
Mondoo 11.4 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 11.4 is out! This release includes loads of new CIS benchmark policies, new AWS resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New CIS Debian 12 benchmark policies

Secure Debian 12 systems with new CIS Debian Linux 12 Benchmark Levels 1 & 2 policies. These policies include 284 checks specifically tuned for this latest release of Debian.

Expanded AWS network inspection capabilities

New AWS resources provide detailed insights into your AWS network infrastructure.

  • aws.ec2.eip: Elastic IPs, including attachment status and the individual IPs of instances to which they're attached
  • aws.vpc.natgateway: VPC NAT gateways, including the IP addresses and VPCs associated with them
  • aws.vpc.peeringConnection: VPC peering connections, to understand how VPCs in different AWS accounts relate
  • aws.vpc.serviceEndpoint: VPC service endpoints, to better understand connectivity to AWS PrivateLink

🧹 IMPROVEMENTS

Improved risk score display for CVEs

Understand the true risk of CVEs at a glance with a new risk score box on CVE pages. The risk score box includes the overall risk of the CVE as well as the CVSS score, EPSS score, risk factors, and blast radius so you can quickly understand whether a CVE needs attention.

CVE Risk Score Box

Updated Windows and Linux CIS benchmark policies

Scan your infrastructure with the very latest CIS benchmark policies for Linux and Windows. These updated policies include improved descriptions, remediation steps, and new checks to keep your systems secure against the latest threats.

  • CIS Benchmark RHEL 7 v4.0.0
  • CIS Benchmark CentOS 7 v4.0.0
  • CIS Benchmark Oracle Linux 7 v4.0.0
  • CIS Benchmark Amazon Linux 2 v3.0.0
  • CIS Benchmark Windows 2019 v3.0.0
  • CIS Benchmark Windows 2022 v3.0.0

Improved container policy application

From SSH configuration to interactive user permissions, many traditional security checks aren't applicable in a container world. To reduce noise and help you prioritize what matters, CIS benchmarks no longer apply to container workloads. Instead, we've modified our existing Mondoo Linux Security policy to better execute on containers. We highly recommend enabling this policy to scan your containerized workloads.

If you have any suggestions for how we can improve this policy, reach out at hello@mondoo.com.

Fedora AWS instance snapshot scanning

Scan Fedora workloads in AWS without deploying the Mondoo package. New snapshot scanning support for Fedora instances makes this possible.

Improved control of SSH policy application

Tune Mondoo's SSH security checks to meet your particular business needs with newly reworked SSH checks that include properties. With properties, you can set your allowed SSH key exchange algorithms, ciphers, and message authentication codes (MACs) without the need to write your own checks.

Validate user account domains in internal Slack channels

Our new "Ensure domain is enforced on internal channels" check lets you make sure all users in your internal channels signed up to Slack using an approved email domain. This check includes a property so you can add one or more allowed domains to ensure that all employees use work email accounts.

Proxy support for Kubernetes container scans

Running an air-gapped Kubernetes cluster? Don't worry; we've got you covered with new support for scanning workload container images using a proxy server. Update to the 11.2 release of the Mondoo Kubernetes Operator and set your proxy URL in the new ContainerProxy configuration option.

Resource improvements

aws.dynamodb.export

aws.ssm.parameter

docker.file

  • New user field

πŸ› BUG FIXES AND UPDATES​

  • Improve the application of chrony and timesyncd checks in CIS Linux benchmarks.
  • Improve handling of API token creation.
  • Add a helpful message for users when a space has no prioritization data due to older Mondoo scans.
  • Don't show the risk factors heading on the Affected Assets page if there are no risk factors.
  • Add break-out links for top CVEs and security misconfigurations on space dashboards.
  • Improve formatting of downloaded compliance frameworks.
  • Improve reliability of checks in the CIS Azure Foundations benchmark policies.
  • Fix a failure fetching the docker.file.file resource field.
  • Fix querying subnetworks for a network on GCP.
  • Improve rendering of the ellipsis menu in AWS integration pages.
  • Fix navigation bar links to Slack scanning integrations failing to load.
  • Add new asset overview information for Azure assets when scanning with --discover all.
  • Fix failures scanning Dockerfiles not in the current directory.
  • Fix scans of some Windows assets not showing results.
  • Update the exceptions count on assets to not include rejected exceptions.

Mondoo 11.3 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 11.3 is out! This release includes new Kubernetes policies, GitHub org scanning support, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

All-new CIS Kubernetes policies

Mondoo now includes the latest CIS Kubernetes benchmark policies for self-managed Kubernetes clusters, EKS, AKS, and GKE. These policies include the latest CIS recommendations as well as all-new queries for improved output so you can remediate issues more quickly.

GitHub organization scanning

Set it and forget it with complete GitHub organization scanning. Configure the integration one time and scan new repositories as they're created so you're never caught off guard.

Organization scanning options

Need more control over what's scanned? Specify individual repositories to include in the scan, or repos you'd like skipped.

Scan filtering options

Scanning on the command line? Enjoy a 10x performance improvement and new scalability improvements to scan large organizations.

🧹 IMPROVEMENTS

Better understand risks of affected assets

CVE and advisory pages now include the count of individual risk factors, so you can better understand the distribution of risk throughout your infrastructure.

Risk assessment counts

Cancel running AWS integration scans

Cancel all running AWS instance scans for your organization or account directly from the integration page with a new "Cancel Scans" option on the ellipsis menu.

Cancel running scans

Resource updates

github.organization

  • Add hasOrganizationProjects field
  • Add hasRepositoryProjects field

πŸ› BUG FIXES AND UPDATES​

  • Prevent empty asset names when scanning operating systems.
  • Don't fail when using the JUnit output formatter if a policy bundle is empty.
  • Don't require delete run commands permission to scan VMs in Azure.
  • Fix failures in the aws.elb.loadbalancer resource when used with --discover resources.
  • Improve asset overview data for various AWS assets when scanning with --discover resources.
  • Improve performance of asset platform detection.
  • Improve the space dashboard experience when scanning VMware and Azure assets.
  • Better handle empty author and committer data in GitHub repo scans.
  • Fix a failure loading some asset scans.
  • Fix breadcrumbs on CVE and advisory pages.
  • Improve rendering of the affected assets page risk factors on narrow displays.
  • Improve rendering of inventory list platform badges on narrow displays.
  • On individual check pages, show more of the check description text before truncating it with a Show More link.
  • Use a clearer icon for generating compliance reports from framework pages.
  • Display more useful error messages if an asset cannot be displayed in the console.
  • Improve rendering of risk factor icons throughout the console.

Mondoo 11.2 is out!

· 6 min read
Mondoo Core Team

🥳 Mondoo 11.2 is out! This release includes a whole new compliance as code experience, new tools to prioritize findings, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Compliance as code in Compliance Hub

Every audit is different. Now you can customize the Mondoo Compliance Hub experience to match the exact evidence required by your auditor.

Start by downloading one of our top industry compliance frameworks to your local system directly from Compliance Hub.

Download a framework

This Compliance as Code framework file is pre-customized for your space with compliance evidence mappings from policies you've enabled and any exceptions you've defined. Want to edit a mapped check or perhaps add a new population control your auditor is asking for? You can customize this file with any additional controls or specific evidence items your auditor has asked for.

Edit a framework

With your compliance framework fully customized for your auditor's requirements, upload it to Compliance Hub and track your progress just as you would using an out-of-the box framework. Need to make a change? Don't worry: You can replace the framework with an updated version at any time or remove it altogether.

Edit a framework

New policy check detail pages

New policy check pages allow you to better understand critical impacts to your business. Score tiles bring risk front and center and include risk factors and blast radius, so you can understand the priority of findings. With refactored query descriptions it's easier to understand why a check is important, how Mondoo evaluates your assets, and what risk factors mean to the safety of your infrastructure.

Check Page

New Affected Assets vulnerabilities page

A whole new vulnerabilities Affected Assets page lets you better prioritize assets in your environment with critical vulnerabilities. Top-of-page filters allow you to drill into individual risk factors that increase or decrease the threat that vulnerabilities present.

Vulnerabilities Affected Assets page

Automated integration setup in Terraform

Sprinkle some IaC on your Mondoo deployment with the latest capabilities in Mondoo's Terraform provider 0.6.0. With this new release of our Terraform provider you can automate the setup of Azure, Slack, and domain integrations. You can even tie the Azure setup in with the Mondoo setup to make managing Azure applications easier than ever. Thank you @mati007thm and @Pauti for all your fantastic work making this provider possible!

Kubernetes DaemonSet-based node scanning

With the new DaemonSet Kubernetes node scanning option you can scan Kubernetes cluster nodes with the Mondoo Kubernetes Operator even if node utilization is too high for CronJob scheduling. If your clusters run at high utilization, you can either edit an existing integration to use DaemonSets or configure a new integration with DaemonSet node scanning.

K8s integration setup page

🧹 IMPROVEMENTS

Resource updates

aws.ec2.images

  • Add createdAt field

aws.elb.loadbalancer

  • Add availabilityZones field
  • Add elbType field
  • Add hostedZoneId field
  • Add region field
  • Add securityGroups field
  • Add vpc field
  • Deprecate vpcId in favor of vpc field which exposes the aws.vpc resource

aws.vpc.subnet

  • Add region field

docker.file

  • Add expose field
  • Add label field

gcp.project.gkeService.cluster

  • Expand default fields to improve cnquery shell use
  • Add shieldedNodesConfig field
  • Add costManagementConfig field
  • Add confidentialNodesConfig field
  • Add identityServiceConfig field
  • Add networkPolicyConfig field

gcp.project.gkeService.cluster.addonsConfig

  • Add gcsFuseCsiDriverConfig field
  • Add statefulHaConfig field

gcp.project.gkeService.cluster.networkConfig

  • Add enableMultiNetworking field
  • Add enableFqdnNetworkPolicy field
  • Add enableCiliumClusterwideNetworkPolicy field

sshd.config

An all-new sshd.config resource includes support for parsing the combined sshd_config and sshd_config.d/* configs. Now Mondoo can track the running state of your SSH daemon no matter where you define configuration options.

Mondoo now properly identifies match groups across include paths defined in the sshd_config file. We have extensively tested how SSHd handles the various edge-cases and have adjusted our parser accordingly. It now properly parses the different scenarios of match groups with or without include statements and adds them to the affected subgroups.

The content field is now deprecated. This is an old remnant that no longer provides the best version of the raw SSHd config. As mentioned above, include and match statements behave differently based on their context, so they cannot simply be aggregated into a single content file. Instead, please use the already provided file and files fields, which both have content as their subfields. Multiple statements are now correctly treated in params: in the case of SSHd, the first statement usually wins (with a couple of edge cases that are still aggregated, which have been added here as well).

Include statements now work with relative and absolute paths. We previously only supported relative paths (such as files inside of /etc/ssh). This limitation is no longer in place.
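To make the parsing rules above concrete, here is a simplified Python model of how sshd assembles its effective configuration: relative Include paths resolve under /etc/ssh, absolute paths and globs work, directives inside a Match block (including ones pulled in by an Include placed there) belong to that block, and a repeated keyword keeps its first value except for a few accumulating keywords. This is an added example, not Mondoo's Go implementation of the sshd.config resource; it assumes a temp directory standing in for /etc/ssh with constructed sample files, and the accumulating-keyword set and the behaviour of a Match opened inside an included file are assumptions modelled on OpenSSH's parser.

```python
"""Simplified model of sshd's effective-config assembly (added example, not Mondoo's sshd.config resource)."""
import glob
import os
import tempfile

SSH_DIR = "/etc/ssh"  # base directory for relative Include paths
# Keywords that accumulate instead of first-wins (assumed subset; verify for your OpenSSH version).
ACCUMULATE = {"hostkey", "port", "listenaddress", "acceptenv"}


class SshdConfig:
    def __init__(self):
        self.params = {}   # global keyword -> first value seen (a list for ACCUMULATE keywords)
        self.matches = []  # [(criteria, {keyword: value}), ...] in file order

    def _set(self, block, key, value):
        store = self.params if block is None else self.matches[block][1]
        if key in ACCUMULATE:
            store.setdefault(key, []).append(value)
        else:
            store.setdefault(key, value)  # first statement wins

    def load(self, path, base=SSH_DIR, block=None, depth=0):
        """Parse one file; returns the index of the Match block open when it ends (None if global)."""
        if depth > 16:
            raise RecursionError("Include nesting too deep")
        with open(path) as fh:
            lines = fh.read().splitlines()
        for raw in lines:
            line = raw.split("#", 1)[0].strip()  # simplified comment handling
            if not line:
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                self.matches.append((value, {}))
                block = len(self.matches) - 1
            elif key == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(base, pattern)
                    for inc in sorted(glob.glob(pattern)):
                        # Directives in the included file land in the current block; a Match
                        # opened inside it stays open afterwards (assumption modelled on
                        # OpenSSH's parser), so the block index is threaded through.
                        block = self.load(inc, base, block, depth + 1)
            else:
                self._set(block, key, value)
        return block


def build_sample_tree():
    """Write a constructed sample tree to a temp dir that stands in for /etc/ssh."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sshd_config.d"))
    os.makedirs(os.path.join(root, "extra"))
    main = (
        "Include sshd_config.d/*.conf\n"              # relative path with a glob
        "HostKey /etc/ssh/ssh_host_rsa_key\n"
        "PermitRootLogin yes   # ignored: the earlier 'no' from the include wins\n"
        "PasswordAuthentication no\n"
        "Match Group sftponly\n"
        f"  Include {os.path.join(root, 'extra', 'sftp.conf')}\n"  # absolute path inside a Match
        "  PasswordAuthentication yes\n"
    )
    files = {
        "sshd_config.d/10-hardening.conf": "PermitRootLogin no\nX11Forwarding no\n"
                                           "HostKey /etc/ssh/ssh_host_ed25519_key\n",
        "sshd_config.d/20-ciphers.conf": "Ciphers aes256-gcm@openssh.com\n",
        "extra/sftp.conf": "ChrootDirectory /srv/sftp\nForceCommand internal-sftp\n",
        "sshd_config": main,
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


def effective_config(root):
    """Parse root/sshd_config, using root as the base for relative includes."""
    cfg = SshdConfig()
    cfg.load(os.path.join(root, "sshd_config"), base=root)
    return cfg


if __name__ == "__main__":
    cfg = effective_config(build_sample_tree())
    print("global:", cfg.params)
    print("match blocks:", cfg.matches)
```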

Ubuntu 24.10 CVE detection

Yesterday Canonical announced the start of development for Ubuntu 24.10, code-named Oracular Oriole. If you're a risk taker and want to run this pre-alpha release of Ubuntu, Mondoo has your back with CVE support for this upcoming release.

More policies out of the box for new spaces

Get started more quickly with new out-of-the-box policies for DNS, Slack, and TLS for all newly created spaces.

πŸ› BUG FIXES AND UPDATES​

  • Prevent failures scanning GCP BigQuery.
  • Fix failures scanning Atlassian accounts.
  • Improve display of Azure resources on the inventory page when resource discovery is used.
  • Improve documentation for AWS and Azure resources within cnquery shell.
  • Fix failures scanning GCP compute resources.
  • Support scanning individual resources within a GCP org during scanning.
  • Display CVEs linked to CentOS advisories.
  • Switch Red Hat Enterprise Linux EOL dates to use the Maintenance Support 2 date because this is included with support by default.
  • Improve performance of the advisories page.
  • Don't include preview policies in an asset's score.
  • Improve display of Atlassian group names on the inventory page.
  • Don't group GCP Folders as "Others" on the inventory page.
  • Fix warnings in GCP compute instance asset overview pages.
  • Fix Azure compute VMs grouping under "Subscriptions" on the inventory page.
  • Improve the icon for the remote execution risk factor.
  • Collect the version of Microsoft Exchange to the Mondoo Windows asset inventory query pack.

Mondoo 11.1 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 11.1 is out! This release includes Dockerfile scanning, ENV var credentials in inventory files, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Dockerfile scanning

Expose security concerns before they reach production with new Mondoo Dockerfile scanning. Run cnquery shell docker file DIRECTORY_OR_PATH to inspect a single Dockerfile or find nested Dockerfiles within directories. Using the new docker.file resource, you can explore the file itself or dive into Dockerfile stages and instructions.

cnquery shell docker file Dockerfile
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ connected to Dockerfile
___ _ __ __ _ _ _ ___ _ __ _ _
/ __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| | __/ | | |_| |
\___|_| |_|\__, |\__,_|\___|_| \__, |
mondoo™ |_| |___/ interactive shell

cnquery> docker.file.stages{*}
docker.file.stages: [
  0: {
    entrypoint: null
    add: []
    run: [
      0: docker.file.run script="mkdir -p /opt/app"
      1: docker.file.run script="npm install"
    ]
    file: docker.file file.path="Dockerfile" instructions.length=8 stages.length=1
    copy: [
      0: docker.file.copy src=[
        0: "src/package.json"
        1: "src/package-lock.json"
      ] dst="."
    ]
    from: docker.file.from name="" image="node" tag="18.16.0-alpine3.17"
    env: {}
    cmd: docker.file.run script="npm start"
  }
]

Stay tuned for upcoming Dockerfile policies and Dockerfile security monitoring in the Mondoo Console!
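As an added example (not Mondoo's docker.file implementation), the following Python parser produces the same stage-oriented structure shown in the shell output above, one stage per FROM with its run, copy, env, cmd and user instructions, and then audits the stages for the kind of problems a Dockerfile policy would flag: unpinned base images, credentials baked into ENV, and a final stage that never drops root. The sample Dockerfile is constructed and modelled on the single stage in the output above.

```python
"""Stage-oriented Dockerfile parser and audit (added example, not Mondoo's docker.file code)."""
import re
import shlex
from dataclasses import dataclass, field


@dataclass
class Stage:
    image: str
    tag: str = ""
    name: str = ""
    run: list = field(default_factory=list)
    copy: list = field(default_factory=list)
    env: dict = field(default_factory=dict)
    cmd: str = ""
    user: str = ""


def _logical_lines(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations, skipping comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def _split_image(ref):
    """'registry:5000/ns/app:1.0' -> ('registry:5000/ns/app', '1.0'); a digest stays in the tag slot."""
    if "@" in ref:
        return tuple(ref.split("@", 1))
    if ":" in ref.rsplit("/", 1)[-1]:  # only a colon after the last slash separates a tag
        return tuple(ref.rsplit(":", 1))
    return ref, ""


def parse_dockerfile(text):
    """Return a list of Stage objects, one per FROM instruction."""
    stages = []
    for ins, arg in _logical_lines(text):
        if ins == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=...
            image, tag = _split_image(tokens[0])
            name = tokens[2] if len(tokens) >= 3 and tokens[1].upper() == "AS" else ""
            stages.append(Stage(image=image, tag=tag, name=name))
            continue
        if not stages:
            raise ValueError(f"{ins} before any FROM instruction")
        st = stages[-1]
        if ins == "RUN":
            st.run.append(arg)
        elif ins in ("COPY", "ADD"):
            parts = [p for p in shlex.split(arg) if not p.startswith("--")]  # drop --from, --chown
            st.copy.append({"src": parts[:-1], "dst": parts[-1]})
        elif ins == "ENV":
            pairs = re.findall(r'(\w+)=("[^"]*"|\S*)', arg)
            if not pairs:  # legacy "ENV KEY value" form
                k, _, v = arg.partition(" ")
                pairs = [(k, v)]
            for k, v in pairs:
                st.env[k] = v.strip('"')
        elif ins == "CMD":
            st.cmd = arg
        elif ins == "USER":
            st.user = arg
    return stages


def audit_stages(stages):
    """Return (stage_index, finding) tuples: unpinned base images, credential-like ENV
    keys, and a final stage that still runs as root."""
    findings = []
    for i, st in enumerate(stages):
        earlier = {s.name for s in stages[:i] if s.name}  # FROM <stage name> is not an image
        if st.image not in earlier and st.image != "scratch" and st.tag in ("", "latest"):
            findings.append((i, f"base image {st.image} is not pinned to a tag or digest"))
        for k in st.env:
            if re.search(r"passw|secret|token|api_?key", k, re.IGNORECASE):
                findings.append((i, f"ENV {k} looks like a credential baked into the image"))
    if stages and stages[-1].user in ("", "root", "0"):
        findings.append((len(stages) - 1, "final stage runs as root (no USER instruction)"))
    return findings


# Constructed sample, modelled on the stage shown in the shell output above plus a second stage.
SAMPLE = """\
FROM node:18.16.0-alpine3.17 AS build
RUN mkdir -p /opt/app
COPY src/package.json src/package-lock.json .
RUN npm install \\
    && npm run build
FROM node
ENV NODE_ENV=production API_TOKEN=changeme
COPY --from=build /opt/app/dist /opt/app
CMD npm start
"""
```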

Google Container-Optimized OS 113

Mondoo now includes security scanning and EOL detection support for Google's latest COS 113 release.

🧹 IMPROVEMENTS

Resource updates

aws.ec2.instances

  • Improve the performance of instance scanning

aws.ec2.networkacl

  • Add associations field

aws.inspector

aws.s3.bucket

  • Fix failures fetching ACL grants

gcp.project.bigqueryService

  • Fix failures querying BigQuery resources

Store credentials in ENV vars with inventory files

Supercharge Mondoo scans in your CI pipelines using ENV var credentials in Mondoo inventory files.

Specify an ENV var within your inventory file:

spec:
  assets:
    - connections:
        - type: slack
          credentials:
            - type: env
              env: CUSTOM_SLACK_TOKEN

Set that ENV var in your CI job and run cnspec as usual:

export CUSTOM_SLACK_TOKEN="token"
cnquery scan --inventory-file inventory.yml

Updated Mondoo AWS policy

We rewrote the Mondoo AWS Security policy from the ground up with new and expanded queries that match the latest AWS capabilities and risks.

Improved vulnerability EPSS graphs

Improved EPSS graphs expose the risk percentile and are redesigned for easy reading.

EPSS Graph

πŸ› BUG FIXES AND UPDATES​

  • Return the full package version when analyzing RPMs.
  • When performing volume/snapshot scanning of XFS volumes, scan all non-boot volumes if multiple XFS volumes exist.
  • Always close the RPM database after checking packages.
  • Fix a race condition in provider shutdown.
  • Renamed Workstation to Development Workstation on the integrations page.

Mondoo 11.0 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 11.0 is out! This release includes Firewatch, our new risk prioritization system!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Introducing Mondoo Firewatch

Mondoo version 11 ships with our all-new Firewatch feature, which helps you to surface critical risks and prioritize the most important findings first.

Expose risks that compromise assets

Not all security findings are created equal. With Firewatch, we combine contextual risks on the asset and downstream system exposure to elevate the most important findings first. Elevating risk allows you to move beyond the fire hose of security findings and instead fix the issues most likely to impact your business.

New views for advisories, CVEs, and assets show risk scores and factors to expose the importance of fixes for your infrastructure.

Advisories

Dive deeper into individual risks with exposure and downstream impact information throughout the console.

CVE Details Page

Understand the impact of a fix

It feels good to kill two birds with one stone. Findings in Mondoo now include a blast radius, so you can understand how many systems are impacted by a finding and resolve a large number of findings at once.

Blast Radius

Prioritize findings with a whole new space experience

Your time isn't limitless, so it's crucial to understand quickly the most important work to be done. In addition to our new risk scoring, we've reworked the UI to focus on the most critical issues first. The all-new space dashboard features a sunburst dial for navigating critical findings in your overall infrastructure, as well as ranked lists of both vulnerabilities and security findings.

Space Dashboard

Learn More

For a deeper look at what we do and how it works, read our Firewatch blog post.

🔨 BREAKING CHANGES

End of life for cnspec/cnquery 9.x

With the release of cnspec and cnquery 11.0, we are no longer supporting our legacy 9.x releases. This does not mean your clients will immediately stop working. However, we will start updating policies to use new MQL capabilities introduced in version 10.0. These changes will improve the readability of queries as well as the scan output, but they are not compatible with older clients. If you need assistance with upgrading older clients, please reach out via our Support form.

New default JSON CLI output

cnspec's --json flag now uses our updated json-2 output format by default. If you rely on the original JSON output, you can still set that using the --output json-2 flag.

🧹 IMPROVEMENTS

Windows 11 compatibility policy

Enable the new Windows 11 Compatibility policy to see if existing Windows workstations meet the hardware requirements for Windows 11. This policy includes several different checks for CPU, RAM, TPM, and hard drive space requirements. To learn more about these hardware requirements, read Microsoft's Windows 11 Specs & System Requirements page.

CIS Azure Foundations 2.1.0

Mondoo now includes the latest CIS Azure Foundations 2.1.0 benchmarks. This new release of the policy includes 82 total updates, including 7 all-new checks and the removal of 8 checks that are no longer relevant.

Console performance improvements

No one wants to wait for web pages to load. That's why we sprinkled some magical optimizations on how the console fetches space and asset data to make sure pages are always snappy to load.

Updated Mondoo Microsoft Azure Security policy

We rewrote the Mondoo Microsoft Azure Security policy from the ground up with new and expanded queries that match the latest Azure capabilities, including Microsoft Entra ID.

Additional organization owner privileges

Organization owners are no longer required to be space owners in order to remove users from a space.

πŸ› BUG FIXES AND UPDATES​

  • Skip CIS Linux checks for at and cron if the packages are not installed.
  • Improve query output of CIS at and cron checks using variants.
  • Update macOS policy to not fail if OS configuration files are missing.
  • Improve memory usage when scanning large numbers of assets.
  • Improve query output in the Mondoo HTTP policy.
  • Improve reliability of VM scanning in Azure.
  • Display check counts when a policy has over 100 checks.
  • Add bread crumbs to check pages to take you back to the policy or security page.
  • Sort scores on the asset pages from worst to best score.
  • Improve the performance of the aws.cloudtrails.trail and aws.ec2.instance resources.

Mondoo 10.11 is out!

· 2 min read
Mondoo Core Team

🥳 Mondoo 10.11 is out! This release includes Azure Container Registry scanning, expanded OS query packs, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Azure Container Registry scanning

Mondoo now supports scanning Azure Container Registries (ACR) that require authentication using credentials stored after running the az login command.

To login and scan a complete registry run:

az login
cnspec scan container registry my_registry.azurecr.io

🧹 IMPROVEMENTS

Collect logged-in users in query packs

Windows, Linux, and macOS query packs now collect the currently logged-in users so you can understand active users on endpoints or remote connections to servers.

πŸ› BUG FIXES AND UPDATES​

  • Fix a failure running the users.all(sshkeys == empty) query.
  • Don't panic when the scan splay is set to 0.
  • Ignore deactivated users in the Slack policy's multi-factor authentication (MFA) check. Thanks for this fix, @jaybrueder!
  • Improve the AWS IAM user "MFA enabled" check to only check users with a set password.
  • Fix the discovery of GCP organizations and folders.
  • Improve the scan gcp help output.
  • Improve failure output when a CLI command can't be parsed in the GCP provider.
  • Fix 403 errors when scanning GCP.
  • Fix failures scanning container registries.
  • Don't print the asset MRN when running cnspec scans.
  • Improve snapshot filesystem type detection.
  • Fix failures scanning Google BigQuery assets.
  • Improve retries during AWS scanning when requests timeout.
  • Fix failures scanning Amazon ECR container registries.

Mondoo 10.10 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 10.10 is out! This release includes XZ Utils vulnerability detection, expanded AWS asset inventory, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

XZ Utils Vulnerability policy

The recent XZ supply chain attack in XZ 5.6.0 and 5.6.1 (CVE-2024-3094) thankfully didn't make it into any mainstream enterprise Linux distributions. There's still a significant risk if employees are running rolling distributions or pre-releases of upcoming Linux distros. To quickly evaluate your CVE-2024-3094 exposure, we've created a new XZ Vulnerability (CVE-2024-3094) policy that looks for XZ 5.6.0/5.6.1 on impacted Linux releases:

  • Alpine
  • Arch
  • Debian trixie/sid
  • Fedora 40
  • Kali 2024.1
  • openSUSE Tumbleweed

XZ Vulnerability Policy affected assets

🧹 IMPROVEMENTS

Improved AWS asset overview information

Get the context you need to resolve security findings quickly with expanded overview information on AWS assets:

  • Volume size on EBS volumes and snapshots
  • Database engine version on RDS instances
  • Storage size and type on RDS instances
  • Table size on DynamoDB tables
  • Retention time on CloudWatch log groups

RDS instance with expanded asset overview

Expanded Endpoint Detection and Response policy support

Detect the ESET EDR in the Endpoint Detection and Response (EDR) policy.

New Terraform checks in CIS GCP Foundation policy

Flag critical security misconfigurations before they ever run in your infrastructure with expanded Terraform config checks in the CIS Google Cloud Platform Foundation policy. New checks evaluate Terraform configs for proper GCP uniform bucket level access setup.

Fedora 40 EOL/CVE detection

The Fedora 40 beta is now available for testing, and Mondoo is ready with CVE and EOL detection for this upcoming Linux release. Keep your test systems safe from critical vulnerabilities such as the compromised XZ release (CVE-2024-3094) that originally shipped in this beta.

Resource improvements

aws.autoscaling.groups

  • Improve resource default values
  • New availabilityZones field
  • New capacityRebalance field
  • New defaultInstanceWarmup field
  • New desiredCapacity field
  • New instances field
  • New maxInstanceLifetime field

aws.cloudfront.distributions

  • New cnames field

πŸ› BUG FIXES AND UPDATES​

  • Improve performance of AWS cloud detection.
  • Fix Windows policies with multi-language support to rely on the system language instead of the locale.
  • Simplify the Linux server installation instructions.
  • Support vulnerability scanning of RPMs with a ^ symbol in the name.
  • Update additional CIS GCP Foundations checks to work against Terraform configs.
  • Fix the CIS VMware ESXi 6.7 Benchmark - Corporate/Enterprise Environment policy to only apply to VMware 6.

Mondoo 10.9 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 10.9 is out! This release includes CVE remediation automation, detection of remote exploits in your infra, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Automate your CVE remediation

Let Mondoo do the heavy lifting when it comes to remediating critical software vulnerabilities in your infrastructure with new Ansible and Bash remediation scripts to accelerate the patching of systems.

Software resolution

Expose remote exploits in your infrastructure

With the new "Remote execution" risk for CVEs and advisories, you can now prioritize and patch the highest risks to your business before attackers find them. Mondoo lets you sort by CVEs and vendor advisories that are known to be susceptible to remote code execution over the network.

CVE-2023-22505 Remote Exploit

🧹 IMPROVEMENTS

Resource improvements

asset

  • New field annotations.

aws.iam.policies

  • Fix parsing data in attachedRoles field.

aws.rds.dbcluster

  • New field hostedZoneId.
  • New field latestRestorableTime.
  • New field masterUsername.

aws.rds.dbinstance

  • New field latestRestorableTime.
  • New field masterUsername.

Ansible scan interval / splay settings

Control the scan interval and splay settings for Mondoo clients set up with the Mondoo Ansible role using new splay and timer variables.

Learn more in our all new Ansible docs!

Signed providers on Windows

Is it an advanced security product or a virus? It turns out that sometimes your endpoint protection software can't tell the difference. To help, we're signing all Mondoo providers to prevent tools flagging providers as potentially malicious software.

Friendly messages for space viewers in Kubernetes integrations

Want to take a peek at the configuration of Kubernetes integrations, but you only have viewer permissions on the space? No worries. Kubernetes integration pages now show friendly messages when service account information is unavailable due to a lack of permissions. Stay curious.

πŸ› BUG FIXES AND UPDATES​

  • Collect running kernel in SBOMs.
  • Don't fail if a Linux process is running under a user that has been deleted.
  • Fix AWS instances failing to scan via SSM in the Lambda integration.
  • Improve network security group checks in the CIS Azure Foundation benchmark policy to ignore case and better target the security rules.
  • Update CIS benchmarks for AlmaLinux, Rocky Linux, and Oracle Linux to skip GDM checks on headless systems.
  • Display the Terraform logo for the Terraform Asset Inventory Pack.
  • Display the Windows logo instead of the Microsoft 365 logo for all Windows desktop CIS policies.
  • Improve Azure Pipeline setup examples in the console.
  • Show labels on the asset overview when an asset is unscored.
  • Update instructions and documentation links in Azure integration to match the latest Microsoft Entra ID pages.
  • Improve AWS integration error messages in the console.
  • Prevent multiple AWS scan requests from running at once in the AWS integration.
  • Fix incorrect links in Red Hat advisories.
  • Fix newer vendor advisories showing as unscored when the attached CVEs have no score.
  • Improvements to Okta and Azure SCIM 2.0 support.
  • Fix scanning of Docker images that are not on the system.
  • Fix fetching of Microsoft 365 groups when there are a large number of groups in Entra ID.
  • Fix scanning of private images in Kubernetes clusters.
  • Improve performance in the tls.certificate resource.

Mondoo 10.8 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 10.8 is out! This release includes NIST CSF 2.0 compliance, Okta and Entra ID SCIM, expanded policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Okta and Microsoft Entra ID SCIM 2.0 support

There's nothing worse than the endless stream of tickets to add, remove, or change user access to SaaS services. Now, with Okta and Microsoft Entra ID SCIM 2.0 support in Mondoo private instances, that's a thing of the past. Sync your users and groups automatically so the right users always have the proper access, keeping your auditors happy without a ticket in sight. Did that big budget increase finally allow you to expand your security team? Automatically provision access for your new team members as they start. Time to promote an engineer into management to wrangle your growing team? Automatically provide that employee with the appropriate administrative access to Mondoo spaces and organizations. Contact your support representative to learn more about enabling SCIM 2.0 support, including automated deployment options with the Mondoo Terraform provider.

NIST Cybersecurity Framework (CSF) 2.0 support

Automatically track your compliance against the newly released NIST Cybersecurity Framework (CSF) 2.0. With CIS benchmark checks automatically mapped to the 104 new CSF 2.0 controls, you can enable policies and watch the results flow in showing where you stack up against these updated NIST recommendations.

NIST CSF 2.0

🧹 IMPROVEMENTS

Resource improvements

gcp.project.computeService.attachedDisk

  • Add a new source field.

AWS Resources

  • Improve handling of integer values in AWS. Fields representing maximum/minimum values, such as aws.cloudfront.distribution.origin.connectionTimeout, now return 0 when no value has been set. When a field represents a port value, such as aws.rds.dbInstance.port, Mondoo now represents unset values as -1.
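The sentinel values above matter when you write checks: an unset port now arrives as -1, so a query that compares ports directly should exclude that value first. The following cnspec policy fragment is an added example, not a Mondoo-shipped policy; it assumes the list resource aws.rds.dbInstances (not named on this page) returns aws.rds.dbInstance items and that the policy bundle layout shown (policies, groups, filters, checks, mql) matches the cnspec version you run.

```yaml
# Added example policy bundle (assumption: aws.rds.dbInstances lists aws.rds.dbInstance resources)
policies:
  - uid: example-aws-sentinel-values
    name: Example AWS checks that respect unset-value sentinels
    version: 1.0.0
    groups:
      - filters: asset.platform == "aws"
        checks:
          - uid: rds-port-explicitly-set
            title: Every RDS instance reports a listening port
            # -1 is the sentinel for "no value set", so this check fails
            # only on instances whose port was never reported
            mql: aws.rds.dbInstances.all(port != -1)
          - uid: rds-non-default-port
            title: RDS instances with a reported port do not use the engine default
            # exclude unset ports first so the -1 sentinel never trips the comparison
            mql: |
              aws.rds.dbInstances.where(port != -1).all(
                port != 3306 && port != 5432 && port != 1433
              )
```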

Expanded CIS GCP Foundations policy

Catch security problems before they reach production without the need for multiple tools and security policies. New Terraform variants in the CIS GCP Foundations benchmark policy provide a single check for both running GCP assets and the Terraform code that generates those assets. Learn more about securing Terraform code using Mondoo in the Mondoo docs.

New CLI flags for inventory files

New simpler command line flags make it clearer how to use inventory files with cnspec and how to specify different inventory formats:

  • --inventory-file string: Set the path to the inventory file.
  • --inventory-format-ansible: Set the inventory format to Ansible.
  • --inventory-format-domainlist: Set the inventory format to domain list.

Additional package data in SBOMs

SBOM files generated with cnquery sbom now include each installed package's origin and architecture data.

Improved AWS instance naming / tagging

AWS instances scanned with SSM or through the Mondoo Platform AWS integration include new configuration information to make them easier to find and understand:

  • Asset names now use the AWS instance name (if the instance has a name).
  • New mondoo.com/parent-id, mondoo.com/instance-id, and mondoo.com/ssm-connection labels display on each AWS instance asset.

Wolfi container package detection

Expose package information in Chainguard's Wolfi "un-distribution" with support for Wolfi's APK packages:

cnquery shell container image cgr.dev/chainguard/caddy
→ connected to Wolfi
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ | | |_| |
 \___|_| |_|\__, |\__,_|\___|_|  \__, |
  mondoo™      |_|                |___/   interactive shell

cnquery> packages
packages.list: [
  0: package name="ca-certificates-bundle" version="1708982311:20240226-r0"
  1: package name="caddy" version="1710420294:2.7.6-r4"
  2: package name="wolfi-baselayout" version="1701735113:20230201-r7"
]

πŸ› BUG FIXES AND UPDATES​

  • Rename the spaces Overview page to Dashboard.
  • Rename the Security and Vulnerability Dashboard pages to be Overview.
  • Resolve failures scanning Amazon ECR.
  • Add missing description and remediation step in NSA PowerShell: Security Measures to Use and Embrace policy.
  • Update searches on the space page to be case-insensitive.
  • Improve reliability of queries in the CIS Azure Foundations and AWS Operational Best Practices policies.
  • Remove any pending space invites if the inviter no longer has the necessary privileges to invite users.
  • Fix failures loading software pages on an asset due to duplicate discovered packages.
  • When an Ansible inventory file is malformed, display an error message instead of returning 0 assets.
  • Support generating Ubuntu CPEs in SBOMs on the upcoming Ubuntu 24.04 release.
  • Fix failures scanning AWS instances from the AWS integration.
  • Improve checks for LAPS on Windows assets in CIS/BSI policies.
  • Improve checks for anonymous pipe access on Windows assets to account for differences between domain controllers and domain member servers.
  • Improve the descriptions and remediation text in the AWS Operational Best Practices policies.

Mondoo 10.7 is out!

· 3 min read
Mondoo Core Team

Get this release: Installation Docs | Package Downloads | Docker Container


🧹 IMPROVEMENTS

Show numeric asset scores in the CLI

Understand your precise scores in the cnspec CLI with new numeric score values in addition to A-F scores.

Numeric scores

Add specific vendor advisory sources

Jump right to the source with new direct links to vendor advisories on software advisory pages.

Advisory links

Improved AWS integration troubleshooting

Failures happen, so let's get to the root cause faster with new troubleshooting options for AWS integrations. The ... menu in the AWS integrations pages now includes new options that:

  • Force an update of the Lambda code powering the integration
  • Send diagnostics logs directly to Mondoo

Diagnostics information

Kubernetes scanning performance improvements

We introduced a new mechanism to reduce the number of calls made during asset discovery. This is especially helpful when scanning larger Kubernetes clusters. It lets cnquery and cnspec scan assets incrementally, one by one, without having to discover and load all of them up front. This performance improvement not only drastically cuts execution time but also eliminates the need to read each container image twice from the system, reducing I/O load.

This improvement is automatically enabled for new workloads. We currently support it for container images and plan to extend it to other workloads with costly discovery steps in the future.

πŸ› BUG FIXES AND UPDATES​

  • Fix failures to detect vulnerable versions of system-wide Visual Studio Code installations on Windows.
  • Fix incorrect pluralization on the assets page.
  • Fix incorrect source links for Debian, Chrome, and Firefox vulnerabilities and advisories.
  • Fix detection of some newer VMware advisories.
  • Fix macOS systems displaying a low vulnerability score but no CVEs or advisories.
  • Add missing available package data when scanning for vulnerabilities on the command line.
  • Fix failures scanning systems with the command line --incognito flag.
  • Add missing first-found data to the asset software tab.
  • Respect the --output flag when running cnspec vuln.
  • Improve the disk/memory usage of container image scans on large Kubernetes clusters.
  • Fix duplicate AWS instance scans.
  • Add support for VMware vSphere/ESXi 8.0U2b vulnerability scanning.
  • Don't show the service accounts button when a Kubernetes integration is still pending.
  • Show "unknown" instead of "0.0" when a CVSS score has not been published.
  • Don't show an empty CVSS score section on vulnerability pages if they have not been published.
  • Improve the display of vendor icons in the asset software tab.
  • Add tooltips to check status icons in Compliance Hub.
  • Fix failures scanning GCP if resources can't be discovered.
  • Improve the display of installed memory on Windows assets.
  • Add macOS model detection for new M3 MacBook Air laptops.
  • Improve check reliability in the AWS Operational Best Practices policies.