
Mondoo 7.16 is out!

· 6 min read
Mondoo Core Team

🥳 Mondoo 7.16 is out! This release includes new Azure, GCP, and Microsoft 365 integrations plus a whole new UI experience!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New UI navigation experience

Problem: There are many things you can do in the Mondoo Console, but sometimes it's hard to find what you need.

Solution: We rebuilt the navigation in the Mondoo Console from the ground up to make finding information and navigating your infrastructure easier. We replaced the top navigation tabs with a new navigation menu on the left side of the page. This menu includes frequently accessed sections of the UI that were previously tabs, such as Fleet, CI/CD, Integrations, and Policy Hub.

New UI

Sub-items in the menu make it easier to find what you're looking for without having to navigate through multiple pages. For example, to view Kubernetes integrations you can select Integrations -> Kubernetes in the menu instead of loading the Integrations page and then selecting Kubernetes. This new menu also includes quick access to the Mondoo Vulnerability Database, which was previously buried deep in the Policy Hub. If you're thinking "I didn't know there was a Mondoo Vulnerability Database," well, that's why we have a new menu.

Mondoo Vulnerability Database

We have plenty more planned to fill out this new navigation menu, so stay tuned for new releases.

New GCP, Azure, and Microsoft 365 integrations

Problem: You need to continuously assess the security of all your cloud and SaaS resources.

Solution: You can now configure continuous scanning of GCP, Azure, and even Microsoft 365 services through the Mondoo Console. There's no need to download an agent or deploy any code into your infrastructure. Configure read-only service credentials in the Mondoo Console and let Mondoo do the rest.

New Integrations Page

Manage vault secrets data with cnspec and cnquery

Problem: You want to use a Mondoo inventory file to scan multiple assets, but you also need to securely store any required secrets.

Solution: cnspec and cnquery now include the ability to manage secrets data in vaults directly using the command line.

Given an existing Mondoo inventory file:

kind: Inventory
spec:
  assets:
    - id: 34.122.119.102
      connections:
        - host: 34.122.119.102
          backend: ssh
          credentials:
            - type: password
              user: chris
              password: mypwd

You can use this inventory file to scan all defined assets:

cnspec scan --inventory-file inventory.yml

To store these secrets securely instead of in the inventory file, define a keychain vault:

cnspec vault set mondoo-client-vault --type keyring
→ set new vault configuration name=mondoo-client-vault
→ stored vault configuration successfully

Then confirm that the vault is configured with the vault list command:

cnspec vault list
vault : mondoo-client-vault (keyring)

Next, add your secret to the keychain vault with the vault add-secret command:

cnspec vault add-secret mondoo-client-vault my-linux-user-secret '{ "user": "chris", "type": "password", "password": "mypwd" }'

Now, you can reference the secret from the vault in your inventory:

kind: Inventory
spec:
  assets:
    - id: 34.122.119.102
      connections:
        - host: 34.122.119.102
          backend: ssh
          credentials:
            - secret_id: my-linux-user-secret
              vault:
                name: mondoo-client-vault
                type: keyring

Re-run the scan, and you will see that the secret was picked up:

cnspec scan --inventory-file inventory.yml
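Before an inventory file is committed or shared, it is worth checking that it references secrets through a vault rather than carrying them inline. As an added example (not code from cnspec or from the release notes), the Python below is a line-oriented check that needs no YAML library: it reports credential keys that carry a literal value and confirms whether the file uses secret_id plus a vault block instead. The two embedded inventories are constructed from the before and after files above; the list of keys treated as secrets is this example's own assumption.

```python
"""Flag inline credentials in a Mondoo inventory file before it is committed or shared.

Added example, not part of cnspec: a line-oriented check (no YAML library needed) that reports
credential keys carrying a literal value and tells whether vault references are used instead.
"""
import re
import sys
from typing import List, Tuple

# Constructed samples: the two inventory files from the release notes, before and after the vault change.
PLAINTEXT_INVENTORY = """\
kind: Inventory
spec:
  assets:
    - id: 34.122.119.102
      connections:
        - host: 34.122.119.102
          backend: ssh
          credentials:
            - type: password
              user: chris
              password: mypwd
"""

VAULT_INVENTORY = """\
kind: Inventory
spec:
  assets:
    - id: 34.122.119.102
      connections:
        - host: 34.122.119.102
          backend: ssh
          credentials:
            - secret_id: my-linux-user-secret
              vault:
                name: mondoo-client-vault
                type: keyring
"""

# Credential keys whose literal values belong in a vault, not in the inventory file (assumed list).
# `secret_id:` deliberately does not match: the `secret` alternative must be followed by a colon.
SECRET_LINE = re.compile(
    r"^\s*-?\s*(?P<key>password|private_key|secret|token|bearer)\s*:\s*(?P<value>\S.*)$"
)


def find_plaintext_secrets(inventory_text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for every credential key with a non-empty literal value.

    A value of `|` or `>` starts a YAML block scalar on the following lines and is still a
    literal secret, so it is reported too. An empty or quoted-empty value is not reported.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(inventory_text.splitlines(), start=1):
        m = SECRET_LINE.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip('"').strip("'")
        if value:
            findings.append((lineno, m.group("key")))
    return findings


def uses_vault(inventory_text: str) -> bool:
    """True when credentials are referenced through secret_id and a vault block is declared."""
    has_secret_id = re.search(r"^\s*-?\s*secret_id\s*:", inventory_text, re.M) is not None
    has_vault = re.search(r"^\s*vault\s*:", inventory_text, re.M) is not None
    return has_secret_id and has_vault


def lint(inventory_text: str) -> List[str]:
    """Human-readable messages; an empty list means no inline secrets were found."""
    return [
        f"line {lineno}: '{key}' has a literal value; store it with `cnspec vault add-secret` "
        f"and reference it through secret_id"
        for lineno, key in find_plaintext_secrets(inventory_text)
    ]


if __name__ == "__main__":
    # Usage: python inventory_lint.py inventory.yml  (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PLAINTEXT_INVENTORY
    problems = lint(text)
    for message in problems:
        print(message)
    print("vault references present" if uses_vault(text) else "no vault references found")
    sys.exit(1 if problems else 0)
```

The check is intentionally line based so it can run as a pre-commit hook without extra dependencies; a YAML parser would be the next step if inventories use anchors or flow-style mappings.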

New AWS MQL resources

Problem: You want to write policies to secure your Amazon ECR images and Amazon CloudFront distributions.

Solution: Mondoo now includes new resources for Amazon ECR and CloudFront so you can explore and secure even more of your Amazon infrastructure using MQL.

Querying ECR images:

cnquery> aws.ecr.images { * }
aws.ecr.images: [
  0: {
    registryId: "172746783610"
    tags: [
      0: "latest"
    ]
    digest: "sha256:0c78b32ef7f3b41e3ed3115488d64a6faf7a3cdade2a5eb720092b6e8e0a88ca"
    repoName: "vjtestpriv"
    mediaType: "application/vnd.docker.distribution.manifest.v2+json"
  }
]
cnquery> aws.ecr.publicRepositories { * }
aws.ecr.publicRepositories: []
cnquery> aws.ecr.privateRepositories { * }
aws.ecr.privateRepositories: [
  0: {
    uri: "172746783610.dkr.ecr.us-east-1.amazonaws.com/vjtestpriv"
    public: false
    region: "us-east-1"
    registryId: "172746783610"
    name: "vjtestpriv"
    arn: "arn:aws:ecr:us-east-1:172746783610:repository/vjtestpriv"
    images: [
      0: aws.ecr.image id = vjtestpriv/sha256:0c78b32ef7f3b41e3ed3115488d64a6faf7a3cdade2a5eb720092b6e8e0a88ca
    ]
  }
]

Querying CloudFront distributions and functions:

cnquery> aws.cloudfront { distributions { * } functions { * } }
aws.cloudfront: {
  distributions: [
    0: {
      origins: [
        0: aws.cloudfront.distribution.origin id = 185972265011/test-1be01d1424077260.elb.us-east-1.amazonaws.com
      ]
      status: "Deployed"
      cacheBehaviors: []
      domainName: "d1w4eig1i8et92.cloudfront.net"
      arn: "arn:aws:cloudfront::185972265011:distribution/E3J92HBG5Z8S6Q"
      defaultCacheBehavior: {
        AllowedMethods: {
          CachedMethods: {
            Items: [
              0: "HEAD"
              1: "GET"
            ]
            Quantity: 2.000000
          }
          Items: [
            0: "HEAD"
            1: "GET"
          ]
          Quantity: 2.000000
        }
        CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
        Compress: true
        DefaultTTL: null
        FieldLevelEncryptionId: ""
        ForwardedValues: null
        FunctionAssociations: {
          Items: null
          Quantity: 0.000000
        }
        LambdaFunctionAssociations: {
          Items: null
          Quantity: 0.000000
        }
        MaxTTL: null
        MinTTL: null
        OriginRequestPolicyId: null
        RealtimeLogConfigArn: null
        ResponseHeadersPolicyId: null
        SmoothStreaming: false
        TargetOriginId: "test-1be01d1424077260.elb.us-east-1.amazonaws.com"
        TrustedKeyGroups: {
          Enabled: false
          Items: null
          Quantity: 0.000000
        }
        TrustedSigners: {
          Enabled: false
          Items: null
          Quantity: 0.000000
        }
        ViewerProtocolPolicy: "allow-all"
      }
    }
  ]
  functions: [
    0: {
      status: ""
      arn: "arn:aws:cloudfront:global:185972265011::/functions/vjtest"
      comment: ""
      stage: "DEVELOPMENT"
      name: "vjtest"
      runtime: "cloudfront-js-1.0"
      lastModifiedTime: "2023-01-29T21:07:01Z"
      createdTime: "2023-01-29T21:07:01Z"
    }
  ]
}
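The value of these resources is that their data can be turned into checks. As an added example that is not Mondoo code and not MQL (a real policy would express the same conditions in MQL against aws.cloudfront and aws.ecr), the Python below evaluates records constructed from the cnquery output above. The distribution shown uses the allow-all viewer protocol policy on its default cache behavior, which means CloudFront still serves it over plaintext HTTP, so it is flagged; a public ECR repository would be flagged as well. Field names follow the output above; the set of acceptable viewer policies and the check functions are this example's own.

```python
"""Policy-style checks over CloudFront and ECR records in the shape cnquery returns.

Added example, not Mondoo code or MQL. The sample records are constructed from the cnquery
output in the release notes; only the fields needed for the checks are included.
"""
from typing import Dict, List

# CloudFront viewer protocol policies that do not serve plaintext HTTP (AWS values).
SECURE_VIEWER_POLICIES = {"redirect-to-https", "https-only"}

# Constructed from the aws.cloudfront.distributions output above.
SAMPLE_DISTRIBUTIONS: List[Dict] = [
    {
        "arn": "arn:aws:cloudfront::185972265011:distribution/E3J92HBG5Z8S6Q",
        "domainName": "d1w4eig1i8et92.cloudfront.net",
        "status": "Deployed",
        "defaultCacheBehavior": {
            "ViewerProtocolPolicy": "allow-all",
            "FieldLevelEncryptionId": "",
            "TrustedSigners": {"Enabled": False, "Items": None, "Quantity": 0},
            "TrustedKeyGroups": {"Enabled": False, "Items": None, "Quantity": 0},
        },
    }
]

# Constructed from the aws.ecr.privateRepositories output above.
SAMPLE_REPOSITORIES: List[Dict] = [
    {
        "name": "vjtestpriv",
        "arn": "arn:aws:ecr:us-east-1:172746783610:repository/vjtestpriv",
        "public": False,
        "region": "us-east-1",
    }
]


def check_distribution(dist: Dict) -> List[str]:
    """Return findings for one CloudFront distribution; an empty list means it passes."""
    findings: List[str] = []
    behavior = dist.get("defaultCacheBehavior") or {}
    policy = behavior.get("ViewerProtocolPolicy")
    # allow-all (or a missing value) lets viewers fetch the default behavior over HTTP.
    if policy not in SECURE_VIEWER_POLICIES:
        findings.append(
            f"default cache behavior viewer protocol policy is {policy!r}; "
            f"expected one of {sorted(SECURE_VIEWER_POLICIES)}"
        )
    return findings


def check_repository(repo: Dict) -> List[str]:
    """Return findings for one ECR repository; public repositories are reported."""
    findings: List[str] = []
    if repo.get("public"):
        findings.append("repository is publicly readable")
    return findings


def evaluate(distributions: List[Dict], repositories: List[Dict]) -> Dict[str, List[str]]:
    """Map each failing resource ARN to its findings. Passing resources are omitted."""
    results: Dict[str, List[str]] = {}
    for dist in distributions:
        findings = check_distribution(dist)
        if findings:
            results[dist["arn"]] = findings
    for repo in repositories:
        findings = check_repository(repo)
        if findings:
            results[repo["arn"]] = findings
    return results


if __name__ == "__main__":
    for arn, findings in evaluate(SAMPLE_DISTRIBUTIONS, SAMPLE_REPOSITORIES).items():
        print(arn)
        for finding in findings:
            print(f"  - {finding}")
```

In production the records would come from cnquery (for instance its JSON output) rather than being embedded; the check logic is unchanged.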

GitHub Repository Best Practices policy

Problem: You want to see the state of your GitHub repositories, including both security and best practices violations.

Solution: We split out non-security checks in the GitHub Repository Security by Mondoo policy into a new policy, GitHub Repository Best Practices by Mondoo, so you can report security and best practices issues independently from one another. We've also added a new query to the GitHub Repository Security by Mondoo policy to ensure repositories are configured to use Dependabot to report available updates for package management lock files, GitHub Actions, or Docker base images.

New Policy

🧹 IMPROVEMENTS

Terraform configs now scan as terraform-hcl platform

It wasn't always clear that the terraform platform in the Fleet view referred to Terraform HCL configuration files, so we've renamed the terraform platform to terraform-hcl. Existing assets will continue to scan and display as terraform until they are scanned with an updated client.

Add publicAccessPrevention to gcp.storage.buckets resource

The gcp.storage.buckets resource now includes publicAccessPrevention data. Here's an example of querying this value for all buckets in a project:

gcp.storage.buckets { iamConfiguration['publicAccessPrevention'] }
gcp.storage.buckets: [
  0: {
    iamConfiguration[publicAccessPrevention]: "inherited"
  }
  1: {
    iamConfiguration[publicAccessPrevention]: "inherited"
  }
  2: {
    iamConfiguration[publicAccessPrevention]: "inherited"
  }
  3: {
    iamConfiguration[publicAccessPrevention]: "inherited"
  }
]

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • The + button on the Managed Clients page now properly links to "Server & Endpoint Security" integrations.
  • The platform column in the Managed Clients page now displays platform values
  • Notification bell now indicates the number of unread notifications.
  • Update several integration logos to use high-resolution logos for retina displays.
  • Update integration pages with more consistent headers.
  • Handle errors when setting up integrations.
  • Add back the missing link to documentation on the Kubernetes integration page.
  • Change all references to Amazon AWS to be just AWS. No ATM machines here!
  • Fix the AWS Integration counts on the overview page not always matching actual counts.
  • Improve reliability of results in the CIS Microsoft Azure Foundations and CIS GCP Foundations policies
  • Don't mention the legacy Library name in the Mondoo Vulnerability Database
  • Update VMware examples in the console to use cnspec

Mondoo 7.15 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 7.15 is out! This release includes CSV output support, a new GCP CIS policy, and UI improvements!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

CSV output format for cnquery

Problem: You want to export cnquery results to a spreadsheet for analysis.

Solution: The cnquery CLI can now produce CSV output for import into spreadsheet apps or other systems that parse CSV input.

cnquery scan docker debian:11 --output csv > report.csv

CSV output in spreadsheet

Terraform in the Fleet view

Problem: You want to use cnspec to secure your Terraform code, but it's hard to find Terraform code results when they show up as uncategorized assets.

Solution: A new Terraform section in the Fleet view makes it easy to find all your Terraform scans in one place.

Terraform in the console

🧹 IMPROVEMENTS

Only show applicable controls in the console

Controls that cnspec automatically skipped are no longer shown as disabled in the Mondoo Console. Depending on the policy and the infrastructure scanned, cnspec may skip several dozen controls automatically. This new behavior simplifies the asset controls view and makes it clearer which controls ran and which you disabled.

Improved CLI scanning UX

After launching our updated CLI UX last week, we got loads of great feedback from the community on how we could continue to improve the experience. This week we shipped several improvements to make it easier to read the scan output and to improve the experience when scans fail.

Updated CLI scan behavior

Org names in shared space titles

Differentiating between shared spaces can be difficult if the space names are the same. Shared spaces now include the org and space name, so you can better tell spaces apart.

Shared Spaces with Org names

Updated GCP CIS policy

Mondoo now includes the latest CIS Google Cloud Platform Foundation Benchmark policy, version 2.0.0. This updated policy uses the new resources shipped with the latest versions of cnspec. It includes many new queries as well as audit and remediation steps for all queries.

Install cnspec using Ansible

The Mondoo Ansible role has been updated to make deploying and migrating to cnspec at scale easier. This updated role deploys cnspec and cnquery to new systems and upgrades existing installations to use cnspec and cnquery. Just run this role against systems, and you'll automatically have the latest cnspec release running as a service.

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Enable the Mondoo install script to handle GPG key updates to package repositories to prevent update failures
  • Improve the error message when an incorrect repository is passed to scan github repo
  • Fix a race condition in the cnspec/cnquery scan progress bars
  • Print status of assets that can't be scanned in the progress bars
  • Expose the actual error from GCP when unable to connect to resources
  • Remove an extra warning that was incorrectly printed while scanning Terraform configs
  • Ignore Terraform content in the .terraform directory
  • Properly display policies in Policy Hub that have zero queries
  • Fix links to integration pages from the Service Accounts
  • Improve reliability in some Azure CIS Foundation policy queries
  • Improve the reliability of Kubernetes status in the Kubernetes integration pages
  • Operating system integration pages no longer mention the setup of Mondoo Client
  • Kubernetes Integration page once again enables workload scanning by default
  • Mondoo GitHub action supports scanning GitHub organizations again
  • Fix MQL queries hanging with aliased and direct resource in the same policy
  • Show the scan trigger button on the AWS integrations when they are in an errored state
  • Only call the Google Cloud CLI when scanning GCP if neither project nor project-id was provided
  • Fix errors using the gcp.project.gkeService when a GKE cluster hasn't finished provisioning
  • Fix failures when scanning GCP storage buckets
  • Add projectID to many GCP resources so asset relationships can be determined
  • Deprecate the zone value for GKE clusters in favor of a new location value

Mondoo 7.14 is out!

· 7 min read
Mondoo Core Team

🥳 Mondoo 7.14 is out! This release includes expanded GitHub support, new GCP resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Dive deeper into GitHub

Problem: You need out-of-the-box functionality to help you secure your GitHub organization, repositories, and users.

Solution: We've been busy improving nearly every aspect of the GitHub experience with cnspec, making it easier to apply out-of-the-box policy to secure your GitHub infrastructure and providing the resources and UI experience you need to create custom policies.

The GitHub Organization Security by Mondoo policy has been rewritten from the ground up to focus on critical security settings in your organization and repository. Existing queries focused on open source repository best practices have been removed and replaced with additional security queries to ensure settings like important branch protections are in place.

While building out this updated policy, we realized the various GitHub resources were missing important data necessary to write our out-of-the-box policy and custom policies for your organizations. We made the following changes to improve the GitHub resources:

  • github.repository resources now support repository stargazer counts, repo fork resolution, and support for repository issues.
  • github.organization resource now includes avatar, followers and following data
  • github.user resource is greatly expanded to help examine user accounts
  • github.organization and github.user now support collecting information on gists

Finally, we improved cnquery to make exploring your GitHub infrastructure easier. The cnquery shell github command now shows a list of repositories to examine, making it easier to find the repository you want to explore. We also added a new cnquery shell github user command that lets you examine details on GitHub users using the expanded github.user resource.

Shell GitHub Repository Selection

New and updated GCP Resources

Problem: You want to explore and secure your GCP projects using cnquery and cnspec.

Solution: cnquery and cnspec now include new and improved resources for exploring and securing GCP services:

  • New gcp.project.compute.backendServices resource
  • New gcp.project.monitoring.alertPolicies resource
  • Add access data to gcp.project.bigquery.datasets resource
  • Add accessApprovalSettings data to gcp.organizations and gcp.projects resources
  • Add cryptokeys data to gcp.project.kms.keyrings resource
  • Add network data to gcp.project.dns.policies resource
  • Add storageBucket data to gcp.project.logging.sinks resource
  • Add retentionPolicy data to gcp.project.storage.buckets resource
  • Fix errors when using gcp.project.kms when key status is not available
  • Rename gcp.storage resource to gcp.project.storage

Updated Azure CIS Policy

Problem: You need CIS policies to keep your Azure subscriptions secure and compliant.

Solution: Mondoo now includes the latest CIS Microsoft Azure Foundations Benchmark, version 1.5.0. This updated policy uses the new resources shipped with the latest versions of cnspec and includes many new queries as well as audit and remediation steps for all queries.

Store GCP service account in an inventory file vault

Problem: You want to use an inventory file to store a set of GCP assets to scan, but you don't want to store credentials insecurely in the YAML config.

Solution: You can now store your GCP service account data in a secure inventory vault so you can share inventory files without worrying about credentials. This example inventory file stores the credentials used to access GCP infrastructure using the GCP Berglas project.

apiVersion: v1
kind: Inventory
metadata:
  name: inventory
spec:
  assets:
    - name: cool-stuff
      connections:
        - backend: 13
          credentials:
            - secret_id: storage/random-bucket2/foo
              type: 1
              secret_encoding: 3
          options:
            discover:
              targets:
                - auto
  vault:
    name: gcp-berglas
    type: gcp-berglas
    options:
      project_id: mondoo-dev-262313

You can then run this inventory on the CLI without passing credentials as flags or environment variables:

cnquery scan --inventory-file inv.yaml

JUnit output format for cnspec

Problem: You want to run cnspec in your CI pipelines, but the output is hard to understand.

Solution: The cnspec CLI can now produce JUnit output on the CLI for integration with popular CI/CD platforms such as Jenkins or GitLab:

cnspec scan docker debian:10 --output junit > report.junit
<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="Policy Report for debian:10@edcf96f9d9d9" tests="85" failures="43" errors="0" id="0" time="">
    <testcase name="Ensure auditd is installed" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
    <testcase name="Ensure no duplicate UIDs exist" classname="score"></testcase>
    <testcase name="Ensure root group is empty" classname="score"></testcase>
    <testcase name="Ensure no duplicate group names exist" classname="score"></testcase>
    <testcase name="Ensure source routed packets are not accepted" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
    ...
    <testcase name="Ensure login and logout events are collected" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
  </testsuite>
</testsuites>
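CI platforms render this format, but a pipeline usually also needs a pass/fail decision. As an added example (not part of cnspec), the Python below parses the JUnit XML that cnspec writes, groups test cases into passed, failed and errored, and returns a non-zero exit code when a must-pass check fails or the number of failures exceeds a threshold. The embedded report is a constructed, abridged version of the output above; the `must_pass` and `max_failures` parameters are this example's own.

```python
"""Gate a CI job on a cnspec JUnit report.

Added example, not part of cnspec: reads the XML written by `cnspec scan ... --output junit`
and decides whether the pipeline step should fail.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional

# Constructed sample in the shape shown above, abridged to four checks.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="Policy Report for debian:10@edcf96f9d9d9" tests="4" failures="2" errors="0" id="0" time="">
    <testcase name="Ensure auditd is installed" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
    <testcase name="Ensure no duplicate UIDs exist" classname="score"></testcase>
    <testcase name="Ensure root group is empty" classname="score"></testcase>
    <testcase name="Ensure source routed packets are not accepted" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
  </testsuite>
</testsuites>
"""


def parse_report(xml_text: str) -> Dict[str, List[str]]:
    """Bucket every testcase by its child element: <error> beats <failure>, none means passed."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    buckets: Dict[str, List[str]] = {"passed": [], "failed": [], "errored": []}
    for case in root.iter("testcase"):
        name = case.get("name", "")
        if case.find("error") is not None:
            buckets["errored"].append(name)
        elif case.find("failure") is not None:
            buckets["failed"].append(name)
        else:
            buckets["passed"].append(name)
    return buckets


def gate(xml_text: str, must_pass: Optional[Iterable[str]] = None, max_failures: int = 0) -> int:
    """Return a process exit code: 0 when the report is acceptable, 1 otherwise.

    Errored checks always fail the gate (the scan could not evaluate them), as does any failed
    check listed in must_pass, or more failures than max_failures allows.
    """
    report = parse_report(xml_text)
    required = set(must_pass or ())
    blocking = [name for name in report["failed"] if name in required]
    if report["errored"] or blocking or len(report["failed"]) > max_failures:
        return 1
    return 0


if __name__ == "__main__":
    # Usage: python junit_gate.py report.junit  (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    summary = parse_report(text)
    print(f"passed={len(summary['passed'])} failed={len(summary['failed'])} errored={len(summary['errored'])}")
    for name in summary["failed"]:
        print(f"FAIL {name}")
    sys.exit(gate(text, must_pass=["Ensure auditd is installed"]))
```

A sensible rollout is to start with a generous `max_failures` and an empty `must_pass`, then tighten both as the baseline improves, so the gate reports regressions rather than the whole backlog.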

Multi-Role service accounts

Problem: You need to set additional permissions for your service accounts, but you don't want to give unnecessary permissions by using the owner role.

Solution: You can now assign more than one role to a service account in the console to provide more fine-grained permissions for service accounts. To set permissions on a service account, select the Settings tab, select Service Accounts, select the account you wish to edit, and then select the Permissions button.

Permissions selection modal

Trigger AWS integration scans directly in the console

Problem: Hassle-free continuous scanning of your AWS accounts is great, but sometimes you need to trigger a scan to evaluate the current security state.

Solution: Now you can trigger a one-time scan of your AWS account from the AWS Integration page.

Scan Now in AWS

Filter namespaces to scan in the Kubernetes Operator

Problem: Different teams are responsible for different parts of a Kubernetes cluster and you need to control which namespaces the Mondoo Kubernetes Operator scans.

Solution: Mondoo now gives you more control over which namespaces are scanned by the Kubernetes Operator. Scan all namespaces, scan all namespaces except a list of specific namespaces, or take full control and only scan specified namespaces.

Namespace Filtering

🧹 IMPROVEMENTS

Improved multi-asset scanning CLI

We've reworked how progress bars behave when scanning complex, multi-asset infrastructure such as Kubernetes systems. The new progress bar format lets you see what is currently scanning and the total progress for the cluster scan.

CLI Scan

AWS integrations show asset counts

The AWS integration pages now show the total number of assets at the top of the page, similar to other integration pages.

AWS Integration

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Fix an issue where the fallback to ssh-agent authentication was not working properly
  • Improve client setup instructions in the console to resolve failures
  • Simplify the workstation setup instructions
  • Update Packer integration instructions to use cnspec and the latest Mondoo packer plugin
  • Update long-lived token instructions to use cnspec
  • Make sure that query result data displays in the console scan results
  • Improve the reliability of Kubernetes integration status data in the console
  • Fix the loading of inventory files when cnspec is running in serve mode
  • Fix BSI/CIS/Mondoo Windows policies to account for users on a system that have not yet logged in
  • Improve remediation steps in Mondoo and CIS policies
  • Resolve slow loading times on the integrations tab
  • Fix vendor specific icons not always displaying for policies in Policy Hub
  • Add alias for mondoo login to the existing mondoo register command so that cnspec and mondoo commands match

Mondoo 7.13 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 7.13 is out! This release includes new GCP and Azure resources and cnspec as a service!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New OpenPGP resource

Problem: You want to validate that OpenPGP keys for YUM or APT repositories have not expired.

Solution: You can now use the new OpenPGP resources to validate that repository signing keys are still valid.

cnquery> parse.openpgp(path: "./expires.asc").all( identities.all( signatures.all( keyExpiresIn.days > 30 )))
[ok] value: true

Inspect OpenPGP keys with the following MQL query:

parse.openpgp(path: "./expires.asc") {
  primaryPublicKey { * }
  identities {
    id
    signatures { * }
  }
}

Result from cnquery:

cnquery> parse.openpgp(path: "./expires.asc") { primaryPublicKey { * } identities { id signatures { * } } }
parse.openpgp.list: [
  0: {
    primaryPublicKey: {
      id: "7312FA356E7DB13F"
      bitLength: 4096
      version: 4
      fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
      keyAlgorithm: "rsa"
      creationTime: 2023-01-14 17:24:58 +0100 CET
    }
    identities: [
      0: {
        id: "Test Expiration <test2@example.com>"
        signatures: [
          0: {
            keyAlgorithm: "rsa"
            version: 4
            keyExpiresIn: 363 days 23 hours 43 minutes 5 seconds
            identityName: "Test Expiration <test2@example.com>"
            signatureType: "positive_cert"
            hash: "SHA-256"
            creationTime: 2023-01-14 17:24:58 +0100 CET
            lifetimeSecs: -1
            expiresIn: null
            fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
            keyLifetimeSecs: 31449568
          }
        ]
      }
    ]
  }
]

New GCP and Azure resources

Problem: You want to explore and secure your GCP and Azure cloud accounts using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP and Azure cloud services:

  • NEW azure.cloudDefender.defenderForContainers resource
  • NEW azure.cloudDefender.defenderForServers resource
  • NEW azure.resourceGroups resource
  • NEW gcp.project.cloudFunctions resource
  • NEW gcp.project.cloudRun resource
  • NEW gcp.project.dataproc.clusters resource
  • NEW gcp.project.iam.serviceAccounts resource
  • gcp.bigquery is now gcp.project.bigquery
  • gcp.compute is now gcp.project.compute
  • gcp.dns is now gcp.project.dns
  • gcp.project.compute.networks now includes subnetworks data
  • gcp.project.compute.instances now includes confidentialInstanceConfig data
  • gcp.project.dns.managedZones now includes dnssecConfig data
  • gcp.project.kms.keyrings { cryptokeys { * } } now includes created, nextRotation, rotationPeriod, versionTemplate, labels, importOnly, destroyScheduledDuration, and cryptoKeyBackend data
  • gcp.project now includes commonInstanceMetadata data

See the full documentation for all GCP resources in our GCP Resource Pack docs and Azure Resource Pack docs.

Run cnspec as a service

Problem: You want to move from the existing Mondoo Client to the new and expanded cnspec client to scan your servers, but cnspec can't run as a service.

Solution: You can now run cnspec as a service to continuously scan servers and workstations. cnspec is our next-generation open source client with capabilities not found in the existing Mondoo command line interface (Mondoo Client). We highly recommend that you migrate your systems to this new and improved client as we begin the process of deprecating Mondoo Client.

Learn about cnspec ->

Install cnspec ->

After deploying the cnspec package to your systems, you can migrate to the cnspec service with the following commands on systemd-based Linux hosts:

systemctl stop mondoo.service
systemctl disable mondoo.service
systemctl enable cnspec.service
systemctl start cnspec.service

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Ensure that gcp.project.bigquery resource IDs are always unique.
  • Change the default values in github.repository from id to fullName to make it easier to find repositories.
  • Print labels when running MQL queries that use variables inside blocks.
  • Show an error instead of crashing if the config file contains malformed keys.
  • Avoid a potential crash when running cnspec login on a fresh installation.

Mondoo 7.12 is out!

· 7 min read
Mondoo Core Team

🥳 Mondoo 7.12 is out! This release includes new GCP/Azure resources, new and updated CIS policies, AWS ECS scanning, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New GCP and Azure resources

Problem: You want to explore and secure your GCP and Azure cloud accounts using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP and Azure cloud services:

  • NEW azure.cloudDefender resource
  • NEW azure.sql.server.vulnerabilityassessment resource
  • NEW azure.authorization.roleDefinition resource
  • NEW azure.mysql.flexibleServer resource
  • NEW azure.storage.account.queueService.properties resource
  • NEW azure.storage.account.blobService.properties resource
  • NEW azure.storage.account.tableService.properties resource
  • NEW azure.storage.account.dataProtection resource
  • NEW azure.network.watcher.flowlog resource
  • NEW azure.monitor.diagnosticSettings resource
  • NEW azure.monitor.activitylog resource
  • NEW gcp.project.apiKeys resource
  • NEW gcp.project.essentialContacts resource
  • NEW gcp.project.logging resource
  • NEW gcp.project.sql resource
  • gcp.compute.firewall now includes allowed and denied data
  • gcp.compute.network now includes mode data
  • gcp.project.clusters moved to gcp.project.gke.clusters

See the full documentation for all GCP resources in our GCP Resource Pack docs and Azure Resource Pack docs.

New and updated CIS policies

Problem: Your infrastructure is complex, with an ever growing number of operating systems you need to secure.

Solution: Mondoo now includes the latest macOS and Linux CIS policies with new policies for the latest OS releases.

New CIS policies:

  • CIS Red Hat Enterprise Linux 9 Benchmark 1.0
  • CIS AlmaLinux OS 9 Benchmark 1.0
  • CIS Rocky Linux 9 Benchmark 1.0
  • CIS Oracle Linux 9 Benchmark 1.0
  • CIS Apple macOS 13.0 Ventura Benchmark 1.0.0

Updated CIS policies:

  • CIS CentOS Linux 8 Benchmark updated from 1.0.1 to 2.0.0
  • CIS Oracle Linux 8 Benchmark updated from 1.0.1 to 2.0.0
  • CIS SUSE Linux Enterprise 11 Benchmark updated from 2.0.0 to 2.1.1
  • CIS Apple macOS 10.15 Catalina Benchmark updated from 2.1.0 to 3.0.0
  • CIS Apple macOS 11.0 Big Sur Benchmark updated from 2.1.0 to 3.0.0
  • CIS Apple macOS 12.0 Monterey updated from 1.1.0 to 2.0.0

AWS ECS container scanning

You can now scan all AWS ECS containers when scanning your AWS account with a new --discover flag option, ecs. Use this flag with cnquery and cnspec to explore and secure ECS containers in your infrastructure.

Scan ECS Containers on the CLI

Multiple login methods in the Mondoo Console

Problem: You signed up with your email account, and now you want to sign in with your Google, Microsoft, or GitHub login.

Solution: You can now add multiple authentication methods to your Mondoo Platform account, so you can log in with any combination of email, Microsoft, Google, or GitHub accounts.

To change your login method:

  1. In the top-right corner of the Mondoo Console, select your user icon.
  2. Select User Settings.
  3. In the left navigation, select Security. Under Connected Accounts, you can connect and disconnect accounts to update your login methods.

Managing Connected Accounts

New scan summaries for multiple asset scans

Problem: cnspec scan output gives you quick insight into the security posture of assets. However, when scanning complex systems like Kubernetes clusters with hundreds or thousands of assets, there is often too much data to consume.

Solution: We've developed an all-new summary view for asset scans that allows you to more easily understand the security posture of complex systems like Kubernetes in cnspec.

An example scan of a small Kubernetes cluster:

Scanned 29 assets

Debian GNU/Linux 9 (stretch)
F index.docker.io/library/nginx@f7988fb6c02e
F index.docker.io/library/postgres@3f4441460029

Distroless
B registry.k8s.io/etcd@6f72b8515449
B registry.k8s.io/kube-apiserver@4188262a351f
B registry.k8s.io/kube-controller-manager@d3a06262256f
B registry.k8s.io/kube-proxy@6bf25f038543
B registry.k8s.io/kube-scheduler@f478aa916568

Kubernetes Cluster
F K8s Cluster minikube

Kubernetes DaemonSet
D kube-system/kube-proxy

Kubernetes Deployment
C kube-system/coredns
D luna/luna-frontend
D luna/postgres

Kubernetes Pod
C kube-system/coredns-565d847f94-b4pcx
C kube-system/etcd-minikube
D kube-system/kube-apiserver-minikube
D kube-system/kube-controller-manager-minikube
D kube-system/kube-proxy-bqthk
D kube-system/kube-scheduler-minikube
D kube-system/storage-provisioner
D luna/luna-frontend-7fb96c846b-jjnhz
D luna/luna-frontend-7fb96c846b-tmg95
D luna/luna-frontend-7fb96c846b-xrl6c
D luna/postgres-5bb9d69b96-d9zzg

Kubernetes ReplicaSet
C kube-system/coredns-565d847f94
D luna/luna-frontend-7fb96c846b
D luna/postgres-5bb9d69b96
D luna/postgres-655d75f54b

scratch
U gcr.io/k8s-minikube/storage-provisioner@18eb69d1418e
U registry.k8s.io/coredns/coredns@8e352a029d30

Summary
=======

Score Distribution      Asset Distribution
------------------      ------------------
A    0 assets           Kubernetes ReplicaSet           4
B    5 assets           Kubernetes Pod                 11
C    4 assets           Kubernetes DaemonSet            1
D   15 assets           Distroless                      5
F    3 assets           Kubernetes Cluster              1
U    2 assets           scratch                         2
                        Debian GNU/Linux 9 (stretch)    2
                        Kubernetes Deployment           3

For detailed output, run this scan with "-o full".

See more scan results and asset relationships on the Mondoo Console: https://console.mondoo.com/space/fleet?spaceId=lunalectric-prod-eks

Iterating over keys and values

MQL already supports accessing keys and values via key and value in maps:

> sshd.config.params.where( key == /p/ )
sshd.config.params.where: {
  ChallengeResponseAuthentication: "no"
  Ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
}

We've extended this support to include parsed JSON and YAML structures:

> parse.json("my.json").params.where( value == 1 )
parse.json.params.where: {
  apples: 1.000000
  oranges: 1.000000
}

You can use these structures to quickly filter maps via key and value or to make assertions. For example, you can ensure that certain keys exist:

> parse.json("my.json").params.where( key == /or/ )
parse.json.params.where: {
  "hawthorn berries": 16.000000
  oranges: 1.000000
}

🧹 IMPROVEMENTS

Asset counts on integration tiles

Integration tiles in the integration tab now show a summary of discovered assets, applied policies, and total applied controls. Now you can more easily see where assets are discovered.

Integration Summary

Detect missing asset filters in cnspec bundle lint

cnspec bundle lint now includes a new check to ensure the policy's spec section includes an asset filter. This new check raises an error for policies that have no asset filter defined:

policies:
- uid: mondoo-azure-security
name: Microsoft Azure Security by Mondoo
version: 1.0.0
specs:
- scoring_queries:
mondoo-azure-security-ensure-os-disk-are-encrypted: null
mondoo-azure-security-ssh-access-restricted-from-internet: null

The policy should be updated with an asset filter like this:

policies:
- uid: mondoo-azure-security
name: Microsoft Azure Security by Mondoo
version: 1.0.0
specs:
- asset_filter:
query: |
platform.name == "azure"
platform.kind == "api"
scoring_queries:
mondoo-azure-security-ensure-os-disk-are-encrypted: null
mondoo-azure-security-ssh-access-restricted-from-internet: null

Expanded vault support for storing secrets

cnquery and cnspec now have expanded vault support for short-term secret storage when using inventory files. You can store secrets in an in-memory vault or, through the Berglas project, in GCP Cloud Storage encrypted with GCP KMS.

Example inventory file storing secrets with gcp-berglas:

apiVersion: v1
kind: Inventory
metadata:
  name: inventory
spec:
  assets:
    - name: cool-stuff
      connections:
        - backend: 0
          credentials:
            - secret_id: storage/my-secrets/secret
              type: 1
              secret_encoding: 3
          options:
          discover:
            targets:
              - all
  vault:
    name: gcp-berglas
    type: gcp-berglas
    options:
      project_id: id

Fine-grained control over Azure subscription scanning

You can now control which Azure subscriptions to include in or exclude from a scan with the new --subscriptions and --subscriptions-exclude flags. For example, to run the cnquery shell against all subscriptions except two, exclude those subscriptions explicitly:

cnquery shell azure --subscriptions-exclude=984df67f-fc2e-4ebf-80a2-1234567891011,1e829eb0-e6a3-4c7b-8212-1234567891011

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Show better results for failures in the Google Cloud (GCP) Security by Mondoo policy.
  • Only check SSH server configuration when the SSH server is installed in the Linux Server Security by Mondoo. Thanks. @stdevel!
  • Avoid failures when the Kubernetes Ingress has no certificates.
  • Fix queries in Linux Workstation Security by Mondoo, BSI SYS.1.2 Windows Server, and Amazon Web Services (AWS) Operational Best Practices, CIS Distribution Independent Linux Benchmark, and CIS VMware ESXi 6.7 Benchmark policies that were not executing.
  • Don't show a policy lint error if the policy spec has either scoring queries or data queries attached.
  • Improve reliability when scanning instances using SSM in cnquery, cnspec, and the Mondoo AWS Integration.
  • Better describe when a directory of Terraform or Kubernetes files is scanned.
  • Improve reliability in MQL queries that execute commands concurrently.
  • Don't silently fail to run the socketstats resource when it's not supported.
  • Improve the reliability of scanning ECR images.

Mondoo 7.11 is out!

· 5 min read
Mondoo Core Team

🥳 Mondoo 7.11 is out! This release includes new GCP resources, GitHub Code Scanning of policies, and simplified Windows deployment!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

MQL policy linting

Problem: Custom MQL policies can become large quickly, making it difficult to make sure they are properly formatted.

Solution: cnspec now includes a new cnspec bundle lint command that helps you find incorrectly formatted policies. This new command checks for the following conditions:

  • MQL compile error
  • UID is not valid
  • Missing policy UID
  • Missing policy name
  • No unique policy UID
  • Policy is missing checks
  • Assigned query missing
  • Policy version is missing
  • Policy version is invalid
  • Missing query UID
  • Missing query title
  • No unique query UID
  • Unassigned query

Run linting of policies from CLI
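
The checks above, together with the missing-asset-filter check that Mondoo 7.16 later added to cnspec bundle lint (see the Azure example in the 7.16 notes), are simple enough to reproduce offline. The following is an added example, not Mondoo's code: a stand-alone linter that runs those rules over a bundle already loaded into a dict (in practice you would yaml.safe_load the bundle file first). The MQL compile check is the one rule it does not reproduce. Message wording, the assumed UID character set, and the sample bundle (constructed from the Azure example, with deliberate defects) are all assumptions of this example.

```python
# Added example, not Mondoo's code: mirrors the cnspec bundle lint checks
# (missing/invalid/duplicate UIDs, missing name/title/version, unassigned or
# undefined queries, "policy is missing checks") plus the 7.16 asset-filter
# check. Load a real bundle with yaml.safe_load(open("bundle.yml")) first.
import copy
import re
from collections import Counter
from typing import Any, Dict, List

UID_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$")   # assumed UID charset
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")              # major.minor.patch


def _uid_checks(kind: str, items: List[Dict[str, Any]]) -> List[str]:
    """Missing, invalid and duplicate UIDs; shared by policies and queries."""
    out: List[str] = []
    dupes = {u for u, n in Counter(i.get("uid") for i in items if i.get("uid")).items() if n > 1}
    for item in items:
        uid = item.get("uid")
        if not uid:
            out.append(f"{kind}: missing uid ({item.get('name') or item.get('title') or '?'})")
        elif not UID_RE.match(uid):
            out.append(f"{kind} {uid}: uid is not valid")
        elif uid in dupes:
            out.append(f"{kind} {uid}: uid is not unique")
    return out


def lint_bundle(bundle: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the bundle is clean."""
    policies = bundle.get("policies") or []
    queries = bundle.get("queries") or []
    defined = {q["uid"] for q in queries if q.get("uid")}
    assigned: set = set()
    findings = _uid_checks("policy", policies) + _uid_checks("query", queries)

    for pol in policies:
        label = pol.get("uid") or "<no uid>"
        if not pol.get("name"):
            findings.append(f"policy {label}: missing name")
        version = pol.get("version")
        if version is None:
            findings.append(f"policy {label}: version is missing")
        elif not VERSION_RE.match(str(version)):
            findings.append(f"policy {label}: version {version!r} is invalid")
        has_checks = False
        for idx, spec in enumerate(pol.get("specs") or []):
            if not (spec.get("asset_filter") or {}).get("query"):
                findings.append(f"policy {label}: specs[{idx}] has no asset filter")
            # either scoring or data queries satisfy "policy is missing checks"
            refs = list(spec.get("scoring_queries") or {}) + list(spec.get("data_queries") or {})
            has_checks = has_checks or bool(refs)
            for ref in refs:
                assigned.add(ref)
                if ref not in defined:
                    findings.append(f"policy {label}: assigned query {ref} is not defined")
        if not has_checks:
            findings.append(f"policy {label}: policy is missing checks")

    for q in queries:
        uid = q.get("uid")
        if uid and not q.get("title"):
            findings.append(f"query {uid}: missing title")
        if uid and uid not in assigned:
            findings.append(f"query {uid}: unassigned query")
    return findings


# Constructed sample: the spec has no asset filter, one assigned query is
# undefined, one query is never assigned, and one policy lacks uid/version.
SAMPLE_BUNDLE: Dict[str, Any] = {
    "policies": [
        {"uid": "mondoo-azure-security", "name": "Microsoft Azure Security by Mondoo",
         "version": "1.0.0",
         "specs": [{"scoring_queries": {
             "mondoo-azure-security-ensure-os-disk-are-encrypted": None,
             "mondoo-azure-security-ssh-access-restricted-from-internet": None}}]},
        {"name": "Policy without uid or version", "specs": []},
    ],
    "queries": [
        {"uid": "mondoo-azure-security-ensure-os-disk-are-encrypted",
         "title": "Ensure OS disks are encrypted"},
        {"uid": "mondoo-azure-security-orphaned-query", "title": "Never assigned"},
        {"uid": "Bad UID!", "title": "Invalid characters"},
    ],
}

# The same bundle after the fix the 7.16 notes show (asset_filter added),
# with the missing query defined and the orphaned/invalid ones dropped.
FIXED_BUNDLE = copy.deepcopy(SAMPLE_BUNDLE)
FIXED_BUNDLE["policies"] = FIXED_BUNDLE["policies"][:1]
FIXED_BUNDLE["policies"][0]["specs"][0]["asset_filter"] = {
    "query": 'platform.name == "azure"\nplatform.kind == "api"\n'}
FIXED_BUNDLE["queries"] = FIXED_BUNDLE["queries"][:1] + [
    {"uid": "mondoo-azure-security-ssh-access-restricted-from-internet",
     "title": "Ensure SSH access is restricted from the internet"}]

if __name__ == "__main__":
    for finding in lint_bundle(SAMPLE_BUNDLE) or ["bundle is clean"]:
        print(finding)
```

Run it on the sample and you get eight findings, including the missing asset filter and the undefined ssh-access query; the fixed bundle lints clean. A useful property when wiring this into CI is that every finding names the policy or query it belongs to, which is what lets a SARIF-style annotation point at the right spot.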

But wait, there's more! This new linting works with GitHub Code Scanning through our Mondoo GitHub Action. Applying the updated action scans your repository for Mondoo policies, annotates pull requests with any problems it finds, and even opens GitHub Code Scanning issues for problems.

The action is compact and doesn't require a service account or any other additional setup:

---
name: Lint Policies

on:
  pull_request:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Lint cnspec policies and output SARIF
        uses: mondoohq/actions/cnspec-lint@main
        with:
          path: .
          output-file: "results.sarif"
      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

Two practical notes: if your repository restricts the default GITHUB_TOKEN permissions, the SARIF upload step needs security-events: write, and for supply-chain hygiene pin the action references to a release tag or commit SHA rather than a moving branch such as @main.

This action scans each opened PR and merge, giving you annotations directly in the GitHub UI:

GitHub Annotation

The GitHub Action integrates with GitHub Code Scanning to open GitHub Code Scanning issues for each problem in your policy:

GitHub Code Scanning

New GCP resources

Problem: You want to explore and secure your GCP Pub/Sub and KMS services using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP Pub/Sub and KMS services.

We added new resources to query GCP KMS Key Rings and their cryptographic keys:

cnquery> gcp.project.kms.keyrings { * }
gcp.project.kms.keyrings: [
0: {
resourcePath: "projects/example-project/locations/global/keyRings/testring"
created: 2022-12-19 15:17:46.974842182 +0000 UTC
projectId: "example-project"
cryptokeys: [
0: gcp.project.kmsService.keyring.cryptokey name="testring-key" purpose="ENCRYPT_DECRYPT"
]
name: "testring"
location: "global"
}
]

Inspect details for Crypto Keys:

cnquery> gcp.project.kms.keyrings { name cryptokeys { * } }
gcp.project.kms.keyrings: [
0: {
name: "testring"
cryptokeys: [
0: {
purpose: "ENCRYPT_DECRYPT"
resourcePath: "projects/example-project/locations/global/keyRings/testring/cryptoKeys/testring-key"
versions: [
0: gcp.project.kmsService.keyring.cryptokey.version name="1" state="ENABLED"
]
name: "testring-key"
primary: gcp.project.kmsService.keyring.cryptokey.version name="1" state="ENABLED"
}
]
}
]

We also added support for GCP Pub/Sub subscriptions, topics, and snapshots:

cnquery> gcp.project.pubsub { * }
gcp.project.pubsub: {
topics: [
0: gcp.project.pubsubService.topic name="gke-cluster-event-queue"
]
snapshots: []
projectId: "example-project"
subscriptions: [
0: gcp.project.pubsubService.subscription name="gke-cluster-event-queue-subscription"
]
}

See full documentation for all GCP resources in our GCP Resource Pack docs.

Mondoo installation PowerShell module

Problem: You need to deploy trusted binaries from Mondoo to Windows hosts using Active Directory Group Policy or MDM solutions.

Solution: You can now install Mondoo using the new signed Mondoo.Installer PowerShell module, published on the PowerShell Gallery at https://www.powershellgallery.com/packages/Mondoo.Installer/1.0. Use this signed module to deploy the Mondoo CLIs to managed Windows hosts by running Install-Mondoo.

Install-Module -Name Mondoo.Installer
Install-Mondoo

Because our scripts and binaries are fully signed, rolling out cnquery and cnspec has never been easier. The module checks whether the latest version is already installed and updates to the newest version if required:

PowerShell module installation

After the installation script is complete, cnquery and cnspec are available for use:

cnquery and cnspec installed with PowerShell module

🧹 IMPROVEMENTS

Detect expiring certs in Kubernetes Ingresses

A new Ingress certificates less than 15 days from expiration query in the Kubernetes Best Practices by Mondoo policy detects certificates nearing their expiration date in your Kubernetes cluster. This query looks at all certificates defined in a Kubernetes Ingress resource that are stored as a Secret and fails when the expiration date is less than 15 days away.

Better asset scanning with the Mondoo AWS Lambda integration

The Mondoo AWS integration now scans large and complex AWS environments more reliably:

  • Scan regions with more than 1,000 running instances.
  • Use AWS Instance Connect to scan instances if SSH scans fail.

Add cnquery/cnspec to the integrations page

You can now set up cnquery and cnspec to communicate with Mondoo Platform directly on the Integrations page of the console.

cnspec and cnquery Integrations

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Fix some help descriptions not being displayed.
  • Don't cut off the beginning of some help descriptions.
  • Using two or more search filters in the console requires all filters to match instead of just one.
  • Allow organization owners to delete invites.
  • Improve the default output of the kernel resource.
  • Fix terraform.module not discovering all modules.
  • Fix invalid command examples in some console integration pages.
  • Update Workstation integrations page text to better match terms used by cloud vendors.

Mondoo 7.10 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 7.10 is out! This release includes support for K8s Ingress certificates and a resource for GCP GKE clusters!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New GCP GKE resource

Problem: You've secured your Kubernetes workloads and kubelet configs with Mondoo and NSA Kubernetes security policies, but you need to secure your GKE cluster configuration as well.

Solution: A new gcp.project.clusters resource lets you explore your GKE clusters and write policies to secure your cluster control plane.

cnquery> gcp.project.clusters { * }
gcp.project.clusters: [
0: {
resourceLabels: {}
name: "luna-gke-cluster-2"
projectId: "luna-edge"
locations: [
0: "us-central1-b"
1: "us-central1-c"
2: "us-central1-f"
]
created: 2022-12-15 20:43:41 +0000 +0000
status: "RUNNING"
zone: "us-central1"
description: ""
nodePools: [
0: gcp.project.cluster.nodepool name="generic-pool"
]
loggingService: "logging.googleapis.com/kubernetes"
expirationTime: null
enableKubernetesAlpha: false
initialClusterVersion: "1.24.5-gke.600"
network: "luna-gke-cluster-2"
clusterIpv4Cidr: "10.20.0.0/16"
autopilotEnabled: false
endpoint: "63.192.209.236"
currentMasterVersion: "1.24.5-gke.600"
id: "123abcbcada644fcb3b83c30ea0efcfc3cd6d8f42a814bccbcb3503181e12b5a"
subnetwork: "luna-gke-cluster-2-subnet"
monitoringService: "monitoring.googleapis.com/kubernetes"
}
]

Examine Kubernetes Ingress certificates

Problem: You've secured your Kubernetes Ingresses with the new k8s.ingress resource, but you need to examine and secure the certificates associated with those Ingresses as well.

Solution: A new k8s.ingress.certificates resource allows you to explore and secure certificates associated with Kubernetes Ingress objects.

$ ./cnquery run k8s --discover ingresses -c 'k8s.ingress.certificates{ expiresIn }'
→ discover related assets for 1 asset(s)
→ use cluster name from kube config cluster-name=minikube
→ resolved assets resolved-assets=1
k8s.ingress.certificates: [
0: {
expiresIn: 12 days 2 hours 12 minutes 14 seconds
}
]

🧹 IMPROVEMENTS

Continued migration to cnspec

Our migration from the legacy Mondoo CLI to cnspec continues this week with CI and Kubernetes. CI integration examples in the console now show simpler cnspec steps, and the Mondoo Kubernetes Operator uses the new cnspec container images for all cluster scans. Stay tuned as we continue to migrate to our improved open source cnspec CLI over the coming weeks.

See errors from the Kubernetes operator

Kubernetes integration pages show any errors reported by the Mondoo Kubernetes Operator so you can more easily troubleshoot operator failures.

Kubernetes Integration

Improved help descriptions

cnspec and cnquery now include improved help and resource descriptions: We've improved many command descriptions to help new users, added descriptions for many resources, and removed some invalid resources that were showing up in auto-complete in the cnquery/cnspec shells.

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Fix MachineType error in gcp.compute.instances resource.
  • Fix integer comparisons in MQL failing when resources returned a 32-bit integer instead of the assumed 64-bit integer.
  • Allow users to navigate the console tabs with the keyboard.
  • Allow users to upload policies that use alternative YAML MIME types to the Policy Hub.
  • Fix errors in Ensure default user umask is 027 or more restrictive and Ensure default user umask is configured controls within Mondoo and CIS Linux policies.

Mondoo 7.9 is out!

· 2 min read
Mondoo Core Team

🥳 Mondoo 7.9 is out! This release includes a new Kubernetes Ingress resource and automatic discovery of Amazon ECR registries!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Kubernetes Ingress resource

Problem: You want to ensure the security of Kubernetes Ingresses.

Solution: Mondoo now includes new resources for exploring and securing Kubernetes Ingress objects. New resources support exploring the Ingress objects themselves as well as the HTTP rules in each Ingress.

Example output from the cnspec shell for the new k8s.ingresses resource:

k8s.ingresses: [
0: {
annotations: {}
namespace: "default"
labels: {}
manifest: {
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata: {
creationTimestamp: null
name: "no-tls-ingress"
namespace: "default"
}
spec: {
ingressClassName: "nginx"
rules: [
0: {
host: "api.nexus.info"
http: {
paths: [
0: {
backend: {
resource: {
apiGroup: "k8s.example.io"
kind: "MyKind"
name: "my-resource"
}
}
path: "/"
pathType: "Prefix"
}
]
}
}
...

You can also automatically discover Ingress objects during your cluster scan with the --discover ingresses flag. With this flag, each Ingress object is scanned as an asset available in the Mondoo Console.

Stay tuned for new Ingress security policies and auto-discovery of HTTP/HTTPS endpoints so you can automatically discover incorrectly configured or expiring certificates.

Amazon ECR discovery support

Problem: To scan an AWS ECR registry, you have to know its address.

Solution: The cnquery/cnspec AWS scanner now automatically discovers and scans ECR registries.

Just type cnspec scan aws --discover ecr, or cnspec scan aws --discover all.

🧹 IMPROVEMENTS

Improve EC2 instance discovery

When running cnspec scan aws --discover instances, cnspec now uses EC2 Instance Connect and SSM to connect to and remotely scan EC2 instances.

🐛 BUG FIXES AND UPDATES

  • Improve the reliability of many controls in CIS and Mondoo Linux policies.
  • Change SSM-scanned instances to not show up as "Other" scans.
  • Avoid rate limiting in the AWS Lambda integration by reducing total API calls.
  • Improve help and resource autocomplete text.
  • Remove some unhelpful warning log messages in cnspec and cnquery.
  • Fix the display of long Kubernetes integration names in the Kubernetes integration page.
  • Fix login failures using the latest release of Safari on macOS and iOS.
  • Fix incorrect display of long organization IDs in the create organization window.

Mondoo 7.8 is out!

· 5 min read
Mondoo Core Team

🥳 Mondoo 7.8 is out! This release includes new resources for OS updates, packages, and simpler IaC file scanning!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

More intuitive resource names

Problem: When running cnquery it can be difficult to know which resources are available and what individual resources do.

Solution: We've renamed several resources to better match the objects scanned (rather than the underlying technology). This makes it easier to discover resources and navigate your infrastructure with cnquery.

Updated resource names:

  • msgraph.beta -> microsoft (Microsoft 365 + Azure Active Directory)
  • gcloud -> gcp
  • azurerm -> azure

Don't worry though; the old resource names still work. You don't need to update policies before rolling out this new release.

Software update data for macOS and Windows

Problem: To secure your hosts, you want to find available software updates for all platforms.

Solution: Mondoo now exposes os.updates resource data for macOS and Windows hosts. You can now write cnspec policies to ensure systems are fully patched, or use cnquery to remotely identify unpatched systems.

os.updates: [
0: os.update name="MSU_UPDATE_21G217_patch_12.6.1"
1: os.update name="Command Line Tools beta 3 for Xcode"
2: os.update name="Command Line Tools for Xcode"
3: os.update name="Safari16.1MontereyAuto"
]

Windows MSI package inspection

Problem: The packages installed on your Windows hosts are critical to their security. You want to write a policy that checks for specific packages and package versions.

Solution: Mondoo now includes support for querying MSI packages (and continues to support Appx packages). With cnspec, use the packages resource to write policies enforcing package versions. With cnquery, explore what's installed on hosts:

packages.list: [
0: package name="Python 3.10.4 pip Bootstrap (64-bit)" version="3.10.4150.0"
1: package name="Python 3.10.4 Core Interpreter (64-bit)" version="3.10.4150.0"
2: package name="VMware Tools" version="11.3.0.18090558"
3: package name="Python 3.10.4 Development Libraries (64-bit)" version="3.10.4150.0"
4: package name="Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29913" version="14.28.29913"
5: package name="Python 3.10.4 Utility Scripts (64-bit)" version="3.10.4150.0"
6: package name="Mondoo" version="7.4.0"
7: package name="Python 3.10.4 Test Suite (64-bit)" version="3.10.4150.0"
8: package name="Python 3.10.4 Tcl/Tk Support (64-bit)" version="3.10.4150.0"
9: package name="Python 3.10.4 Documentation (64-bit)" version="3.10.4150.0"
10: package name="Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29913" version="14.28.29913"
11: package name="Python 3.10.4 Executables (64-bit)" version="3.10.4150.0"
12: package name="Python 3.10.4 Standard Library (64-bit)" version="3.10.4150.0"
13: package name="Python 3.10.4 (64-bit)" version="3.10.4150.0"
14: package name="Microsoft Edge" version="108.0.1462.42"
]

Scan all Terraform configs or Kubernetes manifests in directories

Problem: You have a repository full of Terraform configs or Kubernetes manifests you want to scan, but you don't want to scan them one command at a time.

Solution: Let Mondoo do the heavy lifting: Scan your IaC configs by directory. cnspec automatically finds all the relevant files to scan, even those nested deep in directories.

In this example, cnspec scans all of our Lunalectric repositories to find Kubernetes manifest files in the postgresql and frontend repositories, while ignoring other non-Kubernetes YAML files:

cnspec scan k8s dev/lunalectric/
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=5
→ connecting to asset K8s Manifest lunalectric (code)

████████████████████████████████████████ 100% K8s Manifest lunalectric
→ connecting to asset luna/postgres (k8s-object)

████████████████████████████████████████ 100% luna/postgres
→ connecting to asset luna/luna-frontend (k8s-object)

████████████████████████████████████████ 100% luna/luna-frontend
→ connecting to asset luna/postgres (k8s-object)

████████████████████████████████████████ 100% luna/postgres
→ connecting to asset luna/luna-frontend (k8s-object)

████████████████████████████████████████ 100% luna/luna-frontend
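
The discovery step in that scan, as an added example that is not cnspec's own code: walk a repository tree, split every .yaml/.yml file into YAML documents, keep only the documents that carry a top-level apiVersion and kind, and label each Kubernetes object as namespace/name the way the scan output above labels assets (luna/postgres, luna/luna-frontend). Detection is a plain-text heuristic rather than a YAML parser, which is an assumption of this example and not a description of how cnspec does it, and the small Lunalectric-style repository it builds in a temp directory is constructed for the demo. It also reports kinds cnspec's auto discovery would not list, such as Service.

```python
# Added example (not cnspec's code): find Kubernetes manifests in a directory
# tree and list the objects they define, skipping other YAML such as CI
# workflows or docker-compose files. Heuristic regex detection, constructed
# sample repository; only the standard library is used.
import os
import re
import tempfile
from typing import Dict, List, Tuple

DOC_SPLIT = re.compile(r"^---[ \t]*$", re.M)            # YAML document separator
API_RE = re.compile(r"^apiVersion:[ \t]*(\S+)", re.M)   # top-level keys only
KIND_RE = re.compile(r"^kind:[ \t]*(\S+)", re.M)
META_RE = re.compile(r"^metadata:[ \t]*\n((?:[ \t]+.*\n?)*)", re.M)  # indented block


def _meta_field(doc: str, field: str) -> str:
    """Pull metadata.<field> out of one document; '' when absent."""
    block = META_RE.search(doc)
    if not block:
        return ""
    m = re.search(rf'^[ \t]+{field}:[ \t]*"?([^"\n]+?)"?[ \t]*$', block.group(1), re.M)
    return m.group(1) if m else ""


def k8s_objects(text: str) -> List[Tuple[str, str, str]]:
    """(kind, namespace, name) for every document that looks like a K8s object."""
    found = []
    for doc in DOC_SPLIT.split(text):
        if API_RE.search(doc) and KIND_RE.search(doc):
            kind = KIND_RE.search(doc).group(1)
            found.append((kind, _meta_field(doc, "namespace") or "default",
                          _meta_field(doc, "name")))
    return found


def discover_manifests(root: str) -> Dict[str, List[str]]:
    """Map each manifest file (relative to root) to its 'namespace/name' assets."""
    results: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith((".yaml", ".yml")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8") as fh:
                objs = k8s_objects(fh.read())
            if objs:  # non-Kubernetes YAML (CI configs, compose files) is skipped
                results[os.path.relpath(path, root)] = [f"{ns}/{name}" for _k, ns, name in objs]
    return results


# Constructed sample repository: two manifest files (one multi-document) plus
# two YAML files that are not Kubernetes manifests and must be ignored.
SAMPLE_FILES = {
    "postgresql/k8s/postgres.yaml": (
        "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: postgres\n"
        "  namespace: luna\nspec: {}\n---\napiVersion: v1\nkind: Service\n"
        "metadata:\n  name: postgres\n  namespace: luna\n"
    ),
    "frontend/deploy/luna-frontend.yml": (
        "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: luna-frontend\n"
        "  namespace: luna\n"
    ),
    ".github/workflows/ci.yml": "name: CI\non:\n  push:\njobs:\n  build:\n    runs-on: ubuntu-latest\n",
    "frontend/docker-compose.yaml": "version: '3'\nservices:\n  web:\n    image: nginx\n",
}


def build_sample_repo() -> str:
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="lunalectric-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for file, assets in discover_manifests(build_sample_repo()).items():
        print(file, "->", ", ".join(assets))
```

On the sample tree this reports postgresql/k8s/postgres.yaml (luna/postgres twice, for the Deployment and the Service) and frontend/deploy/luna-frontend.yml, and says nothing about the workflow or compose file, which is the behaviour the scan above shows for the lunalectric checkout.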

🧹 IMPROVEMENTS

Default values for GCP resources

GCP resources now include default values, so it's easier to explore your infrastructure with cnquery. You no longer have to list the fields you want for each query; you can rely on the defaults and skip the field names. We picked the most important values for each resource to save you time.

Old: gcp.sql.instances{name}

New: gcp.sql.instances

Instance names from EBS volume scans

EBS volume scans from the CLI or the AWS integration now include asset names that match scans over SSM or SSH.

Process information in the ports resource

The ports resource now includes process information so you can see which process is bound to an open port:

ports.list: [
0: port port=53 protocol="tcp" address="127.0.0.53" process.executable="/lib/systemd/systemd-resolved"
1: port port=22 protocol="tcp" address="0.0.0.0" process.executable="sshd:"
2: port port=22 protocol="tcp" address="10.0.2.15" process.executable="sshd:"
3: port port=22 protocol="tcp" address="10.0.2.15" process.executable="sshd:"
4: port port=22 protocol="tcp" address="10.0.2.15" process.executable="sshd:"
5: port port=53 protocol="udp" address="127.0.0.53" process.executable="/lib/systemd/systemd-resolved"
6: port port=68 protocol="udp" address="10.0.2.15" process.executable="/lib/systemd/systemd-networkd"
7: port port=22 protocol="tcp" address="::" process.executable="sshd:"
8: port port=80 protocol="tcp" address="::" process.executable="/usr/sbin/apache2"
]

Improved Linux policy reliability

We rewrote much of the Linux Security policy to improve the reliability of scans when commands cannot run directly. This provides additional security context, particularly auditd configuration context when scanning container images and side-scanning AWS instances using EBS volumes. As a bonus, it also reduces CPU and memory use during the scan.

🐛 BUG FIXES AND UPDATES

  • Don't panic when inspecting an empty certificate on a host.
  • Properly parse out Kubernetes custom resources in manifest files.
  • Update the service accounts page to allow sorting by the last date used.
  • Properly discover containers when running cnquery scan docker --discover container.
  • Add missing help output for multiple resources.
  • Improve several error messages to make required user action more apparent.
  • Ignore case when parsing SSHd config include statements to support both Include and include.
  • Update invalid example commands on the Terraform integration page.
  • Explicitly set our Kubernetes operator workflows to run unprivileged.
  • Better raise errors encountered in malformed MQL queries.
  • Fix an issue where the console cursor could disappear after running a scan.

Mondoo 7.7 is out!

· 5 min read
Mondoo Core Team

🥳 Mondoo 7.7 is out! This release includes new Kubernetes integration pages & VMware Cloud Director scanning!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

VMware Cloud Director scanning

Problem: Your organization uses VMware Cloud Director, and you'd like to secure your deployments with Mondoo policies.

Solution: Mondoo now includes a set of new VMware Cloud Director resources to help you secure your VMware infrastructure.

Sample queries:

# display vCloud Director version
asset { platform version build }
asset: {
build: "20079017"
version: "10.4.0"
platform: "vcd"
}

# show all vCenter servers
vcd.serverInstances { * }

# list all Cloud Director organizations
vcd.organizations

# list all external networks
vcd.externalNetworks

For additional use cases, see the VMware Cloud Director Resource Pack MQL documentation.

New Kubernetes integrations pages

Problem: Once you've set up a Kubernetes integration in Mondoo, it's difficult to see the status of the resources, including the version of the operator that's running.

Solution: Mondoo has a whole new Kubernetes integration page to help you understand what's running and what's been detected. This page includes essential status information such as the Kubernetes release, operator release, and the enabled scanning methods. It also includes a quick summary of everything that's been detected by the operator with a link to view operator-scanned assets in the fleet view.

New Kubernetes integration page

Overview data for assets

Problem: In scan results, it can be hard to understand an asset's location or platform.

Solution: We redesigned the Mondoo asset pages to make finding details about your assets easier. We've combined multiple tabs into a new summarized main page that folds asset metadata into the main view.

New asset page

Debian 11 and Ubuntu 22.04 CIS level 1 & 2 policies

Problem: You're running the latest Debian and Ubuntu releases and you need to apply CIS policies to meet regulatory requirements.

Solution: Mondoo now includes CIS Level 1 and 2 policies for Ubuntu 22.04 and Debian 11.

🧹 IMPROVEMENTS

Assets now display their last scanned time

We've updated the asset pages to better describe when assets were scanned and when they last checked into Mondoo Platform. Previously we tracked only the update time, which showed the last time the asset had checked in either through a CLI scan or a non-scanning integration discovery. This led to confusion since some AWS assets looked as though they had just been scanned after the integration discovery ran. You now see both the scan time and the update time so you can better understand how old scan results are and when assets were last seen.

Update vs. Scanned Time

Automatic stale service account cleanup

Mondoo now automatically cleans up service accounts that sit unused for 30 days. This reduces both clutter and the risk of account compromise.

Policy improvements

This week we made several improvements to Linux, Kubernetes, and Slack policies with new and updated controls:

  • Add new Ensure the kubelet is not configured with the AlwaysAllow authorization mode and The default namespace should not be used controls to the NSA Kubernetes Hardening Guide policy.
  • Add new Use clear naming for external channels control to the Slack Security Best Practices policy.
  • Add new Ensure system accounts are non-login control to the BSI SYS.1.3 Linux and Unix Servers policy.
  • Update the Slack Security Best Practices policy to collect the names of all Slack workspace admins.
  • Update the Slack Security Best Practices policy to ignore the SlackBot users when ensuring users have 2FA enabled.
  • Ensure the Linux Security policy's auditd controls can run when scanning containers, EBS volumes, or Kubernetes nodes.
  • Update the Ensure system accounts are non-login control in CIS policies to treat accounts with a UID < 1000 as system accounts, instead of UID < 500.

MQL Improvements

Empty arrays evaluate as false

We've updated MQL to treat an empty array as a false-like (falsy) value. This means queries like list.where(a == 1), which return an empty array, now evaluate as false instead of true. This may correct checks in your environment that were intended to fail but passed because of the empty array result.

IPv6 data in the port resource

The port resource now includes TCP/UDP port information for IPv6 addresses in addition to IPv4 addresses.

Indexed array output

Query results that return an array now include the array index in the results so you can more easily find flagged issues or dig deeper into specific results.

Indexed Results

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Only attempt to delete EBS volumes if there's a failure during the scan.
  • Fix failures checking file ownership when running under sudo.
  • Fix incorrectly formatted output of scan results on Windows.
  • Fix an error message that included a typo in the suggested --incognito flag.
  • Default to us-east-1 in cnquery/mondoo if no AWS region is provided to avoid failures.
  • Exit with 1 when cnspec fails to connect to an asset.
  • Avoid a crash if asset data cannot be synced to Mondoo Platform.
  • Improve some error messages that included legacy components and client names.
  • Set asset name when EBS scanning if it is provided.
  • Avoid a crash when working with certain dict values in MQL.
  • Avoid a crash when viewing some older service accounts in the console.