Skip to main content

Mondoo 11.17 is out!

ยท 5 min read
Tim Smith
Tim Smith
Mondoo Core Team

๐Ÿฅณ Mondoo 11.17 is out! This release includes Dockerfile security, all-new AWS security policies, and piles of new resources!โ€‹

Get this release: Installation Docs | Package Downloads | Docker Container

๐ŸŽ‰ NEW FEATURESโ€‹

New Dockerfile Security policyโ€‹

Secure your container workloads before they run in production with our new Dockerfile Security policy. With automatic Dockerfile discovery in GitHub and GitLab and this new policy, you can evaluate the security of Dockerfiles no matter where they're hiding. Once you've secured your existing files, keep them secure with Dockerfile scanning in CI pipelines.

Dockerfile policy

New CIS AWS Database Services Benchmark policyโ€‹

Keep your most valuable business data secure with the new CIS AWS Database Services benchmark policy. This policy includes security recommendations for Amazon's most popular database services:

  • Amazon Aurora
  • Amazon DynamoDB
  • Amazon ElastiCache
  • Amazon Neptune
  • Amazon RDS
  • Amazon Timestream

New Mondoo Amazon Web Services (AWS) GuardDuty policyโ€‹

Make the most of AWS GuardDuty with our new Mondoo Amazon Web Services (AWS) GuardDuty policy. This policy includes checks to ensure that GuardDuty is properly enabled and configured for EC2, EKS, IAM, Lambda, and S3 security.

Mondoo Amazon Web Services (AWS) IAM Access Analyzer policyโ€‹

Cloud security starts with securing access to critical resources. With the new Mondoo Amazon Web Services (AWS) IAM Access Analyzer policy you can now ensure that IAM Access Analyzer is enabled and properly configured.

๐Ÿงน IMPROVEMENTSโ€‹

Newly certified CIS benchmark policiesโ€‹

Our CIS Red Hat Enterprise Linux, Oracle Linux, AlmaLinux, and Rocky Linux 9 policies are better than ever with updates to improve reliability and query output. Even better, these policies are now certified to pass the rigorous CIS benchmark validation process, so you can be confident they'll secure even the most complex enterprise Linux installations.

Jump right to the pointโ€‹

Now you find what you're looking for with fewer clicks thanks to improved linking behavior on affected assets pages. Links to assets now go directly to the asset result instead of the main asset page, so you can spend your time remediating findings instead of searching for them.

Resource updatesโ€‹

aws.dynamodb.tableโ€‹

  • New items field
  • New latestStreamArn field

aws.elasticacheโ€‹

  • New serverlessCaches field using the new aws.elasticache.serverlessCache resource

aws.guardduty.detectorโ€‹

  • New features field
  • New findings field using the new aws.guardduty.finding resource
  • New tags field
  • Improve performance fetching detector details

aws.iam.accessAnalyzerโ€‹

  • Renamed from aws.accessAnalyzer with backward compatibility for existing policies
  • New findings field using the new aws.iam.accessanalyzer.finding resource

aws.iam.accessanalyzer.analyzerโ€‹

  • New region field
  • Include organization-level analyzers as well as activated but unused analyzers

aws.neptuneโ€‹

  • New resource for the AWS Neptune graph database
  • clusters field using the new aws.neptune.cluster resource
  • instances field using the new aws.neptune.instance resource

aws.rdsโ€‹

  • New allPendingMaintenanceActions field using the new aws.rds.pendingMaintenanceAction resource
  • Deprecate the dbInstances field in favor of a new instances field
  • Deprecate the dbClusters field in favor of a new clusters field

aws.rds.dbcluster and aws.rds.dbinstanceโ€‹

  • New activityStreamMode field
  • New activityStreamStatus field
  • New certificateAuthority field
  • New certificateExpiresAt field
  • New enabledCloudwatchLogsExports field
  • New iamDatabaseAuthentication field
  • New monitoringInterval field
  • New networkType field
  • New preferredBackupWindow field
  • New preferredMaintenanceWindow field
  • Improve performance fetching security groups details
  • Don't include non-RDS engine results

aws.timestream.liveanalyticsโ€‹

  • New resource with databases and tables fields

aws.vpcโ€‹

  • New name field

azure.subscription.cloudDefenderโ€‹

  • Check the pricing tier for the Servers plan when verifying that Azure's Defender for Servers is enabled

microsoft.applicationโ€‹

  • New certificates field using the new microsoft.keyCredential resource
  • New createdAt field
  • New description field
  • New hasExpiredCredentials field
  • New info field
  • New name field
  • New notes field
  • New secrets field using the new microsoft.passwordCredential resource
  • New tags field

microsoft.groupโ€‹

  • New members field

microsoft.userโ€‹

  • New owners field

product.eolโ€‹

Use this new resource to look up end-of-life status for common products. Example:

cnquery> product(name: "php", version: "8.1").releaseCycle { * }
product.releaseCycle: {
  endOfLife: 2025-12-31 01:00:00 +0100 CET
  endOfExtendedSupport: 719528 days
  cycle: "8.1"
  lastReleaseDate: 2024-06-06 02:00:00 +0200 CEST
  name: ""
  link: "https://www.php.net/supported-versions.php"
  latestVersion: "8.1.29"
  endOfActiveSupport: 2023-11-25 01:00:00 +0100 CET
  firstReleaseDate: 2021-11-25 01:00:00 +0100 CET
}

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Fix a false negative result in the CIS Microsoft 365 policy's "Ensure a dynamic group for guest users is created" check.
  • Add VPC name to asset overview information.
  • Don't execute CIS Windows workstation benchmarks on server releases.
  • Improve the default data returned by the k8s.node resource.
  • On the Available Frameworks page, make compliance framework descriptions more concise.
  • Add an AWS CloudFormation policy variant icon on policy pages.
  • Fix missing risk factors in the affected assets views.
  • Show the risk score instead of CVSS scores in asset CVE tables.
  • Allow sorting by risk score in tables.
  • Fix Windows asset information not returning on some Windows releases if WinRM is disabled.