Add rules section
This commit is contained in:
parent
946ec446d2
commit
457ea67f66
1 changed files with 15 additions and 0 deletions
15
README.md
15
README.md
|
|
@ -82,6 +82,21 @@ make plugin
|
|||
|
||||
Applies to services of type `abstract.XMPP`.
|
||||
|
||||
## Rules
|
||||
|
||||
| Code | Description | Severity |
|
||||
|----------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
|
||||
| `xmpp.srv_c2s` | Verifies that client-to-server SRV records (_xmpp-client / _xmpps-client / _jabber) are published and resolvable. | CRITICAL |
|
||||
| `xmpp.srv_s2s` | Verifies that server-to-server SRV records (_xmpp-server / _xmpps-server) are published and resolvable. | CRITICAL |
|
||||
| `xmpp.c2s_reachable` | Verifies that at least one client-to-server endpoint accepts TCP and completes TLS. | CRITICAL |
|
||||
| `xmpp.s2s_reachable` | Verifies that at least one server-to-server endpoint accepts TCP and completes TLS. | CRITICAL |
|
||||
| `xmpp.starttls_required` | Verifies that STARTTLS is advertised and required on every reachable c2s/s2s endpoint. | CRITICAL |
|
||||
| `xmpp.sasl_mechanisms` | Reviews the c2s SASL mechanisms offer (presence of SCRAM, absence of password-equivalent PLAIN-only). | CRITICAL |
|
||||
| `xmpp.s2s_dialback` | Verifies that s2s endpoints advertise dialback or SASL EXTERNAL after TLS (federation auth). | CRITICAL |
|
||||
| `xmpp.ipv6_reachable` | Flags deployments that are only reachable over IPv4. | INFO |
|
||||
| `xmpp.direct_tls` | Flags c2s deployments that do not publish XEP-0368 direct-TLS SRV records. | INFO |
|
||||
| `xmpp.tls_quality` | Folds the downstream TLS checker findings (certificate chain, hostname match, expiry) onto the XMPP service. | CRITICAL |
|
||||
|
||||
## License
|
||||
|
||||
MIT (see `LICENSE`). Third-party attributions in `NOTICE`.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue