Prioritization with context: Mondoo Firewatch​

Ever feel like you're drowning in a rushing firehose of security findings? What about so-called critical vulnerabilities that, it turns out, aren't really much of a threat to your infrastructure? 

This month we released the first phase of our all-new Firewatch feature, a solution to overwhelming and often misrepresented findings. Firewatch surfaces genuinely critical risks and prioritizes the most important findings in your infrastructure.  

Firewatch evaluates and prioritizes findings and vulnerabilities based on contextual risks on affected assets and downstream system exposure. Our unique algorithm considers multiple angles and factors to highlight the issues most likely to expose your business to attack.

We redesigned our UI to focus on the most critical issues first. The all-new space dashboard includes an interactive sunburst chart for navigating critical findings in your entire space, as well as ranked lists of both vulnerabilities and security findings.

New views for advisories, CVEs, and assets show risk scores and contextual risk factors to expose the importance of fixes needed in your infrastructure.

When you explore the details of an individual risk from anywhere in the Mondoo Console, you now see exposure and downstream impact that help you compare and plan.

New policy check pages allow you to better understand critical impacts to your business. Score tiles bring risk front and center so you can understand the priority of findings. With refactored query descriptions, it's easier to understand why a check is important, how Mondoo evaluates your assets, and what risk factors mean to the safety of your organization.

The new blast radius value for every finding tells you the potential impact of a problem… and of fixing it. Blast radius isn't just the number of assets that have the issue; it also considers risk factors of all of the assets that have the issue. 

A new Affected Assets page lets you better prioritize assets in your environment with critical vulnerabilities. Top-of-page filters allow you to drill into individual risk factors that increase or decrease the threat that vulnerabilities present.

Improved EPSS graphs expose the risk percentile and are easier to read.

For a deeper look at the game-changing features of Mondoo Firewatch and an idea of what's coming next, read our Firewatch blog post.

Console performance improvements​

No one wants to wait for slow-loading web pages. That's why we unleashed some masterful jiu jitsu on how the console fetches space and asset data. Now our pages are always speedy to load.

Compliance as code​

Every audit is different. Now you can customize the Mondoo Compliance Hub experience to match the exact evidence required by your auditor.

Download one of our top industry compliance frameworks to your local system directly from Mondoo Compliance Hub.

The framework file you download is pre-customized for your space with compliance evidence mappings from policies you've enabled, as well as any exceptions you've defined. You can customize the file with any additional controls or specific evidence items your auditor requests.

With your compliance framework fully customized for your auditor's requirements, upload it to Mondoo Compliance Hub and track your progress just as you would using an out-of-the box framework. Need to make a change? Don't worry: You can replace the framework with an updated version at any time or remove it altogether.

Scan more

Scan Azure Container Registry

Mondoo now supports scanning Azure Container Registries (ACR) that require authentication using credentials stored after running the az login command.

To log in and scan a complete registry, run:

az login
cnspec scan container registry my_registry.azurecr.io

Dockerfile scanning​

Expose security concerns before they reach production with new Mondoo Dockerfile scanning. Run cnquery shell docker file DIRECTORY_OR_PATH to inspect a single Dockerfile or find nested Dockerfiles within directories. Using the new docker.file resource, you can explore the file itself or dive into Dockerfile stages and instructions.

cnquery shell docker file Dockerfile
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ connected to Dockerfile
 ___ _ __   __ _ _   _  ___ _ __ _   _
/ __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
\___|_| |_|\__, |\__,_|\___|_|   \__, |
 mondoo™      |_|                |___/  interactive shell

cnquery> docker.file.stages{*}
docker.file.stages: [
 0: {
   entrypoint: null
   add: []
   run: [
     0: docker.file.run script="mkdir -p /opt/app"
     1: docker.file.run script="npm install"
   ]
   file: docker.file file.path="Dockerfile" instructions.length=8 stages.length=1
   copy: [
     0: docker.file.copy src=[
       0: "src/package.json"
       1: "src/package-lock.json"
     ] dst="."
   ]
   from: docker.file.from name="" image="node" tag="18.16.0-alpine3.17"
   env: {}
   cmd: docker.file.run script="npm
start"
 }
]

Stay tuned for upcoming Dockerfile policies and Dockerfile security monitoring in the Mondoo Console!

Kubernetes DaemonSet-based node scanning​

With the new DaemonSet Kubernetes node scanning option you can scan Kubernetes cluster nodes with the Mondoo Kubernetes Operator even if the node utilization is too high for CronJob scheduling. If your clusters run high utilization, you can either edit an existing integration to use DaemonSets or configure a new integration with DaemonSet node scanning.

New and updated policies

XZ Utils Vulnerability policy​

Although the recent XZ supply chain attack in XZ 5.6.0 and 5.6.1 (CVE-2024–3094) thankfully didn't make it into any mainstream enterprise Linux distributions, there's still a significant risk if employees are running rolling distributions or pre-releases of upcoming Linux distros. To quickly evaluate your CVE-2024–3094 exposure, we've created a new XZ Vulnerability (CVE-2024–3094) policy that looks for XZ 5.6.0/5.6.1 on impacted Linux releases:

• Alpine
• Arch
• Debian trixie/sid
• Fedora 40
• Kali 2024.1
• openSUSE Tumbleweed

Expanded Endpoint Detection and Response (EDR) policy support​

Mondoo now detects the ESET EDR with our new Endpoint Detection and Response (EDR) policy.

Rewritten cloud policies

We rewrote the Mondoo AWS Security policy and the Mondoo Microsoft Azure Security policy from the ground up with new and expanded queries that match the latest capabilities and risks, including Microsoft Entra ID.

Windows 11 compatibility policy​

Enable the new Windows 11 Compatibility policy to see if existing Windows workstations meet the hardware requirements for Windows 11. This policy includes several different checks for CPU, RAM, TPM, and hard drive space requirements. To learn more about these hardware requirements, read Microsoft's Windows 11 Specs & System Requirements.

New Terraform checks in the CIS GCP Foundation policy​

Now you can flag critical security misconfigurations before they ever run in your infrastructure. New and expanded Terraform config checks in the CIS Google Cloud Platform Foundation policy evaluate Terraform configs for proper GCP uniform bucket level access setup.

Support for the latest platforms

Fedora 40 EOL/CVE detection​

Mondoo already offers CVE and EOL detection for the Fedora 40 beta, which is now available for testing. Protect your test systems from critical vulnerabilities such as the compromised XZ release (CVE-2024–3094) that originally shipped in this beta.

Google Container-Optimized OS 113​

Mondoo now includes security scanning and EOL detection support for Google's latest COS 113 release.

Ubuntu 24.10 CVE detection​

Canonical recently announced the start of development for Ubuntu 24.10, code named Oracular Oriole. If you're a risk taker and want to run this pre-alpha release of Ubuntu, Mondoo has your back with CVE support for this upcoming release.

Automate deployments with Terraform​

Mondoo's latest Terraform provider allows you to automate the setup of Azure, Slack, and domain integrations. You can even tie in the Azure setup with the Mondoo setup to make managing Azure applications easier than ever. Thank you @mati007thm and @Pauti for all your fantastic work making this provider possible!

Expanded resource support

aws.autoscaling.groups​

• Improve resource default values
• New availabilityZones field
• New capacityRebalance field
• New defaultInstanceWarmup field
• New desiredCapacity field
• New instances field
• New maxInstanceLifetime field

aws.cloudfront.distributions​

• New cnames field

aws.ec2.instances​

• Improve the performance of instance scanning

aws.ec2.networkacl​

• New associations field

aws.inspector​

• New resource for Amazon Inspector

aws.s3.bucket​

• Fix failures fetching ACL grants

gcp.project.bigqueryService​

• Fix failures querying BigQuery resources

aws.ec2.images​

• New createdAt field

aws.elb.loadbalancer​

• New availabilityZones field
• New elbType field
• New hostedZoneId field
• New region field
• New securityGroups field
• New vpc field
• Deprecate vpcId in favor of vpc field, which exposes the aws.vpc resource

aws.vpc.subnet​

• New region field

docker.file​

• New expose field
• New label field

gcp.project.gkeService.cluster​

• Expand default fields to improve cnquery shell use
• New shieldedNodesConfig field
• New costManagementConfig field
• New confidentialNodesConfig field
• New identityServiceConfig field
• New networkPolicyConfig field

gcp.project.gkeService.cluster.addonsConfig​

• New gcsFuseCsiDriverConfig field
• New statefulHaConfig field

gcp.project.gkeService.cluster.networkConfig​

• New enableMultiNetworking field
• New enableFqdnNetworkPolicy field
• New enableCiliumClusterwideNetworkPolicy field

sshd.config​

An all-new sshd.config resource includes support for parsing the combined sshd_config and sshd_config.d/* configs. Now Mondoo can track the running state of your SSH daemon no matter where you define configuration options.

What's next?

Mondoo Firewatch already eliminates so much frustration and uncertainty from your prioritization and planning efforts. But there's more to come: Watch for the upcoming ability to customize how Mondoo prioritizes vulnerabilities and security findings.

In the meantime, explore Mondoo and see for yourself how much smarter your team can work when your decisions are well-informed.

‍