Mondoo 11.14 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 11.14 is out! This release includes improved EOL OS warnings, new resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🧹 IMPROVEMENTS​

End of life status is now a risk factor​

Better understand when assets are approaching end of life with a new, configurable end-of-life risk factor. This risk factor replaces the existing end-of-life policy and instead uses a configurable warning period and risk factors to expose high-risk EOL assets.

Set your desired warning period or turn off warnings entirely space-wide:

Tuning EOL warnings

Filter on EOL assets within affected asset pages:

EOL assets

New Shodan and VMware inventory packs​

Gather detailed information on more aspects of your infrastructure with new VMware and Shodan asset inventory packs. The VMware asset inventory pack gathers information on vCenter servers as well as individual ESXi hosts, so you can better understand the state of your clusters. The Shodan asset inventory pack gathers information on host assets using the Shodan service.

Control cnspec output using an ENV variable​

Control the command line output of cnspec using a new MONDOO_OUTPUT environment variable that can be set in shell config files or in CI/CD jobs.

export MONDOO_OUTPUT=nodata,nocontrols
cnspec scan local

Resource updates​

gitlab.project​

  • New approvalSettings field using the new gitlab.project.approvalRule resource
  • New mergeMethod field
  • New projectFiles field using the new gitlab.project.file resource
  • New projectMembers field using the new gitlab.project.member resource
  • New protectedBranches field using the new gitlab.project.protectedBranch resource
  • New webhooks field using the new gitlab.project.webhook resource

macos​

  • New systemExtensions field using the new macos.systemExtension resource

package​

  • New vendor field

🐛 BUG FIXES AND UPDATES

  • Improve application of cloud-specific CIS Kubernetes policies.
  • Fix empty packages data on RPM-based systems.
  • Improve rendering of the software version distribution chart.
  • Improve descriptions of workload scanning options in the Kubernetes integration setup page.
  • Improve generation of CPE data in the package resource.
  • Scan all supported asset types available in the --discover flag when using the Mondoo Hosted AWS integration.
  • Improve retry behavior in the GitHub provider.
  • Add BOMRef data to CycloneDX SBOMs.
  • Fix integration credentials not updating if they are changed.
  • Fix an RPC error during scanning with certain query packs enabled.
  • Fix a potential error if checks and data queries use the same UID.
  • Improve the CIS EKS policy's Ensure clusters are created with Private Nodes check.
  • Improve the reliability of multiple queries in CIS Linux policies.
  • Simplify the output of CIS Linux sysctl IP setting checks.
  • Add missing check titles in the Mondoo Endpoint Detection and Response (EDR) policy.
  • Improve the reliability of the Mondoo Linux Security policy's Ensure discretionary access control permission modification events are collected check. Thanks @ceso!
  • Improve rendering of data queries that do not return a result.
  • Improve rendering of descriptions and auditing steps in CIS policies.
  • Improve reliability of iptables checks in Linux CIS policies.
  • Fix missing assets in the affected assets lists.

Mondoo 11.13 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 11.13 is out! This release includes support for additional workflows, advanced scoring mechanisms, notifications on failing integrations, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Exceptions for vendor advisories​

You can now set exceptions on advisories, not just checks. To set an exception on an advisory, navigate to an asset's Advisories tab and select the advisories to snooze or disable.

To learn more, read the Mondoo documentation.

Selecting advisories to create exceptions

Choose the security scoring system for each policy in a space​

Mondoo policies support several different scoring systems, depending on how you want to weight the results of the policy. While the recommended scoring mechanism for each policy is built into the policy itself, you can now override the scoring mechanism used directly from the Mondoo console.

Selecting a scoring system for a policy

Failing integration notification​

Tokens may expire and accounts might change. Now you can quickly spot when integrations stop scanning as they should. Space owners will notice a new icon in the integrations menu whenever an issue arises. Plus, any failing integrations are highlighted on the Integrations page, so you can identify the problem type at a glance without diving into each page.

Integrations showing failures

Updated asset tables on individual checks​

The table of affected assets on each individual check page is now much more informative, showing last update time, additional risk factors, risk score, and asset name. It also supports multi-select for building targeted cases.

Integrations showing failures

Create cases directly from policy check pages​

Cases are a new feature of Mondoo that allow you to turn security findings into tasks to complete. They integrate with Atlassian Jira to fit into your existing workflow.

Mondoo Case Management Screen

When you see a security finding that requires fixing, you create a case for that finding. Mondoo automatically includes the details of the finding, information on the asset(s) that contain the finding, and instructions for fixing it. When you save the case, Mondoo automatically creates an issue containing all the same information in your Jira project.

To create cases from failing checks, simply open a check and click the 'Create Case' button. To learn more, read the Mondoo documentation.

🧹 IMPROVEMENTS​

Updated CIS Windows 10 / 11 benchmark policies​

Secure Windows endpoints with the latest CIS Windows 10 and 11 benchmark policies: version 3.0. This major version bump includes a large refactoring of the recommendations for securing Windows hosts, including new and updated recommendations, improved descriptions and remediation text, and overall improvements to queries to ensure you always have the best output to work with.

🐛 BUG FIXES AND UPDATES

  • Immediately refresh asset check overview statistics when exceptions are set.
  • Fix incorrect check impact scores displayed on assets.
  • Ensure editors can't create API tokens with higher privileges.
  • Allow sorting by blast radius in tables.
  • Fix policy check pages not showing all affected assets.
  • Don't include checks with exceptions in check counts.
  • Expand the data included in data exports to include space metadata, base score, and risk score.
  • Fix backwards sorting in risk score table columns.
  • Allow sorting by last updated time in affected asset tables.
  • Fix incorrect scores on versioned software pages.
  • Don't scan Azure Storage containers as part of the --discover all command line option.
  • Use fully qualified Kubernetes names to ensure assets are unique.
  • Show cnspec status output when the client fails to communicate with the platform.
  • Substantially improve the reliability of multiple Linux CIS benchmark queries.
  • Fix format changes introduced to the CSV data export that were not backwards compatible.
  • Fix some CI scan results failing to load in the console.
  • Use more consistent names for out-of-the-box data pack queries.

Mondoo 11.12 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 11.12 is out! This release includes a new way to track security tasks within your team's existing workflow, compliance framework management in the CLI, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Track and remediate vulnerabilities with cases​

Cases are a new feature of Mondoo that allow you to turn security findings into tasks to complete. They integrate with Atlassian Jira to fit into your existing workflow.

Mondoo Case Management Screen

When you see a security finding that requires fixing, you create a case for that finding. Mondoo automatically includes the details of the finding, information on the asset(s) that contain the finding, and instructions for fixing it. When you save the case, Mondoo automatically creates an issue containing all the same information in your Jira project.

The Jira issues that Mondoo creates from cases include all the details necessary for infrastructure owners to remediate findings, even if they don't have access to Mondoo.

In the Mondoo Console, if a security finding or an asset has a case associated with it, you can view the case from the finding or the asset. You can also see a list of all cases in a space.

You can also close cases in the Mondoo Console and (optionally) also automatically close the corresponding issue in Jira.

Open the cases management page in the Mondoo Console to get started, or check out the documentation.

Manage compliance frameworks in the CLI​

Whether you're iterating on a custom compliance framework locally or automating the management of frameworks stored in source control repos, the new cnspec framework command makes managing frameworks a breeze. Now you can list, download, upload, and change the state of frameworks entirely on the command line.

Usage:
  cnspec framework [command]

Available Commands:
  active      Change a framework status to active
  download    Download a compliance framework
  list        List available compliance frameworks
  preview     Change a framework status to preview
  upload      Upload a compliance framework

Flags:
  -h, --help   help for framework

Global Flags:
      --api-proxy string   Set proxy for communications with Mondoo API
      --auto-update        Enable automatic provider installation and update (default true)
      --config string      Set config file path (default $HOME/.config/mondoo/mondoo.yml)
      --log-level string   Set log level: error, warn, info, debug, trace (default "info")
  -v, --verbose            Enable verbose output

🧹 IMPROVEMENTS​

Rocky Linux AppStream advisories​

Mondoo now includes Rocky Linux AppStream package advisories, so you can secure assets that use AppStream to get the latest language and server releases.

Expanded Terraform policy support​

Catch critical security issues before they reach production with expanded Terraform support in the CIS AWS Foundations and CIS GCP Foundations benchmark policies.

Resource updates​

aws.ec2.securitygroup.ippermission​

  • New prefixListIds field
  • New userIdGroupPairs field

aws.iam.policy​

  • New policyId field to replace the now deprecated id field

aws.rds.dbinstance​

  • New subnets field

aws.vpc.routetable​

  • New associations field using the new aws.vpc.routetable.associations resource

🐛 BUG FIXES AND UPDATES

  • Add asset overview information for the k8s-service platform.
  • Add services to the discovery help in cnspec scan k8s --help.
  • Allow users with organization permissions (but no space permissions) to invite users to a space.
  • Improve application of the CIS GitHub benchmark policy on individual repositories.
  • Give discovered AWS ECR images a runtime value of aws-ecr.
  • Improve and expand checks in the CIS AKS benchmark policy.
  • Improve handling of non-English Windows systems in Mondoo, BSI, and CIS policies.
  • Update Mondoo, BSI, and CIS Windows policies to better handle settings defined via GPO.
  • Improve reliability of some CIS checks on Debian 12 hosts.
  • Fix EPSS score values in advisory and CVE summary boxes.
  • Make the GitHub Enterprise URL optional during integration setup.
  • Don't show private resources in the shell auto complete.
  • Don't error when scanning personal GitHub repositories.
  • Allow scanning read-only Windows volumes.
  • Improve filtering of boot partitions during snapshot scanning.

Mondoo 11.11 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 11.11 is out! This release includes GitHub Enterprise support, automated IaC file discovery in code repositories, EU NIS2 Cybersecurity Directive Framework support, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Continuous GitHub Enterprise scanning​

Mondoo's GitHub integration has expanded to support GitHub Enterprise as well. GitHub Enterprise users can now get all the Mondoo GitHub features for their private instances, including scans of their GitHub configuration and automatic discovery of Terraform code and Kubernetes manifests in GitHub repositories.

Check out the documentation to learn more about integrating Mondoo Platform with GitHub Enterprise.

GitHub Enterprise Configuration

IaC file discovery in GitHub and GitLab​

Mondoo now automatically discovers and scans Terraform code and Kubernetes manifests in GitHub and GitLab. If any static Terraform (HCL) or Kubernetes manifest files exist in a repo, Mondoo can detect and scan them for security misconfigurations. This option lets infrastructure developers responsible for writing and maintaining infrastructure as code detect security issues before they create problems in production.

Configure scanning in your existing GitHub and GitLab integrations.

Automatic Discovery Options

NIS2 Cybersecurity Directive compliance framework​

Mondoo introduces a new NIS2 compliance framework for companies in the European Union that must comply with the NIS2 cybersecurity directive.

NIS2 Checks

CIS Google Workspace benchmark policy​

Secure your Google Workspace infrastructure with the new CIS Google Workspace Foundations Benchmark Level 1 and 2 policies including 58 important security checks.

🧹 IMPROVEMENTS​

Oracle Linux Kernel CVE support​

Mondoo now detects and reports vulnerabilities in the Oracle Unbreakable Enterprise Linux Kernel.

DaemonSet-based Kubernetes integration scanning​

The Mondoo Kubernetes integration now supports running as either a DaemonSet, a Deployment or a CronJob, depending on your needs.

Improved GitHub organization scanning scalability​

Multiple improvements to the GitHub organization scanner now better ensure that Mondoo does not accidentally trigger GitHub's API rate limits.

Improved Mondoo Terraform provider​

The Terraform provider for Mondoo has several changes:

  • The Terraform provider has full access to the asset list of a Mondoo space and can leverage those assets in Terraform HCL.
  • The Terraform provider now has access to the full list of active policies via a data source.
  • You can now use Terraform to enable Mondoo compliance frameworks and even upload custom frameworks.

Resource updates​

aws.rds.dbinstance​

  • New subnets field.

azure.subscription.aksService.cluster​

  • New apiServerAccessProfile field.

github.branch​

  • New headCommitSha field.

github.packages​

  • New resource to fetch information on packages for a repository.

🐛 BUG FIXES AND UPDATES

  • Add vendor source links to VMware and Visual Studio Code security advisories.
  • Add security advisories for openSUSE Tumbleweed.
  • Fix scans failing to cancel in the AWS serverless integrations.
  • Fix sort ordering of Blast Radius in tables.
  • Fix display of the empty credentials box on the Generate Long-Lived Credentials page.
  • Don't reject .in domains in the host integration setup page.
  • Fix the settings link in the navigation bar sometimes disappearing.
  • Improve the reliability of EBS volume scanning in AWS.
  • Improve reliability of VM scans in the Azure integration.
  • Update Fedora and AlmaLinux EOL dates to match the latest vendor announcements.
  • Update the EOL warning date to be when the date is 6 months out instead of 3.
  • Fix an error displaying checks for some policies in the console.
  • Fix a failure fetching the attachedPolicies data in the aws.iam.users resource.
  • Allow sorting compliance control checks in the console.
  • Improve the reliability of CIS Ensure default user umask is configured and Ensure default user umask is 027 or more restrictive checks.
  • Improve reliability of some Windows registry-based CIS checks.
  • Simplify many Linux checks to improve result output.
  • Reduce screen flickering when filtering checks on asset pages.
  • Fix missing check counts in the asset check overview.

Mondoo 11.10 is out!

· 2 min read
Mondoo Core Team

🥳 Mondoo 11.10 is out! This release includes CIS benchmarks for Exchange Server 2019, improvements to the CVE and advisory UI, new resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Secure Microsoft Exchange Server 2019​

Validate your Microsoft Exchange Server 2019 instance against the latest CIS benchmarks with our new policy, which contains 52 new tests to ensure that you follow best practices and security recommendations.

Exchange Server 2019 Checks

🧹 IMPROVEMENTS​

Improved affected assets lists for CVE and advisories​

Remediate vulnerabilities more quickly and effectively with refreshed asset tables in the CVE and advisory views, which now provide more relevant information about the vulnerable assets.

Affected Assets Table

Resource updates​

aws.account​

  • New tags field. Thanks for this contribution, @Pauti!

aws.eks.cluster​

  • New addons field using the new aws.eks.addon resource.
  • New iamRole field.

gcp.project.computeService​

  • New enabled field.

googleworkspace​

  • New calendars field using the new googleworkspace.calendar resource.

googleworkspace.report.apps​

  • New admin field.

googleworkspace.user​

  • New isDelegatedAdmin field.

🐛 BUG FIXES AND UPDATES

  • Add the generation time in addition to the date on all compliance reports.
  • Automatically enable the generated compliance evidence policy for custom compliance frameworks.
  • Render check and data query markdown in compliance reports.
  • Add the number of queries to the compliance report summary page.
  • Fetch the latest VMware advisories that are now published by Broadcom.
  • Improve the output of queries in Kubernetes policies.
  • Improve reliability of the "Ensure 'Debug programs' is set to 'Administrators'" check in Windows policies.
  • Improve connection error output for Google Cloud, Azure, and AWS resources.
  • Improve filters on the Azure query pack to prevent failures running queries.
  • Improve reliability of the CIS Amazon EKS benchmark "Ensure Network Policy is Enabled and set as appropriate" and "Ensure clusters are created with Private Nodes" checks.
  • Expand the NSA PowerShell policy's "Disable and uninstall the deprecated PowerShell v2" check to work on both desktop and server Windows installations.
  • More reliably fetch AWS IAM credential reports.
  • More reliably fetch Azure managed identity credentials.
  • Add EOL date for SLES 15 SP6 (15.6).
  • Improve pagination on Firewatch pages.
  • Don't display already fixed advisories on the advisories page.
  • Fix a failure parsing directories within Dockerfiles.

Mondoo 11.9 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 11.9 is out! This release includes Windows filesystem scanning, expanded IaC reporting, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Windows filesystem scanning​

Need to inspect a Windows system, but don't have access to install cnquery on the system? Now you can attach the drive, or a snapshot of the drive, to another Windows system and run cnquery shell complete with access to all of Mondoo's Windows MQL resources.

Run cnquery shell against a drive by serial number:

./cnquery.exe shell device --serial-number 123455

Run cnquery shell against a specific LUN:

./cnquery.exe shell device --lun 2

🧹 IMPROVEMENTS​

Infrastructure as code inventory group​

Find Mondoo-scanned Infrastructure as Code (IaC) files quickly with a new Infrastructure as Code asset group in the Mondoo console inventory page:

IaC asset group

Improved risk factor display​

We improved the risk assessment view on CVE and advisory pages so you can better understand which risks apply to assets and which don't.

Risk Factors

Expanded Endpoint Detection and Response (EDR) policy support​

The Mondoo Endpoint Detection and Response (EDR) policy now detects systems running Windows Defender with up-to-date definition files.

Kubernetes service discovery​

Expand visibility into your Kubernetes cluster with discovery of Kubernetes services as assets in the Mondoo console.

Find files by permission​

Use the expanded files.find MQL resource to find files containing specific permissions across entire filesystems or specific paths. Pass in standard UNIX octal permission values to find files containing those permissions. Note: This is not an exact match. Searching for '0001' returns all files with execute on other, even if they also have read and write on other.

cnquery> files.find(from: "/etc", type: "file", xdev: false, permissions: 0001)
files.find.list: [
0: file path="/etc/periodic/daily/999.local" size=712 permissions.string="-rwxr-xr-x"
1: file path="/etc/periodic/monthly/999.local" size=606 permissions.string="-rwxr-xr-x"
2: file path="/etc/periodic/weekly/999.local" size=620 permissions.string="-rwxr-xr-x"
3: file path="/etc/security/audit_warn" size=1326 permissions.string="-r-xr-xr-x"
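
The difference between this "contains these bits" match and an exact match, shown on a constructed directory as an added example (not part of the Mondoo release notes). It uses find(1) with `-perm -MODE` as an assumed stand-in for the files.find behavior described above; the file names and modes are made up.

```bash
#!/usr/bin/env bash
# Added example: "contains these bits" vs. exact permission matching.
# find(1) stands in for the files.find behavior described above (assumption).

# Create a throwaway directory of empty files; names and modes are constructed.
make_sample_tree() {
  _dir=$(mktemp -d) || return 1
  for _spec in other_x_only:0001 script:0755 readonly_tool:0555 \
               config:0644 secret:0600 world_all:0777; do
    : > "$_dir/${_spec%%:*}"
    chmod "${_spec##*:}" "$_dir/${_spec%%:*}"
  done
  printf '%s\n' "$_dir"
}

# Mask match: every bit of MODE ($2) must be set, extra bits are allowed.
find_mask() {
  find "$1" -type f -perm "-$2" -exec basename {} \; | sort
}

# Exact match: the file mode must equal MODE ($2).
find_exact() {
  find "$1" -type f -perm "$2" -exec basename {} \; | sort
}

tree=$(make_sample_tree)
echo "mask 0001 (execute for other, any other bits):"; find_mask "$tree" 0001
echo "exact 0001:";                                     find_exact "$tree" 0001
echo "mask 0002 (world-writable audit):";               find_mask "$tree" 0002
rm -rf "$tree"
```

The mask search for 0001 returns the 0755, 0555 and 0777 files alongside the 0001 file, which is why a mask query suits audits such as finding world-writable files (0002) regardless of their other bits.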

Resource updates​

aws.account​

  • New tags field. Thanks for this contribution, @Pauti!

gcp.project.computeService​

  • New enabled field.

🐛 BUG FIXES AND UPDATES

  • Better handle nil values for deprecatedAt or createdAt fields in the aws.ec2.image resource.
  • Add asset.runtime value to CloudFormation assets.
  • Fix large numbers of advisories or vulnerabilities not displaying correctly on assets.
  • Don't show unknown cloud asset inventory information for containers.
  • Improve the performance of macOS asset inventory gathering.
  • Report unknown serial numbers when OEMs have not set a serial number.
  • Fix a failure when scanning Microsoft 365 tenants without a Teams protection policy.
  • Fix false negatives for Azure PostgreSQL flexible server checks in the CIS Azure Foundations benchmark policy.
  • Fix cancelling jobs for AWS serverless integrations.
  • Improve reliability of container pulling checks in both CIS and Mondoo Kubernetes policies.
  • Improve reliability of ephemeral container checks in the Mondoo Kubernetes Cluster and Workload Security policy.
  • Fix duplicate vulnerability data in S3 exports.
  • Improve wording in risk factor descriptions.
  • Fix duplicate software displaying on the asset software tab.
  • Group Shodan scans under the Network Devices inventory category.
  • Improve performance fetching AWS EFS filesystem data.
  • Better handle AWS rate limiting when fetching AWS IAM Credential Report information.
  • Fix a failure fetching networkConfig information within the gcp.project.gke.cluster resource.
  • Fix failing integrations not displaying as failing.
  • Fix failures scanning larger AWS accounts using the serverless AWS integration.
  • Don't allow clicking the update integration button in the Kubernetes integration form if nothing has changed.
  • Improve reliability of EOL risk factor in the affected assets page.
  • Add EOL date for openSUSE 15.5.
  • Improve formatting in generated package vulnerability remediation scripts.
  • Display the complete product name of "Azure SQL Database Server" for "azure-sql-server" platform assets in the console.
  • Fix vulnerability scanning on RPM-based systems when using EBS snapshot scanning.
  • Fix the Mondoo-hosted AWS integrations not scanning cloud resources as individual assets.
  • Fix incorrect coloring for the Known Exploitable Vulnerability risk factor badge.

Mondoo 11.8 is out!

· 6 min read
Mondoo Core Team

🥳 Mondoo 11.8 is out! This release includes fine-grained cloud asset scanning, enhanced software inventory, Snowflake scanning, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Fine-grained cloud asset scanning​

Bring greater visibility to your cloud security posture with new fine-grained asset scanning for Azure, Google Cloud, and Mondoo-hosted AWS integrations. Mondoo now discovers and scans common cloud resources such as load balancers, virtual networks, or storage buckets as individual assets.

Granular Cloud Assets

Expanded asset inventory​

With fine-grained asset scanning you can quickly find and understand cloud assets across multiple providers or accounts, all within Mondoo. Search for resources by name or type using our newly expanded search capabilities.

Asset search

Once you've found the right asset, quickly determine the location and owner with detailed asset overview data for each asset type.

Asset overview

Improved security visibility​

You can now understand where critical security vulnerabilities exist within your infrastructure. With checks applied directly to cloud assets, you can more easily see which assets pass and which assets fail checks without diving into complex, account-wide check output.

Granular security check

Granular exceptions​

The world is full of edge cases! Now you have the granularity to account for those exceptions where necessary. With fine-grained asset scanning you can create exceptions that run on the specific cloud resources instead of on the account. This means you can disable or snooze a check without losing security visibility across your entire cloud account.

Granular asset exceptions

Common questions​

Q: Why is one of my cloud resources not scanning as an individual asset?

A: In this initial release, Mondoo doesn't scan every type of cloud resource independently. We've begun with common resources that include security checks in CIS Level 1 policies. We will expand our scanning coverage as time goes on and as new checks are developed. If there's a resource you'd love to see scanned as an asset in Mondoo let us know at hello@mondoo.com.

Q: Will the increase in asset counts impact billing?

A: Because we believe that cost shouldn't prevent you from solving critical security findings, there is no additional charge for these assets.

Space-wide software vulnerability page​

Mondoo now provides an exhaustive list of all the vulnerable software in your infrastructure. Even better, you can precisely identify risks by digging into specific versions of packages and see everywhere they're installed. This new feature also works seamlessly with Mondoo Firewatch, automatically helping you prioritize remediation using contributing risk factors such as known exploits, running processes, and open network ports.

To get started, under Vulnerabilities in the main navigation, select Software. From there, you can access the full suite of features and immediately begin improving your infrastructure's security posture.

Software list

Individual software pages provide a breakdown of deployed package versions, software CVEs, risk factors, and which assets in your environment are running the particular software.

Software list

Snowflake scanning​

Use the new snowflake provider in cnquery/cnspec to query and secure critical data in your Snowflake account.

cnquery shell snowflake

Required arguments:

  • --account - The Snowflake account name
  • --region - The Snowflake region
  • --user - The Snowflake username
  • --role - The Snowflake role

Password authentication arguments:

  • --password - The Snowflake password
  • --ask-pass - Prompt for the Snowflake password

cnquery shell snowflake --account zi12345 --region us-central1.gcp --user CHRIS --role ACCOUNTADMIN --ask-pass

Certificate authentication arguments:

  • --private-key - The path to the private key file

cnquery shell snowflake --account zi12345 --region us-central1.gcp --user CHRIS --role ACCOUNTADMIN --private-key ~/.ssh/id_rsa

You need to generate an RSA key pair and assign the public key to your user via Snowsight.

Example queries​

Retrieve all users:

cnquery> snowflake.account.users
snowflake.account.users: [
0: snowflake.user name="CHRIS"
1: snowflake.user name="DATAUSER"
2: snowflake.user name="SNOWFLAKE"
]

Retrieve all users that have no MFA:

cnquery> snowflake.account.users.where(extAuthnDuo == false)
snowflake.account.users.where: [
0: snowflake.user name="CHRIS"
1: snowflake.user name="DATAUSER"
2: snowflake.user name="SNOWFLAKE"
]

Retrieve all users that have password authentication:

cnquery> snowflake.account.users.where(hasPassword)
snowflake.account.users.where: [
0: snowflake.user name="CHRIS"
1: snowflake.user name="DATAUSER"
2: snowflake.user name="SNOWFLAKE"
]

Retrieve all users that have certificate authentication:

cnquery> snowflake.account.users.where(hasRsaPublicKey)
snowflake.account.users.where: [
0: snowflake.user name="CHRIS"
]

Retrieve users that have not logged in for 30 days:

cnquery> snowflake.account.users.where(time.now - lastSuccessLogin > time.day * 30) { lastSuccessLogin }
snowflake.account.users.where: [
0: {
lastSuccessLogin: 366 days
}
]

Check that SCIM is enabled:

cnquery> snowflake.account.securityIntegrations.where(type == /SCIM/).any(enabled == true)
[failed] [].any()
actual: []

Check that the retention time is greater than 90 days:

cnquery> snowflake.account.parameters.one(key == "DATA_RETENTION_TIME_IN_DAYS" && value >= 90)

Retrieve all databases:

cnquery> snowflake.account.databases
snowflake.account.databases: [
0: snowflake.database name="CNQUERY"
1: snowflake.database name="SNOWFLAKE"
2: snowflake.database name="SNOWFLAKE_SAMPLE_DATA"
]

Quick space and organization navigation​

Quickly navigate between different organizations or spaces with our new navigation bar. With this improved navigation tool, you can:

  • Search for organizations or spaces within the drop-down menus
  • Choose a space without accessing an organization's Spaces page

Navigating between spaces

🧹 IMPROVEMENTS​

New risk factors for critical Windows systems​

Expose vulnerabilities and misconfigurations on the most important Windows systems in your environment with new risk factors for assets running Microsoft SQL Server or IIS.

Resource updates​

aws.applicationautoscaling.target​

  • New createdAt field

aws.ec2.image​

  • New deprecatedAt field

🐛 BUG FIXES AND UPDATES

  • Fix a type error querying data from the aws.ecs.task resource.
  • When a policy on an asset is in preview, display it in gray on the asset page.
  • Show the correct Microsoft icon on the Mondoo Console login page.
  • Fix the display of priority chart totals in light mode.
  • Improve rendering of priority chart tooltips with large names.
  • Fix the tooltip for the priority chart sometimes displaying in the top left of the screen.
  • Expand Linux policies to support PowerPC and ARM based systems.
  • Improve icons on the workstation setup page.
  • Allow updating the Mondoo-hosted AWS integration without re-entering credentials.
  • Improve policy score calculations when some policies are in preview.
  • Display the correct VPC icon in the AWS integration overview.
  • Improve the AWS integration page's Type column to distinguish between organization and single account integrations.
  • Improve the performance of Azure VM scanning.
  • Add a log entry to the Azure integration when a stopped VM skips during scans.
  • Add missing resolved_on CVE data in S3 exports.
  • Improve detection of the latest VMware CVEs.
  • Avoid rendering the entire page when switching between spaces.
  • Improve rendering of text on the "Welcome to Mondoo" that displays when new spaces are created.
  • Improve the reliability of the Kubernetes Workload and Cluster Security policy's "Container image pull should be consistent" check.

Mondoo 11.7 is out!

· 6 min read
Mondoo Core Team

🥳 Mondoo 11.7 is out! This release includes Ansible playbook scanning, Shodan host security querying, updated policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Ansible playbook scanning​

Query and secure your Ansible playbooks with cnquery and cnspec using our new ansible provider.

cnquery shell ansible my_playbook.yml
→ connected to Ansible Playbook
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondoo™      |_|                |___/  interactive shell

cnquery> ansible.plays { tasks }
ansible.plays: [
  0: {
    tasks: [
      0: ansible.task name="ensure apache is at the latest version"
      1: ansible.task name="write the apache config file"
      2: ansible.task name="ensure apache is running"
    ]
  }
]

With this provider, you can create custom security policies to enforce your organizational standards in CI jobs:

policies:
  - uid: ansible-best-practices
    name: Ansible Best Practices
    version: 1.0.0
    authors:
      - name: Mondoo, Inc
        email: hello@mondoo.com
    groups:
      - filters:
          - mql: asset.platform == "ansible"
        checks:
          - uid: mondoo-ansible-block-error-handling
queries:
  - uid: mondoo-ansible-block-error-handling
    title: Ensure Tasks are wrapped in block error handling
    mql: ansible.plays.all(tasks.none(block == empty))
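
What the check above evaluates, as an added Python example (not Mondoo's code and not part of the original release notes). It assumes the provider's `block` field mirrors a task's `block:` key and runs on a constructed playbook; it also lists blocks with no `rescue` or `always` section, which the MQL query as written does not test.

```python
# Added example, not Mondoo code. PLAYBOOK is a constructed sample: a playbook
# as it looks after YAML parsing. Task names come from the cnquery output above;
# the modules and block layout are invented for illustration.
PLAYBOOK = [
    {
        "name": "webservers",
        "tasks": [
            {   # plain task, no block: the check should flag this one
                "name": "ensure apache is at the latest version",
                "ansible.builtin.yum": {"name": "httpd", "state": "latest"},
            },
            {   # wrapped in a block, but nothing handles a failure
                "name": "write the apache config file",
                "block": [{"ansible.builtin.template":
                           {"src": "httpd.j2", "dest": "/etc/httpd.conf"}}],
            },
            {   # block with a rescue section
                "name": "ensure apache is running",
                "block": [{"ansible.builtin.service":
                           {"name": "httpd", "state": "started"}}],
                "rescue": [{"ansible.builtin.debug":
                            {"msg": "apache failed to start"}}],
            },
        ],
    }
]


def audit_block_handling(playbook):
    """Return (unwrapped, unhandled) lists of "play/task" labels.

    unwrapped: top-level tasks with no (or an empty) block, assumed to be
               what `block == empty` matches in the MQL check.
    unhandled: tasks that have a block but neither rescue nor always.
    """
    unwrapped, unhandled = [], []
    for play_idx, play in enumerate(playbook):
        play_name = play.get("name") or "play[%d]" % play_idx
        for task_idx, task in enumerate(play.get("tasks") or []):
            task_name = task.get("name") or "task[%d]" % task_idx
            label = play_name + "/" + task_name
            if not task.get("block"):
                unwrapped.append(label)
            elif not (task.get("rescue") or task.get("always")):
                unhandled.append(label)
    return unwrapped, unhandled


def passes_block_check(playbook):
    """Mirror of ansible.plays.all(tasks.none(block == empty))."""
    return not audit_block_handling(playbook)[0]


if __name__ == "__main__":
    unwrapped, unhandled = audit_block_handling(PLAYBOOK)
    print("check passes:", passes_block_check(PLAYBOOK))
    print("tasks outside a block:", unwrapped)
    print("blocks without rescue/always:", unhandled)
```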

Shodan search engine querying​

Query domain and IP security information in the Shodan search engine with the new shodan provider in cnquery and cnspec.

cnquery shell shodan

For authentication, use the SHODAN_TOKEN environment variable.

export SHODAN_TOKEN="<token>"

Example queries​

Query the base information for a host by IP address:

cnquery> shodan.host("8.8.8.8") { * }
shodan.host: {
  tags: []
  hostnames: [
    0: "dns.google"
  ]
  org: "Google LLC"
  asn: "AS15169"
  ip: "8.8.8.8"
  isp: "Google LLC"
  vulnerabilities: null
  os: null
  ports: [
    0: 443
    1: 53
  ]
}

Query the hostname for an IP address:

cnquery> shodan.host("8.8.8.8").hostnames
shodan.host.hostnames: [
  0: "dns.google"
]

Display all open ports for a host:

cnquery> shodan.host("8.8.8.8").ports
shodan.host.ports: [
  0: 443
  1: 53
]

Query the DNS information for a domain:

cnquery> shodan.domain("example.com") { * }
shodan.domain: {
  name: "example.com"
  nsrecords: [
    0: shodan.nsrecord domain="example.com" subdomain="" type="A"
    1: shodan.nsrecord domain="example.com" subdomain="" type="AAAA"
    2: shodan.nsrecord domain="example.com" subdomain="" type="MX"
    3: shodan.nsrecord domain="example.com" subdomain="" type="NS"
    4: shodan.nsrecord domain="example.com" subdomain="" type="NS"
    5: shodan.nsrecord domain="example.com" subdomain="" type="SOA"
    6: shodan.nsrecord domain="example.com" subdomain="" type="TXT"
    7: shodan.nsrecord domain="example.com" subdomain="" type="TXT"
    8: shodan.nsrecord domain="example.com" subdomain="www" type="A"
    9: shodan.nsrecord domain="example.com" subdomain="www" type="AAAA"
    10: shodan.nsrecord domain="example.com" subdomain="www" type="TXT"
    11: shodan.nsrecord domain="example.com" subdomain="www" type="TXT"
  ]
  tags: [
    0: "ipv6"
    1: "spf"
  ]
  subdomains: [
    0: "www"
  ]
}

Query the DNS NS records for a domain:

cnquery> shodan.domain("example.com").nsrecords.where(type == "NS") { subdomain type value }
shodan.domain.nsrecords.where: [
  0: {
    type: "NS"
    subdomain: ""
    value: "a.iana-servers.net"
  }
  1: {
    type: "NS"
    subdomain: ""
    value: "b.iana-servers.net"
  }
]

Query the DNS AAAA records for the "www" subdomain:

cnquery> shodan.domain("example.com").nsrecords.where(type == "AAAA").where(subdomain == "www") { subdomain type value }
shodan.domain.nsrecords.where.where: [
  0: {
    subdomain: "www"
    value: "2606:2800:21f:cb07:6820:80da:af6b:8b2c"
    type: "AAAA"
  }
]

Discovery and querying options​

Discover all exposed hosts on a network:

cnquery shell shodan --networks "192.168.0.0/20" --discover hosts

Connect to a specific IP address and display all open ports:

cnquery shell shodan host 8.8.8.8

Connect to a domain and display subdomains:

cnquery shell shodan domain example.com

Discover Kubernetes manifests in GitHub and GitLab​

Extend your discovery of IaC assets in your GitHub and GitLab repositories or projects to include Kubernetes manifests: With one command, Mondoo tracks down all your manifest files, no matter where they're hiding.

cnquery scan gitlab --group mondoolabs --discover k8s-manifests
cnspec scan github organization MY_ORG --discover k8s-manifests

Directly scan and query SBOM files​

cnquery now lets you directly query SBOM file content as if the files were real running assets:

cnquery shell sbom cyclonedx_file.json

To inspect SBOM content from Docker Hub:

docker buildx imagetools inspect mondoo/client --format "{{json .SBOM }}" | jq '."linux/amd64"."SPDX"' | cnquery shell sbom -

🧹 IMPROVEMENTS​

CIS Google Cloud Foundations 3.0​

Secure your Google Cloud infrastructure with the latest recommendations from the Center for Internet Security (CIS). This updated policy includes new checks as well as updated audit and remediation steps to match the latest Google Cloud console experience.

Expanded FreeBSD end of life information​

Plan your FreeBSD upgrades with expanded EOL detection for FreeBSD 13.2 and 14.0.

Resource updates​

aws.eks.cluster​

  • New nodeGroups field exposing a new aws.eks.nodegroup resource

aws.elb.loadbalancer​

  • New targetGroups field exposing a new aws.elb.targetgroup resource

aws.ec2.instance​

  • New networkInterfaces field exposing a new aws.ec2.networkinterface resource

aws.vpc.natgateway​

  • New subnet field

gcp.project.binaryAuthorization​

  • New resource for inspecting GKE Binary Authorization configuration

gcp.project.sqlservice.instance.settings.ipconfiguration​

  • New sslMode field
  • New enablePrivatePathForGoogleCloudServices field

microsoft.policies.authorizationPolicy​

  • New permissionGrantPoliciesAssigned field under defaultUserRolePermissions

windows.feature​

  • Deprecated in favor of windows.serverFeature, which better describes this as a server-only resource

windows.optionalFeatures​

  • New resource to check for optional Windows features on desktop Windows releases

🐛 BUG FIXES AND UPDATES

  • Improve the output of many complex MQL queries in console check results.
  • Discover all resources when scanning Kubernetes manifests.
  • Fix incorrect asset names when scanning Kubernetes manifests without namespaces.
  • Improve wording in the weekly space summary emails.
  • Improve wording and fix a documentation link in the Jira integration setup page.
  • Fix an error querying the gcp.project.gke.cluster.networkPolicy resource.
  • Fix connection not found errors when scanning some asset types.
  • Improve wording in cnquery and cnspec help.
  • Prevent some operating system scans from showing up as "other" operating systems in the console.
  • Don't fail discovery when a single VMware ESXi host cannot be reached.
  • Remove non-functional sorting by risk factors in tables.
  • Add a "Type" column in search results when filtering by "All" so it's more clear if entries are assets, checks, or CVEs.
  • Fix missing "Space" column information in search when searching at the organization level.
  • Add the "Ensure user consent to apps accessing company data on their behalf is not allowed" check to the CIS Microsoft 365 Foundations Benchmark policy.

Mondoo 11.6 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 11.6 is out! This release includes AWS CloudFormation template scanning, Terraform plan discovery in GitHub, updated CIS content, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

AWS CloudFormation and SAM template scanning​

Catch security issues before they reach production with scanning of JSON and YAML formatted CloudFormation templates and Serverless Application Model (SAM) templates.

cnquery shell cloudformation providers/cloudformation/testdata/cloudformation.yaml
→ loaded configuration from /Users/chris/.config/mondoo/mondoo.yml using source default
→ connected to AWS CloudFormation
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondoo™      |_|                |___/  interactive shell

cnquery> asset { name platform }
asset: {
  platform: "cloudformation"
  name: "CloudFormation Static Analysis cloudformation"
}

cnquery> cloudformation.template { * }
cloudformation.template: {
  mappings: {
    RegionMap: {
      ap-northeast-1: {
        AMI: "ami-06cd52961ce9f0d85"
      }
      ap-southeast-1: {
        AMI: "ami-08569b978cc4dfa10"
      }
      ap-southeast-2: {
        AMI: "ami-09b42976632b27e9b"
      }
      eu-west-1: {
        AMI: "ami-047bb4163c506cd98"
      }
      sa-east-1: {
        AMI: "ami-07b14488da8ea02a0"
      }
      us-east-1: {
        AMI: "ami-0ff8a91507f77f867"
      }
      us-west-1: {
        AMI: "ami-0bdb828fd58c52235"
      }
      us-west-2: {
        AMI: "ami-a0cfeed8"
      }
    }
  }
  parameters: {
    EnvType: {
      AllowedValues: [
        0: "prod"
        1: "dev"
        2: "test"
      ]
      ConstraintDescription: "must specify prod, dev, or test."
      Default: "test"
      Description: "Environment type."
      Type: "String"
    }
  }
  resources: [
    0: cloudformation.resource name="EC2Instance"
    1: cloudformation.resource name="MountPoint"
    2: cloudformation.resource name="NewVolume"
  ]
  globals: {}
  metadata: {}
  conditions: {
    CreateDevResources: {
      Fn::Equals: [
        0: {
          Ref: "EnvType"
        }
        1: "dev"
      ]
    }
    CreateProdResources: {
      Fn::Equals: [
        0: {
          Ref: "EnvType"
        }
        1: "prod"
      ]
    }
  }
  description: ""
  types: [
    0: "AWS::EC2::Instance"
    1: "AWS::EC2::VolumeAttachment"
    2: "AWS::EC2::Volume"
  ]
  transform: null
  outputs: []
  version: "2010-09-09"
}

Stay tuned for expanded CloudFormation support in Mondoo including detection of templates in GitHub and GitLab repositories and out-of-the-box security policy support.

Discover Terraform plans in GitHub repositories​

Not sure where your IaC code lives? With automatic Terraform plan file discovery in GitHub repositories, it doesn't matter. Scan your entire organization and let Mondoo do the heavy lifting: It automatically finds and scans each file.

cnspec scan github organization MY_ORG --discover repository,terraform

🧹 IMPROVEMENTS​

Updated CIS Benchmark policies​

Secure your infrastructure with the latest CIS guidelines including new checks, improved remediation steps, and more reliable queries:

  • CIS Amazon EKS Benchmark v1.5.0
  • CIS Microsoft 365 Foundations Benchmark v3.1.0

Alpine Linux 3.20 support​

Keep your container applications secure with EOL and CVE detection support for Alpine Linux 3.20.

Fedora 41 CVE detection support​

The Fedora 41 development process is just getting started. But if you're on the bleeding edge, Mondoo is ready with EOL and CVE detection support for this upcoming Fedora release.

Improved Arista EOS support​

It's time to dust off your old Network+ certification and get busy with improved Arista support in Mondoo:

  • Find your devices quickly with grouping under "Network Devices" in the inventory list page
  • Understand what you're looking at with FQDN and model number information on the asset overview
  • Explore system configuration with improved resource default values in cnquery shell

New resource: aws.sqs.queues​

We added a resource for Amazon Simple Queue Service (SQS) queues.

🐛 BUG FIXES AND UPDATES

  • Prevent the tls.ciphers resource from hanging if the server returns a Hello Retry Request.
  • Improve reliability of TLS scans by using a secp256r1 curve in the hello, which some servers require.
  • Scan all images in Amazon ECR registries, not just those with tags.
  • Improve rendering of CVEs with short descriptions.
  • Don't show the "Copy Table" button on the Asset Software tab when there is no table shown.
  • Ensure HTTP Security policy does not apply to non-host systems that include a TLS certificate.
  • Fix incorrect CVE pagination on assets.
  • Fix display of remote code exploitation risk badges.
  • Improve risk factor names for clarity.
  • Fix display of tool tips in light mode.
  • Fix sorting of CVEs and advisories on the Assets pages.
  • Improve reliability and memory usage in the Ensure local interactive user dot files access is configured gen CIS Linux policy check.
  • Fix WinRM positives in CIS Windows 2019/2022 WinRM checks.
  • Ensure all items in the asset insights heading are clickable.
  • Fix incorrect breadcrumbs on some pages.
  • Make invitations case insensitive.
  • Fix a false positive CVE detection for Python packages on Fedora.
  • Fix missing vulnerable software on the asset software tabs.
  • Update to the latest Oracle Linux and Linux Mint EOL dates.

Mondoo 11.5 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 11.5 is out! This release includes new full-text search, Mondoo-hosted AWS scanning, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Full-text search of assets, vulnerabilities, policies, and more​

Expand search from just assets to everything in your Mondoo organization. New full-text search allows you to find spaces, assets, checks, CVEs, and vendor advisories with plain text searches.

Curious what Mondoo knows about RDS in your environment? Search for "RDS" to quickly see RDS database instances and the specific RDS checks applied in any space:

Full Text Search for RDS

Scan AWS however you please​

Life is all about choice! At Mondoo we think how you scan your assets should be up to you. That's why we're extending our existing AWS scanning capabilities to include a new Mondoo-hosted AWS integration, allowing you to quickly set up AWS account scanning without the installation of agent code.

Our existing serverless (Lambda) integration is still available. It provides a higher level of security as well as advanced instance scanning capabilities. To help you decide which is best for you, the AWS integration setup page breaks down the pros and cons of each scanning method.

AWS Integration Setup Screen

If you're already using the existing serverless AWS integration, don't feel left out. A whole new integration page management experience awaits you to better expose the current configuration, potential scanning errors, and discovered assets. You can also name your new or existing integrations with more human-friendly titles... because no one should have to remember which 12-digit Amazon account ID belongs to production and which is dev.

AWS Serverless Integration Configuration Tab

🧹 IMPROVEMENTS​

Azure Database for PostgreSQL flexible server support​

Secure your Azure Database for PostgreSQL flexible servers with expanded Azure Database support in Mondoo. Query database instance configuration with the new azure.subscription.postgreSql.flexibleServers resource or ensure proper security settings have been applied with updates to the CIS Azure Foundation benchmark policies and the Mondoo Azure Security policy.

Mondoo Flexible PostgreSQL Asset

Resource improvements​

aws.ec2.instance​

  • New tpmSupport field

aws.ec2.instance.device​

  • Improve default fields displayed in cnquery shell

aws.organization​

  • New accounts field

aws.rds.backupsetting​

  • New resource for RDS DB cluster and instance backup settings

aws.rds.dbcluster​

  • New backupSettings field

aws.rds.dbinstance​

  • New backupSettings field

azure.subscription.postgreSqlService.flexibleServer​

microsoft.group​

  • New groupTypes field
  • New membershipRule field
  • New membershipRuleProcessingState field

ms365.teams.teamsMeetingPolicyConfig​

  • New allowExternalNonTrustedMeetingChat field

ms365.teams.teamsMessagingPolicyConfig​

  • New resource for Microsoft 365 messaging policy

ms365.exchangeonline.reportSubmissionPolicy​

  • New resource for Microsoft 365 report submission policies

ms365.exchangeonline.teamsProtectionPolicy​

  • New resource for Microsoft 365 Teams protection policy

View GitHub integration types​

Quickly find your repository and organization GitHub integrations with a new Type column in the integrations list page.

GitHub Integration Page

GitHub-app-based authentication​

Do you want to scan your GitHub organizations and repos, but don't like the idea of using GitHub API tokens? Now you can scan GitHub organizations and repositories using cnspec and GitHub application authentication.

cnspec scan github org MY_ORG --app-id MY_APP_ID --app-installation-id MY_APP_INSTALL_ID --app-private-key PATH_TO_PEM_FILE

🐛 BUG FIXES AND UPDATES

  • Fix truncated policy names in some CIS benchmark policies.
  • Resolve an error creating service accounts with multiple permissions.
  • Add additional checks to the CIS GKE benchmark policy.
  • Fix handling of host scans with the --insecure flag.
  • Improve handling of semver values in MQL.
  • Prevent a potential memory leak when running as a service.
  • Don't crop the names of longer CIS benchmark policies.
  • Fix space overview tooltip display in light mode.
  • Display "Never" for the last update time when an integration has never run.
  • Improve the display of risk factors on the Vulnerabilities Affected Assets page.
  • Improve spacing on the spaces list page.
  • Fix confusing wording in the EPSS score descriptions.