Mondoo 9.5 is out!
π₯³ Mondoo 9.5 is out! This release includes VMware vSphere security advisory detection, expanded AWS/Azure/Okta resources, and more!β
Get this release: Installation Docs | Package Downloads | Docker Container
π NEW FEATURESβ
VMware vSphere CVE detectionβ
Mondoo now includes support for tracking CVEs and security advisories on VMware vSphere installations, so you can keep your most important on-premises assets secure. You'll automatically see CVE/advisory information on VMware vSphere assets in the Mondoo Console and you can scan assets manually on the command line to view this data as well:
cnquery shell vsphere USER@luna.dmz -p FOO
___ _ __ __ _ _ _ ___ _ __ _ _
/ __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| | __/ | | |_| |
\___|_| |_|\__, |\__,_|\___|_| \__, |
mondooβ’ |_| |___/ interactive shell
cnquery> asset.vulnerabilityReport
asset.vulnerabilityReport: {
platform: {
build: "18778458"
name: "vmware-vsphere"
release: "7.0.3"
title: "VMware vSphere 7.0.3"
}
published: "2023-10-26T13:18:39Z"
stats: {
advisories: {}
cves: {}
exploits: {}
packages: {}
}
}
asset.vulnerabilityReport: {
advisories: [
0: {
ID: "VMSA-2022-0004"
Mrn: "//vadvisor.api.mondoo.app/advisories/VMSA-2022-0004"
cves: [
0: {
ID: "CVE-2021-22041"
Mrn: "//vadvisor.api.mondoo.app/cves/CVE-2021-22041"
cvss: [
0: {
score: 4.600000
source: "cve://nvd/2021"
vector: "4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P"
}
]
worstScore: {
score: 4.600000
source: "cve://nvd/2021"
vector: "4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P"
}
}
...
π§Ή IMPROVEMENTSβ
New AWS resource fields and defaultsβ
The aws.vpc.subnet
resource now includes information on the subnet's availability zone so you can better understand where subnets are located.
cnquery> aws.vpcs.first.subnets{*}
aws.vpcs.first.subnets: [
0: {
arn: "arn:aws:ec2:ap-south-1:177043123456:subnet/subnet-b231234"
id: "subnet-b231234"
cidrs: "172.31.16.0/20"
mapPublicIpOnLaunch: true
defaultForAvailabilityZone: true
availabilityZone: "ap-south-1c"
}
...
We've also improved the default values returned by many AWS resources to give you better output in the cnquery shell as well as query packs. These updated defaults expose AWS resource IDs, regions, availability zones, and other metadata that makes understanding your AWS infrastructure easier with Mondoo. Enable the AWS Asset Inventory Pack in your spaces to see this improved asset inventory data today.
Improved resource output for Azureβ
New default values in Azure resources make exploring asset configuration in the cnquery shell or the resource explorer better than ever. You'll see new improved output on Azure VMs that show OS and hardware types. We've also expanded NIC and disk resources to show information such as the disk size/type and the NIC MAC address type.
cnquery> azure.subscription.computeService.vms.first
azure.subscription.computeService.vms.first: azure.subscription.computeService.vm name="Windows-VM-5n6o" location="eastus" properties.hardwareProfile.vmSize="Standard_DS2_v2" properties.storageProfile.osDisk.osType="Windows"
cnquery> azure.subscription.computeService.disks.first
azure.subscription.computeService.disks.first: azure.subscription.computeService.disk name="Windows-VM-OsDisk-5n6o" location="eastus" properties.osType="Windows" properties.diskSizeGB=127.000000 properties.diskState="Attached"
cnquery> azure.subscription.networkService.interfaces.first
azure.subscription.networkService.interfaces.first: azure.subscription.networkService.interface name="Windows-VM-NIC-5n6o" location="eastus" properties.macAddress="60-45-BD-D7-7E-53" properties.nicType="Standard"
Expanded Okta group and role capabilitiesβ
We've expanded the capabilities of our Okta provider and resources to make it easier to query your Okta configuration. You can now query Okta groups along with their roles and members using the okta.groups
resource:
cnspec> okta.groups.where(roles.one(type =="SUPER_ADMIN")) { name roles { * } members members.length < 2 }
okta.groups.where: [
0: {
roles: [
0: {
created: 2023-04-08 22:11:00 +0200 CEST
lastUpdated: 2023-04-08 22:11:00 +0200 CEST
assignmentType: "GROUP"
id: "ABCD1234"
type: "SUPER_ADMIN"
status: "ACTIVE"
label: "Super Administrator"
}
]
name: "Super Admins"
members.length < 2: true
members: [
0: okta.user profile.email="ben@example.com"
]
}
]
You can also check which permissions are assigned to custom roles using the new okta.customRoles
resource:
cnspec> okta.customRoles { * }
okta.customRoles: [
0: {
label: "Custom Role"
id: "abc12345678910"
description: "Custom Role"
permissions: []
}
]
Improved host scanningβ
We've improved host scanning behavior with updates to Mondoo's host
provider as well as the http
and tls
resources used when scanning domains and IPs. These updates make it easier to get started scanning hosts, even when the hosts aren't the best behaving.
- Default to HTTPS when no protocol information was specified on the CLI. For example, with
cnquery shell host mondoo.com
cnquery now assumes HTTPS. - Improve handling of timeouts when checking TLS certs.
- Improve error handling and logging when connecting to hosts, parsing TLS certificates, and checking TLS on non-TLS hosts.
Updated macOS CIS Benchmark policiesβ
It's been just a week since we last updated macOS CIS benchmark policies, but we're back again with new updates including the official release of the CIS macOS 14.0 benchmark. These new benchmarks include improved descriptions/remediation text, more robust queries, and additional checks for Intel Macs. Be sure to check out the improved results in these releases:
- CIS Apple macOS 11.0 Big Sur Benchmark v4.0.0
- CIS Apple macOS 12.0 Monterey Benchmark v3.0.0
- CIS Apple macOS 13.0 Ventura Benchmark v2.0.0
- CIS Apple macOS 14.0 Sonoma Benchmark v1.0.0
Improved Windows EOL datesβ
Windows EOL data in Mondoo Platform now tracks Microsoft's enterprise and education support track, which tends to be about one year later than consumer EOL dates. We've also added Windows 10 22H2, Windows 11 22H2, and Windows 11 23H2 releases so you can track upcoming EOL dates for all your Windows workstations.
Improved field copy behaviorβ
Sometimes a user suggests a fix you just can't pass up. User @xorima told us the copy icon in our text fields was hard to read and made copying important text like client installation commands difficult. We retooled the icon to make it better stand out against the text and have a more clear action when the copy was complete. Thanks @xorima!
π BUG FIXES AND UPDATESβ
- Group Photon OS assets as operating systems in the Mondoo Console.
- Fix data queries not always showing the policy or query pack where they were defined.
- Don't error if the same query pack is specified more than once on the command line.
- Don't fail if a query pack has no queries to run after platform filters are applied.
- Properly filter out unsupported queries in a query pack to avoid failures.
- Map checks from the CIS Distribution Independent Linux benchmark to compliance framework controls.
- Fix cleanup of old assets scanned by the Mondoo Kubernetes operator.
- Handle empty report data in the JUnit cnspec reporter.
- Don't fail scanning a container registry if the container's platform cannot be detected.
- Fix a failure running the
cnspec vuln
command. - Fix an error fetching the
azure.subscription.mySql.server
field. - Fix Microsoft 365 assets grouping under Unclassified Assets in the console inventory page.
- Don't show the Schedule Now button for Jira integrations.
- On the Organization page, sort spaces by name instead of space ID.