Control: Ensure domains have a CAA record configured to whitelist a CA for issuing certificates
Description
A CAA (Certification Authority Authorization) record is a DNS record that names the Certification Authorities (CAs) allowed to issue certificates for a domain. A CA checks it as an additional confirmation before issuing an SSL/TLS certificate. With CAA in place, the attack surface for fraudulent certificates is reduced, making sites more secure.
Usage
Run the control in your terminal:
steampipe check net_insights.control.ssl_certificate_caa_record_configured
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share net_insights.control.ssl_certificate_caa_record_configured
Plugins & Tables
Params
Args | Name | Default | Description | Variable |
---|---|---|---|---|
$1 | domain_names | | DNS domain names. | |
SQL
-- Every requested domain that resolves in net_dns_record.
with domain_list as (
  select distinct
    domain
  from
    net_dns_record
  where
    domain in (select jsonb_array_elements_text(to_jsonb($1::text[])))
  order by
    domain
),
-- The subset of those domains that publish at least one CAA record.
domain_with_caa_record as (
  select distinct
    domain
  from
    net_dns_record
  where
    domain in (select jsonb_array_elements_text(to_jsonb($1::text[])))
    and type = 'CAA'
)
select
  domain_list.domain as resource,
  case
    when domain_with_caa_record.domain is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when domain_with_caa_record.domain is not null then domain_list.domain || ' has CAA record.'
    else domain_list.domain || ' does not have a CAA record.'
  end as reason
from
  domain_list
  left join domain_with_caa_record on domain_list.domain = domain_with_caa_record.domain
order by
  domain_list.domain;
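
The query above tests each listed name for a CAA record of its own. A CA following RFC 8659 also climbs to parent names and then applies the `issue` properties it finds. The sketch below is an added example, not part of the Steampipe mod, showing that evaluation for non-wildcard names. The zone data, the CA name `otherca.example`, and all function names are constructed for illustration.

```python
# Added example: RFC 8659 CAA evaluation over constructed DNS data (no network).
# ZONE and every name in it are constructed sample values.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 iodef "mailto:sec@example.com"'],
    "locked.example.com": ['0 issue ";"'],
    "strict.example.net": ['128 futuretag "x"', '0 issue "letsencrypt.org"'],
    "example.org": ['0 iodef "mailto:sec@example.org"'],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(rdata):
    """Split presentation-format CAA rdata into (flags, tag, value)."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def relevant_caa(domain, zone=ZONE):
    """Climb from the name towards the root; the first non-empty CAA set wins."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []


def ca_may_issue(domain, ca, zone=ZONE):
    """True if `ca` may issue a non-wildcard certificate for `domain`."""
    _, records = relevant_caa(domain, zone)
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issuers = [v.split(";", 1)[0].strip() for _, tag, v in records if tag == "issue"]
    if not issuers:  # no CAA set, or no "issue" property: unrestricted
        return True
    return ca.lower() in (i.lower() for i in issuers)


def control_status(domain, zone=ZONE):
    """Variant of the control: 'ok' if the name or any parent has a CAA set."""
    return "ok" if relevant_caa(domain, zone)[0] else "alarm"
```

A record set holding only `iodef` passes a presence check yet restricts no CA, and `issue ";"` forbids issuance by every CA, so reviewing the record contents is a useful follow-up to an 'ok' result.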