158 posts tagged with "release"

Mondoo 5.26.0 is out!

· One min read
Mondoo Core Team

🥳 mondoo 5.26.0 is out!

🎉 NEW FEATURES

Add MQL resource to query k8s secret resources

mondoo> k8s.secrets.where(namespace == "default") { name namespace manifest["kind"] }
k8s.secrets.where: [
0: {
name: "default-token-89ft8"
namespace: "default"
manifest[kind]: "Secret"
}
]

πŸ› BUG FIXES AND UPDATES​

  • Fix false positive for Debian postgresql-common advisory
  • Fix issue where first keystroke was ignored by pager when running mondoo scan
  • Fix case where APK versions were not compared properly when prefixed with epochs
  • Fix pager to work with more
  • Fix k8s namespace resource instantiation

Mondoo 5.25.0 is out!

· 2 min read
Mondoo Core Team

🥳 mondoo 5.25.0 is out!

🎉 NEW FEATURES

Improved mondoo inventory command

Debugging the inventory was not easy since most of the details were hidden. This made it difficult to tell users when they need to, for example, convert files. To address this, we are adding two new commands:

  • mondoo inventory init - creates a new sample inventory file
  • mondoo inventory convert - e.g. converts an Ansible inventory to a Mondoo inventory

Example:

mondoo inventory convert --inventory-file raspi-scan.json --inventory-ansible
→ load inventory inventory=raspi-scan.json
metadata: {}
spec:
  assets:
  - connections:
    - Sudo: {}
      backend: 3
      credentials:
      - secret_id: 24SXpBDcZRg85oDU4MSsqm6S2iH
      host: raspberrypi
    name: instance1
  credentials:
    24SXpBDcZRg85oDU4MSsqm6S2iH:
      private_key_path: /Users/chris/.ssh/chris-rock.rsa
      secret: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUl
      secret_id: 24SXpBDcZRg85oDU4MSsqm6S2iH
      type: private_key
      user: pi

Organization Resolver for Google Cloud

With this new change, we are adding support to discover projects for GCP organizations. There are two methods to scan projects in GCP listed below.

Method 1: Auto-discovers current project from gcloud

mondoo scan -t gcp

Method 2: Provide a specific project

mondoo scan -t gcp --option project=your_project

We added the ability to discover all projects by adding the --option organization=12345678 and --discover projects flags. Here is an example:

$ gcloud organizations list
mondoo.com 12345678 AAAAB7cc5

$ mondoo scan -t gcp --option organization=12345678 --discover projects

🧹 IMPROVEMENTS

  • Allow user to specify pagination command using the PAGER environment variable or --pager 'pagerCmd' flag
  • Add createTime field to aws.ec2.volume resource
  • The inventory flags for the mondoo CLI have been harmonized:
    • --inventory has been deprecated in favor of --inventory-file
    • --ansible-inventory has been deprecated in favor of --inventory-ansible
    • --domainlist-inventory has been deprecated in favor of --inventory-domainlist

πŸ› BUG FIXES AND UPDATES​

  • Fix bug where mondoo command would try to use less pager when it wasn't available on the system
  • Fix bug where an incorrect stop execution error message was printed
  • Fix bug where certain errors could cause execution to stall

Mondoo 5.24.0 is out!

· One min read
Mondoo Core Team

🥳 mondoo 5.24.0 is out!

🧹 IMPROVEMENTS

  • mondoo scan now pages the output by default. This behavior can be disabled with the --no-pager flag

πŸ› BUG FIXES AND UPDATES​

  • Fix bug where queries with multiple properties of the same value cause the execution to timeout
  • Fix bug where certain queries that error cause the execution to timeout

Mondoo 5.23.0 is out!

· One min read
Mondoo Core Team

🥳 mondoo 5.23.0 is out!

🎉 NEW FEATURES

AWS EC2 SSM Session Support

Use Mondoo to scan all your AWS SSM instances:

mondoo scan -t aws-ec2-ssm://ec2-user@instance-id

Specify the region and/or profile to use by including options:

mondoo scan -t aws-ec2-ssm://ec2-user@instance-id --option region=us-east-2 profile=test_profile

K8s Transport Improvements

Scan a directory of Kubernetes manifests:

mondoo scan -t k8s --path test/integration/k8s

🧹 IMPROVEMENTS

  • Include the macOS build number in platform information
  • Improved asset name for the github transport
  • Add AWS account alias to AWS Account asset name
  • Scoring consistency improvements
  • Improved naming for Kubernetes cluster
  • macOS package installation path no longer contains the version number (e.g. /Library/Mondoo/bin instead of /Library/Mondoo/5.22.0/bin)

πŸ› BUG FIXES AND UPDATES​

  • Do not require AWS RDS encryption checks on instance types that do not support encryption

Mondoo 5.22.0 is out!

· One min read
Mondoo Core Team

🥳 mondoo 5.22.0 is out!

🎉 NEW FEATURES

Add the where method to map types

Maps now have a where method that allows filtering by keys and values:

mondoo> {a: 1, b: 2, c: 3}.where(key == 'c')
where: {
c: 3;
}
mondoo> {a: 1, b: 2, c: 3}.where(value < 3)
where: {
a: 1;
b: 2;
}

Currently, this only works with map types whose key is a string.

🧹 IMPROVEMENTS

  • Allow using the --insecure flag with --inventory when using the Mondoo CLI
  • Automatically delete the CloudFormation stack when the AWS integration is deleted
  • Add ownerAlias field to the aws.ec2.image resource

πŸ› BUG FIXES AND UPDATES​

  • Fix potential panic when using mondoo scan with the --inventory flag
  • Fix Ansible inventory loading for tags and multiple groups
  • Fix echo warning when using PowerShell over SSH
  • Fix bug where AWS EBS volume scan did not work for SUSE

Mondoo 5.21.0 is out!

· One min read
Mondoo Core Team

🥳 mondoo 5.21.0 is out!

🧹 IMPROVEMENTS

  • Assets can be filtered by state
  • The AWS integration uses the AWS account alias for the name
  • Adds additional GCP Compute, DNS, BigQuery, and GKE checks
  • Updates AWS policy with messages and new docs and metadata
  • Allow mondoo scan -t docker instead of requiring mondoo scan -t docker:// ...

πŸ› BUG FIXES AND UPDATES​

  • Fix issue where aws.ec2.instances { vpc {*} } would print errors about fields not being found
  • Fix aws.iam.credentialReport.accessKey2Active field incorrectly mapping to access key 1

Mondoo 5.20.0 is out!

· 4 min read
Mondoo Core Team

🥳 mondoo 5.20.0 is out!

🎉 NEW FEATURES

Support for Terraform Objects

Given a Terraform definition for:

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  metadata = {
    enable-oslogin = false
  }
}

metadata is a defined object and not a block. The following query requests the arguments:

terraform.resources.where(nameLabel == "google_compute_instance") {
  arguments
}

Before this release, metadata was null because its key/value pairs had not been parsed:

terraform.resources.where: [
  0: {
    arguments: {
      machine_type: "e2-medium"
      metadata: null
      name: "test"
      zone: "us-central1-a"
    }
  }
]

With this latest release:

terraform.resources.where[0].arguments: {
  machine_type: "e2-medium"
  metadata: {
    enable-oslogin: true
  }
  name: "test"
  zone: "us-central1-a"
}

Support Linux kernel vault

Storing credentials on disk is not recommended, and Mondoo strongly advises against doing so in production environments. Therefore, we support various vault backends that allow you to store credentials securely.

Given a simple inventory file that scans a Linux machine via SSH and password authentication:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-ssh-inventory
  labels:
    environment: production
spec:
  assets:
    # Linux with password authentication
    - id: linux-with-password
      connections:
        - host: 192.168.178.28
          backend: ssh
          credentials:
            - user: chris
              password: password1! # implicit type password

With this inventory, you can scan the machine:

mondoo scan --inventory inventory.yml
→ load inventory inventory=inventory.yml

Of course, we do not want to store credentials in plain-text files. In the past we assumed that we could do that via the systemd secret service. The problem is that this interface only works well with GNOME and KDE and is mostly bundled with desktop environments, which is problematic for headless servers.

To solve this, Mondoo now supports Linux Kernel Key Management:

NOTE: The LWN.net introduction to kernel key management explains how it works. See the keyutils man page for more details.

On Debian, keyutils needs to be installed to use the kernel key management:

apt-get install keyutils

Configure Mondoo's vault to use the keyring mondoo-client-vault for secrets:

mondoo vault set mondoo-client-vault --type linux-kernel-keyring
→ set new vault configuration name=mondoo-client-vault
→ stored vault configuration successfully

Mondoo itself stores its configuration for vaults via Linux Kernel Key Management. The configuration is stored in the mondoo-cli-keyring keyring under the user-vaults key.

keyctl list @u
1 key in keyring:
599473326: --alswrv  1000  1000 keyring: mondoo-cli-keyring

keyctl show 599473326
Keyring
 599473326 --alswrv  1000  1000  keyring: mondoo-cli-keyring
 988442797 --alswrv  1000  1000   \_ user: user-vaults

Now we need to add a secret for a remote SSH connection. We set mondoo-client-vault as the keyring that Mondoo Client will use.

# The format to add a key is as follows:
# keyctl add user {desc} {data} @u
keyctl add user 'secret for 192.168.178.28' '{ "user": "chris", "password": "password1!", "type": "password" }' @u
52720293

# Next, let's display the key within the keyring
keyctl list @u
1 key in keyring:
52720293: --alswrv  1000  1000 user: secret for 192.168.178.28

# Let's display the created key
keyctl print 52720293
{ "user": "chris", "password": "password1!", "type": "password" }

# Later, we can delete the key from the user scope via:
# keyctl purge -p user "secret for 192.168.178.28"

Now we can adapt the inventory:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-ssh-inventory
  labels:
    environment: production
spec:
  assets:
    # Linux with password authentication
    - id: linux-with-password
      connections:
        - host: 192.168.178.28
          backend: ssh
          credentials:
            - secret_id: secret for 192.168.178.28
              vault:
                name: mondoo-client-vault
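As an added example (not Mondoo's own code), here is a small Python resolver for the vault-backed inventory above: it looks up each secret_id in the user keyring through keyutils (keyctl search, then keyctl print), validates the stored JSON against the fields its credential type needs, and returns records that never contain the password. The INVENTORY dict, the FAKE_KEYRING stand-in for offline use and the REQUIRED field table are constructed for this example.

```python
import json
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed inventory shaped like the vault-backed one above: the connection
# carries only a secret_id plus the vault that resolves it, never a password.
INVENTORY = {"spec": {"assets": [{
    "id": "linux-with-password",
    "connections": [{"host": "192.168.178.28", "backend": "ssh",
                     "credentials": [{"secret_id": "secret for 192.168.178.28",
                                      "vault": {"name": "mondoo-client-vault"}}]}],
}]}}

# Constructed stand-in for the user keyring (description -> payload), holding
# the same JSON document the notes store with `keyctl add user`; pass
# FAKE_KEYRING.get as the lookup to run offline.
FAKE_KEYRING = {"secret for 192.168.178.28":
                '{ "user": "chris", "password": "password1!", "type": "password" }'}

# Fields each credential type must carry (assumed for this example; private_key
# mirrors the converted Ansible inventory shown earlier in the notes).
REQUIRED = {"password": {"user", "password"}, "private_key": {"user", "private_key_path"}}

def keyctl_lookup(description: str) -> Optional[str]:
    """Fetch a 'user' key by description from the caller's user keyring (@u) with
    keyutils: `keyctl search` yields the serial, `keyctl print` the payload."""
    try:
        serial = subprocess.run(["keyctl", "search", "@u", "user", description],
                                capture_output=True, text=True, check=True).stdout.strip()
        return subprocess.run(["keyctl", "print", serial],
                              capture_output=True, text=True, check=True).stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None  # keyutils missing, key absent, or access not permitted

def parse_secret(payload: str) -> Dict[str, str]:
    """Validate the JSON payload against the fields its credential type needs."""
    secret = json.loads(payload)
    kind = secret.get("type", "password")  # the notes treat password as the implicit type
    if kind not in REQUIRED:
        raise ValueError(f"unsupported secret type {kind!r}")
    missing = REQUIRED[kind] - set(secret)
    if missing:
        raise ValueError(f"{kind} secret is missing fields {sorted(missing)}")
    secret["type"] = kind
    return secret

def resolve_credentials(inventory: dict, lookup: Callable[[str], Optional[str]]) -> List[dict]:
    """Resolve every vault-backed credential in the inventory. The returned records
    carry only loggable fields (asset, host, user, type), never the secret itself."""
    records = []
    for asset in inventory["spec"]["assets"]:
        for conn in asset["connections"]:
            for cred in conn["credentials"]:
                rec = {"asset": asset["id"], "host": conn["host"],
                       "vault": cred["vault"]["name"], "secret_id": cred["secret_id"]}
                payload = lookup(cred["secret_id"])
                if payload is None:
                    rec["error"] = "secret not found in keyring"
                else:
                    secret = parse_secret(payload)
                    rec.update(type=secret["type"], user=secret["user"], resolved=True)
                records.append(rec)
    return records
```

On a host where the key was added as shown above, resolve_credentials(INVENTORY, keyctl_lookup) reads the real keyring; with FAKE_KEYRING.get it runs without keyutils.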

🧹 IMPROVEMENTS

  • Add end-of-life information for vSphere 7.0.0
  • Improved handling for misconfigured sudo where SSH connections do not return the platform name properly
  • Asset search is now case insensitive
  • The AWS CloudFormation can be customized when creating the stack

πŸ› BUG FIXES AND UPDATES​

  • Fix Linux policies to check correct cron package name based on distribution
  • Fix not found handling in AWS S3 resource. This would cause fields to error out instead of returning null when they were not set
  • Fix awsec2ebs transport to not error out when there are multiple volumes

Mondoo 5.19.0 is out!

· 2 min read
Mondoo Core Team

🥳 mondoo 5.19.0 is out!

🧹 IMPROVEMENTS

  • Make asset name consistent for AWS instances regardless of the transport or discovery mechanism used
  • Add additional fields to the aws.rds.dbinstance resource
    • dbInstanceClass: name of the compute and memory capacity class of the DB instance
    • dbInstanceIdentifier: user-supplied unique key that identifies a DB instance
    • engine: name of the database engine for this DB instance
    • securityGroups: list of VPC security group elements that the DB instance belongs to
    • status: current state of this database
  • Detect services managed by systemd for FS based transports
  • Handle Terraform template wrap expressions
  • Add advisory support for Ubuntu 21.10
  • Improve printing of assessments for blocks

πŸ› BUG FIXES AND UPDATES​

  • mondoo scan -o now accepts json and yml for report output formats. Before, json support was claimed but did not work, and yaml support worked, but did not accept yml
  • Fix panic when using the AWS S3 resource
  • Fix potential panic if scan results fail to store
  • Fix issue where the assessment for package("foo").installed would be missing, but package("foo").installed == true would work
  • Fix bug where AWS S3 buckets without tags return an error when no tags are present
  • Update asset filter for CIS Distribution Independent Linux Benchmark Level 1 for Container so that it only runs for containers
  • Use public IP instead of public DNS for EC2 Instance Connect since not all instances have a public DNS entry

Mondoo 5.18.0 is out!

· 3 min read
Mondoo Core Team

🥳 mondoo 5.18.0 is out!

🎉 NEW FEATURES

Use Mondoo to verify certificate chains

You can now use the isVerified field on the certificate resource to check whether or not a certificate chain is valid:

tls("mondoo.com").certificates {
  subject.commonName
  isVerified
}
tls.certificates: [
  0: {
    isVerified: true
    subject.commonName: "mondoo.com"
  }
  1: {
    isVerified: true
    subject.commonName: "R3"
  }
  2: {
    isVerified: true
    subject.commonName: "ISRG Root X1"
  }
]

Use Mondoo to query CloudWatch metrics on AWS resources

Mondoo can now pull CloudWatch statistics for AWS resources. For instance, you can use Mondoo to query the number of invocations and errors for a Lambda function. This can be used to assess error rates or to detect unused resources.

Note: Mondoo queries CloudWatch Statistics for the last 24h of data, in 1h intervals.

aws.cloudwatch.metricstatistics(namespace: "AWS/EBS", region: "us-east-1", name: "VolumeTotalReadTime") {
  label
  datapoints {
    maximum
    average
    sum
  }
}
aws.cloudwatch.metricstatistics: {
  datapoints: [
    0: {
      average: 0.0004509803921568627
      maximum: 0
      sum: 0.22999999999999998
    }
  ]
  label: "VolumeTotalReadTime"
}

or

aws.cloudwatch.metrics {
  name
  namespace
  statistics {
    label
    datapoints
  }
}
  1512: {
    statistics: {
      datapoints: []
      label: "CallCount"
    }
    namespace: "AWS/Logs"
    name: "CallCount"
  }
  1513: {
    statistics: {
      datapoints: []
      label: "CallCount"
    }
    namespace: "AWS/Usage"
    name: "CallCount"
  }
  1514: {
    statistics: {
      datapoints: []
      label: "ThrottleCount"
    }
    namespace: "AWS/Usage"
    name: "ThrottleCount"
  }
  1515: {
    statistics: {
      datapoints: []
      label: "CallCount"
    }
    namespace: "AWS/Usage"
    name: "CallCount"
  }

Enhanced assessment of yum repo file contents through file field

Prior to this release, Mondoo could display a list of all configured yum repos. With this improvement, Mondoo can not only list all the configured repositories, but also inspect the file for each yum repo definition in /etc/yum.repos.d.

With the new file field, the contents are also now available to Mondoo:

yum.repos {
name
file {
path
content
}
}
yum.repos: [
0: {
name: "AlmaLinux 8 - AppStream"
file: {
path: "/etc/yum.repos.d/almalinux.repo"
content: "# almalinux.repo

[baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[appstream]
name=AlmaLinux $releasever - AppStream
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[extras]
name=AlmaLinux $releasever - Extras
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

## Sources
[baseos-source]
name=AlmaLinux $releasever - BaseOS Source
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos-source
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/Source/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[appstream-source]
name=AlmaLinux $releasever - AppStream Source
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream-source
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/Source/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[extras-source]
name=AlmaLinux $releasever - Extras Source
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras-source
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/Source/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

## Debuginfo
[baseos-debuginfo]
name=AlmaLinux $releasever - BaseOS debuginfo
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos-debuginfo
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/debug/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[appstream-debuginfo]
name=AlmaLinux $releasever - AppStream debuginfo
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream-debuginfo
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/debug/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[extras-debuginfo]
name=AlmaLinux $releasever - Extras debuginfo
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras-debuginfo
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/debug/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
"
}
}
...
]

Use Mondoo to test that files exist, but have no content

Mondoo can now detect that an empty file exists at an expected location. One common use case for this test is to detect files written in error to a location that would otherwise be a filesystem or chroot mount point.

We've added a new field to the file resource to query if the file or directory is empty:

file("/my/empty/file").empty;
file.empty: true

🧹 IMPROVEMENTS

  • The AWS integration reports long-failing CloudFormation updates
  • Save more information to improve assessments
  • Add support for Rocky Linux
  • Add support for AlmaLinux

πŸ› BUG FIXES AND UPDATES​

  • Fix bug where AWS Lambda environment would get too big and fail to update
  • Fix queries that were not working in the Mondoo AWS Baseline policy

Mondoo 5.17.1 is out!

· 4 min read
Mondoo Core Team

🥳 mondoo 5.17.1 is out!

🎉 NEW FEATURES

Terraform Policy

  • Added Terraform Static Analysis Policy for AWS (Early Access)

Network targets

We first released the tls resource back in 5.12.2, and the dns resource in 5.11.0. That was a month ago, and today we are taking the next step toward making them useful by adding new ways to target assets.

First, we added the host:// target:

> mondoo shell -t host://mondoo.com

Once connected, you can run queries like this:

[Screenshot: TLS on host://]

Additionally, we expose this information via the platform resource:

[Screenshot: Platform on host://]

Alternatively, you can use the tls:// target for this use case as well, and we are planning to expand these targets to provide contextual information to the MQL engine.

DNS policy

We added a baseline policy to check your DNS security called: Mondoo DNS Baseline (Early Access). As you can see, it's still in early access and we'd love to hear what else you might want to see!

[Screenshot: dns-policy]

To scan mondoo.com for DNS, run the following:

mondoo scan -t host://mondoo.com --incognito --policy '//policy.api.mondoo.app/policies/mondoo-dns-baseline'

TLS policy

We also added a policy for TLS security called: Mondoo TLS/SSL Baseline. This policy will be expanded over the course of time with more tests. Check out our community channel and let us know if you want to test more features!

[Screenshot: tls-policy]

To scan mondoo.com for TLS, run the following:

mondoo scan -t host://mondoo.com --incognito --policy '//policy.api.mondoo.app/policies/mondoo-tls-baseline'

Scanning multiple Hosts

To scan multiple hosts, create a new domainlist.txt file that includes domains separated by newlines:

mondoo.com
google.com

Then you can pipe that domain inventory to mondoo:

cat domainlist.txt | mondoo scan --domainlist-inventory

Certificate resource

You can now check if a certificate has been revoked. Mondoo determines this via OCSP requests. Wherever no OCSP information is provided, the value of this field will be null.

When a certificate is revoked, you can additionally access the revocation time via the field revokedAt.

[Screenshot: TLS isRevoked check]

Note: This feature is currently limited to TLS checks. Please ping us in our community channel if you need it for standalone certificates as well!

TLS extensions

Additionally, we added tests for a few TLS extensions. Among others, we now support these 3 extensions:

  • server_name: indicates that the server supports Server Name Indication (SNI). You can access all SNI certificates via the certificates field and non-SNI certificates via nonSniCertificates
  • fake_server_name: indicates that, when a fake SNI name is sent to the server, we get a response without any alerts from the server. This means the server doesn't leak information about the name.
  • renegotiation_info: shows that the server supports secure TLS renegotiation (via TLS 1.2 and 1.3)

[Screenshot: TLS extensions]

🧹 IMPROVEMENTS

  • Map fields via the map( .. ) function to flatten lists. For example: users.map(name) returns a flat list of user names.
  • Include tags on more AWS resources for discoverability
  • Allow machineid as a platform identifier
  • More AWS resource MQL documentation

πŸ› BUG FIXES AND UPDATES​

  • Use numbers for the entry.shadow resource (was string)
  • Properly detect AWS arm instances
  • Ensure asset state and asset name are always updated
  • Only update platform name when valid
  • Fix ec2-managedinstance-association-compliance-status-check query
  • Ensure incognito runs do not try to report to Mondoo Platform
  • Resolve refs in arrays
  • Fix recursive operator with arrays and maps
  • Array to nil comparison
  • Fix url parsing on domain list inventory
  • Fix displayed errors for missing upstream policies