Get Started with the Mondoo Shell
The Explanation
What is this thing?
Mondoo shell is a powerful discovery tool for your infrastructure.
What does it do?
It enables you to ask questions about your infrastructure. Instead of manually inspecting and parsing the services list, iptables rules, and packages on your machine, or manually chaining and aggregating the results of AWS API calls across multiple regions, you can ask and discover with a query written in MQL (Mondoo Query Language) in the Mondoo shell.
What does it run on?
All platforms that are supported by Mondoo scan are supported by Mondoo shell.
Start the Mondoo Shell
Connect to the Mondoo shell the same way you would run a Mondoo Scan:
mondoo shell -t aws
mondoo shell -t ssh://vagrant@127.0.0.1:2222 -p vagrant --insecure --sudo
mondoo shell -t k8s
The Examples
Linux System
query:
# list all the packages on the machine
packages.list { installed outdated name }
partial sample result:
543: {
name: "openssl"
installed: true
outdated: false
}
544: {
name: "dbus-common"
installed: true
outdated: false
}
545: {
name: "gzip"
installed: true
outdated: false
}
546: {
name: "dbus"
installed: true
outdated: false
}
547: {
name: "systemd-udev"
installed: true
outdated: false
}
query:
# parse the sshd config file and return the ciphers and params
sshd.config("/etc/ssh/sshd_config") { ciphers params }
partial sample result:
sshd.config: {
params: {
AcceptEnv: "LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES,LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT,LC_IDENTIFICATION LC_ALL LANGUAGE,XMODIFIERS"
AuthorizedKeysFile: ".ssh/authorized_keys"
ChallengeResponseAuthentication: "no"
GSSAPIAuthentication: "no"
GSSAPICleanupCredentials: "no"
HostKey: "/etc/ssh/ssh_host_rsa_key,/etc/ssh/ssh_host_ecdsa_key,/etc/ssh/ssh_host_ed25519_key"
PasswordAuthentication: "yes"
AWS Account
query:
# return the instanceType, tags, and launchTime for all EC2 instances in the AWS account (multi-region)
aws.ec2.instances { instanceType tags launchTime }
partial sample result:
10: {
launchTime: 2022-06-20 12:26:40 +0000 UTC
tags: {
GitHubOrg: "mondoohq"
GitHubRepo: "demo"
Name: "kali-linux-hacker-instance-ecrm"
Terraform: "true"
}
instanceType: "t2.medium"
}
11: {
launchTime: 2021-01-16 15:25:54 +0000 UTC
tags: {}
instanceType: "t2.small"
}
query:
# return location, policy, encryption, and logging configurations for all the S3 buckets in the AWS account
aws.s3.buckets { location policy encryption logging }
partial sample result:
3: {
logging: {}
encryption: {
Rules: [
0: {
ApplyServerSideEncryptionByDefault: {
KMSMasterKeyID: null
SSEAlgorithm: "AES256"
}
BucketKeyEnabled: false
}
]
}
policy: aws.s3.bucket.policy id = aws-logs-921877552404-us-east-2-access-logs
location: "us-east-2"
}
4: {
logging: {}
encryption: null
policy: null
location: "eu-central-1"
}
K8S Cluster
query:
# return the name, labels, and kind for all k8s nodes
k8s.nodes { name labels kind }
partial sample result:
0: {
kind: "Node"
labels: {
beta.kubernetes.io/arch: "amd64"
beta.kubernetes.io/os: "linux"
kubernetes.io/arch: "amd64"
kubernetes.io/hostname: "minikube"
kubernetes.io/os: "linux"
minikube.k8s.io/commit: "a03fbcf166e6f74ef224d4a63be4277d017bb62e"
minikube.k8s.io/name: "minikube"
minikube.k8s.io/updated_at: "2022_06_15T17_35_18_0700"
minikube.k8s.io/version: "v1.22.0"
node-role.kubernetes.io/control-plane: ""
node-role.kubernetes.io/master: ""
node.kubernetes.io/exclude-from-external-load-balancers: ""
}
name: "minikube"
}
query:
# return the name and spec of all k8s services
k8s.services { name spec }
partial sample result:
1: {
name: "kube-dns"
spec: {
clusterIP: "10.96.0.10"
clusterIPs: [
0: "10.96.0.10"
]
ipFamilies: [
0: "IPv4"
]
ipFamilyPolicy: "SingleStack"
ports: [
0: {
name: "dns"
port: 53.000000
protocol: "UDP"
targetPort: 53.000000
}
1: {
name: "dns-tcp"
port: 53.000000
protocol: "TCP"
targetPort: 53.000000
}
2: {
name: "metrics"
port: 9153.000000
protocol: "TCP"
targetPort: 9153.000000
}
]
selector: {
k8s-app: "kube-dns"
}
sessionAffinity: "None"
type: "ClusterIP"
}
}
Going Further
MQL has the ability to filter and evaluate query results. The syntax is based on JavaScript and GraphQL.
Keywords for Listing Results and Filtering
- : use to list all the fields in a resource
- { fieldname fieldname }: use curly brackets and specific fieldnames to only return the fields you want
- where: use where to only return results that match the where clause
Keywords for True/False Results on Arrays ([])
- all: all results must match
- any: at least one result must match
- one: only one result must match
- contains: match result exists on the array
- containsNone: match result does not exist on the array
Helpers
- time.now(): the current timestamp
- time.day, time.minute: multiply by an integer to build a duration in days or minutes, for comparing against a timestamp
What is available to query
See everything you can query here
Examples
# return information on all EC2 instances whose launchTime is more than 3 days ago
aws.ec2.instances.where(launchTime < time.now() - 3 * time.day) { arn launchTime tags }
# ensure the sshd config macs contains the string "test"
sshd.config.macs.contains("test")
# return the name and policy statements of all S3 buckets where the policy is not null
aws.s3.buckets.where(policy != null) { name policy.statements }
# no AWS IAM user should have policies attached directly to their user
aws.iam.users.all( attachedPolicies.length == 0 )
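The keyword and helper sections above, worked through against the resources shown earlier on this page, as an added example that is not part of the original page or of Mondoo's own documentation. Each line is a separate query typed into the Mondoo shell. The resources and fields (packages, sshd.config, aws.ec2.instances, aws.s3.buckets, k8s.nodes, k8s.services and their listed fields) are the ones the page shows; bracket access into the params/labels/spec maps, the .length property on maps, chaining two .where() calls, and element matching for contains/containsNone on the ciphers and macs arrays (as in the macs example above) are assumptions.

```mql
# --- Linux: packages and sshd ---
# where + field selection: only the packages that are outdated, by name
packages.list.where(outdated == true) { name installed }

# all: true only if no package on the host is outdated
packages.list.all(outdated == false)

# params is the map shown in the sshd.config sample; bracket access keys it by option name (assumed)
sshd.config.params["PasswordAuthentication"] == "no"

# contains / containsNone on the ciphers and macs arrays (element match assumed)
sshd.config.ciphers.containsNone("3des-cbc")
sshd.config.macs.contains("hmac-sha2-512")

# --- AWS ---
# time helpers: instances launched in the last 7 days; a chained where (assumed) keeps only untagged ones
aws.ec2.instances.where(launchTime > time.now() - 7 * time.day).where(tags.length == 0) { instanceType launchTime }

# any vs all: is at least one bucket unencrypted, and are all of them encrypted?
aws.s3.buckets.any(encryption == null)
aws.s3.buckets.all(encryption != null)

# buckets with no access logging configured, and the region they live in (logging.length assumed)
aws.s3.buckets.where(logging.length == 0) { name location }

# --- Kubernetes ---
# labels map keyed with bracket access (assumed): every node must run Linux
k8s.nodes.all(labels["kubernetes.io/os"] == "linux")

# one: exactly one service named kube-dns should exist
k8s.services.one(name == "kube-dns")

# spec is the map shown in the services sample; list services that are not ClusterIP
k8s.services.where(spec["type"] != "ClusterIP") { name spec }
```

The where queries with a { } block return the listed fields for each matching item, as in the samples above; the all/any/one/contains/containsNone forms return a single true or false, which is the shape to use when a query is meant to act as a check.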