Skip to main content

Mondoo 3.6.0 is out!

ยท 4 min read
Christoph Hartmann
Christoph Hartmann
Mondoo Core Team

3.6.0โ€‹

๐ŸŽ‰ FEATURES

  • new: add the --discover option and harmonize existing discovery methods

๐Ÿงน IMPROVEMENTS

  • improve: queries labels are more detailed and better reflecting its state
  • improve: updated the Kubernetes Benchmark and Windows 2019 Benchmark
  • improve: added experimental env variable MONDOO_PROCFS to activate procfs use to read processes
  • improve: switch arista transport scheme from aristaeos to arista

๐Ÿ› BUG FIXES AND UPDATES

  • fix: fixes an issue with the k8s:// resolver where the images where not properly detected via mondoo scan -t k8s://
  • fix: fixes an issue where the Windows service start took too long
  • fix: fixes an issue with Linux control that checked the grub 1 and grub 2 bootloader configuration
  • fix: fixes an issue where container images and repositories from registries could not be scanned
  • fix: handle case where suse 15.0 was not properly detected as eol
  • fix: (part two) fallback to /etc/hostname for platform identifier if hostname command is missing e.g on Arch Linux

๐Ÿ—‘ REMOVED:

  • removed: we removed SSH Server Policy, please replace it with the appropriate policy for your environment, eg. DIL

๐Ÿฅณ new --discover option

We introduce a new --discovery and --discover-filter option to mondoo scan and mondoo shell. This allows a more clean separation between transport options via --option and discovery options. As part of this change we also enabled the discovery of container and images for the local docker agent.

Nested Scan for vSphere

mondoo scan -t vsphere://root@192.168.87.7 --discover host-machines,instances --discover-filter moids="HostSystem-ha-host"

# previously this would have been:
mondoo scan -t vsphere://root@192.168.87.7 --option host-machines=true --option instances=true --option moids="HostSystem-ha-host"

Ability to discover all docker container and images

mondoo scan -t docker:// --discover all

Explicit fetch from Container Registry

When users run mondoo scan -t docker://centos:7.8.2003 we try to use the local image from docker engine and fall-back to fetch if from remote. Users can now skip the docker resolve step and tell mondoo to go directly to the registry:

mondoo scan -t cr://centos:7.8.2003

๐Ÿงน switch arista transport scheme from aristaeos to arista

# before
mondoo scan -t aristaeos://admin@192.168.178.154 --ask-pass --insecure
# after
mondoo scan -t arista://admin@192.168.178.154 --ask-pass --insecure

๐Ÿงช experimental procfs implementation

Allow Linux users to opt-into the procfs implementation for processes via:

MONDOO_PROCFS="on" mondoo shell -t ssh://root@$(minikube ip)

๐ŸŽ‰ Kubernetes Server + Agent Scan

To run the mondoo service on each node do the following:

  1. Activate the Kubernetes Benchmark in your space
  2. Download agent credentials
  3. Update the following config
---
# daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: mondoo-daemonset

spec:
  selector:
    matchLabels:
      name: mondoo-daemonset
  template:
    metadata:
      labels:
        name: mondoo-daemonset
    spec:
      tolerations:
        # this toleration is to have the daemonset runnable on master nodes
        # remove it if your masters can't run pods
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      containers:
        - name: mondoo-agent
          image: docker.io/mondoolabs/mondoo
          command: ["mondoo", "serve", "--config", "/etc/opt/mondoo/mondoo.yml"]
          volumeMounts:
            - name: root
              mountPath: /mnt/host/
              readOnly: true
            - name: config
              mountPath: /etc/opt/mondoo/
              readOnly: true
          env:
            - name: DEBUG
              value: "false"
            - name: MONDOO_PROCFS
              value: "on"
      terminationGracePeriodSeconds: 30
      volumes:
        - name: root
          hostPath:
            path: "/"
        - name: config
          configMap:
            name: mondoo-daemonset-config
            items:
              - key: config
                path: mondoo.yml

Use your agent credentials and add them to a config map:

---
# daemonset-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: mondoo-daemonset-config
data:
  config: |
    agentmrn: //agents.api.mondoo.app/spaces/{spaceid}/agents/{agentid}
    api-endpoint: https://api.mondoo.app
    certificate: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    privatekey: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----
    spacemrn: //captain.api.mondoo.app/spaces/upbeat-haslett-916671
    assets:
    - connection: "fs:///mnt/host"
kubectl apply -f daemonset-config.yaml
kubectl apply -f daemonset.yaml

# verify that the service runs
kubectl get pods
NAME                     READY   STATUS      RESTARTS   AGE
mondoo-daemonset-dgrrz   1/1     Running     1          3d10h

๐ŸŽ‰ Equinix API support

This is the first iteration of our Equinix Metal integration. It adds the following:

  • New Equinix Metal transport
  • New resources to check for equinix content

We think it is best to use project-scoped API credentials. During development we run into an issue with the API that we worked around.

To connect to equinix:

export PACKET_AUTH_TOKEN="your_token_here"
mondoo shell -t equinix://projects/aa123456-a11a-b22b-c33c-123ab1cd234

Here are some sample queries:

equinix.metal.project { id name}
equinix.metal.project.users
equinix.metal.project.users { fullName }
equinix.metal.project.sshKeys {id fingerPrint}
equinix.metal.project.devices { hostname }