
Mondoo 8.26 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 8.26 is out! This release includes OCI asset configuration data, improved Compliance Hub results, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

OCI asset configuration overview data

Mondoo now shows configuration data for Oracle Cloud Infrastructure (OCI) Tenancies.

OCI Asset Configuration Data

Filter compliance results by asset type

Compliance Hub now has buttons that let you quickly filter compliance assets by platform type. Because these group buttons in the fleet view were so helpful to users, we added them to compliance as well.

Compliance Hub Asset Groups

🧹 IMPROVEMENTS

Improved Compliance Hub framework completion calculations

When we set out to build Compliance Hub, we wanted to enable teams to quickly assess their compliance posture and track progress as they worked to secure systems and services. After launching Compliance Hub, we received insightful feedback from our users. Based on that feedback, this week we've improved how we report progress towards compliance completion.

Previously we calculated a space's compliance completion by the percentage of all assets that were 100% compliant. In some circumstances, the completion status could remain 0% until the team deployed one last magical fix that made all assets compliant.

Compliance Hub now calculates a space's completion as the average of all control completion percentages. Teams can now see incremental progress with each security improvement they deploy. We think this better reflects the true state of compliance and gives users the small wins they deserve as they work to secure their environments.
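
The difference between the two calculations, as an added example that is not Mondoo's code. It assumes a control's completion is the share of its in-scope assets that pass it; the asset names, control names, and fix order are constructed sample data.

```python
from copy import deepcopy
from statistics import mean

# Constructed sample data (not from Mondoo): results[control][asset] is True
# when the asset passes every check mapped to that control.
SAMPLE = {
    "control-1": {"web-01": False, "db-01": False},
    "control-2": {"web-01": True, "db-01": False},
    "control-3": {"web-01": False, "db-01": True},
    "control-4": {"web-01": True, "db-01": True},
}

# Constructed remediation order: each entry fixes one control on one asset.
FIXES = [
    ("control-1", "web-01"),
    ("control-1", "db-01"),
    ("control-3", "web-01"),
    ("control-2", "db-01"),
]


def asset_based_completion(results):
    """Previous method: percentage of assets that are 100% compliant."""
    assets = {a for per_asset in results.values() for a in per_asset}
    if not assets:
        return 0.0
    compliant = sum(
        all(per_asset[a] for per_asset in results.values() if a in per_asset)
        for a in assets
    )
    return 100.0 * compliant / len(assets)


def control_completion(per_asset):
    """Assumed definition: share of in-scope assets that pass the control."""
    return 100.0 * sum(per_asset.values()) / len(per_asset)


def control_based_completion(results):
    """New method: average of all control completion percentages."""
    # Assumption: a control with no assets in scope is left out of the average.
    scored = [control_completion(p) for p in results.values() if p]
    return mean(scored) if scored else 0.0


def track_progress(results, fixes):
    """Return (asset_based, control_based) before and after each fix."""
    state = deepcopy(results)  # leave the caller's data untouched
    timeline = [(asset_based_completion(state), control_based_completion(state))]
    for control, asset in fixes:
        state[control][asset] = True
        timeline.append(
            (asset_based_completion(state), control_based_completion(state))
        )
    return timeline


if __name__ == "__main__":
    for step, (old, new) in enumerate(track_progress(SAMPLE, FIXES)):
        print(f"after {step} fixes: asset-based {old:5.1f}%  control-based {new:5.1f}%")
```

With this data the asset-based figure stays at 0% through the first two fixes, while the control-based figure rises with every fix.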

Improved Compliance Completion Tracking

Improved CIS policy results

We've reworked many of our bundled CIS benchmark policies to make them more resilient and improve the rendering of scan results:

  • Rework queries in CIS AWS Foundations to improve rendering of results.
  • Improve reliability of Auditd, SELinux, and AppArmor checks in Linux policies.
  • Improve the reliability of the Ensure audit_backlog_limit is sufficient check.
  • Prevent failures in the Ensure permissions on /etc/gshadow are configured check when the file does not exist.
  • Prevent failures in the Ensure cron is restricted to authorized users check when /etc/cron.allow does not exist.
  • Expand the Ensure HTTP server is not installed check for Nginx and lighttpd in addition to Apache2.
  • Add two additional controls to the CIS AWS Foundations benchmark policy.
  • Improve reliability and result output of queries in the CIS GCP and GKE policies.
  • Improve the query output of failing Kubernetes namespaces in the Ensure that all Namespaces have Network Policies defined check.
  • Add missing audit blocks to checks in Kubernetes policies.

🐛 BUG FIXES AND UPDATES

  • Improve rendering of GCP tiles in the fleet view when organizations, projects, and cloud assets have scanned.
  • Fix sorting of assets by count in Security > Policies table when there are checks with 0 assets.
  • Don't show empty Manufacturer or Product configuration data on cloud assets.
  • Add the July 31, 2023 EOL date for FreeBSD 13.1.
  • Remove the unused user settings option "Send me space alerts."
  • Improve performance of reporting first time asset scans.
  • Improve error messages when scanning GCP VM instances/snapshots outside of a GCP environment.
  • Rename Oracle Cloud Infrastructure assets to Oracle Cloud Infrastructure Tenancy to better reflect that these are the OCI tenancies.
  • Show policy descriptions in the registry.
  • Show audit content in asset check pages.

Mondoo 8.25 is out!

· 2 min read
Mondoo Core Team

🥳 Mondoo 8.25 is out! This release includes improvements to Compliance Hub, updated CIS Debian Linux 2.0 Benchmark, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🧹 IMPROVEMENTS

Improved Compliance Hub experience

We've been busy this week rolling out fixes and improvements to make Compliance Hub an even better experience.

  • The first exception on the compliance exceptions tab now automatically expands for easier viewing.
  • Compliance control pages now include tooltips for the completion column.
  • Controls listed in exceptions now link to the individual control pages.
  • The completion column in control pages now supports ascending and descending sorting.
  • The completion percentage shown for frameworks now better reflects progress.
  • There are improved recommendations when there are no checks or assets in a control.
  • Compliance completion bars in Firefox now size properly at all window dimensions.

CIS Debian Linux 10 Benchmark 2.0

CIS Debian Linux 10 Benchmark is updated from 1.0 to 2.0. This is a massive update to the CIS benchmarks for Debian that includes the following changes:

  • 38 controls now have improved descriptions, audit instructions, and remediation steps.
  • 34 new controls now follow the "Ensure service X is not installed" method instead of "Ensure service X is disabled".
  • 58 legacy controls have been removed, including the existing "Ensure service X is disabled" controls mentioned above.

🐛 BUG FIXES AND UPDATES

  • Don't show duplicate checks in the registry when a policy uses variants.
  • Remove a black box displayed in the registry when a policy uses policy variants.
  • Add three additional controls to the CIS Amazon Linux 2023 policies.
  • Improved descriptions and remediation steps in the CIS Distribution Independent Linux Benchmark policies.
  • Log errors for missing API support when scanning GCP organizations and projects instead of failing.
  • Give a unique name to gcp-subnetwork assets that includes the region in the name.
  • Fix the grouping of GCP organizations and projects in the fleet view.
  • Don't attempt to discover GCP projects that are marked for deletion.
  • Don't detect GCP VM instances as VM images.

Mondoo 8.24 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 8.24 is out! This release includes NIST SP 800-171 compliance, CIS AWS Foundations Benchmark 2.0, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

NIST SP 800-171 Framework

Mondoo Compliance Hub now includes the NIST SP 800-171 framework, raising the total number of out-of-the-box compliance frameworks to ten. Each of the 110 controls in this framework automatically maps to the checks in your infrastructure, so with a flip of a switch you can start your NIST SP 800-171 and see where you stand.

Compliance Hub - NIST SP 800-171

🧹 IMPROVEMENTS

Improved asset configuration data for GCP projects

GCP project assets in the fleet now include additional asset configuration data, so you can always understand what's being scanned at a quick glance.

GCP Project Configuration Data

CIS Amazon Web Services (AWS) Foundations Benchmark 2.0

The CIS Amazon Web Services (AWS) Foundations Benchmark is updated to the latest 2.0 release. This updated benchmark includes a number of important updates to make securing your AWS environment easier:

  • Adds a new check to ensure that EC2 metadata service requires IMDSv2
  • Adds a new check to restrict the usage of AWS CloudShell
  • Removes the check that ensures all S3 buckets have encryption at rest enabled because this feature is now enabled automatically
  • 22 updated checks with improved audit and remediation steps

🐛 BUG FIXES AND UPDATES

  • Fix errors determining cloud configuration for containers.
  • Improve slow scan times while waiting on policy data.
  • Resolve a panic loading some queries in the resource explorer.
  • Fix organization overview dashboard to ignore data below 0.
  • Improve reliability of queries in the CIS Distribution Independent Linux Benchmark policy.
  • Update CIS Windows policy scoring to match that of non-Windows CIS benchmarks.
  • Improve the reliability of the GitHub Organization Security and GitHub Repository Security policy SECURITY.md checks.
  • Fix incorrect text on the org and space level service account pages.
  • Improve padding in the asset page configuration tiles.
  • Improve the display of various compliance pages when there is no data.
  • Fix an error in the asset overview data when the cloud could not be properly detected.
  • Fix failures scanning OCI via the integration.
  • Adjust impact scores in the Mondoo Linux Security and CIS Distribution Independent Linux Benchmark policies.
  • Don't show buttons to create new spaces when users only have Viewer privileges.
  • Fix the Kubernetes operator to properly garbage collect old node scans when only node scanning is enabled.
  • Display CVSS 3.1 CVE scores when available.

Mondoo 8.23 is out!

· 2 min read
Mondoo Core Team

🥳 Mondoo 8.23 is out! This release includes Mondoo Compliance Hub, improved asset configuration data, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Compliance Hub

Are you struggling to achieve compliance with frameworks such as SOC 2, HIPAA, BSI, or PCI? Let the new Mondoo Compliance Hub do the heavy lifting for you. It automatically maps all of your existing security scans into the top compliance frameworks, allowing you to quickly view your progress towards compliance. And best of all, you'll never have to take a screenshot for manual evidence gathering again.

Learn more in our Simplifying Compliance: Introducing the Mondoo Compliance Hub blog post.

🧹 IMPROVEMENTS

Improved asset configuration data

Last week we added new asset configuration data to the console, so you can quickly understand what Mondoo is scanning and where to find it in your infrastructure. This week we've improved that experience with an updated layout on the asset pages, improved DB type names for AWS RDS instances, and new data collection on Slack and Okta assets.

VMware policy improvements

  • Update CIS VMware ESXi 6.7 Benchmark from 1.2 to 1.3 with improved audit and remediation steps.
  • Rework queries in CIS ESXi 6.7 and 7.0 benchmarks for improved reliability.

🐛 BUG FIXES AND UPDATES

  • Fix failures loading AWS assets in the console.
  • Fix failure applying MS365 policies.
  • Update the VMware appliance to Debian 12.
  • Improve Linux OpenSSH checks to only run when OpenSSH is installed.
  • Improve Ensure SSH Protocol is set to 2 Linux query to only run on the appropriate OpenSSH releases.
  • Improve Ensure access to the su command is restricted Linux query to account for admin or mondoo users.
  • Improve Postfix queries to also ensure that Postfix is running.
  • Update Linux policies to use the port resource instead of the deprecated socketstats resource.
  • Use bool value and not pointer in aws.ec2.networkacl.entry.egress resource.
  • Fix an issue that made MQL query compilation non-deterministic.
  • Improve support for services on SUSE systems.
  • Fix some package queries hanging on SUSE systems.
  • Don't include ignored checks in the asset "Top Recommended Actions" tile.

Mondoo 8.22 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 8.22 is out! This release includes new asset configuration data, updated CIS policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New asset configuration insights

Have you ever struggled to respond to a security alert because you couldn't locate the asset in your infrastructure? Now with Mondoo, you can quickly track down assets in your environment, thanks to new asset configuration information available in the Mondoo Console. This new configuration data includes important asset metadata such as accounts and regions for cloud assets or make, model, and serial number for physical assets. Mondoo automatically collects this data so you don't have to worry about enabling additional policies or query packs.

Example cloud asset:

Cloud asset configuration information

Example physical asset:

Employee laptop configuration information

🧹 IMPROVEMENTS

See who set up integrations

Want to know whom to thank for setting up infrastructure integrations in Mondoo? Each integration in Mondoo now shows the creator so you can quickly see who's been busy securing infrastructure in your organization.

Integration with username

CIS AWS Foundations Benchmark 2.0

Mondoo now includes the CIS AWS Foundations Benchmark policy version 2.0. This updated release includes two new controls to ensure AWS CloudShell access is restricted and to ensure that instances only allow metadata access via IMDSv2. The policy also includes 22 updated controls with improved audit and remediation steps.

CIS Amazon EKS Benchmark 1.3.0

Mondoo now includes the CIS AWS EKS Benchmark policy 1.3.0. This updated release replaces checks for the deprecated Pod Security Policy system with Pod Security Standards instead. It also includes six updated controls with improved audit and remediation steps.

aws.rds.dbinstance Automatic Upgrade field

The aws.rds.dbinstance MQL resource now includes a new autoMinorVersionUpgrade field that identifies if automatic minor version upgrades are enabled for the RDS instance.

🐛 BUG FIXES AND UPDATES

  • Don't hang waiting on Zypper CLI input when scanning SUSE hosts.
  • Detect SUSE 11 and earlier platforms where /etc/os-release is absent.
  • Fix failures scanning containers on the latest Docker releases.
  • Prevent cnspec service checks from potentially rebooting sys-v init based SUSE 11 and earlier.
  • Fix failures scanning new AWS instances created from the AWS Lambda integration.
  • Fix failing ECR image scans from the AWS Lambda integration.
  • Don't display the Show all policies button on assets when all policies are already showing.
  • Improve the display of current AWS resources from within the AWS Integration page.
  • Stop the packages list in the asset Platform Vulnerabilities tab from reloading twice.
  • Fix a double refresh when selecting asset CVEs.
  • Improve alignment of data on the Platform Vulnerabilities page.
  • Fix Load More pagination on the CVEs page.
  • Fix query results that returned cannot convert primitive with NO type information.
  • Remove empty Impact sections from CIS benchmark policies.
  • Improve MQL query formatting in policies to improve readability.
  • Add a friendly message when an asset has no annotations so it's more clear how to create an annotation.
  • Warn before leaving Risk Actions midway through creating a plan.
  • Fix panics loading some asset data.
  • Improve the display of organization dashboard graphs on tablets.
  • Improve several AWS platform titles.
  • Fix failures using hashi-vault with local inventory files.

Mondoo 8.21 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 8.21 is out! This release includes loads of new CIS policies, performance improvements, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New CIS policies for OCI, OpenShift, and Amazon 2023

We've been busy pulling in the latest CIS policies for your growing infrastructure, with five new policies this week to help you secure the latest platforms:

  • CIS Red Hat OpenShift Container Platform v4 Benchmark - Level 1
  • CIS Red Hat OpenShift Container Platform v4 Benchmark - Level 2
  • CIS Amazon 2023 Benchmark - Level 1
  • CIS Amazon 2023 Benchmark - Level 2
  • CIS Oracle Cloud Infrastructure Foundation Benchmark - Level 1

🧹 IMPROVEMENTS

Improved policy formatting

The cnspec bundle lint command has seen improvements to better handle multi-line queries. These queries will now automatically format on individual lines so you can more easily read your policies.

Before:

mql: "users.where(\n  shell.contains(\"nologin\") == false && shell.contains(\"false\") == false\n  && name != \"sync\" && name != \"shutdown\" && name != \"halt\" \n).list {\n  file(home) {exists}\n}\n"

After:

mql: |
  users.where(
    shell.contains("nologin") == false && shell.contains("false") == false
    && name != "sync" && name != "shutdown" && name != "halt"
  ).list {
    file(home) {exists}
  }

Improved performance

Who doesn't like getting the same thing, only faster? We optimized how we deliver policy data from Mondoo Platform to our clients to make your scans even quicker. Expect to save around 1.5 seconds on each scan. We hope you make the best of this time windfall.

🐛 BUG FIXES AND UPDATES

  • Accept Jira project IDs in any case.
  • Suggest CIS GitHub Benchmark policy after setting up a GitHub integration.
  • Show Debian 11/12 security update repository packages in CVE scan results.
  • Fix assets failing to load in the console under some circumstances.
  • Fix CIS Amazon Linux 2 benchmark policies incorrectly applying to Amazon Linux 2023 hosts.
  • Fix failures when EBS volume scanning Amazon 2023 instances.
  • Fix Oracle Linux 8/9 vulnerability scans showing already installed updates for some packages.
  • Fix typos in the Okta Organization Security policy’s query UIDs. Thanks @moeterich.
  • Improve reliability of data exports when data is malformed.
  • Improve reliability of queries in CIS Windows Benchmark policies.
  • Improve reliability of the chrony and timesyncd checks in the Operational Best Practices for Time Synchronization policy.
  • Improve Jira host validation during the integration setup.
  • Improve policy search results in the registry.
  • Improve consistency of CIS benchmark names and query UIDs.
  • Improve queries in CIS Kubernetes Benchmark policies.
  • Rework CIS policies to include groups for better display in the registry.
  • Show an error if a policy cannot be removed from the registry.

Mondoo 8.20 is out!

· 2 min read
Mondoo Core Team

🥳 Mondoo 8.20 is out! This release includes Azure Blob Storage exports, updated asset inventory data, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Azure Blob Storage exports

Continuously export your Mondoo security scan data to Azure storage blobs where external systems like Splunk can consume it.

Azure Blob Storage Exports

🧹 IMPROVEMENTS

Expanded Linux / macOS inventory packs

The macOS Inventory Pack and Linux Inventory Pack now include additional information to better identify systems in your infrastructure with CPU, memory, storage, and hardware model data collection.

Example output on macOS:

Retrieve the amount of physical memory:
parse.json.params[SPHardwareDataType].first[physical_memory]: "16 GB"

Retrieve the hostname:
os.hostname: "Tim-Smith.local"

Retrieve the machine model identifier:
parse.json.params[SPHardwareDataType].first[machine_model]: "MacBookPro18,3"

Retrieve the machine model name:
parse.json.params[SPHardwareDataType].first[machine_name]: "MacBook Pro"

Retrieve the model part number:
parse.json.params[SPHardwareDataType].first[model_number]: "MKGQ3LL/A"

Retrieve the system serial number:
parse.json.params[SPHardwareDataType].first[serial_number]: "GGJXG21234"

Retrieve the type of CPU:
parse.json.params[SPHardwareDataType].first[chip_type]: "Apple M1 Pro"

Example output on Linux:

Retrieve the size and filesystem type of the root volume:
command.stdout.trim: "56G ext4"

Retrieve the system manufacturer:
machine.baseboard.manufacturer: "ASUSTeK COMPUTER INC."

Retrieve the system product name:
machine.baseboard.product: "H87I-PLUS"

Retrieve the type of CPU:
command.stdout.trim: "Intel(R) Core(TM) i7-4785T CPU @ 2.20GHz"

Retrieve the amount of physical memory:
command.stdout.trim.+: "16636M"

🐛 BUG FIXES AND UPDATES

  • Discover private repos when scanning GitHub organizations.
  • Add --discover organization to the GitHub provider to scan just the organization itself, not repos within the organization.
  • Remove unnecessary AWS tag collection from the AWS global DynamoDB table discovery.
  • Don't collect the root user in "Collect regular user" query pack queries.
  • Add missing impact to CIS GKE Benchmark Level 1.
  • Don't show the unnecessary Mondoo Job Environment platform overview information for Kubernetes assets.
  • Fix the Mondoo Kubernetes Operator to properly report container scanning status.
  • Don't fail a data export if CVE data cannot be found.
  • Ensure that all JSON data in exports can be properly parsed by Splunk.
  • Ensure Azure question packs in the registry show the correct icons.

Mondoo 8.19 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 8.19 is out! This release includes continuous OCI scanning, organization-wide service accounts, massive Windows performance improvements, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Continuous OCI scanning

Continuously scan your Oracle Cloud Infrastructure (OCI) services, all without an agent installation. Set up continuous scanning using your existing local OCI configuration file, and we'll do the rest with full infrastructure scans every 4 hours.

OCI Integration List

Organization-wide service accounts

Need a service account for all your spaces? Now you can create one with organization-wide service accounts, available on the organization settings page. Create new accounts or manage existing accounts with an improved UI to help with cross-team collaboration.

Org Wide Service Account Creation

Scan AWS using assumed roles

Now you can scan your AWS infrastructure by assuming an AWS role:

cnspec scan aws --option role-arn=ROLEARN
cnspec scan aws --option role-arn=ROLEARN --option external-id=EXTERNALID

CIS GitHub Benchmark policy

Secure your GitHub organizations and repos with Mondoo and the new CIS GitHub Benchmark 1.0 policy.

GitHub Benchmark

🧹 IMPROVEMENTS

4.5x Windows speedup with registry improvements

What's better than improvements to the Windows registrykey resource? How about improvements that also make CIS benchmark scans on Windows nearly 4.5 times faster, all while using 25% less memory? It seems like a tall order, but we've entirely reworked registrykey under the hood to give you some huge new benefits Mondoo-wide.

First off, there's a whole new way to interact with registry data. The registrykey resource includes a new items property that greatly improves how data is returned (versus the now deprecated properties field). This new format allows us to return more than just string values, including new binary and multi-line registry value support.

The existing registrykey.properties data that returned just key/value data:

cnspec> registrykey(path: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').properties
registrykey.properties: {
  EnableAuthenticateUserSharing: "0"
  Guid: ""
  NullSessionPipes: ""
  ServiceDll: "%SystemRoot%\\system32\\srvsvc.dll"
  ServiceDllUnloadOnStop: "1"
  autodisconnect: "15"
  enableforcedlogoff: "1"
  enablesecuritysignature: "0"
  requiresecuritysignature: "0"
  restrictnullsessaccess: "1"
}

With registrykey.items you'll get back a wealth of data on each registry key that looks more familiar to regedit users:

cnspec> registrykey(path: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').items { * }
registrykey.items: [
  0: {
    value: "0"
    type: "dword"
    name: "EnableAuthenticateUserSharing"
    path: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
    data: 0
    exists: true
  }
  1: {
    value: ""
    type: "multistring"
    name: "NullSessionPipes"
    path: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
    data: [
      0: ""
    ]
    exists: true
  }
  2: {
    value: "%SystemRoot%\\system32\\srvsvc.dll"
    type: "expandstring"
    name: "ServiceDll"
    path: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
    data: "%SystemRoot%\\system32\\srvsvc.dll"
    exists: true
  }
  3: {
    value: "1"
    type: "dword"
    name: "ServiceDllUnloadOnStop"
    path: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
    data: 1
    exists: true
  }
  ...

What about those under-the-hood improvements? registrykey is entirely rewritten to natively query the Windows registry directly instead of going through PowerShell. This increases performance, reduces memory usage, and works better with antivirus systems that could block Mondoo's use of PowerShell.

Execution of the CIS Windows 2022 Level 1 Member Benchmarks policy running on an AWS t2.large instance:

Mondoo Release   Execution Time        Memory Usage
8.18             1 minute 56 seconds   140.19 MB
8.19             21 seconds            104 MB

Updated CIS AKS Benchmark policy

Both the CIS AKS Benchmark policies are updated from 1.2.0 to 1.3.0. These new versions improve audit/remediation steps and remove checks for the deprecated --protect-kernel-defaults kubelet flag.

🐛 BUG FIXES AND UPDATES

  • Add missing impact scores to CIS GKE policy.
  • Support policy variants in query packs.
  • Improve check titles in Mondoo inventory packs.
  • Improve search results in the security registry.
  • Resolve errors loading CI scan results.
  • Fix errors executing local policies containing variants.
  • Display the create time for export integrations.
  • Fix incorrect EOL date for Windows 2016.
  • Fix failures when setting plans in Risk Actions.
  • Resolve occasional failures logging in using Safari.
  • Fix a failure in certain uses of files.find in policies.

Mondoo 8.18 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 8.18 is out! This release includes new organization-wide API keys, updated CIS benchmark policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Organization-wide API keys

Take your API game from spaces all the way to your organization with new organization-wide API token generation. These tokens have access to the organization and each space within your organization. Automate away!

API Token Generation

🧹 IMPROVEMENTS

Updated CIS benchmark policies

There's nothing better than the most up-to-date security recommendations and this week we're shipping the latest and greatest for MS 365, GKE, and Kubernetes.

Microsoft 365 Foundations Benchmark 2.0

This truly massive update includes 14 new controls and 36 updated controls with improved descriptions and remediation steps. We especially like the new MFA checks that are a must-have for any Microsoft 365 admin.

New controls:

  • Access reviews for high privileged Azure AD roles
  • Ensure two Emergency Access accounts have been defined
  • SharePoint and OneDrive integration with Azure AD B2B
  • Access reviews for Guests E5
  • Microsoft 365 on the web restrictions
  • Restrict non-admin users from creating tenants
  • Ensure custom banned passwords lists are used
  • Idle session timeout
  • Ensure 'Phishing-resistant MFA strength' is required for Administrators
  • Microsoft Authenticator is configured to protect against MFA fatigue
  • Microsoft Azure Management restrictions
  • 'Restrict access to the Azure AD administration portal' is set to 'Yes'
  • Strict protection preset for Priority accounts
  • New recommendation for users tagged as priority accounts

Google Kubernetes Engine Benchmark 1.4.0

The new CIS GKE Benchmark is updated for Kubernetes 1.25 and the latest features in GKE. Say goodbye to legacy Pod Security Policies checks and say hello to a whole new set of controls for Pod Security Standards.

New and updated vanilla Kubernetes CIS Benchmarks

CIS released several Kubernetes benchmarks for vanilla Kubernetes installations, including multiple benchmarks for specific Kubernetes releases and an unversioned benchmark targeting the latest Kubernetes release. Mondoo now includes an updated CIS Kubernetes Benchmark targeting Kubernetes 1.25. If you're running Kubernetes 1.24 and want a version-specific benchmark, apply the new CIS Kubernetes V1.24 Benchmark.

  • CIS Kubernetes V1.24 Benchmark - Level 1 - Worker Node
  • CIS Kubernetes V1.24 Benchmark - Level 2 - Worker Node
  • CIS Kubernetes V1.24 Benchmark - Level 1 - Master Node
  • CIS Kubernetes V1.24 Benchmark - Level 2 - Master Node

🐛 BUG FIXES AND UPDATES

  • Fix detection of services on Raspbian Linux.
  • Fix failures running the Windows CIS policies.
  • Rework all Kubernetes queries in policies for improved reliability.
  • Properly render properties in the Open Registry.
  • Fix policies in the Open Security Registry showing invalid properties.

Mondoo 8.17 is out!

· 5 min read
Mondoo Core Team

🥳 Mondoo 8.17 is out! This release includes new Jira ticketing integration, GCP snapshot scanning, continuous Azure VM scanning, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Atlassian Jira ticketing integration

Exposing critical issues is only half the journey toward a secure and compliant infrastructure. The next step is effectively communicating these findings to the appropriate teams and tracking remediation progress. Take the work out of communicating your findings with Mondoo's new Atlassian Jira integration.

Create Jira ticket

Automatically create issues directly in Atlassian Jira so teams can schedule remediation work within their existing project workflows. Without ever leaving the Mondoo Console, you can create Jira tickets that include all the details necessary for infrastructure owners to remediate findings, even if they don't have access to Mondoo.

Jira project

GCP snapshot scanning

In Mondoo 8.16, we introduced GCP VM instance scanning using snapshots, allowing you to scan running instances without agents or impact on production workloads. This week we're extending our GCP scanning options with support for scanning snapshots by name. With snapshot scanning, you scan different point-in-time snapshots of VMs, giving you deep insights into systems at a particular point in time as well as security over time.

cnquery shell gcp snapshot suse12 --project-id my-project-id
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ found target volume device name=/dev/sdb3
___ _ __ ___ _ __ ___ ___
/ __| '_ \/ __| '_ \ / _ \/ __|
| (__| | | \__ \ |_) | __/ (__
\___|_| |_|___/ .__/ \___|\___|
mondoo™ |_|
cnspec> asset.platform
asset.platform: "sles"
cnspec> asset.version
asset.version: "12.5"
cnspec> packages
packages.list: [
0: package name="release-notes-sles" version="12.5.20200504-3.11.1"
1: package name="libqrencode3" version="3.4.3-1.31"
2: package name="lifecycle-data-sle-module-toolchain" version="1-3.15.1"
3: package name="yast2-firewall" version="3.4.0-6.3.2"
4: package name="recode" version="3.6-663.62"
5: package name="sle-module-legacy-release-POOL" version="12-10.10.1"
6: package name="SuSEfirewall2" version="3.6.312.333-3.13.1"
7: package name="gamin-server" version="0.1.10-11.19"
...

Continuous Azure VM scanning

Scanning Azure VMs is easier than ever with our Azure integration's new continuous VM scanning feature. Automatically scan all VMs in your subscription without needing to deploy agents or change your provisioning process.

To enable VM scanning, select the Scan VMs option during the Azure integration setup.

Scan VMs Option

Mondoo discovers all Linux and Windows VMs in your subscription automatically and scans these VMs using Azure's built-in Run Commands functionality.

Scanned VMs

🧹 IMPROVEMENTS

Use the latest existing snapshot for GCP VM instance scanning

Want to scan GCP VM instances by snapshot, but don't want to wait for a new snapshot to be created? Now you can scan GCP instances using existing VM snapshots with the new --use-latest-snapshot flag.

cnspec scan gcp instance sles12 --project-id my-project-id --zone us-central1-a --use-latest-snapshot
→ no Mondoo configuration file provided. using defaults
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1

sles12 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: C


Asset: sles12
-------------

Checks:
✕ Fail: D 20 Ensure auditing for processes that start prior to auditd is enabled
✕ Fail: D 20 Ensure successful file system mounts are collected
✕ Fail: C 40 Ensure Advanced Intrusion Detection Environment (AIDE) is installed
✓ Pass: A 100 Ensure rsh server is stopped and not enabled
✕ Fail: F 0 Ensure secure permissions on /etc/group- are set
✓ Pass: A 100 Ensure Avahi server is stopped and not enabled
✕ Fail: D 20 Ensure system accounts are non-login
✓ Pass: A 100 Ensure secure permissions on /etc/group are set
! Error: Ensure rsyslog default file permissions configured
✓ Pass: A 100 Ensure prelink is disabled
✓ Pass: A 100 Ensure auditd is installed
✓ Pass: A 100 Ensure X Window System is not installed
! Error: Ensure access to the su command is restricted
✕ Fail: D 20 Ensure session initiation information is collected
✕ Fail: F 0 Ensure broadcast ICMP requests are ignored
✕ Fail: D 20 Ensure login and logout events are collected
...

More asset inventory data on Windows

The cnquery Windows Asset Inventory Pack now includes additional inventory data collection:

  • Installed hotfixes
  • Installed features
  • Windows Computer/System information
  • Expanded network interface information

🐛 BUG FIXES AND UPDATES

  • Add a remediation hint for UFW users to the Linux Security policy. Thanks for this update, @danielwillshare!
  • Add custom metrics to the Mondoo Kubernetes Operator. Thanks for this update, @mariuskimmina!
  • Improve help output in cnspec and cnquery.
  • Fix ignored checks on assets not displaying as ignored.
  • Fix incorrect "Private" status for policies on the Security Policies page.
  • Improve Security Policy tooltips and column names.
  • Remove outdated (ONLINE) status from assets on the Security Policies page.
  • Use the term "checks" instead of "queries" on the Security Policies page.
  • Fix the display of nested queries in the asset resources tab.
  • Fix an incorrect remediation step in the CIS Distribution Independent Linux Benchmark policy.