData'].first == /p=/)
+      props.mondooEmailSecurityDkimSelectors.contains(dns(_+"._domainkey."+domainName.fqdn).params['TXT']['rData'].first == /k=rsa/)
     docs:
       desc: |
         A DKIM record is a specialized DNS TXT record that stores the public key used to verify an email's authenticity.