cipherrun 0.3.0

A fast, modular, and scalable TLS/SSL security scanner written in Rust
id: soc2
name: SOC 2 Type II
version: 2017
description: Service Organization Control 2 - Trust Services Criteria for Security, Availability, and Confidentiality
organization: American Institute of Certified Public Accountants (AICPA)
effective_date: 2017-01-01

requirements:
  - id: SOC2-CC6.1
    name: Logical and Physical Access Controls - Encryption in Transit
    description: The entity implements logical access security measures to protect against threats from sources outside its system boundaries
    category: Protocol Security
    severity: high
    remediation: |
      Implement strong encryption for data in transit:
      - Use TLS 1.2 or TLS 1.3 for all network communications
      - Disable legacy protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1)
      - Document encryption standards in security policies
    rules:
      - type: ProtocolVersion
        allowed:
          - TLS 1.2
          - TLS 1.3
        denied:
          - SSLv2
          - SSLv3
          - TLS 1.0
          - TLS 1.1

  - id: SOC2-CC6.6
    name: Encryption Key Management
    description: The entity implements controls to protect cryptographic keys during generation, storage, use, and destruction
    category: Certificate Security
    severity: high
    remediation: |
      Implement robust key management practices:
      - Use minimum RSA 2048-bit keys (4096-bit for high sensitivity)
      - Use minimum ECC 256-bit keys (384-bit for high sensitivity)
      - Document key lifecycle management procedures
      - Implement key rotation schedules
    rules:
      - type: CertificateKeySize
        min_rsa_bits: 2048
        min_ecc_bits: 256

  - id: SOC2-CC6.7
    name: Transmission Encryption Standards
    description: The entity restricts the transmission of sensitive data to authorized internal and external users and processes
    category: Cipher Security
    severity: critical
    remediation: |
      Enforce strong cipher standards:
      - Disable NULL, EXPORT, DES, 3DES, RC4, and other weak ciphers
      - Use AES-256 or AES-128 with GCM mode
      - Implement ChaCha20-Poly1305 as an alternative to AES
      - Document approved cipher suites in policies
    rules:
      - type: CipherSuite
        denied_patterns:
          - ".*_NULL_.*"
          - ".*_EXPORT_.*"
          - ".*_DES_.*"
          - ".*_3DES_.*"
          - ".*_RC4_.*"
          - ".*_MD5.*"

  - id: SOC2-CC6.8
    name: Data Integrity During Transmission
    description: The entity protects information during transmission to prevent unauthorized modification
    category: Cipher Security
    severity: high
    remediation: |
      Use authenticated encryption (AEAD) to ensure data integrity:
      - Prioritize AES-GCM cipher suites
      - Enable ChaCha20-Poly1305 support
      - These provide both confidentiality and message authentication
    rules:
      - type: CipherSuite
        preferred_patterns:
          - ".*_GCM.*"
          - ".*_CHACHA20_POLY1305.*"

  - id: SOC2-CC7.2
    name: System Monitoring - Certificate Management
    description: The entity monitors systems and takes action to maintain the continued effectiveness of security policies
    category: Certificate Security
    severity: medium
    remediation: |
      Implement certificate lifecycle monitoring:
      - Monitor certificate expiration (90-day advance warning)
      - Automate certificate renewal processes
      - Maintain certificate inventory
      - Document certificate management procedures
      - Alert on certificate validation failures
    rules:
      - type: CertificateExpiration
        max_days_until_expiration: 90
      - type: CertificateValidation
        require_valid_chain: true
        require_unexpired: true

  - id: SOC2-CC7.3
    name: Change Management - Security Updates
    description: The entity implements change management processes for security infrastructure
    category: Vulnerability
    severity: high
    remediation: |
      Maintain up-to-date security posture:
      - Apply security patches promptly for known vulnerabilities
      - Address Heartbleed, POODLE, BEAST, CRIME, FREAK, Logjam, etc.
      - Document vulnerability remediation procedures
      - Perform regular vulnerability scanning
    rules:
      - type: Vulnerability

  - id: SOC2-CC6.2
    name: Strong Cryptographic Hash Functions
    description: The entity uses industry-standard cryptographic algorithms for certificates
    category: Certificate Security
    severity: high
    remediation: |
      Use strong hash functions for certificate signatures:
      - SHA-256, SHA-384, or SHA-512
      - Avoid MD5 and SHA-1 (deprecated and weak)
      - Update certificate issuance processes
    rules:
      - type: SignatureAlgorithm
        allowed:
          - sha256
          - sha384
          - sha512
        denied:
          - md5
          - sha1

  - id: SOC2-CC6.3
    name: Perfect Forward Secrecy
    description: The entity protects session keys to prevent decryption of captured traffic
    category: Cipher Security
    severity: medium
    remediation: |
      Enable Perfect Forward Secrecy (PFS):
      - Use ephemeral Diffie-Hellman (DHE/ECDHE) key exchange
      - Ensures past sessions cannot be decrypted if private keys are compromised
      - Disable static RSA key exchange
    rules:
      - type: ForwardSecrecy
        required: true