testssl.sh
[Feature request] Policy Scan Mode / expectation profiles / compliance template
Background: The tool ssh-audit provides a beneficial feature that allows scanning a target against a specified policy file. This functionality enables users to verify if the server's SSH configuration aligns with predetermined compliance standards or security best practices.
Feature request: I propose that a similar feature be integrated into testssl.sh, thus equipping it with the ability to assess if a given host adheres to defined constraints. This proposed feature could improve the tool by offering:
- Predefined policy templates (e.g., PCI DSS, NIST, custom organizational policies) that users can select to audit against.
- Customizable policy definition where users can specify the criteria and rules for their unique environment.
- An automated way to ensure that SSL/TLS configurations meet specific security compliance requirements.
See #333, #1085, #1108.
TL;DR: it's not a novel idea, but implementation is hard?
@dreizehnutters: someone just has to do that. Description of todos is e.g. here
If the code base wasn't so daunting, I would try to work on it.
I updated the description mentioning above in #1108. Don't know whether that helps. 2B seems to be (now) the best approach to me.
If you or anyone else wants to give it a shot, first try testssl.sh --csv <file> -p <target> and provide a piece of code that checks whether the (CSV) output shows at least TLS 1.2. Then we need to work on an idea of how a compliance template / expectation profile could look. That way we somehow have a PoC for the protocol section.
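A minimal PoC for that first step, added here as an example and not the project's own code: it parses testssl.sh CSV output and checks the protocol rows against a hypothetical expectation profile. The column layout (id, fqdn/ip, port, severity, finding, cve, cwe, hint), the protocol ids (SSLv2 ... TLS1_3) and the "offered" / "not offered" finding wording are assumed from testssl.sh's CSV output; the sample rows are constructed.

```python
import csv
import io
import sys

# Constructed sample of `testssl.sh --csv` output for one host; column layout
# assumed to match what testssl.sh writes.
SAMPLE_CSV = """\
"id","fqdn/ip","port","severity","finding","cve","cwe","hint"
"SSLv2","example.test/203.0.113.10","443","OK","not offered","","",""
"SSLv3","example.test/203.0.113.10","443","OK","not offered","","",""
"TLS1","example.test/203.0.113.10","443","LOW","offered (deprecated)","","",""
"TLS1_1","example.test/203.0.113.10","443","LOW","offered (deprecated)","","",""
"TLS1_2","example.test/203.0.113.10","443","OK","offered","","",""
"TLS1_3","example.test/203.0.113.10","443","OK","offered with final","","",""
"""

# Hypothetical expectation profile ("PCI-like"): each testssl.sh id maps to
# whether the protocol must (True) or must not (False) be offered.
PCI_LIKE_PROFILE = {
    "SSLv2": False, "SSLv3": False, "TLS1": False, "TLS1_1": False,
    "TLS1_2": True,
}

def load_findings(csv_text):
    """Return {id: finding} from testssl.sh CSV text (one host/port)."""
    return {row["id"]: row["finding"]
            for row in csv.DictReader(io.StringIO(csv_text))}

def is_offered(finding):
    """testssl.sh phrases protocol findings as 'offered ...' or 'not offered ...'."""
    return finding.startswith("offered")

def check_profile(findings, profile):
    """Return (id, expected_offered, actual_finding) for every profile violation.

    A protocol the profile mentions but the scan did not report (e.g. the
    protocol section was skipped) is reported as a violation, not silently passed.
    """
    violations = []
    for proto_id, expected in profile.items():
        finding = findings.get(proto_id)
        if finding is None:
            violations.append((proto_id, expected, "missing from scan output"))
        elif is_offered(finding) != expected:
            violations.append((proto_id, expected, finding))
    return violations

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    for proto_id, expected, actual in check_profile(load_findings(text), PCI_LIKE_PROFILE):
        want = "offered" if expected else "not offered"
        print(f"FAIL {proto_id}: expected {want}, got: {actual}")
```

Run it with the path of a real testssl.sh CSV file as the first argument; with no argument it evaluates the constructed sample, which fails on TLS1 and TLS1_1.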