turbot/net_insights

Control: SSL/TLS servers should use secure cipher suites

Description

A cipher suite is a set of cryptographic algorithms. The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. It is recommended to use secure ciphers like Authenticated Encryption with Associated Data (AEAD) cipher suites and Perfect Forward Secrecy (PFS) ciphers. The following cipher suites are considered insecure: TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_use_secure_cipher_suite

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_use_secure_cipher_suite --share

Steampipe Tables

Params

ArgsNameDefaultDescriptionVariable
$1domain_names
["github.com","microsoft.com"]
DNS domain names.

SQL

with domain_list as (
select domain, concat(domain, ':443') as address from jsonb_array_elements_text(to_jsonb($1::text[])) as domain
),
check_insecure_cipher as (
select
address,
count(*)
from
net_tls_connection
where
address in (select address from domain_list)
and cipher_suite_name in ('TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256')
and handshake_completed
group by address
)
select
d.domain as resource,
case
when i.address is null or i.count < 1 then 'ok'
else 'alarm'
end as status,
case
when i.address is null or i.count < 1 then d.domain || ' uses secure cipher suites.'
else d.domain || ' does not use secure cipher suites.'
end as reason
from
domain_list as d
left join check_insecure_cipher as i on d.address = i.address;