
App Requirements

tparrott-cse edited this page Jan 13, 2020 · 1 revision

Priority features to implement

  • TBD

Implemented features

Collaboration with MISP team

  • Provide JSON of DMARC-compliant domains to MISP team: { "domain1": score, "domain2": score, ..., "domainX": score }

Backlog

Domain entry

  • Single domain input
  • Multiple domain input (textbox field and/or file upload?)

Overall

  • Ability to query interface/scans via API or web UI
  • Scan and save DMARC result
  • Scan and save SPF result
  • Scan and save DKIM results (if defined in DB)
  • Certain values may be TXT records or CNAMEs, and should be accounted for separately. If CNAME, the actual location should be displayed too

DMARC

  • If existing DMARC configurations are found, use those as a basis for suggesting initial DMARC implementations for new domains
    • Use existing RUA/RUF report senders, optionally CCCS, to suggest new strings for missing domains

SPF

  • Handle 'redirect' and other niche modifiers
    • Specifically, the 'all'-based checks should ensure that a record ending in 'all' does not also rely on a redirect (the redirect modifier is ignored when an 'all' mechanism is present)

DKIM

  • Checks for ECC vs RSA keys
  • Create mapping between SPF record entries and DKIM selectors
    • 1+ DKIM selectors may be used for the same SPF record entry (even 100+ DKIM selectors possible)
    • 1-2 DKIM selectors is typical for a particular SPF entry
  • If a follow-up SPF scan shows changes, prompt the user for DKIM selectors based on the change:
    • If a new SPF term shows up (e.g. include:thirdparty.test), offer an input for the expected DKIM selector(s) for that mail sender
    • If part of the SPF string has been removed, ask whether the DKIM selectors for that part of the former string should be removed from the DB as well
  • In certain cases, DKIM selectors will be known based on the third-party sender, e.g. O365 always uses 'selector1' and 'selector2', but the CNAMEs may not be defined by the domain owner
  • If cloud MTAs are added to the SPF record, link to the DKIM documentation for the cloud vendors and check whether the default CNAME entries have been created.
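The "ECC vs RSA" check above needs to look inside the selector's TXT record. The following is an added example, not code from this project: it parses a DKIM record's tags, applies the RFC 6376 default of k=rsa, treats an empty p= as a revoked key, handles ed25519 keys (RFC 8463), and for RSA walks the DER SubjectPublicKeyInfo far enough to read the modulus size, flagging anything under the 1024-bit RFC 8301 minimum. The sample records, domain names and key material are constructed for the demonstration and are not real keys.

```python
import base64

# Minimal DER helpers: enough ASN.1 to walk an RSA SubjectPublicKeyInfo.
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, 'big')
    return bytes([tag]) + length + content

def der_read(buf, pos=0):
    """Return (tag, content, position after this TLV) for the element at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long-form length
        nbytes = n & 0x7F
        n = int.from_bytes(buf[pos:pos + nbytes], 'big')
        pos += nbytes
    return tag, buf[pos:pos + n], pos + n

def parse_dkim_tags(txt):
    """'v=DKIM1; k=rsa; p=...' -> {tag: value}; folded whitespace in values is dropped."""
    tags = {}
    for part in txt.split(';'):
        if '=' in part:
            name, _, value = part.partition('=')
            tags[name.strip()] = ''.join(value.split())
    return tags

def dkim_key_info(txt):
    """Report key type and size for a DKIM TXT record, flagging weak RSA keys."""
    tags = parse_dkim_tags(txt)
    ktype = tags.get('k', 'rsa').lower()       # RFC 6376: k= defaults to rsa
    if 'p' not in tags:
        return {'type': ktype, 'bits': 0, 'status': 'malformed: no p= tag'}
    if tags['p'] == '':
        return {'type': ktype, 'bits': 0, 'status': 'revoked'}   # empty p= revokes the key
    key = base64.b64decode(tags['p'])
    if ktype == 'ed25519':                     # RFC 8463: p= is the raw 32-byte key
        ok = len(key) == 32
        return {'type': ktype, 'bits': len(key) * 8, 'status': 'ok' if ok else 'malformed'}
    if ktype != 'rsa':
        return {'type': ktype, 'bits': 0, 'status': 'unknown key type'}
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, spki, _ = der_read(key)
    _, _, pos = der_read(spki)                 # skip AlgorithmIdentifier
    _, bitstr, _ = der_read(spki, pos)
    # BIT STRING body: one unused-bits byte, then RSAPublicKey ::= SEQUENCE { n, e }
    _, rsakey, _ = der_read(bitstr[1:])
    _, modulus, _ = der_read(rsakey)
    bits = int.from_bytes(modulus, 'big').bit_length()
    status = 'ok' if bits >= 1024 else 'weak: below the RFC 8301 minimum of 1024 bits'
    return {'type': 'rsa', 'bits': bits, 'status': status}

# --- Constructed sample records (not real keys) ---------------------------
RSA_OID = bytes.fromhex('06092a864886f70d010101')   # OID 1.2.840.113549.1.1.1 rsaEncryption

def constructed_rsa_spki(modulus_bytes, exponent=65537):
    """Wrap an arbitrary byte string as a DER RSA SubjectPublicKeyInfo (test data only)."""
    n = der_encode(0x02, b'\x00' + modulus_bytes)          # leading 0x00 keeps INTEGER positive
    e = der_encode(0x02, exponent.to_bytes(3, 'big'))
    rsakey = der_encode(0x30, n + e)
    alg = der_encode(0x30, RSA_OID + b'\x05\x00')          # rsaEncryption, NULL params
    return der_encode(0x30, alg + der_encode(0x03, b'\x00' + rsakey))

def b64(data):
    return base64.b64encode(data).decode()

SAMPLE_RECORDS = {
    'selector1._domainkey.example.test': 'v=DKIM1; k=rsa; p=' + b64(constructed_rsa_spki(b'\xc5' + b'\x3a' * 255)),
    'legacy._domainkey.example.test': 'v=DKIM1; p=' + b64(constructed_rsa_spki(b'\xb1' + b'\x22' * 63)),
    'ed._domainkey.example.test': 'v=DKIM1; k=ed25519; p=' + b64(b'\x11' * 32),
    'retired._domainkey.example.test': 'v=DKIM1; k=rsa; p=',
}

def scan_selectors(records=SAMPLE_RECORDS):
    """Classify every selector record in the constructed scan."""
    return {name: dkim_key_info(txt) for name, txt in records.items()}

if __name__ == '__main__':
    for name, info in scan_selectors().items():
        print(f"{name}: {info['type']} {info['bits']} bits, {info['status']}")
```

In a real scan the TXT strings come from DNS for `<selector>._domainkey.<domain>`; the DER walk assumes a well-formed record and would need bounds checks before being pointed at arbitrary DNS answers.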
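The SPF 'redirect' handling in the SPF section and the "follow-up scan shows changes" prompts above both need the same SPF term parser, so here is one added example covering both (not code from this project). It splits a record into sender mechanisms, the 'all' qualifier and any redirect target, drops the redirect when 'all' is present (RFC 7208 section 6.1), and then diffs two scans against a selector mapping to list new senders that need a DKIM selector entered and removed senders whose selectors should be reviewed. The records, domain names and selector mapping are constructed for the demonstration.

```python
# Mechanisms that name a mail source; a change to one of these is what may require
# new DKIM selectors to be recorded.
SENDER_MECHANISMS = ('include', 'a', 'mx', 'ip4', 'ip6', 'exists')

def parse_spf(record):
    """Split an SPF TXT record into (sender_terms, all_qualifier, redirect_target).

    all_qualifier is '+', '-', '~', '?' or None when the record has no 'all' term.
    The redirect= modifier is reported only when there is no 'all' term, because
    RFC 7208 section 6.1 says redirect is ignored whenever 'all' is present.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != 'v=spf1':
        raise ValueError('not an SPF record')
    senders, all_qualifier, redirect = [], None, None
    for term in terms[1:]:
        if '=' in term:                           # modifier: redirect=, exp=, ...
            name, _, value = term.partition('=')
            if name.lower() == 'redirect':
                redirect = value.lower()
            continue
        qualifier = '+'
        if term[0] in '+-~?':
            qualifier, term = term[0], term[1:]
        name = term.split(':', 1)[0].split('/', 1)[0].lower()
        if name == 'all':
            all_qualifier = qualifier
        elif name in SENDER_MECHANISMS:
            senders.append(term.lower())
    if all_qualifier is not None:
        redirect = None                           # 'all' present: redirect does not apply
    return senders, all_qualifier, redirect

def spf_change_report(old_record, new_record, selector_map):
    """Compare two SPF scans and say what the DKIM selector mapping needs.

    selector_map: SPF term (e.g. 'include:thirdparty.test') -> list of DKIM selectors
    already recorded for that sender.
    """
    def sender_set(record):
        senders, _, redirect = parse_spf(record)
        terms = set(senders)
        if redirect:
            terms.add('redirect=' + redirect)
        return terms
    old_terms, new_terms = sender_set(old_record), sender_set(new_record)
    added, removed = sorted(new_terms - old_terms), sorted(old_terms - new_terms)
    return {
        # new senders with no selector on file: prompt the user for one
        'needs_selector_input': [t for t in added if not selector_map.get(t)],
        # senders dropped from SPF: ask whether their selectors should go too
        'selectors_to_review': {t: selector_map.get(t, []) for t in removed},
    }

# Constructed scan data (not real records or senders)
OLD_SPF = 'v=spf1 include:_spf.cloudvendor.example ip4:192.0.2.10 -all'
NEW_SPF = 'v=spf1 include:_spf.cloudvendor.example include:thirdparty.test -all'
SELECTOR_MAP = {
    'include:_spf.cloudvendor.example': ['selector1', 'selector2'],
    'ip4:192.0.2.10': ['mail2019'],
}

if __name__ == '__main__':
    print(parse_spf('v=spf1 mx redirect=_spf.example.test ~all'))
    print(spf_change_report(OLD_SPF, NEW_SPF, SELECTOR_MAP))
```

The parser deliberately does not follow include: or redirect targets; a scanner that does should cap the chain at the 10 DNS-querying terms RFC 7208 allows before treating the record as permerror.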

Organization Delegation

Org A might delegate administrative control of its domains to Org B while remaining the administrative owner; for example, Org A might outsource IT management of its domain to outside company B.

organization_delegation

  • delegation_id
  • seed
  • source_org_id (organizations -> organization_id) 1-1
  • dest_org_id (organizations -> organization_id) 1-1
  • permission
  • validated

  1. source_org sets the appropriate permission and generates a random seed

     delegation_id | seed | source_org_id | dest_org_id | permission | validated
     set_by_db | RNG | source_org | NULL | set_by_source_org | FALSE

  2. source_org sends the random seed to dest_org and dest_org enters the random seed into their portal

     delegation_id | seed | source_org_id | dest_org_id | permission | validated
     set_by_db | RNG | source_org | dest_org | set_by_source_org | FALSE

  3. source_org sees dest_org in the pending list and clicks approve

     delegation_id | seed | source_org_id | dest_org_id | permission | validated
     set_by_db | RNG | source_org | dest_org | set_by_source_org | TRUE

  4. dest_org can now see source_org domains at the appropriate permission level

  • if source_org wants to remove dest_org, the source_org admin removes the link
  • if source_org wants to change the permission level, the source_org admin changes the permission level
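The four-step delegation workflow above, as an added example that is not part of this project's code. It models the organization_delegation row in memory and enforces the points a reviewer would look for: the seed comes from a CSPRNG and is compared in constant time, a seed can only be claimed once (only rows with dest_org_id NULL are matched), an org cannot delegate to itself, approval and later permission changes or removal are restricted to the source org, and dest_org gets no access until validated is TRUE. The permission levels 'read' and 'manage' and the org ids are assumptions for the demonstration; the page does not define them.

```python
import hmac
import secrets

PERMISSIONS = ('read', 'manage')   # assumed permission levels; the page does not define them

class DelegationStore:
    """In-memory stand-in for the organization_delegation table and its workflow."""

    def __init__(self):
        self.rows = {}        # delegation_id -> row
        self._next_id = 1     # plays the role of set_by_db

    def create(self, source_org_id, permission):
        """Step 1: source_org picks a permission; DB assigns the id and the RNG the seed."""
        if permission not in PERMISSIONS:
            raise ValueError('unknown permission level')
        row = {'delegation_id': self._next_id, 'seed': secrets.token_urlsafe(24),
               'source_org_id': source_org_id, 'dest_org_id': None,
               'permission': permission, 'validated': False}
        self.rows[row['delegation_id']] = row
        self._next_id += 1
        return row

    def claim(self, seed, dest_org_id):
        """Step 2: dest_org enters the seed it received from source_org out of band."""
        for row in self.rows.values():
            # constant-time compare; only unclaimed rows match, so a seed is single-use
            if row['dest_org_id'] is None and hmac.compare_digest(row['seed'], seed):
                if row['source_org_id'] == dest_org_id:
                    raise ValueError('an org cannot delegate to itself')
                row['dest_org_id'] = dest_org_id
                return row
        raise LookupError('no open delegation matches that seed')

    def pending(self, source_org_id):
        """Claimed but not yet approved rows, as shown in source_org's pending list."""
        return [r for r in self.rows.values() if r['source_org_id'] == source_org_id
                and r['dest_org_id'] is not None and not r['validated']]

    def _owned(self, delegation_id, source_org_id):
        row = self.rows.get(delegation_id)
        if row is None or row['source_org_id'] != source_org_id:
            raise PermissionError('delegation is not owned by this org')
        return row

    def approve(self, delegation_id, source_org_id):
        """Step 3: only the source org approves, and only a row dest_org has claimed."""
        row = self._owned(delegation_id, source_org_id)
        if row['dest_org_id'] is None:
            raise ValueError('nothing to approve: seed not yet entered by dest_org')
        row['validated'] = True
        return row

    def permission_for(self, dest_org_id, source_org_id):
        """Step 4: level at which dest_org may see source_org's domains (None = no access)."""
        for row in self.rows.values():
            if (row['validated'] and row['dest_org_id'] == dest_org_id
                    and row['source_org_id'] == source_org_id):
                return row['permission']
        return None

    def set_permission(self, delegation_id, source_org_id, permission):
        if permission not in PERMISSIONS:
            raise ValueError('unknown permission level')
        self._owned(delegation_id, source_org_id)['permission'] = permission

    def remove(self, delegation_id, source_org_id):
        self._owned(delegation_id, source_org_id)
        del self.rows[delegation_id]

def run_workflow():
    """Walk the four steps for Org A (source) and Org B (dest); returns what B sees at each point."""
    store = DelegationStore()
    row = store.create('org_a', 'read')
    trail = [store.permission_for('org_b', 'org_a')]          # None: seed not yet entered
    store.claim(row['seed'], 'org_b')
    trail.append(store.permission_for('org_b', 'org_a'))      # None: claimed, not approved
    assert len(store.pending('org_a')) == 1
    store.approve(row['delegation_id'], 'org_a')
    trail.append(store.permission_for('org_b', 'org_a'))      # 'read'
    store.set_permission(row['delegation_id'], 'org_a', 'manage')
    trail.append(store.permission_for('org_b', 'org_a'))      # 'manage'
    store.remove(row['delegation_id'], 'org_a')
    trail.append(store.permission_for('org_b', 'org_a'))      # None: link removed
    return trail

if __name__ == '__main__':
    print(run_workflow())
```

Against a real database the "only unclaimed rows match" rule should be an atomic conditional UPDATE (WHERE dest_org_id IS NULL) so two destinations cannot race on the same seed.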

Pseudocode

DMARC: calculating effective policy levels

    policy_levels = ['none', 'quarantine', 'reject']

    def effective_policy_levels(policy, pct):
        # The published policy applies to pct% of mail that fails DMARC
        effective_policy = {policy: pct}
        if (policy == 'quarantine' or policy == 'reject') and 0 <= pct <= 100:
            # The remainder falls through to the next-lower policy:
            # reject -> quarantine, quarantine -> none
            lower_policy = policy_levels[policy_levels.index(policy) - 1]
            effective_policy[lower_policy] = 100 - pct
        return effective_policy
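The effective-policy calculation above and the DMARC backlog item about using existing RUA/RUF senders to suggest records for missing domains share a record parser, so here is one added example serving both (not code from this project). It parses a DMARC TXT record into tags, computes the effective policy split with pct defaulting to 100 and out-of-range values clamped, and for each domain in a scan that has no record proposes a p=none starter record reusing the organisation's most common rua/ruf destinations, with an optional extra rua recipient (the page's "optionally CCCS"). The scan results, domains and mailbox addresses are constructed for the demonstration.

```python
from collections import Counter

POLICY_LEVELS = ['none', 'quarantine', 'reject']

def parse_dmarc(txt):
    """'v=DMARC1; p=reject; pct=30; rua=...' -> {tag: value}; raises on non-DMARC input."""
    tags = {}
    for part in txt.split(';'):
        if '=' in part:
            name, _, value = part.partition('=')
            tags[name.strip().lower()] = value.strip()
    if tags.get('v') != 'DMARC1' or tags.get('p', '').lower() not in POLICY_LEVELS:
        raise ValueError('not a valid DMARC record: ' + txt)
    return tags

def effective_policy(tags):
    """Share of failing mail handled at each level: the declared policy covers pct%,
    the remainder falls through to the next-lower level (RFC 7489 section 6.6.4)."""
    policy = tags['p'].lower()
    try:
        pct = int(tags.get('pct', '100'))        # pct defaults to 100
    except ValueError:
        pct = 100                                # unparsable pct: treat as absent
    pct = max(0, min(100, pct))
    levels = {policy: pct}
    if policy in ('quarantine', 'reject') and pct < 100:
        levels[POLICY_LEVELS[POLICY_LEVELS.index(policy) - 1]] = 100 - pct
    return levels

def suggest_records(scan, extra_rua=None):
    """scan: domain -> DMARC TXT (or None when absent). For each domain without DMARC,
    propose a p=none starter record that reuses the rua/ruf destinations most common
    among the existing records, optionally adding one more rua recipient."""
    rua, ruf, missing = Counter(), Counter(), []
    for domain, txt in scan.items():
        if not txt:
            missing.append(domain)
            continue
        tags = parse_dmarc(txt)
        if 'rua' in tags:
            rua[tags['rua']] += 1
        if 'ruf' in tags:
            ruf[tags['ruf']] += 1
    rua_value = rua.most_common(1)[0][0] if rua else None
    if extra_rua and (rua_value is None or extra_rua not in rua_value):
        rua_value = extra_rua if rua_value is None else rua_value + ',' + extra_rua
    suggestions = {}
    for domain in missing:
        parts = ['v=DMARC1', 'p=none']           # monitor mode first; tighten once reports arrive
        if rua_value:
            parts.append('rua=' + rua_value)
        if ruf:
            parts.append('ruf=' + ruf.most_common(1)[0][0])
        suggestions[domain] = '; '.join(parts)
    return suggestions

# Constructed scan results for three domains (not real records)
SAMPLE_SCAN = {
    'a.example.test': 'v=DMARC1; p=reject; pct=30; rua=mailto:dmarc@a.example.test',
    'b.example.test': 'v=DMARC1; p=quarantine; rua=mailto:dmarc@a.example.test; ruf=mailto:forensic@a.example.test',
    'c.example.test': None,
}

if __name__ == '__main__':
    for domain, txt in SAMPLE_SCAN.items():
        if txt:
            print(domain, effective_policy(parse_dmarc(txt)))
    print(suggest_records(SAMPLE_SCAN, extra_rua='mailto:dmarc-reports@cccs.example'))
```

The extra rua address used in the usage line is a placeholder; a real deployment would also need to publish the external-destination verification record (RFC 7489 section 7.1) for any rua domain that differs from the domain being configured.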