Skip to main content

Mondoo 5.12.2 is out!

ยท 4 min read
Dominik Richter
Mondoo Core Team

๐Ÿฅณ mondoo 5.12.0 is out!

๐ŸŽ‰ NEW FEATURESโ€‹

TLS resource

We are releasing a new resource that allows you to test remote TLS and SSL connections.

This resource is currently in preview and may be adjusted or expanded in the next month.

Whenever you run the tls resource against a target, we will execute a range of tests with the endpoint to see which features it can support:

tls("mondoo.com") {
  versions
  ciphers
}
tls: {
  versions: [
    0: "tls1.3"
    1: "tls1.2"
  ]
  ciphers: [
    0: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    1: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    2: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
    3: "TLS_CHACHA20_POLY1305_SHA256"
    4: "TLS_AES_128_GCM_SHA256"
    5: "TLS_AES_256_GCM_SHA384"
    6: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    7: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    8: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
  ]
}

Additionally, you can gain access to certificates available on the TLS/SSL endpoint, including the entire certificate chain:

tls("mondoo.com").certificates {
  subject.dn
  issuer.dn
}
tls.certificates: [
  0: {
    subject.dn: "CN=*.edge.easyredir.net"
    issuer.dn: "CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB"
  }
  1: {
    subject.dn: "CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB"
    issuer.dn: "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"
  }
  2: {
    subject.dn: "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"
    issuer.dn: "CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"
  }
]

Port resources

We are also releasing a new resource to allow users to query open ports on their systems. This resource is currently in preview and may be expanded and adjusted in the next month.

ports.list {
  state
  port
  protocol
  process.executable
  user
}
ports.list: [
  0: {
    state: "established"
    user: user id = user/1000/zero
    port: 41260
    protocol: "tcp"
    process.executable: "GeckoMain"
  }
  1: {
    state: "established"
    user: user id = user/1000/zero
    port: 51690
    protocol: "tcp"
    process.executable: "GeckoMain"
  }
  ...

You can simply query listening ports via:

ports.listening {
  port
  protocol
  address
  user
}
ports.listening: [
  0: {
    protocol: "tcp"
    port: 22
    user: user id = user/0/root
    address: "0.0.0.0"
  }
  1: {
    protocol: "tcp"
    port: 443
    user: user id = user/1000/zero
    address: "127.0.0.1"
  }
  ...

Empty fields in MQL resources

Problem: Some resources may have fields that don't have values. So far, this created a challenge in MQL in cases where we couldn't create the resource if its dependencies were null. For example: If we wanted to show a port resource but didn't know its running process.

Solution: Allow resources to be initialized with null fields. When extracting values from it, it will render the entire resource as null instead of printing errors for individual fields:

ports.list {
  port
  process {
    executable
    pid
  }
}

Results in:

ports.list: [
  0: {
    port: 34454
    process: {
      pid: 1121
      executable: "GeckoMain"
    }
  }
  1: {
    port: 68
    process: null
  }
  ...
]

This is in line with the expected behavior in GraphQL.

Comments in MQL

Problem: MQL is oriented around providing querying capabilities found in GraphQL with scripting found in other lightweight languages like JavaScript. The latter had informed our commenting style in MQL, which was limited to //. This created problems where users would try comments via # resulting in broken queries.

Solution: After careful review we decided to switch comments to use # as the preferred commenting style. This both aligns with comments in YAML, thus making policy editing easier, and with GraphQL comments.

At the same time we still support and will continue to support comments via //. These are not recommended and may be auto-formatted in the future, but are available as well.

mondoo {
  # This is the recommended commenting style ๐Ÿคฉ
  version build
}

Shell commands

Problem: When using the shell users would try to hit CTRL + C to clear the line but instead exited the shell. This was unexpected to most as most CLI shells behave differently.

Solution: The Mondoo shell now doesn't exit when you hit CTRL + C anymore. Instead it prints a newline. Additionally, CTRL + D now exits the shell, alongside the already existing exit command. This is in line with most other shell environments we tested.

Additionally you can now hit CTRL + Z to pause the execution and send the Mondoo shell to the background. Like other Linux/macOS/Unix commands, you can restore it using fg in Bash/Zsh/etc.

๐Ÿงน IMPROVEMENTSโ€‹

  • Add basic support for SUSE Linux Enterprise Micro
  • AWS Lambda function is now scheduled to update once every 8 hours instead of hourly
  • ๏ธUse connection hostname as vSphere API hostname so users can distinguish them
  • Agents can now report more error messages to the server, which will ease debugging in the future

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • regex.email has been improved to more accurately capture email addresses