Split monolithic rule into per-test rules, collect gathers facts only
parent 5b71e85f49
commit 4177fcdc7b
14 changed files with 758 additions and 259 deletions
16
README.md
|
|
@ -119,7 +119,7 @@ Observation data written under `tls_probes`:
|
|||
}
|
||||
```
|
||||
|
||||
The map is keyed by `contract.Ref(ep)` — the same value the host exposes
|
||||
The map is keyed by `contract.Ref(ep)`, the same value the host exposes
|
||||
on the lineage side so that a consumer knows which probe corresponds to
|
||||
which entry it originally published.
|
||||
|
||||
|
|
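Review bot: the edit to the `contract.Ref(ep)` sentence is punctuation-only and unrelated to the rule split named in the commit subject, so it would be easier to review and revert as a separate commit. Both README hunks shown here change only separators. If splitting the monolithic rule into per-test rules, or limiting collect to gathering facts, changes what a consumer of `tls_probes` sees, the README should say so in this commit.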
@ -129,14 +129,14 @@ existing downstream parsers.
|
|||
|
||||
## Issues reported
|
||||
|
||||
- `tcp_unreachable` — dial failed.
|
||||
- `handshake_failed` — TLS handshake or STARTTLS upgrade failed.
|
||||
- `starttls_not_offered` — server didn't advertise STARTTLS. Severity is
|
||||
- `tcp_unreachable`, dial failed.
|
||||
- `handshake_failed`, TLS handshake or STARTTLS upgrade failed.
|
||||
- `starttls_not_offered`, server didn't advertise STARTTLS. Severity is
|
||||
`crit` when `TLSEndpoint.RequireSTARTTLS` is `true`, `warn` otherwise.
|
||||
- `chain_invalid` — leaf does not chain to a system-trusted root.
|
||||
- `hostname_mismatch` — cert SANs don't cover the SNI.
|
||||
- `expired` / `expiring_soon` — cert expiry posture.
|
||||
- `weak_tls_version` — negotiated TLS < 1.2.
|
||||
- `chain_invalid`, leaf does not chain to a system-trusted root.
|
||||
- `hostname_mismatch`, cert SANs don't cover the SNI.
|
||||
- `expired` / `expiring_soon`, cert expiry posture.
|
||||
- `weak_tls_version`, negotiated TLS < 1.2.
|
||||
|
||||
## Options
|
||||
|
||||
|
|
|
|||
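Review bot: in the "Issues reported" list, the comma separator makes each entry read as a run-on, most visibly in "`starttls_not_offered`, server didn't advertise STARTTLS", because the issue code is no longer set apart from its description. A colon after the code (for example "`tcp_unreachable`: dial failed.") keeps the term-and-definition shape. It also avoids ambiguity in the `expired` / `expiring_soon` entry, where the comma now sits next to a slash-separated pair.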