mondoohq / cnspec

An open source, cloud-native security to protect everything from build to runtime
https://cnspec.io

host scanning shows errors for some domains that require www prefix #959

Open mariuskimmina opened 11 months ago

mariuskimmina commented 11 months ago

I noticed that cnspec scan host fails for some domains.

Here is an example:

./cnspec scan host bit-summit.com
→ no Mondoo configuration file provided, using defaults
! No credentials provided. Switching to --incognito mode.
→ discover related assets for 1 asset(s)

 bit-summit.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score

! resolver.db> failed to store data, types don't match asset=//policy.api.mondoo.com/assets/2YRA9NhsVhVkyX1mIrJ5OUJlTFN checksum=J3wPUaXo+YPkc28TNTVsi3GKXjagXheHsqzDkSPG1l3FcA0cTbKEk8viK5v5E3LYhNPNfkH9z34UfAA63m4myA== data={"type":"\u0004"} expected=score received=bool
! resolver.db> failed to store data, types don't match asset=//policy.api.mondoo.com/assets/2YRA9NhsVhVkyX1mIrJ5OUJlTFN checksum=LydWJ7zhkO5DiirseJv69Xno8XXgJj9dLIh+j60lW1/L5AovumfYjuRrbawPan4dSYgEFLdyf4ws1irKGm5pIQ== data={"type":"\u0000"} expected=score received=unset
x failed to send datapoints error="2 errors occurred:\n\t* failed to store data for \"J3wPUaXo+YPkc28TNTVsi3GKXjagXheHsqzDkSPG1l3FcA0cTbKEk8viK5v5E3LYhNPNfkH9z34UfAA63m4myA==\", types don't match: expected score, got bool\n\t* failed to store data for \"LydWJ7zhkO5DiirseJv69Xno8XXgJj9dLIh+j60lW1/L5AovumfYjuRrbawPan4dSYgEFLdyf4ws1irKGm5pIQ==\", types don't match: expected score, got unset\n\n"
Asset: bit-summit.com
---------------------

Checks:
! Error:        Avoid cipher suites with RSA key exchange
! Error:        Preferred ciphers must include perfect forward secrecy (PFS)
. Skipped:      Do not use a self-signed certificate
! Error:        The certificate's domain name must match
. Skipped:      Do not use weak certificate signatures
! Error:        Avoid export ciphers suites
! Error:        Mitigate BEAST attacks on the server-side
! Error:        Avoid weak block ciphers
! Error:        Avoid old cipher suites
! Error:        Certificate is not near expiration or expired
! Error:        Avoid NULL cipher suites
! Error:        Avoid RC4 ciphers
. Skipped:      None of the certificates (intermediate, root) have expired
! Error:        Avoid weak block cipher modes
! Error:        Preferred ciphers must include AEAD ciphers
. Skipped:      The certificate is valid
. Skipped:      Do not use revoked certificates
✕ Fail:         Avoid weak SSL and TLS versions
! Error:        Avoid anonymous Diffie-Hellman suites

Scanned 1 asset

Network API
    F bit-summit.com
mariuskimmina commented 11 months ago

Ah, it started to work if we add www.

./cnspec scan host www.bit-summit.com
→ no Mondoo configuration file provided, using defaults
! No credentials provided. Switching to --incognito mode.
→ discover related assets for 1 asset(s)

 www.bit-summit.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score

Asset: www.bit-summit.com
-------------------------

Checks:
✓ Pass:         The certificate is valid
✓ Pass:         Do not use a self-signed certificate
✓ Pass:         Certificate is not near expiration or expired
✓ Pass:         Avoid NULL cipher suites
✕ Fail:         Avoid cipher suites with RSA key exchange
✕ Fail:         Mitigate BEAST attacks on the server-side
✓ Pass:         None of the certificates (intermediate, root) have expired
✕ Fail:         Avoid old cipher suites
✓ Pass:         Avoid RC4 ciphers
✓ Pass:         Preferred ciphers must include AEAD ciphers
✓ Pass:         Do not use weak certificate signatures
✕ Fail:         Avoid weak SSL and TLS versions
✕ Fail:         Avoid weak block cipher modes
✓ Pass:         Avoid weak block ciphers
✓ Pass:         Avoid export ciphers suites
✓ Pass:         Avoid anonymous Diffie-Hellman suites
✓ Pass:         Do not use revoked certificates
✓ Pass:         Preferred ciphers must include perfect forward secrecy (PFS)
✓ Pass:         The certificate's domain name must match

Scanned 1 asset

Network API
    F www.bit-summit.com

Would be neat if we could catch that automatically, I guess; that makes this more of an enhancement request than a bug report, though.

mariuskimmina commented 11 months ago

The same error shows up when trying to scan http://mondoo.com (note the explicit http, not https).

./cnspec scan host http://mondoo.com
→ no Mondoo configuration file provided, using defaults
! No credentials provided. Switching to --incognito mode.
→ discover related assets for 1 asset(s)

 mondoo.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score

! resolver.db> failed to store data, types don't match asset=//policy.api.mondoo.com/assets/2YU9wulIQP9z4wQc6E3QTucasaB checksum=LydWJ7zhkO5DiirseJv69Xno8XXgJj9dLIh+j60lW1/L5AovumfYjuRrbawPan4dSYgEFLdyf4ws1irKGm5pIQ== data={"type":"\u0000"} expected=score received=unset
! resolver.db> failed to store data, types don't match asset=//policy.api.mondoo.com/assets/2YU9wulIQP9z4wQc6E3QTucasaB checksum=J3wPUaXo+YPkc28TNTVsi3GKXjagXheHsqzDkSPG1l3FcA0cTbKEk8viK5v5E3LYhNPNfkH9z34UfAA63m4myA== data={"type":"\u0004"} expected=score received=bool
x failed to send datapoints error="2 errors occurred:\n\t* failed to store data for \"LydWJ7zhkO5DiirseJv69Xno8XXgJj9dLIh+j60lW1/L5AovumfYjuRrbawPan4dSYgEFLdyf4ws1irKGm5pIQ==\", types don't match: expected score, got unset\n\t* failed to store data for \"J3wPUaXo+YPkc28TNTVsi3GKXjagXheHsqzDkSPG1l3FcA0cTbKEk8viK5v5E3LYhNPNfkH9z34UfAA63m4myA==\", types don't match: expected score, got bool\n\n"
Asset: mondoo.com
-----------------

Checks:
! Error:        Preferred ciphers must include perfect forward secrecy (PFS)
. Skipped:      Do not use a self-signed certificate
✕ Fail:         Avoid weak SSL and TLS versions
. Skipped:      Do not use weak certificate signatures
...
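One way to catch both situations in this thread automatically, an apex that only serves its site on the www host and a target typed with an explicit http:// scheme, as an added Go example that is not cnspec's own code: it reduces the typed target to a bare host, sends a HEAD probe (https first, then plain http) without following redirects, and adds the redirect target to the scan list only when it is a subdomain of the host the user named. The host names in the comments come from the issue; the 5 second timeout and the subdomain-only rule are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// probe reports redirects instead of following them, so the scan never walks off to a host the user did not name.
var probe = &http.Client{Timeout: 5 * time.Second, CheckRedirect: noFollow}

func noFollow(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }

// normalizeTarget reduces "bit-summit.com", "http://mondoo.com" or "https://mondoo.com/path" to a bare host[:port].
func normalizeTarget(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw // url.Parse needs a scheme to recognise the host
	}
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("cannot derive a host from %q", raw)
	}
	return strings.ToLower(u.Host), nil
}

// scanTargets lists the hosts a scan should cover: the host as typed plus, when the
// apex answers with a 3xx to one of its own subdomains (typically the www prefix),
// that subdomain. Redirects elsewhere are ignored; https is probed first, then http.
func scanTargets(raw string) ([]string, error) {
	host, err := normalizeTarget(raw)
	if err != nil {
		return nil, err
	}
	targets := []string{host}
	for _, scheme := range []string{"https", "http"} {
		resp, err := probe.Head(scheme + "://" + host + "/")
		if err != nil {
			continue // e.g. no TLS listener or a mismatched certificate on the apex
		}
		loc, err := resp.Location() // errors unless a Location header is present
		resp.Body.Close()
		if err == nil && resp.StatusCode/100 == 3 && strings.HasSuffix(strings.ToLower(loc.Host), "."+host) {
			return append(targets, strings.ToLower(loc.Host)), nil
		}
	}
	return targets, nil
}
```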