Control: Certificates should not use insecure certificate algorithm (e.g., MD2, MD5, SHA1)
Description
MD2 and MD5 are part of the Message Digest Algorithm family, which was created to verify the integrity of any message or file that is hashed. Both have been cryptographically broken: they are vulnerable to collision attacks and are therefore considered insecure. SHA1 is also considered cryptographically weak. It is recommended not to use certificates signed with these insecure algorithms.
Usage
Run the control in your terminal:
steampipe check net_insights.control.ssl_certificate_no_insecure_signature
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share net_insights.control.ssl_certificate_no_insecure_signature
Plugins & Tables
Params
Args | Name | Default | Description | Variable
---|---|---|---|---
$1 | domain_names | | DNS domain names. |
SQL
select
  common_name as resource,
  case
    when signature_algorithm like any (array['%SHA1%', '%MD2%', '%MD5%']) then 'alarm'
    else 'ok'
  end as status,
  common_name || ' uses ' || signature_algorithm || ' signature algorithm.' as reason
from
  net_certificate
where
  domain in (
    select jsonb_array_elements_text(to_jsonb($1::text[]))
  )
order by
  common_name;