cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Ensure SPF records include `-all` #857

Closed adhilto closed 3 months ago

adhilto commented 9 months ago

💡 Summary

Add a Rego check to MS.EXO.2.2v1 to assert that the SPF policy includes -all or a redirect.

Motivation and context

First, a dive into some of the subtleties of the SPF specification. Relevant SPF definitions:

Per RFC 7208:

If ADMDs choose to publish SPF records and want to support receivers making negative authorization determinations, it is necessary for them to publish records that end in "-all", or redirect to other records that do; otherwise, no definitive determination of authorization can be made.

In other words, in order for a mail server to conclude that a given sender is not authorized, the SPF policy must end in -all. Without it, any sender that didn't match the policy will evaluate as "neutral," which means the SPF policy will not provide any spoofing protections against any IPs not explicitly listed.

MS.EXO.2.2v1 states that "An SPF policy SHALL be published for each domain, designating only these addresses as approved senders." Now, given all the above context, we know that in order to meet the intent of the baseline and ensure that "only" the approved senders pass evaluation, the policy needs to either:

We could take this one step further and recursively evaluate the redirects to assert that they redirect to a policy that ends in -all, but I'd argue that that is out of scope for ScubaGear. Simply adding the above checks would go a long way to ensuring that the SPF records are functioning as intended.

Implementation notes

Ensure the SPF policies include one of the following substrings:

Acceptance criteria
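A worked version of the check this issue describes, as an added Python example rather than ScubaGear's own Rego (the sample domains and TXT records are constructed): it parses each SPF record and reports domains whose policy neither contains `-all` nor redirects, treating a `redirect=` that sits alongside an `all` term as ignored, which is what RFC 7208 specifies.

```python
import re

# SPF terms are case-insensitive. "all" takes an optional qualifier
# (+ pass, - fail, ~ softfail, ? neutral); the default qualifier is "+".
# Anything after "all" is never evaluated, so "all" anywhere is terminal.
ALL_RE = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)
REDIRECT_RE = re.compile(r"^redirect=(\S+)$", re.IGNORECASE)


def spf_terminates_definitively(record: str) -> tuple[bool, str]:
    """Return (compliant, reason) for one SPF TXT record: compliant when it
    contains "-all", or has no "all" term but a "redirect=" modifier
    (RFC 7208: "redirect=" is ignored when "all" is present)."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF record"
    all_qualifier = None
    redirect_target = None
    for term in terms[1:]:
        if m := ALL_RE.match(term):
            all_qualifier = m.group(1) or "+"
        elif m := REDIRECT_RE.match(term):
            redirect_target = m.group(1)
    if all_qualifier is not None:
        if all_qualifier == "-":
            return True, "ends in -all"
        return False, f"'all' has qualifier '{all_qualifier}': unlisted senders are not rejected"
    if redirect_target:
        return True, f"redirects to {redirect_target}"
    return False, "no 'all' term and no redirect: unlisted senders evaluate as neutral"


# Constructed sample TXT records, one per domain (not real tenants).
SAMPLE_RECORDS = {
    "good.example": "v=spf1 include:spf.protection.outlook.com -all",
    "softfail.example": "v=spf1 include:spf.protection.outlook.com ~all",
    "neutral.example": "v=spf1 ip4:192.0.2.10 ?all",
    "open.example": "v=spf1 include:spf.protection.outlook.com",
    "redirect.example": "v=spf1 redirect=_spf.good.example",
    "upper.example": "V=SPF1 INCLUDE:spf.protection.outlook.com -ALL",
}


def failing_domains(records: dict[str, str]) -> dict[str, str]:
    """Map each non-compliant domain to the reason, like a per-domain report row."""
    findings = {}
    for domain, record in records.items():
        compliant, reason = spf_terminates_definitively(record)
        if not compliant:
            findings[domain] = reason
    return findings
```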

nanda-katikaneni commented 3 months ago

Closed through #1130