From 457ea67f66cffae626a7c44a109f44fa6663c2f9 Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Thu, 30 Apr 2026 08:36:02 +0700 Subject: [PATCH] Add rules section --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index 7ae1ee0..31a97a4 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,21 @@ make plugin Applies to services of type `abstract.XMPP`. +## Rules + +| Code | Description | Severity | +|----------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------| +| `xmpp.srv_c2s` | Verifies that client-to-server SRV records (_xmpp-client / _xmpps-client / _jabber) are published and resolvable. | CRITICAL | +| `xmpp.srv_s2s` | Verifies that server-to-server SRV records (_xmpp-server / _xmpps-server) are published and resolvable. | CRITICAL | +| `xmpp.c2s_reachable` | Verifies that at least one client-to-server endpoint accepts TCP and completes TLS. | CRITICAL | +| `xmpp.s2s_reachable` | Verifies that at least one server-to-server endpoint accepts TCP and completes TLS. | CRITICAL | +| `xmpp.starttls_required` | Verifies that STARTTLS is advertised and required on every reachable c2s/s2s endpoint. | CRITICAL | +| `xmpp.sasl_mechanisms` | Reviews the c2s SASL mechanisms offer (presence of SCRAM, absence of password-equivalent PLAIN-only). | CRITICAL | +| `xmpp.s2s_dialback` | Verifies that s2s endpoints advertise dialback or SASL EXTERNAL after TLS (federation auth). | CRITICAL | +| `xmpp.ipv6_reachable` | Flags deployments that are only reachable over IPv4. | INFO | +| `xmpp.direct_tls` | Flags c2s deployments that do not publish XEP-0368 direct-TLS SRV records. | INFO | +| `xmpp.tls_quality` | Folds the downstream TLS checker findings (certificate chain, hostname match, expiry) onto the XMPP service. | CRITICAL | + ## License MIT (see `LICENSE`). Third-party attributions in `NOTICE`.