Releases

ICYMI: Mondoo Release Highlights for February 2023

Welcome to Mondoo's February 2023 release highlights.

Mondoo-release-highlights-graphic

We are thrilled to announce the launching of our Enterprise Cloud and v8, as well as other noteworthy milestones for the month.

Enterprise Cloud

Mondoo Launches Cloud-Based Enterprise Solution

We are thrilled to unveil Mondoo's new cloud-based corporate solution. Data privacy is crucial in regulated industries including healthcare, government, and finance. Our SaaS platform and dedicated environment boost security, privacy, and scalability for large companies.

The release focuses on running a dedicated environment on GCP, Amazon, or Azure, enterprise-level security and compliance controls, frequent product and security upgrades, and unifying security posture management tool footprint into one platform.

Find out more in our blog post.

In-depth support for GCP, Azure, and MS365

Problem: Earlier, Mondoo's GCP and Azure integrations had limited support for policies and resources requiring users to install the Mondoo clients to scan their cloud accounts remotely. There was also limited discoverability of all the things in your cloud accounts.

Solution: We added server-side integrations for GCP, Azure, and MS365, allowing you to scan and integrate these environments without installing agents. You can continuously scan these environments and use MQL to discover all included services and components. We also expanded on policies for these systems, including support for CIS.

New agentless integrations for GCP, Azure and MS365

You can now configure continuous scanning of GCP, Azure, and even Microsoft 365 services through the Mondoo console. No need to download an agent or deploy any code into your infrastructure. Configure read-only service credentials in the Mondoo console and let Mondoo do the rest.

mondoo-integrations-view

GCP, Azure and MS365 Policy updates:

In addition to these integrations, we have also updated our policies.
Mondoo now includes the latest CIS policies for GCP and Azure, version 2.0.0 and 1.5.0 respectively. These updated policies utilize the latest resources shipped with the latest versions of cnspec, and include many new queries as well as audit and remediation steps for all queries. Our certification release for the latest CIS MS365  is coming soon.

Continuous Amazon ECR and ECS scanning

​You can now configure the Mondoo AWS integration to continuously scan your AWS ECR (Elastic Container Registry) and ECS (Elastic Container Service) infrastructure, providing security insight to your critical container infrastructure.

This will now be automatically scanned with your new or existing AWS integration. The configuration can be found on the integration page:

ecr-ecs-scanning

V8 release

Improved policies and query packs

We are excited to announce our latest release of Mondoo version 8 which includes our open source projects cnquery and cnspec.

This release focuses on improving policies and query packs, simplifying their structure, and adding major new features like configurable properties, variants, and embedded queries to enhance your experience with Mondoo.

Find out more in our release notes for v8.

UI Experience Enhancements

New UI navigation experience​

Problem: The top-heavy navigation in Mondoo caused difficulties for our consumers as it was difficult to use, didn't support sub-menus, and exposed only a few menu items. Additionally, the vulnerability database and policy registry were difficult to find, even though they were highly useful.

Solution: To address these issues, we have completely revamped the navigation in the Mondoo interface. We have introduced a new navigation menu to the left side of the website to replace the top navigation tabs.This new menu includes frequently accessed sections of the UI such as Fleet, CI/CD, Integrations, and Policy Hub.

mondoo-fleet-view

Sub-items in the menu make it easier to find what you're looking for without having to navigate through multiple pages. For example, to view Kubernetes integrations you can select IntegrationsKubernetes in the menu instead of loading the Integrations page and then selecting Kubernetes.

This new menu also includes quick access to the Mondoo Vulnerability Database, which was previously buried deep in the Policy Hub. With this new navigation, users can easily find and access the database.

mondoo-vuln-database

Additionally, we have introduced a new integrations menu that summarizes all configured integrations. We have also added a convenient link to add new integrations at the top of the menu.

mondoo-integrations

We have exciting plans to further improve this new navigation menu, so stay tuned for new releases.

Terraform in the fleet view

Problem: When using cnspec to protect  your code, it can be challenging to locate Terraform code results as they appear as uncategorized assets.

Solution: To make it easier to find all of your Terraform scans in one location, we have introduced a new Terraform section in the Fleet view.

mondoo-terraform

Improved platform names and grouping for cloud & SaaS assets​

To improve the user experience and make it easier to locate and categorize assets, we've renamed and introduced new groupings in the fleet view. Azure, Slack, and Okta assets are now azure-subscription, slack-team, and okta-org, respectively, to more accurately reflect their contents. Additionally, we have introduced new Okta, Google Workspace, and Slack groupings to enable users to filter assets by SaaS service.

mondoo-slack-google-okta

Show asset advisory counts in CVE views

​We have added new functionality to show asset advisory counts in CVE views. This allows users to better understand the impact of each vulnerability and prioritize their patching efforts accordingly. Users can now see the asset score for each affected asset, as well as the total number of advisories for each asset directly on the CVE page. This new feature will help users to make more informed decisions about how to allocate their resources to improve their overall security posture.

mondoo-docker

Identify scratch containers​

The latest update to cnspec now detects the platform and architecture of containers built from scratch. With this update, users can more easily identify scratch containers and ensure they are secured properly to reduce security risks.

mondoo-containers

Only applicable controls in the console​

Controls that are automatically skipped are no longer shown as disabled in the Mondoo console. Depending on the policy and infrastructure scanned, there could be several dozen controls that cnspec skipped automatically. This new behavior simplifies the asset controls view and makes it more clear which controls ran and which you disabled.

Org names in shared space titles​

Differentiating between shared spaces can be difficult if the space names are the same. Shared spaces now include the org and space name, so you can better tell spaces apart.

mondoo-shared-spaces

Securing PLCnext controllers​

Small and embedded devices, like programmable logic controllers, are often-times black boxes and can pose a security risk if they are not well-secured.

Mondoo now supports Phoenix PLCnext programmable logic controllers.

Screen Shot 2023-03-06 at 10-19-25 PM-png

Specifically, cnspec and cnquery now support Phoenix PLCnext PLCs. We have introduced a new community Phoenix PLCnext Security Policy that includes 22 security guidelines based on recommendations from the PLCnext community. Additionally, cnquery now includes a new platform output field that specifies the PLCnext platform, including the version number and build.

cnquery PLCnext platform output:

platform: {
 name: "plcnext"
 build: "d755854b5b21ecb8dca26b0a560e6842a0c638d7"
 title: "PLCnext"
 version: "23.0.0.65"
}

With this new support, you can now use Mondoo to audit and secure your PLCnext controllers, ensuring that they are protected against potential security vulnerabilities.

Monitor your infrastructure for security misconfigurations and maps those checks automatically to top compliance frameworks.

Policy updates

GitHub Repository Best Practices policy​

Problem: Keeping track of the status of your GitHub repositories', including any security and best practices violations, can be challenging.

Solution: We’ve created a new policy, "GitHub Repository Best Practices by Mondoo," which covers non-security checks from our existing "GitHub Repository Security by Mondoo" policy. This makes it easier for you to report and address security and best practices issues separately. Additionally, we’ve added a new query to the policy to ensure that repositories are set up to utilize Dependabot for package management lock files, GitHub Actions, or Docker base images.

mondoo-github-repository-best-practices

New and improved EOL detection​

We've improved support for detecting end of life (EOL) platforms with new and updated EOL detection support:

  • Added EOL detection support for FreeBSD.
  • Added EOL detection support for Linux Mint.
  • Added EOL date for Alpine 3.17.
  • Added EOL date for Fedora 36 and 37.
  • Updated Debian EOL dates to use the end of LTS dates.
  • Updated Photon 2.0 EOL date for the revised date of Dec 31, 2022.
  • Updated Amazon 2022 EOL date for the revised date of Nov 1, 2027.

CLI improvements

Improved CLI scanning UX​

In response to community feedback, we have implemented updates to the CLI scanning UX. Now, viewing scan results is easier than ever before. Additionally, we have improved the user experience when scans fail. These updates aim to enhance the overall usability of our CLI scanning feature.

Manage vault secrets data in the CLI

Problem: You want to scan multiple assets using a Mondoo inventory file but  also need to securely store any required secrets.

Solution: cnspec and cnquery now provide the ability to manage secrets data in vaults directly through the command line. To securely store the secrets, a keychain vault can be defined using the command cnspec vault set mondoo-client-vault --type keyring. You can confirm the vault's configuration using the cnspec vault list command. Then, add your secret to the keychain vault with the cnspec vault add-secret command. Once you have added the secret to the keychain vault, you can reference the secret in your inventory. Re-run the scan, and you will see that the secret is now picked up along with the inventory file.

CSV output format for cnquery​

The cnquery CLI can now produce CSV output on the CLI for integration spreadsheet apps or other systems that parse CSV input.

cnquery scan docker debian:11 --output csv > report.csv
mondoo-query

Install cnspec using Ansible​

Our latest release makes it simpler to install and migrate to cnspec at scale with our new Mondoo Ansible role. This role can setup cnspec and cnquery on new systems, and update existing installations to use these tools. Just run this role on your systems, and the latest cnspec release will automatically be running as a service.

Deploy cnspec with Chef Infra​

The mondoo cookbook 0.5.0 is now available on Chef Supermarket. This updated release configures systems to use the cnspec service. If you’re already using the previous release of the cookbook, this release will automatically update your systems from the mondoo service to the cnspec service.

Support storing Okta token in OKTA_CLIENT_TOKEN env var​

If you don't want to pass your Okta token on the CLI with the --token flag, cnquery and cnspec now support fetching the token from the OKTA_CLIENT_TOKEN env var in your shell.

MQL and Resources updates

New azure.subscription.aks.cluster resource​

A new azure.subscription.aks.cluster resource has been added to explore your Kuberenetes clusters in Azure AKS. It allows you to inspect the settings in your Kubernetes control plane and add checks to keep them secure.

To list all AKS clusters:

cnquery> azure.subscription.aks.clusters
azure.subscription.aks.clusters: [
 0: azure.subscription.aksService.cluster name="aks-dev-cluster" location="westeurope"
]

To select particular properties for each cluster:

cnquery> azure.subscription.aks.clusters{name rbacEnabled kubernetesVersion powerState}
azure.subscription.aks.clusters: [
 0: {
   rbacEnabled: true
   powerState: "Running"
   kubernetesVersion: "1.24.9"
   name: "aks-dev-cluster"
 }
]

New aws.ssm resource​

A new aws.ssm resource allows you to explore and secure the settings in your AWS Systems Manager (SSM) infrastructure.

To query SSM data using cnquery:

cnquery> aws.ssm.instances { * }
aws.ssm.instances: [
 0: {
   arn: "arn:aws:ssm:us-east-1:185972261234:instance/i-0f58c727dc7ca1337"
   platformName: "Microsoft Windows Server 2022 Datacenter"
   ipAddress: "172.1.89.50"
   instanceId: "i-0f58c727dc7ca1337"
   region: "us-west-2"
   pingStatus: "Online"
   tags: {
     Name: "test-win"
   }
 }
 1: {
   arn: "arn:aws:ssm:us-east-1:185972261234:instance/i-04680e19801302600"
   platformName: "Amazon Linux"
   ipAddress: "172.1.80.30"
   instanceId: "i-04680e19801302600"
   region: "us-west-2"
   pingStatus: "Online"
   tags: {
     Name: "badssm"
   }
 }
...

Or write a query for a policy:

cnquery> aws.ssm.instances.all(pingStatus == "Online")
[ok] value: true

New AWS MQL resources​

Mondoo now includes new resources for Amazon ECR and CloudFront so you can explore and secure even more of your Amazon infrastructure using MQL.

Query ECR images:

cnquery> aws.ecr.images { * }
aws.ecr.images: [
 0: {
   registryId: "172746783610"
   tags: [
     0: "latest"
   ]
   digest: "sha256:0c78b32ef7f3b41e3ed3115488d64a6faf7a3cdade2a5eb720092b6e8e0a88ca"
   repoName: "vjtestpriv"
   mediaType: "application/vnd.docker.distribution.manifest.v2+json"
 }
]
cnquery> aws.ecr.publicRepositories { * }
aws.ecr.publicRepositories: []
cnquery> aws.ecr.privateRepositories { * }
aws.ecr.privateRepositories: [
 0: {
   uri: "172746783610.dkr.ecr.us-east-1.amazonaws.com/vjtestpriv"
   public: false
   region: "us-east-1"
   registryId: "172746783610"
   name: "vjtestpriv"
   arn: "arn:aws:ecr:us-east-1:172746783610:repository/vjtestpriv"
   images: [
     0: aws.ecr.image id = vjtestpriv/sha256:0c78b32ef7f3b41e3ed3115488d64a6faf7a3cdade2a5eb720092b6e8e0a88ca
   ]
 }
]


Query CloudFront distributions and functions:

cnquery> aws.cloudfront { distributions { *} functions { * } }
aws.cloudfront: {
 distributions: [
   0: {
     origins: [
       0: aws.cloudfront.distribution.origin id = 185972265011/test-1be01d1424077260.elb.us-east-1.amazonaws.com
     ]
     status: "Deployed"
     cacheBehaviors: []
     domainName: "d1w4eig1i8et92.cloudfront.net"
     arn: "arn:aws:cloudfront::185972265011:distribution/E3J92HBG5Z8S6Q"
     defaultCacheBehavior: {
       AllowedMethods: {
         CachedMethods: {
           Items: [
             0: "HEAD"
             1: "GET"
           ]
           Quantity: 2.000000
         }
         Items: [
           0: "HEAD"
           1: "GET"
         ]
         Quantity: 2.000000
       }
       CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
       Compress: true
       DefaultTTL: null
       FieldLevelEncryptionId: ""
       ForwardedValues: null
       FunctionAssociations: {
         Items: null
         Quantity: 0.000000
       }
       LambdaFunctionAssociations: {
         Items: null
         Quantity: 0.000000
       }
       MaxTTL: null
       MinTTL: null
       OriginRequestPolicyId: null
       RealtimeLogConfigArn: null
       ResponseHeadersPolicyId: null
       SmoothStreaming: false
       TargetOriginId: "test-1be01d1424077260.elb.us-east-1.amazonaws.com"
       TrustedKeyGroups: {
         Enabled: false
         Items: null
         Quantity: 0.000000
       }
       TrustedSigners: {
         Enabled: false
         Items: null
         Quantity: 0.000000
       }
       ViewerProtocolPolicy: "allow-all"
     }
   }
 ]
 functions: [
   0: {
     status: ""
     arn: "arn:aws:cloudfront:global:185972265011::/functions/vjtest"
     comment: ""
     stage: "DEVELOPMENT"
     name: "vjtest"
     runtime: "cloudfront-js-1.0"
     lastModifiedTime: "2023-01-29T21:07:01Z"
     createdTime: "2023-01-29T21:07:01Z"
   }
 ]
}

GCP resource updates​

We've continued to expand the data you can query using MQL in your GCP projects to make asset inventory and security easier:

We added a new gcp.project.compute.addresses resource:

gcp.project.compute.addresses[0]: {
ipv6EndpointType: ""
created: 2022-12-15 12:45:25.62 -0800 -0800
address: "10.10.0.2"
network: data is not a map to auto-expand
networkTier: "PREMIUM"
id: "2700460578865297802"
userUrls: [
    0: "https://www.googleapis.com/compute/v1/projects/mondoo-edge/regions/us-central1/forwardingRules/gke-mondoo-gke-cluster-2-c255f8bc-73b71c8f-pe"
]
ipVersion: ""
name: "gke-mondoo-gke-cluster-2-c255f8bc-73b71c8f-pe"
status: "IN_USE"
subnetworkUrl: "https://www.googleapis.com/compute/v1/projects/mondoo-edge/regions/us-central1/subnetworks/mondoo-gke-cluster-2-subnet"
prefixLength: 0
networkUrl: ""
regionUrl: "https://www.googleapis.com/compute/v1/projects/mondoo-edge/regions/us-central1"
addressType: "INTERNAL"
purpose: "GCE_ENDPOINT"
description: ""
subnetwork: gcp.project.computeService.subnetwork name="mondoo-gke-cluster-2-subnet"
}

We added new gcp.project.compute.forwardingRules resource:

gcp.project.compute.forwardingRules: [
0: {
    description: ""
    ipProtocol: "TCP"
    serviceDirectoryRegistrations: []
    id: "1374403102344"
    labels: {}
    name: "front-lb-1-test"
    serviceName: ""
    network: gcp.project.computeService.network name="test-vpc-3"
    networkUrl: "https://www.googleapis.com/compute/v1/projects/manuel-development-2/global/networks/test-vpc-3"
    allPorts: false
    targetUrl: "https://www.googleapis.com/compute/v1/projects/manuel-development-2/regions/us-central1/targetHttpProxies/lb-1-test-target-proxy"
    ipAddress: "35.209.226.183"
    allowGlobalAccess: false
    networkTier: "STANDARD"
    backendService: ""
    isMirroringCollector: false
    subnetwork: data is not a map to auto-expand
    noAutomateDnsZone: false
    serviceLabel: ""
    ports: []
    loadBalancingScheme: "EXTERNAL_MANAGED"
    ipVersion: ""
    created: 2023-01-19 10:56:30.873 -0800 -0800
    metadataFilters: []
    regionUrl: "https://www.googleapis.com/compute/v1/projects/manuel-development-2/regions/us-central1"
    portRange: "80-80"
    subnetworkUrl: ""
	}
]

gcp.project.dataproc.clusters data is now only gathered if the DataProc Cloud service is enabled in the project.

We improved the reliability of parsing GCP alert policies conditions.

NewPublicAccessPrevention for gcp.storage.buckets resource​

The gcp.storage.buckets resource now includes publicAccessPrevention data. Here's an example of querying this data out for all buckets in a project:

gcp.storage.buckets { iamConfiguration['publicAccessPrevention'] }
gcp.storage.buckets: [
 0: {
   iamConfiguration[publicAccessPrevention]: "inherited"
 }
 1: {
   iamConfiguration[publicAccessPrevention]: "inherited"
 }
 2: {
   iamConfiguration[publicAccessPrevention]: "inherited"
 }
 3: {
   iamConfiguration[publicAccessPrevention]: "inherited"
 }
]

🐛 Other Improvements

  • Improve consistency of the icons in each integration page and ensure they are all using the latest vendor logos.
  • Allow opening assets in the fleet view in new windows.
  • Don't show advisories with 0 impacted assets on the space overview page if there are no advisories for any assets in the space.
  • Allow showing asset utilization even if billing is not configured.
  • Improve the reliability of CIS GCP Foundation benchmark results.
  • Update help and errors for cnspec and cnquery Azure commands to make it more clear you can use both a .pfx and a .pem certificate file.
  • Fix parsing of certificate data on Linux with ports.listening resource.
  • Fix parsing of IPv6 data with the ports.listening resource.
  • Fix discovery of Google Workspace assets.
  • Fix a remediation step typo in the AWS Security by Mondoo policy.
  • Add a tooltip to the Get Support link in the navigation menu.
  • Fix links to ChatOps integrations in the navigation menu.
  • Fix errors running some Google Workspace resources.
  • Improve help for GitHub resources.
  • Improve the error message when Okta API requests fail.
  • Fix a cnspec panic when using the -o output reporter when all results produce an error.
  • Show errors when scanning systems with cnspec.
  • Show asset names with cnspec when using the -o report reporter.
  • The + button on the Managed Clients page now properly links to "Server & Endpoint Security" integrations.
  • The platform column in the Managed Clients page now displays platform values.
  • Notification bell now indicates the number of unread notifications.
  • Update several integration logos to use high-resolution logos for retina displays.
  • Update integration pages with more consistent headers.
  • Handle errors when setting up integrations.
  • Add back the missing link to documentation on the Kubernetes integration page.
  • Change all references to Amazon AWS to be just AWS. No ATM machines here!
  • Fix the AWS Integration counts on the overview page not always matching actual counts.
  • Improve reliability of results in the CIS Microsoft Azure Foundations and CIS GCP Foundations policies.
  • Don't mention the legacy Library name in the Mondoo Vulnerability Database.
  • Update VMware examples in the console to use cnspec.
  • Enable the Mondoo install script to handle GPG key updates to package repositories to prevent update failures.
  • Improve the error message when an incorrect repository is passed to scan github repo.
  • Fix a race condition in the cnspec/cnquery scan progress bars.
  • Print status of assets that can't be scanned in the progress bars.
  • Expose the actual error from GCP when unable to connect to resources.
  • Remove an extra warning that was incorrectly printed while scanning Terraform configs.
  • Ignore Terraform content in the .terraform directory.
  • Properly display policies in Policy Hub that have zero queries.
  • Fix links to integration pages from the Service Accounts.
  • Improve reliability in some Azure CIS Foundation policy queries.
  • Improve the reliability of Kubernetes status in the Kubernetes integration pages.
  • Operating system integration pages no longer mention the setup of Mondoo Client.
  • Kubernetes Integration page once again enables workload scanning by default.
  • Mondoo GitHub action supports scanning GitHub organizations again.
  • Fix MQL queries hanging with aliased and direct resource in the same policy.
  • Show the scan trigger button on the AWS integrations when they are in an errored state.
  • Only call the Google Cloud CLI when scanning GCP if neither project or project-id were provided.
  • Fix errors using the gcp.project.gkeService when a GKE cluster hasn't finished provisioning.
  • Fix failures when scanning GCP storage buckets.
  • Add projectID to many GCP resources so asset relationships can be determined.
  • Deprecate the zone value for GKE clusters in favor of a new location value.
  • We renamed the terraform platform to terraform-hcl because fleet view doesn't make it apparent that it's Terraform HCL configuration files.
  • Scan Google Workspace with cnspec scan google-workspace. Don't worry—the previous command still works for automation backwards compatibility.

Dominik Richter

Dom is a founder, coder, and hacker and one of the creators of Mondoo. He helped shape the DevOps and security space with projects like InSpec and Dev-Sec.io. Dom worked in security and automation at companies like Google, Chef, and Deutsche Telekom. Beyond his work, he loves to dive deep into hacker and nerd culture, science and the mind, and making colorful pasta from scratch.

You might also like

Mondoo May 2024 Release Highlights
Releases
Mondoo April 2024 Release Highlights
Linux
Exploring the Latest Security Features in Ubuntu 24.04