Skip to main content

Mondoo 5.20.0 is out!

ยท 4 min read
Jay Mundrawala
Mondoo Core Team

๐Ÿฅณ mondoo 5.20.0 is out!

๐ŸŽ‰ NEW FEATURESโ€‹

Support for Terraform Objects

Given a Terraform definition for:

resource "google_compute_instance" "default" {
name = "test"
machine_type = "e2-medium"
zone = "us-central1-a"

boot_disk {
initialize_params {
image = "debian-cloud/debian-9"
}
}

// Local SSD disk
scratch_disk {
interface = "SCSI"
}

metadata = {
enable-oslogin = false
}
}

metadata is a defined object and not a block. The following query requests the arguments:

terraform.resources.where( nameLabel  == "google_compute_instance" ) {
arguments
}

Before this, the metadata was null because key/value pairs have not been parsed:

terraform.resources.where: [
0: {
arguments: {
machine_type: "e2-medium"
metadata: null
name: "test"
zone: "us-central1-a"
}
}
]

With this latest release:

terraform.resources.where[0].arguments: {
machine_type: "e2-medium"
metadata: {
enable-oslogin: true
}
name: "test"
zone: "us-central1-a"
}

Support Linux kernel vault

Storing credentials on disk is not recommended and Mondoo strongly advises doing so for production environments. Therefore we support various vault backends that allow you to store credentials in a secure way.

Given a simple inventory file that scans a Linux machine via SSH and password authentication:

apiVersion: v1
kind: Inventory
metadata:
name: mondoo-ssh-inventory
labels:
environment: production
spec:
assets:
# Linux with password authentication
- id: linux-with-password
connections:
- host: 192.168.178.28
backend: ssh
credentials:
- user: chris
password: password1! # implicit type password

With this inventory, you can scan the machine:

mondoo scan โ€”inventory inventory.yml
โ†’ load inventory inventory=inventory.yml

Of course, we do not want to store credentials in plain text files. In the past we assumed that we can do that via systemd secret service. The problem is that this interface is only working well with Gnome and KDE and is mostly bundled with Desktop environments. This is problematic for headless server.

To solve the issue meet Linux Kernel Key Management:

NOTE: An introduction to [Kernel key management](Kernel key management LWN.net) explains how it works. See keyutils man page for more details

On Debian keyutils need to be present to use the kernel key management:

apt-get install keyutils

Configure Mondooโ€™s vault to use the keyring mondoo-client-vault for secrets:

mondoo vault set mondoo-client-vault โ€”type linux-kernel-keyring
โ†’ set new vault configuration name=mondoo-client-vault
โ†’ stored vault configuration successfully

Mondoo itself stores its configuration for vaults via Linux Kernel Key Management. The configuration is stored in mondoo-cli-keyring keyring and user-vaults key.

keyctl list @u
1 key in keyring:
599473326: --alswrv 1000 1000 keyring: mondoo-cli-keyring

keyctl show 599473326
Keyring
599473326 --alswrv 1000 1000 keyring: mondoo-cli-keyring
988442797 --alswrv 1000 1000 \_ user: user-vaults

Now we need to add a secret for a remove ssh connection. We set mondoo-client-vault as the key ring that Mondoo Client will use.

# The format to add a key is as following
# keyctl add user {desc} {data} @u
keyctl add user 'secret for 192.168.178.28' '{ "user": "chris", "password": "password1!", "type": "password" }' @u
52720293

# Next, lets display the key within the keyring
keyctl list @u
1 key in keyring:
52720293: --alswrv 1000 1000 user: secret for 192.168.178.28

# lets display the created key
keyctl print 52720293
{ "user": "chris", "password": "password1!", "type": "password" }

# Later, we can delete the key from user scope via:
# keyctl purge -p user "secret for 192.168.178.28"

Now we can adapt the inventory:

apiVersion: v1
kind: Inventory
metadata:
name: mondoo-ssh-inventory
labels:
environment: production
spec:
assets:
# Linux with password authentication
- id: linux-with-password
connections:
- host: 192.168.178.28
backend: ssh
credentials:
- secret_id: secret for 192.168.178.28
vault:
name: mondoo-client-vault

๐Ÿงน IMPROVEMENTSโ€‹

  • Add end-of-life information for vSphere 7.0.0
  • Improved handling for miss-configured sudo where SSH connections do not return the platform name properly
  • Asset search is now case insensitive
  • The AWS CloudFormation can be customized when creating the stack

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Fix Linux policies to check correct cron package name based on distribution
  • Fix not found handling in AWS S3 resource. This would cause fields to error out instead of returning null when they were not set
  • Fix awsec2ebs transport to not error out when there are multiple volumes