feature: IANA update
This commit is contained in:
Heiko
117
README.md
117
README.md
@@ -1,63 +1,132 @@
|
||||
# compliance-scan
|
||||
|
||||
SSL/TLS configuration analysis with automated IANA/BSI compliance checking.
|
||||
SSL/TLS configuration analysis with automated BSI/IANA compliance checking.
|
||||
|
||||
## Quick Start
|
||||
|
||||
```bash
|
||||
# Scan
|
||||
# Install
|
||||
poetry install
|
||||
|
||||
# Scan server
|
||||
poetry run compliance-scan scan example.com:443,636
|
||||
|
||||
# Report
|
||||
# Generate report
|
||||
poetry run compliance-scan report -t md -o report.md
|
||||
|
||||
# Update IANA registry data
|
||||
poetry run compliance-scan update-iana
|
||||
```
|
||||
|
||||
## Installation
|
||||
|
||||
```bash
|
||||
poetry install
|
||||
```
|
||||
Note: SSLyze outputs INFO-level log messages during scanning that cannot be suppressed. These messages are harmless and can be ignored.
|
||||
|
||||
## Features
|
||||
|
||||
- Multi-port TLS/SSL scanning
|
||||
- Multi-port TLS/SSL scanning with SSLyze
|
||||
- BSI TR-02102-1/2 compliance validation
|
||||
- IANA recommendations checking
|
||||
- Vulnerability detection (Heartbleed, ROBOT, CCS Injection)
|
||||
- Certificate validation
|
||||
- Certificate validation with key size compliance
|
||||
- Multiple report formats (CSV, Markdown, reStructuredText)
|
||||
- IANA registry updates from official sources
|
||||
|
||||
## Commands
|
||||
|
||||
### Scan
|
||||
|
||||
```bash
|
||||
# Scan with ports
|
||||
compliance-scan scan <hostname>:<port1>,<port2> [--print] [-db <path>]
|
||||
compliance-scan scan <hostname>:<port1>,<port2> [options]
|
||||
|
||||
# Generate report
|
||||
compliance-scan report [scan_id] -t <csv|md|rest> [-o <file>]
|
||||
# Examples
|
||||
compliance-scan scan example.com:443,636 --print
|
||||
compliance-scan scan [2001:db8::1]:443 -db custom.db
|
||||
```
|
||||
|
||||
# List scans
|
||||
Note: SSLyze outputs INFO-level log messages during scanning that cannot be suppressed.
|
||||
|
||||
Options:
|
||||
|
||||
- `--print` - Display scan summary in console
|
||||
- `-db <path>` - Database file path (default: compliance_status.db)
|
||||
|
||||
### Report
|
||||
|
||||
```bash
|
||||
compliance-scan report [scan_id] -t <type> [options]
|
||||
|
||||
# Examples
|
||||
compliance-scan report -t md -o report.md
|
||||
compliance-scan report 5 -t csv --output-dir ./reports
|
||||
compliance-scan report --list
|
||||
```
|
||||
|
||||
Options:
|
||||
|
||||
- `-t <type>` - Report type: csv, md, markdown, rest, rst
|
||||
- `-o <file>` - Output file for Markdown/reStructuredText
|
||||
- `--output-dir <dir>` - Output directory for CSV files
|
||||
- `--list` - List all available scans
|
||||
- `-db <path>` - Database file path
|
||||
|
||||
### Update IANA Data
|
||||
|
||||
```bash
|
||||
compliance-scan update-iana [-db <path>]
|
||||
|
||||
# Example
|
||||
compliance-scan update-iana -db compliance_status.db
|
||||
```
|
||||
|
||||
Updates IANA registry data from official sources. Default database contains IANA data as of 12/2024.
|
||||
|
||||
## Report Formats
|
||||
|
||||
**CSV**: Granular files per port and category for data analysis.
|
||||
|
||||
**Markdown**: Single comprehensive report with all findings.
|
||||
|
||||
**reStructuredText**: Sphinx-compatible report with CSV table includes.
|
||||
|
||||
## Supported Protocols
|
||||
|
||||
Opportunistic TLS: SMTP, LDAP, IMAP, POP3, FTP, XMPP, RDP, PostgreSQL
|
||||
Direct TLS: HTTPS, LDAPS, SMTPS, IMAPS, POP3S
|
||||
**Opportunistic TLS**: SMTP, LDAP, IMAP, POP3, FTP, XMPP, RDP, PostgreSQL
|
||||
|
||||
**Direct TLS**: HTTPS, LDAPS, SMTPS, IMAPS, POP3S
|
||||
|
||||
## Compliance Standards
|
||||
|
||||
- BSI TR-02102-1: Certificate requirements
|
||||
- BSI TR-02102-2: TLS cipher suites and parameters
|
||||
- IANA TLS Parameters: Cipher suites, signature schemes, supported groups
|
||||
|
||||
## Documentation
|
||||
|
||||
**[Detailed Guide](docs/detailed-guide.md)** - Complete reference with CLI commands, database schema, compliance rules, and development guide.
|
||||
**[Detailed Guide](docs/detailed-guide.md)** - Complete reference with database schema, compliance rules, and development information.
|
||||
|
||||
## Requirements
|
||||
|
||||
- Python 3.13+
|
||||
- SSLyze 6.0.0+
|
||||
- Poetry
|
||||
- SSLyze 6.0.0+
|
||||
|
||||
## Planned Features
|
||||
## Database
|
||||
|
||||
- CLI command for updating IANA reference data
|
||||
- Automated IANA registry updates from web sources base on `src/sslysze_scan/scan_iana.py`
|
||||
- TLS Parameters: https://www.iana.org/assignments/tls-parameters/tls-parameters.xml
|
||||
- IKEv2 Parameters: https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml
|
||||
Default location: `compliance_status.db`
|
||||
|
||||
Template with reference data: `src/sslysze_scan/data/crypto_standards.db`
|
||||
|
||||
Schema version: 5 (includes optimized views for reporting)
|
||||
|
||||
## Development
|
||||
|
||||
```bash
|
||||
# Run tests
|
||||
poetry run pytest
|
||||
|
||||
# Update IANA reference data in template
|
||||
python3 -m sslysze_scan.iana_parser
|
||||
```
|
||||
|
||||
## Version Management
|
||||
|
||||
Version is maintained in `pyproject.toml` and read dynamically at runtime.
|
||||
|
||||
Reference in New Issue
Block a user