Skip to main content

Mondoo 7.4 is out!

ยท 6 min read
Tim Smith
Tim Smith
Mondoo Core Team

๐Ÿฅณ Mondoo 7.4 is out! This release includes Google Workspaces, Slack, and Okta security scanning!โ€‹

Get this release: Installation Docs | Package Downloads | Docker Container


๐ŸŽ‰ NEW FEATURESโ€‹

Builds for Linux on IBM Zโ€‹

Problem: You need to ensure the security of Linux distributions running on IBM Z mainframes.

Solution: Mondoo now includes packages for Ubuntu, SLES, and Red Hat running on IBM Z mainframes. You can find these packages in our releases repository at releases.mondoo.com.

New SaaS scanning capabilitiesโ€‹

Problem: Securing your business isn't just about the servers that your operations run on. It's also critical to safeguard the many SaaS services your teams rely on. How can you extend policies and security practices to protect this critical infrastructure?

Solution: We've expanded our SaaS Security Posture Management (SSPM) capabilities by introducing resources, security policies, and incident response packs for Google Workspace, Okta, and Slack. These new policies let you codify and continuously apply security policies to these critical SaaS services.

Google Workspaceโ€‹

The new googleworkspace MQL resource pack allows you to query the state of your Google Workspace:

cnquery scan googleworkspace --customer-id <CUSTOMER_ID> --impersonated-user-email <EMAIL>
# list all domains
googleworkspace.domains { * }

# list all groups for your Google Workspace customer
googleworkspace.groups { * }

# find the group for a specific email
googleworkspace.groups.where( email == "myemail@example.com") { * }

# list all users for your Google Workspace customer
googleworkspace.users { * }

# search a specific user
googleworkspace.users.where ( primaryEmail == "myuser@example.com") { * }

# find all users that have Slack authorized
googleworkspace.users.where(tokens.one( displayText == "Slack") ) {
fullName
primaryEmail
}

# list all super admins
googleworkspace.report.users.where(security["isSuperAdmin"] == true) { userEmail }

# check that all users are enrolled with MFA
googleworkspace.report.users.all( security["isS2SvEnrolled"] == true )

Oktaโ€‹

The new okta MQL resource pack allows you to query the state of your Okta organization:

cnquery shell okta --organization <ORG_URL> --token <OKTA_TOKEN>
# display information about the org
okta.organization { * }

# display registered applications
okta.applications { * }

# display all users
okta.users { * }

# display policies
okta.policies.password { id name rules { * } }

Slackโ€‹

The new slack MQL resources will allow you to query the state of your Slack workspace.

cnquery shell slack --token <SLACK_TOKEN>
# display team info
slack.team { * }

# display members
slack.users.members { * }

# display bots
slack.users.bots { * }

# display all users
slack.users { * }

# list all users that have no MFA (members + bots)
slack.users.where( has2FA == false) { * }

# list all members that have no MFA
slack.users.members.where( has2FA == false) { * }

# list all conversation and their creator
slack.conversations { name id creator { id name } }

# display user groups (only on Slack paid plan)
slack.userGroups { * }

# display access logs (only on Slack paid plan)
slack.accessLogs { * }

๐Ÿงน IMPROVEMENTSโ€‹

Package CVE support for Fedora 37โ€‹

The Fedora Project team released Fedora 37 this week. Mondoo is ready for upgrades, with CVE scanning support for this new release.

terraform.module now includes the full block for modulesโ€‹

The terraform.module now returns the full block for the module if it is included in the hcl files:

cnquery> terraform.modules { block key }
terraform.modules: [
0: {
key: "consul.consul_servers.security_group_rules"
block: null
}
1: {
key: "consul.consul_servers.security_group_rules.client_security_group_rules"
block: null
}
2: {
key: ""
block: null
}
3: {
key: "consul"
block: terraform.block id = terraform.block/modules.tf/1/1
}
4: {
key: "consul.consul_clients.iam_policies"
block: null
}
5: {
key: "consul.consul_servers"
block: null
}
6: {
key: "gke"
block: terraform.block id = terraform.block/gke.tf/10/1
}
7: {
key: "consul.consul_clients"
block: null
}
8: {
key: "consul.consul_clients.security_group_rules"
block: null
}
9: {
key: "consul.consul_clients.security_group_rules.client_security_group_rules"
block: null
}
10: {
key: "consul.consul_servers.iam_policies"
block: null
}
]

Array deletion in MQLโ€‹

You can now perform array subtraction within MQL. For example:

> [1,2,3,3,4] - [3,4,5]
[1,2]

TLS configuration within the port resourceโ€‹

The ports resource now includes information on any TLS certificates on the port:

cnquery> ports.listening[1] { port tls{*} }
ports.listening[1]: {
port: 8080
tls: {
socket: socket protocol="tcp" port=8080 address="127.0.0.1"
nonSniCertificates: [
certificate serial="3e:44:c8:e3:2c:bc:2a:6e:0a:1f:f8:9e:53:57:69:91:eb:3f:c4:dd" subject.commonName="mondoo.dev" subject.dn="CN=mondoo.dev,OU=n/a,O=Mondoo,L=LA,ST=California,C=US,1.2.840.113549.1.9.1=#0c0e646f6d406d6f6e646f6f2e636f6d"
]
ciphers: [
0: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
1: "TLS_RSA_WITH_AES_256_CCM_8"
2: "TLS_RSA_WITH_AES_128_GCM_SHA256"
3: "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256"
4: "TLS_CHACHA20_POLY1305_SHA256"
5: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
6: "TLS_AES_256_GCM_SHA384"
7: "TLS_RSA_WITH_AES_256_CBC_SHA256"
8: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
9: "TLS_RSA_WITH_AES_128_CBC_SHA"
10: "TLS_RSA_WITH_AES_128_CCM"
11: "TLS_RSA_WITH_AES_128_CCM_8"
12: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
13: "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384"
14: "TLS_AES_128_GCM_SHA256"
15: "TLS_RSA_WITH_ARIA_256_GCM_SHA384"
16: "TLS_RSA_WITH_AES_256_CCM"
17: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
18: "TLS_RSA_WITH_AES_128_CBC_SHA256"
19: "TLS_RSA_WITH_ARIA_128_GCM_SHA256"
20: "TLS_RSA_WITH_AES_256_GCM_SHA384"
21: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
22: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
23: "TLS_RSA_WITH_AES_256_CBC_SHA"
]
versions: [
0: "tls1.3"
1: "tls1.2"
]
params: {
certificates: [
0: id:"certificate:f157279e8a7f6b819e8fbcaaa980f069a318bb9ea90ef9ea0c89204cffae4e94" name:"certificate"
]
ciphers: {
OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: false
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: false
OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: false
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: false
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA: false
SSL_DHE_DSS_WITH_DES_CBC_SHA: false
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: false
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA: false
SSL_DHE_RSA_WITH_DES_CBC_SHA: false
SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: false
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA: false
SSL_DH_DSS_WITH_DES_CBC_SHA: false
SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: false
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA: false
SSL_DH_RSA_WITH_DES_CBC_SHA: false
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA: false
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5: false
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA: false
SSL_DH_anon_WITH_DES_CBC_SHA: false
SSL_DH_anon_WITH_RC4_128_MD5: false
SSL_NULL_WITH_NULL_NULL: false
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: false
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: false
SSL_RSA_EXPORT_WITH_RC4_40_MD5: false
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: false
SSL_RSA_FIPS_WITH_DES_CBC_SHA: false
SSL_RSA_WITH_3DES_EDE_CBC_SHA: false
SSL_RSA_WITH_DES_CBC_SHA: false
SSL_RSA_WITH_IDEA_CBC_SHA: false
SSL_RSA_WITH_NULL_MD5: false
SSL_RSA_WITH_NULL_SHA: false
SSL_RSA_WITH_RC4_128_MD5: false
SSL_RSA_WITH_RC4_128_SHA: false
TLS_AES_128_CCM_8_SHA256: false
TLS_AES_128_CCM_SHA256: false
TLS_AES_128_GCM_SHA256: true
TLS_AES_256_GCM_SHA384: true
TLS_CHACHA20_POLY1305_SHA256: true
TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: false
TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: false
TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: false
TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: false
TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: false
TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: false
TLS_DHE_PSK_WITH_AES_128_CCM: false
TLS_DHE_PSK_WITH_AES_256_CCM: false
TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: false
TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: false
TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: false
TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: false
TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: false
TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: false
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: false
TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: false
TLS_DHE_PSK_WITH_CHACHA20_POLY1305: false
TLS_DHE_RSA_WITH_AES_128_CCM: false
TLS_DHE_RSA_WITH_AES_128_CCM_8: false
... (197 lines left)

Extend Kubernetes queries for ephemeralContainersโ€‹

We've updated our Kubernetes policies to scan the security of ephemeralContainers defined in Kubernetes workloads. This ensures the security of any containers attached to workloads for debugging.

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Significantly reduce memory usage when syncing data to Mondoo Platform.
  • Tag cnspec/cnquery container images on Docker Hub for the major version (7, 8, etc) to match mondoo image tagging.
  • Publish cnspec/cnquery rootless container images to Docker Hub to match mondoo rootless container builds.
  • cnspec -o json now produces properly formatted JSON and includes the policy scores.
  • Resolve errors in some MQL queries using { * } such as docker.containers { * }.
  • Automatically discover Google organizations when --discover is set to auto or the --discover flag is not specified.
  • Resolve authentication failures against Microsoft 365.
  • Update the chevrons in the Fleet view so it's clear when there are hidden lists of assets.
  • Improve CVE pages to show data more reliably.
  • Improve mondoo update reliability on Windows.
  • Update the example setup commands for Debian/Ubuntu on the Integrations page to overwrite repository GPG keys.
  • Improve GitHub Actions examples in the Integrations page.