diff --git a/README.md b/README.md index 7ae1ee0..31a97a4 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,21 @@ make plugin Applies to services of type `abstract.XMPP`. +## Rules + +| Code | Description | Severity | +|----------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------| +| `xmpp.srv_c2s` | Verifies that client-to-server SRV records (_xmpp-client / _xmpps-client / _jabber) are published and resolvable. | CRITICAL | +| `xmpp.srv_s2s` | Verifies that server-to-server SRV records (_xmpp-server / _xmpps-server) are published and resolvable. | CRITICAL | +| `xmpp.c2s_reachable` | Verifies that at least one client-to-server endpoint accepts TCP and completes TLS. | CRITICAL | +| `xmpp.s2s_reachable` | Verifies that at least one server-to-server endpoint accepts TCP and completes TLS. | CRITICAL | +| `xmpp.starttls_required` | Verifies that STARTTLS is advertised and required on every reachable c2s/s2s endpoint. | CRITICAL | +| `xmpp.sasl_mechanisms` | Reviews the c2s SASL mechanisms offer (presence of SCRAM, absence of password-equivalent PLAIN-only). | CRITICAL | +| `xmpp.s2s_dialback` | Verifies that s2s endpoints advertise dialback or SASL EXTERNAL after TLS (federation auth). | CRITICAL | +| `xmpp.ipv6_reachable` | Flags deployments that are only reachable over IPv4. | INFO | +| `xmpp.direct_tls` | Flags c2s deployments that do not publish XEP-0368 direct-TLS SRV records. | INFO | +| `xmpp.tls_quality` | Folds the downstream TLS checker findings (certificate chain, hostname match, expiry) onto the XMPP service. | CRITICAL | + ## License MIT (see `LICENSE`). Third-party attributions in `NOTICE`.