Skip to main content

Mondoo 11.7 is out!

Β· 6 min read
Tim Smith
Mondoo Core Team

πŸ₯³ Mondoo 11.7 is out! This release includes Ansible playbook scanning, Shodan host security querying, updated policies, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container

πŸŽ‰ NEW FEATURES​

Ansible playbook scanning​

Query and secure your Ansible playbooks with cnquery and cnspec using our new ansible provider.

cnquery shell ansible my_playbook.yml
β†’ connected to Ansible Playbook
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondooβ„’      |_|                |___/  interactive shell

cnquery> ansible.plays { tasks }
ansible.plays: [
  0: {
    tasks: [
      0: ansible.task name="ensure apache is at the latest version"
      1: ansible.task name="write the apache config file"
      2: ansible.task name="ensure apache is running"
    ]
  }
]

With this provider, you can create custom security policies to enforce your organizational standards in CI jobs:

policies:
  - uid: ansible-best-practices
    name: Ansible Best Practices
    version: 1.0.0
    authors:
      - name: Mondoo, Inc
        email: hello@mondoo.com
    groups:
      - filters:
          - mql: asset.platform == "ansible"
        checks:
          - uid: mondoo-ansible-block-error-handling
queries:
  - uid: mondoo-ansible-block-error-handling
    title: Ensure Tasks are wrapped in block error handling
    mql: ansible.plays.all(tasks.none(block == empty))

Shodan search engine querying​

Query domain and IP security information in the Shodan search engine with the new shodan provider in cnquery and cnspec.

cnquery shell shodan

For authentication, use the SHODAN_TOKEN environment variable.

export SHODAN_TOKEN="<token>"

Example queries​

Query the base information for a host by IP address:

cnquery> shodan.host("8.8.8.8") { * }
shodan.host: {
  tags: []
  hostnames: [
    0: "dns.google"
  ]
  org: "Google LLC"
  asn: "AS15169"
  ip: "8.8.8.8"
  isp: "Google LLC"
  vulnerabilities: null
  os: null
  ports: [
    0: 443
    1: 53
  ]
}

Query the hostname for an IP address:

cnquery> shodan.host("8.8.8.8").hostnames
shodan.host.hostnames: [
  0: "dns.google"
]

Display all open ports for a host:

cnquery> shodan.host("8.8.8.8").ports
shodan.host.ports: [
  0: 443
  1: 53
]

Query the DNS information for a domain:

cnquery> shodan.domain("example.com") { * }
shodan.domain: {
  name: "example.com"
  nsrecords: [
    0: shodan.nsrecord domain="example.com" subdomain="" type="A"
    1: shodan.nsrecord domain="example.com" subdomain="" type="AAAA"
    2: shodan.nsrecord domain="example.com" subdomain="" type="MX"
    3: shodan.nsrecord domain="example.com" subdomain="" type="NS"
    4: shodan.nsrecord domain="example.com" subdomain="" type="NS"
    5: shodan.nsrecord domain="example.com" subdomain="" type="SOA"
    6: shodan.nsrecord domain="example.com" subdomain="" type="TXT"
    7: shodan.nsrecord domain="example.com" subdomain="" type="TXT"
    8: shodan.nsrecord domain="example.com" subdomain="www" type="A"
    9: shodan.nsrecord domain="example.com" subdomain="www" type="AAAA"
    10: shodan.nsrecord domain="example.com" subdomain="www" type="TXT"
    11: shodan.nsrecord domain="example.com" subdomain="www" type="TXT"
  ]
  tags: [
    0: "ipv6"
    1: "spf"
  ]
  subdomains: [
    0: "www"
  ]
}

Query the DNS NS records for a domain:

cnquery> shodan.domain("example.com").nsrecords.where(type == "NS") { subdomain  type value }
shodan.domain.nsrecords.where: [
  0: {
    type: "NS"
    subdomain: ""
    value: "a.iana-servers.net"
  }
  1: {
    type: "NS"
    subdomain: ""
    value: "b.iana-servers.net"
  }
]

Query the DNS AAAA records for the "www" subdomain:

cnquery> shodan.domain("example.com").nsrecords.where(type == "AAAA").where(subdomain == "www") { subdomain  type value }
shodan.domain.nsrecords.where.where: [
  0: {
    subdomain: "www"
    value: "2606:2800:21f:cb07:6820:80da:af6b:8b2c"
    type: "AAAA"
  }
]

Discovery and querying options​

Discover all exposed hosts on a network:

cnquery shell shodan --networks "192.168.0.0/20" --discover hosts

Connect to a specific IP address and display all open ports:

cnquery shell shodan host 8.8.8.8

Connect to a domain and display subdomains:

cnquery shell shodan domain example.com

Discover Kubernetes manifests in GitHub and GitLab​

Extend your discovery of IaC assets in your GitHub and GitLab repositories or projects to include Kubernetes manifests: With one command, Mondoo tracks down all your manifest files, no matter where they're hiding.

cnquery scan gitlab --group mondoolabs --discover k8s-manifests
cnspec scan github organization MY_ORG --discover k8s-manifests

Directly scan and query SBOM files​

cnquery now lets you directly query SBOM file content as if the files were real running assets:

cnquery shell sbom cyclonedx_file.json

To inspect SBOM content from Docker Hub:

docker buildx imagetools inspect mondoo/client --format "{{json .SBOM }}"  |  jq '."linux/amd64"."SPDX"' |  cnquery shell sbom -

🧹 IMPROVEMENTS​

CIS Google Cloud Foundations 3.0​

Secure your Google Cloud infrastructure with the latest recommendations from the Center for Internet Security (CIS). This updated policy includes new checks as well as updated audit and remediation steps to match the latest Google Cloud console experience.

Expanded FreeBSD end of life information​

Plan your FreeBSD upgrades with expanded EOL detection for FreeBSD 13.2 and 14.0.

Resource updates​

aws.eks.cluster​

  • New nodeGroups field exposing a new aws.eks.nodegroup resource

aws.elb.loadbalancer​

  • New targetGroups field exposing a new aws.elb.targetgroup resource

aws.ec2.instance​

  • New networkInterfaces field exposing a new aws.ec2.networkinterface field

aws.vpc.natgateway​

  • New subnet field

gcp.project.binaryAuthorization​

  • New resource for inspecting GKE Binary Authorization configuration

gcp.project.sqlservice.instance.settings.ipconfiguration​

  • New sslMode field
  • New enablePrivatePathForGoogleCloudServices field

microsoft.policies.authorizationPolicy​

  • New permissionGrantPoliciesAssigned field under defaultUserRolePermissions

windows.feature​

  • Deprecated in favor of windows.serverFeature, which better describes this as a server-only resource

windows.optionalFeatures​

  • New resource to check for optional Windows features on desktop Windows releases

πŸ› BUG FIXES AND UPDATES​

  • Improve the output of many complex MQL queries in console check results.
  • Discover all resources when scanning Kubernetes manifests
  • Fix incorrect asset names when scanning Kubernetes manifests without namespaces
  • Improve wording in the weekly space summary emails.
  • Improve wording and fix a documentation link in the Jira integration setup page.
  • Fix an error querying the gcp.project.gke.cluster.networkPolicy resource.
  • Fix connection not found errors when scanning some asset types.
  • Improve wording in cnquery and cnspec help.
  • Prevent some operating system scans from showing up as "other" operating systems in the console.
  • Don't fail discovery when a single VMware ESXi host cannot be reached.
  • Remove non-functional sorting by risk factors in tables.
  • Add a "Type" column in search results when filtering by "All" so it's more clear if entries are assets, checks, or CVEs.
  • Fix missing "Space" column information in search when searching at the organization level.
  • Add Ensure user consent to apps accessing company data on their behalf is not allowed check to the CIS Microsoft 365 Foundations Benchmark policy.