
· 4 min read

🥳 Mondoo 6.16 is out! This release includes new policies and always-up-to-date Kubernetes results.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Scan Kubernetes Resources on Add/Update​

Problem: You rapidly deploy new and updated workloads to your Kubernetes cluster and you want to know that the Mondoo scan results reflect the latest state of your cluster.

Solution: Mondoo now scans your Kubernetes resources as they are updated or added to the cluster, so the fleet view always has the latest information on cluster-wide security.

Note: This requires the Mondoo Operator for Kubernetes 1.5 or later. To update to this release, run:

kubectl delete --ignore-not-found -n mondoo-operator deployment mondoo-operator-controller-manager
kubectl apply -f https://install.mondoo.com/k8s/operator

Mondoo Policy for Google Cloud Terraform Plans​

Problem: You want to find Google Cloud security issues early in your infrastructure development cycle to prevent insecure changes from ever reaching production.

Solution: This week, we're introducing a new policy, Terraform Plan - CIS Google Cloud Platform Foundation Benchmark. It lets you run Mondoo security scans directly against HashiCorp Terraform plans for your Google Cloud infrastructure.

Problem: Mondoo found a lot of security issues for your asset and you're overwhelmed. It's hard to know what to fix first.

Solution: The asset view now shows the five most important actions you should take to improve an asset's security.

Top 5 Recommended Actions

View All Controls for an Asset​

Problem: You want to find a specific control that is applied to an asset, but you don't know which policy it's in.

Solution: Mondoo now lists all of an asset's controls independently from their policies. You can filter controls by policy or by search string.

Controls

🧹 IMPROVEMENTS

New Security and Best Practices Controls for Kubernetes​

Problem: You want to scan your workloads for common security and best practice misconfigurations before deploying them to your Kubernetes cluster.

Solution: We've expanded our Kubernetes Security Benchmark and Kubernetes Best Practices Benchmark to expose more common misconfigurations in Kubernetes workloads.

  • Workloads should not run in the default namespace: This new Kubernetes Best Practices Benchmark control discovers workloads that don't define a non-default namespace to run in. Group workloads into purpose-specific namespaces to organize work by team and to isolate workloads; namespaces are also the scope that RBAC and NetworkPolicies apply to.

  • Workloads should not run with SYS_ADMIN capability: This new Kubernetes Security Benchmark control discovers workloads that add the SYS_ADMIN or ALL capabilities. SYS_ADMIN is risky because it grants a broad set of privileged kernel operations (mounting filesystems, for example) that are effectively root-equivalent and are commonly used to escape from the container to the host.

  • Workloads should not run with NET_RAW capability: This new Kubernetes Security Benchmark control discovers workloads that add the NET_RAW or ALL capabilities. NET_RAW lets a process open raw sockets and forge packets (spoofed ARP replies, for example), which an attacker can use to redirect traffic bound for other pods on the same node.

  • Pods should have an owner: This new Kubernetes Best Practices Benchmark control discovers pods that have no owner, that is, no controller such as a Deployment or DaemonSet manages them. These pods, commonly called naked pods, aren't rescheduled if the node they're running on fails or is terminated.
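The four controls above are simple to express over a loaded manifest. The following is an added example, not Mondoo's policy code: it takes a workload that has already been parsed into a dict (what yaml.safe_load or json.load returns), finds the PodSpec for each supported kind, and reports the four findings. The sample workloads are constructed; the extra "NET_RAW by default" finding assumes the container runtime's default capability set includes NET_RAW, which Docker and containerd both do, so a container that neither adds nor drops it still has it.

```python
# Added example (not Mondoo's policy code): flag the four workload
# misconfigurations described above in a Kubernetes manifest that has
# already been loaded into a dict (e.g. with yaml.safe_load or json.load).
# The sample workloads at the bottom are constructed for this example.

TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_spec(workload):
    """Return the PodSpec of a workload regardless of its kind."""
    kind = workload.get("kind")
    spec = workload.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    if kind in TEMPLATED_KINDS:
        return spec["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind!r}")


def check_workload(workload):
    """Return a sorted list of (control, subject) findings; [] means clean."""
    findings = []
    kind = workload.get("kind")
    meta = workload.get("metadata", {})
    subject = f"{kind}/{meta.get('name')}"

    # Control 1: an unset namespace is applied to "default" unless -n is given.
    if meta.get("namespace", "default") == "default":
        findings.append(("default-namespace", subject))

    # Control 4: a Pod with no ownerReferences is a "naked" pod that nothing
    # will recreate when its node goes away.
    if kind == "Pod" and not meta.get("ownerReferences"):
        findings.append(("naked-pod", subject))

    spec = pod_spec(workload)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added = {x.upper() for x in caps.get("add", [])}
        dropped = {x.upper() for x in caps.get("drop", [])}
        cname = f"{subject}:{c['name']}"

        # Control 2: SYS_ADMIN, or ALL, explicitly added.
        if added & {"SYS_ADMIN", "ALL"}:
            findings.append(("sys-admin", cname))

        # Control 3: NET_RAW explicitly added. Assumption for the extra check:
        # the runtime's default capability set includes NET_RAW, so a container
        # that neither adds nor drops it (or ALL) still has it.
        if added & {"NET_RAW", "ALL"}:
            findings.append(("net-raw-added", cname))
        elif not dropped & {"NET_RAW", "ALL"}:
            findings.append(("net-raw-by-default", cname))

    return sorted(findings)


# Constructed samples: a risky Deployment, a naked Pod, and a hardened one.
RISKY_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "debug-tools"},  # no namespace -> "default"
    "spec": {"template": {"spec": {"containers": [
        {"name": "tools", "image": "busybox",
         "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "NET_RAW"]}}},
    ]}}},
}
NAKED_POD = {
    "kind": "Pod",
    "metadata": {"name": "adhoc", "namespace": "payments"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}
HARDENED_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "api:1.0",
         "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    ]}}},
}

if __name__ == "__main__":
    for w in (RISKY_DEPLOYMENT, NAKED_POD, HARDENED_DEPLOYMENT):
        print(w["metadata"]["name"], check_workload(w))
```

The hardened Deployment passes only because it drops ALL; dropping NET_RAW alone would also satisfy the third check, but drop: ALL plus an explicit allow-list is the pattern the Restricted Pod Security Standard expects.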

BIOS Updates Control Added to Client Linux Security Baseline by Mondoo​

Problem: To secure the boot process, you need to ensure that all Linux systems have the most up-to-date BIOS releases.

Solution: The Client Linux Security Baseline by Mondoo now includes a control to validate that systems have the most up-to-date BIOS when the fwupd utility is installed.

Error Messages for Unavailable Assets​

Problem: You need to know when Mondoo can't connect to an asset.

Solution: Mondoo now shows an error message on the asset page when it fails to reach the asset.

Unavailable Asset

πŸ› BUG FIXES​

  • Renames potentially confusing control titles in Linux Security Baseline by Mondoo policy.
  • Skips internal fields in the mondoo shell help output.
  • Improves error handling in the AWS Lambda scans.
  • Changes Mondoo agent searches to not be case sensitive.
  • Returns more helpful error messages from Mondoo Client when a necessary environment variable is missing on CI platforms.
  • Fixes missing available packages in asset Platform Vulnerabilities pages.
  • Improves the handling of null data for regular data types: We now consistently return non-null data from the upstream service. In the next major release, we will support storing other null data.
  • Fixes failures parsing Linux kernel parameters when files in /proc/sys can't be read.
  • Networks and domains are now properly grouped in the fleet view.

· 3 min read

🥳 Mondoo 6.15 is out! This release includes a whole new fleet UI and new CIS Kubernetes policies!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

All New Fleet View Experience​

Problem: You have hundreds or thousands of assets in Mondoo. Finding types of systems and understanding the relationships between assets is difficult.

Solution: We added a whole new fleet view experience to Mondoo that groups your assets by type. You can quickly assess the security of different elements in your infrastructure and grasp interconnected security relationships.

Updated Fleet UI

CIS AKS and GKE Benchmarks​

Problem: You want to secure your AKS and GKE clusters and workloads.

Solution: Mondoo now includes CIS Level 1 and 2 benchmarks for both Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE). These policies include critical controls for securing your cluster nodes and cluster workloads.

Kubernetes Policies

Scan All Kubernetes Resources in Manifests​

Problem: You need to scan each Kubernetes resource in your manifests as an individual asset in Mondoo so you can apply the new Mondoo Kubernetes Security and Best Practices policies.

Solution: Mondoo scans now respect the --discover all command line flag when scanning local manifests. This lets you scan individual Kubernetes resources and even the containers defined in your manifests.

Kubernetes Policies

🧹 IMPROVEMENTS

Quickly Find Kubernetes Operator Scanned Assets​

Problem: You set up your Kubernetes Mondoo integration and now you want to view the discovered assets.

Solution: We added a new See Your Asset Scores link in the Kubernetes Integration pages that takes you right to all the assets discovered by the Mondoo Operator.

Asset Score Link

Priorities in Kubernetes Policies​

Problem: You've scanned your Kubernetes cluster, and there's a mountain of work to do. Where should you start?

Solution: We've added priorities to the controls in CIS and Mondoo Kubernetes policies. You can now sort your scan results by priority and tackle the most important security issues first.

Policy with priorities

Improved mondoo shell and mondoo exec Experiences​

Problem: Mondoo 6.0 introduced new simpler command syntax and it's been so great that now you can't remember the old syntax when you run mondoo shell or mondoo exec.

Solution: We've updated mondoo shell and mondoo exec to use the same simpler syntax as mondoo scan. No more -t flag or :// format. Just run mondoo shell TRANSPORT_NAME.


Expanded and Improved CIS Kubernetes Policy​

We've made several improvements to the vanilla CIS Kubernetes Level 1 and 2 policies for Master and Worker Nodes. Many controls previously marked as not implemented are now implemented and all file permission controls now pass when permissions are more secure than those required by CIS.

πŸ› BUG FIXES​

  • Properly redirects users to the Welcome to Mondoo page after verifying their e-mail during signup.
  • Improves the error message guidance when an AWS integration fails to check in.
  • Fixes the See Your Scores link in the AWS integrations pages to properly load the list of account assets.
  • Properly detects the path to Grub2 configs in CIS benchmarks on Amazon Linux.

· 4 min read

🥳 Mondoo 6.14 is out! This release includes CI/CD view filtering and improved scan results!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Kubernetes Control Plane Node Scanning​

Problem: You need to secure not just your Kubernetes workloads or cluster configuration, but the actual installation of Kubernetes on the control plane servers.

Solution: This week, we added the first of many new Mondoo Kubernetes Security policy control plane checks to secure the kube-apiserver, kube-scheduler, kube-controller-manager, and etcd installations. These new controls check for secure permissions on critical configuration files and private key directories. Stay tuned for more controls to secure your control plane next week, along with kubelet controls.
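The control-plane file checks here, and the rule in the 6.15 notes that a file permission control passes when the permissions are more secure than CIS requires, both come down to one comparison. The following is an added example, not Mondoo's own policy code: a file passes when its mode is at most as permissive as the maximum, so 0600 satisfies a "0644 or more restrictive" control instead of failing an equality test. The CONTROLS table is an illustrative subset of the kinds of paths the CIS Kubernetes benchmark covers, not the benchmark's authoritative list.

```python
# Added example, not Mondoo's policy code. Checks control-plane files the way
# CIS phrases the controls: a file passes when its mode is at most as
# permissive as the maximum. CONTROLS is an illustrative subset; the CIS
# Kubernetes benchmark is the authoritative list of paths and modes.
import os
import stat

# (path, maximum mode, required uid, required gid); None = skip that check
CONTROLS = [
    ("/etc/kubernetes/manifests/kube-apiserver.yaml", 0o644, 0, 0),
    ("/etc/kubernetes/manifests/etcd.yaml", 0o644, 0, 0),
    ("/etc/kubernetes/pki", 0o755, 0, 0),
    ("/etc/kubernetes/pki/ca.key", 0o600, 0, 0),
]


def at_most_as_permissive(actual_mode, max_mode):
    """True if no permission bit (incl. setuid/setgid/sticky) is set in
    actual_mode that max_mode does not allow. 0600 <= 0644, 0664 > 0644."""
    return (actual_mode & 0o7777) & ~max_mode == 0


def check_path(path, max_mode, uid=None, gid=None):
    """Return a list of findings for one path; [] means the control passes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # Absent files are reported, not failed: on a worker node most
        # control-plane files legitimately do not exist.
        return [("missing", path)]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if not at_most_as_permissive(mode, max_mode):
        findings.append(("mode", path, oct(mode), oct(max_mode)))
    if uid is not None and st.st_uid != uid:
        findings.append(("owner", path, st.st_uid, uid))
    if gid is not None and st.st_gid != gid:
        findings.append(("group", path, st.st_gid, gid))
    return findings


def run_controls(controls=CONTROLS):
    """Evaluate every control; returns {path: findings}."""
    return {path: check_path(path, max_mode, uid, gid)
            for path, max_mode, uid, gid in controls}


if __name__ == "__main__":
    for path, findings in run_controls().items():
        print("PASS" if not findings else "FAIL", path, findings)
```

Note that the mask also catches setuid, setgid and sticky bits, which an equality test against 0644 would miss on a file with mode 4644.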

Control Plane Scanning

Filtering in CI/CD Views​

Problem: You have a particular Mondoo scan you want to see, but there are hundreds of Kubernetes deployments in your admission controller scan results or your CI job results page.

Solution: The CI/CD view now includes filtering so you can easily find the scan results of particular Kubernetes deployments or CI scans.

CI/CD Filtering

🧹 IMPROVEMENTS

Faster, Faster, Faster!​

Problem: You're a busy person. You don't have time to wait for Mondoo.

Solution: This week, we greased the gears and tightened the belts in the Mondoo engine. Mondoo scans now sync their asset data faster, and asset deletion time is reduced as well. These speed improvements should be especially pronounced when scanning a Kubernetes cluster with a large number of resources or when bulk deleting assets in the Mondoo Console.

Show the Right Instructions First​

Problem: Mondoo helps you to set up your workstation for security scanning, but what if you run Arch, not Windows or macOS? You don't want to see setup instructions for operating systems you're not using.

Solution: The Workstation Integration setup page now takes you to the instructions for your platform by default. Use Windows: See Windows steps. Use macOS: See macOS steps. Use Arch, Fedora, etc: See Linux steps.

Workstation Setup

Expanded CIS Amazon Elastic Kubernetes Service (EKS) Benchmarks​

Problem: You need to secure your EKS clusters to achieve compliance.

Solution: We've rewritten much of our CIS Amazon Elastic Kubernetes Service (EKS) Benchmarks. The updated policies add seven new controls and improve the existing ones, so you get more reliable results when securing your EKS clusters.

Improved Linux Kernel Parameter Scanning​

Problem: You want to secure the Linux kernel parameters on your systems, but you don't see results when scanning Kubernetes nodes from the Mondoo Kubernetes Operator.

Solution: Mondoo now scans kernel parameters directly by reading the contents of /proc/sys. This method is faster because we don't have to run the sysctl command on the system, and it also lets us validate Linux kernel parameters when scanning without Mondoo Client installed. With this update, you should see improved scoring in the Linux Security Baseline policy on Kubernetes cluster nodes.
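Reading /proc/sys directly is a few lines of code, and the 6.16 bug fix about unreadable /proc/sys files shows the one thing to get right: some entries return EPERM or EIO even to root, and a single unreadable entry must not abort the whole evaluation. The following is an added example, not Mondoo's implementation; the expected values are in the style of a Linux hardening baseline and are illustrative, and the offline demo builds a constructed /proc/sys-like tree in a temporary directory.

```python
# Added example, not Mondoo's implementation. Reads kernel parameters straight
# from /proc/sys instead of running sysctl, and keeps going when an entry is
# unreadable so one bad entry does not sink the whole evaluation. The expected
# values are illustrative; the offline demo uses a constructed tree.
import os
import tempfile

# Expected values in the style of a Linux hardening baseline (illustrative).
EXPECTED = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "kernel.randomize_va_space": "2",
    "fs.protected_symlinks": "1",
}


def sysctl_path(key):
    """Map a sysctl key to its path relative to /proc/sys.

    Keys containing '/' are taken as already-qualified paths; that is how
    sysctl itself disambiguates interface names that contain dots, e.g.
    net/ipv4/conf/eth0.100/rp_filter.
    """
    return key if "/" in key else key.replace(".", "/")


def read_param(key, root="/proc/sys"):
    """Return the parameter's value as a string, or None if it cannot be read."""
    try:
        with open(os.path.join(root, sysctl_path(key))) as f:
            return f.read().strip()
    except OSError:  # ENOENT, EPERM, EIO: all mean "no usable value"
        return None


def evaluate(expected=EXPECTED, root="/proc/sys"):
    """Compare each parameter with its expected value.

    Returns {key: (status, actual)} with status 'pass', 'fail' or 'unknown'.
    'unknown' is kept apart from 'fail' so a read problem on the scanner's
    side is not reported as a misconfigured host.
    """
    results = {}
    for key, want in expected.items():
        got = read_param(key, root)
        if got is None:
            status = "unknown"
        elif got.split() == want.split():  # tolerate tab-separated multi-value entries
            status = "pass"
        else:
            status = "fail"
        results[key] = (status, got)
    return results


def write_fake_proc_sys(root, values):
    """Create a /proc/sys-like tree for offline testing (constructed data)."""
    for key, value in values.items():
        path = os.path.join(root, sysctl_path(key))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(value + "\n")


def demo_offline():
    """Evaluate against a constructed tree: one fail, one pass, one missing."""
    root = tempfile.mkdtemp()
    write_fake_proc_sys(root, {"net.ipv4.ip_forward": "1",
                               "kernel.randomize_va_space": "2"})
    return evaluate({"net.ipv4.ip_forward": "0",
                     "kernel.randomize_va_space": "2",
                     "fs.protected_symlinks": "1"}, root)


if __name__ == "__main__":
    for key, (status, actual) in evaluate().items():
        print(f"{status:7} {key} = {actual}")
```

Run it as root on a node to see real values; on a node scanned without an agent, the same function works over any file access the scanner has, since nothing needs to execute on the host.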

Updated Windows 2016 CIS Benchmarks​

Problem: You run Windows 2016 and need the latest CIS policies to achieve compliance in your infrastructure.

Solution: We've updated our Windows 2016 CIS Benchmarks to the CIS 1.4.0 release. This includes new and improved controls to secure your Windows 2016 hosts.

πŸ› BUG FIXES​

  • Properly detects the OS of the Ubiquiti Dream Machine Pro / SE as ubios.
  • Resolves a permission denied message when storing discovery results.
  • Prevents unnecessary write operations in the AWS Integration Lambda.
  • Detects rate limiting in the AWS Integration Lambda to avoid causing failures in other account operations.
  • Properly scans and displays Jenkins jobs that have no Git commit.
  • Fixes the incorrect spelling of exceptions data in the macos.alf resource.
  • Includes Docker tag labels for assets when scanning container registries.

· 2 min read

🥳 Mondoo 6.13.1 is out! This release includes a new modular GitHub Action and updated EKS policies!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

All New Modular GitHub Action​

The Mondoo GitHub Action has been entirely rewritten to better integrate within modular workflows in your projects. The action now includes individual GitHub Actions for scanning AWS accounts, Kubernetes clusters, Kubernetes manifests, Docker images, and Terraform configuration files. There's also a new action for uploading Mondoo policies to PolicyHub and an action for configuring Mondoo Client, so you can run whatever scan commands you may need. Keep in mind that this new setup is entirely different from our previous releases and breaks existing workflow configurations. Make sure to check out the project README and each new action's README for more information on usage. As always, let us know if you have any questions at hello@mondoo.com or join us on our Mondoo Community Slack.

Find the new action on the GitHub Actions Marketplace.

GitHub Marketplace

🧹 IMPROVEMENTS

Up-to-Date EOL Data​

Problem: You want to ensure that no systems in your fleet have reached EOL status, but this required you to update Mondoo Client for the latest EOL data.

Solution: EOL data is now stored in Mondoo Platform and so are updated automatically. With this change, your systems will always have the latest EOL data as vendors publish new or updated EOL dates.

Expanded CIS Amazon EKS Benchmarks​

We've greatly expanded the CIS Amazon EKS Level 1 and 2 benchmarks with additional queries and improved the overall reliability of many of the controls. Stay tuned for next week's release for more updates to this policy.

EKS Policy

πŸ› BUG FIXES​

  • Prevents sending duplicate Organization or Space invitations if you add a space character to an e-mail address.
  • Prevents display of duplicate informational alerts in AWS Integrations.
  • Resolves failures querying EC2 instances that lacked assigned key pairs.

· 4 min read

🥳 Mondoo 6.12.2 is out! This release includes private image scanning in Kubernetes clusters and an improved CI/CD UI experience!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Continuous Kubernetes Workload Scanning​

Problem: You want to continuously evaluate the security of all the running workloads in your cluster.

Solution: The Mondoo Operator for Kubernetes now automatically discovers all workload resources in the cluster, including Deployments, CronJobs, and Pods. These new resources, when combined with the recently released Kubernetes Security and Best Practices Benchmarks, provide deep insight into the security of deployed workloads at a moment's glance.

Workload Scanning

Kubernetes Private Container Image Scanning​

Problem: You scan your container images using Mondoo in CI to ensure they are secure when you deploy them. However, you want to ensure that they stay secure as new security best practices are developed, and CVEs in container images are discovered.

Solution: Mondoo now utilizes imagePullSecrets in your Kubernetes cluster to fetch and scan container images in private registries. When you enable image scanning in the Mondoo Kubernetes Operator and use imagePullSecrets to store secrets for private container registries, you receive continuous scan results for public and private container images. This gives you quick access to the misconfigurations and CVEs running in your applications.

Image Scanning

Simpler Getting Started Experience​

Problem: You created your first space with Mondoo, but what's next?

Solution: A new Workstation setup page is available directly from your new Space page. This setup experience helps you to install Mondoo Client onto your Mac, Windows, or Linux workstation. It then guides you through remote scans you can perform to quickly evaluate the security of your infrastructure without deploying agents or installing integrations.

Workstation Setup

RPM Package CVE Scanning without RPM​

Problem: You want to analyze Red Hat- or SUSE-based containers or images to find CVEs, but you can't see package information unless you run on a system with the rpm CLI.

Solution: Mondoo now reads package information from Red Hat- and SUSE-based containers and container images without needing the rpm CLI on your workstation. Fire up your Mac, Windows, or Ubuntu system and scan any Red Hat or SUSE container or container image to find outdated packages with CVEs, all without any additional setup.

CVE Scan from macOS

🧹 IMPROVEMENTS

Hashicorp Packer Plugin Officially Verified​

The Mondoo Provisioner for HashiCorp Packer is now available as a HashiCorp verified provisioner on Packer.io.

Improved CI Project UI​

Problem: You want to apply multiple Mondoo scans within your CI projects and view each scan individually.

Solution: We've made improvements to Mondoo Client, our GitHub Action, and the CI project UI to make working with complex CI projects a breeze. Mondoo Client CI integrations can now run multiple times within a single CI pipeline. This includes multiple executions within a stage/workflow (GitLab/GitHub) and even multiple executions within a job. This makes it possible to use Mondoo to test different assets like Docker containers or Kubernetes manifests in a single pipeline, or to perform before-and-after scans of the same asset.

CI Screenshot

New AWS Backup Vaults MQL Resources​

Mondoo now includes a new aws.backup.vaults resource for working with backup vaults in AWS Backup.

Returning the ARN and recovery points of all backup vaults:

mondoo> aws.backup.vaults { arn recoveryPoints { * }}
aws.backup.vaults: [
0: {
arn: "arn:aws:backup:us-east-1:1234567891011:backup-vault:aws/efs/automatic-backup-vault"
recoveryPoints: [
0: {
creationDate: 2022-08-17 05:00:00 +0000 UTC
isEncrypted: true
completionDate: 2022-08-17 07:14:15.311 +0000 UTC
arn: "arn:aws:backup:us-east-1:1234567891011:recovery-point:1234b01b-da45-40a2-8a3a-d1d01234a8e7"
resourceType: "EFS"
createdBy: {
BackupPlanArn: "arn:aws:backup:us-east-1:1234567891011:backup-plan:aws/efs/73d922fb-9312-3a70-99c3-e69123f9fdad"
BackupPlanId: "aws/efs/73d922fb-9312-3a70-99c3-e69367f9fdad"
BackupPlanVersion: "NDdhZGMxMmUtMTA5Zi00NDgzLThhNzItYmI1Mjk3ZWRlY2M4"
BackupRuleId: "2e8b7566-8ec3-4e4b-8911-3c11dfdb1123"
}
iamRoleArn: "arn:aws:iam::1234567891011:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup"
encryptionKeyArn: "arn:aws:kms:us-east-1:1234567891011:key/9461a123-05ae-48d0-a90b-7d5123f2578f"
status: "COMPLETED"
}
]
}
]

Improved RunAsNonRoot Policy Queries​

We've improved the Kubernetes RunAsNonRoot queries in our Kubernetes Security Benchmark and Kubernetes Application Benchmark policies. These policies now take into account settings in the PodSecurityContext, eliminating false positives when the PodSecurityContext is used to control RunAsNonRoot behavior.
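The false positives came from looking at the container's securityContext alone. Kubernetes merges the PodSecurityContext with each container's own securityContext, and the container value wins when both are set, so a query has to resolve the effective value per container. The following is an added example, not Mondoo's query: it resolves runAsNonRoot and runAsUser with that precedence and flags a container only when nothing at either level keeps it off uid 0. The PodSpecs are constructed.

```python
# Added example, not Mondoo's query. Resolves the runAsNonRoot that Kubernetes
# actually applies to each container: the container's securityContext wins,
# otherwise the PodSecurityContext applies. Checking only the container level
# is what produced the false positives. The PodSpecs below are constructed.


def effective(pod_spec, container, field):
    """Container-level value if set, else the pod-level value, else None."""
    c_ctx = container.get("securityContext") or {}
    if c_ctx.get(field) is not None:
        return c_ctx[field]
    return (pod_spec.get("securityContext") or {}).get(field)


def root_findings(pod_spec):
    """(container name, reason) for every container that may run as root."""
    findings = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        non_root = effective(pod_spec, c, "runAsNonRoot")
        uid = effective(pod_spec, c, "runAsUser")
        if uid == 0:
            # Explicit root. (With runAsNonRoot: true the kubelet refuses to
            # start this container at all, but it is still a misconfiguration.)
            findings.append((c["name"], "runAsUser is 0"))
        elif non_root is not True and uid is None:
            # Nothing prevents the image's default user, often root, from being used.
            findings.append((c["name"], "runAsNonRoot is not true"))
    return findings


PODS = {
    # Pod-level runAsNonRoot covers containers that set nothing themselves:
    # the case that was previously reported as a false positive.
    "pod-level": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "web", "image": "nginx"}],
    },
    # A container override beats the pod level.
    "override": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "web", "image": "nginx"},
            {"name": "debug", "image": "busybox",
             "securityContext": {"runAsNonRoot": False}},
        ],
    },
    # No runAsNonRoot anywhere, but a non-zero runAsUser pinned at pod level.
    "uid-pinned": {
        "securityContext": {"runAsUser": 10001},
        "containers": [{"name": "web", "image": "nginx"}],
    },
    # Nothing set at either level; init containers count too.
    "unset": {
        "initContainers": [{"name": "migrate", "image": "app"}],
        "containers": [{"name": "app", "image": "app"}],
    },
}

if __name__ == "__main__":
    for name, spec in PODS.items():
        print(name, root_findings(spec))
```

The same precedence rule applies to the other PodSecurityContext fields shared with the container context (runAsUser, runAsGroup, seccompProfile, seLinuxOptions), so a query for any of them should resolve the value the same way.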

Easier to navigate MQL Docs​

The simple list of resources in the MQL documentation may have worked initially, but the team is just far too fast adding new resources. We've broken up the resources by category for easier navigation.

Improved Navigation

πŸ› BUG FIXES​

  • Resolves incorrect platform description values in the Fleet view.
  • Adds a missing tooltip for control status in the policy results.
  • Resolves failures scanning Kubernetes ReplicaSets.
  • Resolves Amazon Linux EKS nodes not displaying their platform correctly.
  • Updates Amazon Linux 2022 CVE data to the 2022-08-17 release.
  • Evaluates config files in the /etc/ssh/sshd_config.d when parsing sshd configuration.
  • Resolves failures to parse some container images when scanning AKS clusters.
  • Improves the reliability of SSH algorithm checks in CIS, BSI, and Linux Baseline by Mondoo policies.
  • Resolves failures in some MQL queries.

· 5 min read

🥳 Mondoo 6.11.1 is out! This release includes supply chain security resources/policies, updated CIS policies, and Kubernetes enhancements!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Supply Chain Security Resources and Policies​

Problem: In the aftermath of numerous high-profile software supply chain attacks, you want to secure your software supply chain against attackers. Mondoo provided initial resources, but didn't offer a security policy out of the box.

Solution: Mondoo now includes a preview of the CIS Software Supply Chain Security Guide policy. This policy includes 18 controls to help you secure your GitHub organization and repositories. It includes important guidelines like ensuring all organization members enable MFA and limiting repository deletion to particular users. This policy is in preview as we work to implement more controls and improve the remediation guidance for failures.

As part of the development of this policy we've also greatly expanded the Mondoo git and GitHub resources. We've expanded the data returned in the github.repository, github.file, and github.branchprotection resources and added the following new resources:

  • github.team
  • github.collaborator
  • github.package
  • github.webhook
  • github.workflow
  • git.commit
  • git.commitAuthor
  • git.gpgSignature

Supply Chain Policy

Policy Downloads​

Problem: You want to be able to download policies from the Mondoo Policy Hub to customize the policies for your own organization.

Solution: You can now download policies from the Policy Hub's policy pages.

Policy Downloads

Terraform State File Resource Preview​

Problem: Instead of scanning the security of various Terraform configuration files, you'd rather go straight to the source and inspect the Terraform state file.

Solution: Mondoo now includes new preview resources for scanning the security of Terraform state files.

These new resources can be used as part of your Terraform development and deployment cycle:

terraform init
terraform apply
terraform show -json > state.json
mondoo shell -t tfstate --path state.json
mondoo> tfstate { * }
tfstate: {
terraformVersion: "1.2.6"
rootModule: tfstate.module id = tfmodule
modules: [
0: tfstate.module id = tfmodule
]
formatVersion: "1.0"
outputs: []
}

# root module
mondoo> tfstate.rootModule { * }
tfstate.rootModule: {
address: ""
childModules: []
resources: [
0: tfstate.resource id = aws_instance.app_server
]
}

# recursive list of modules
mondoo> tfstate.modules { * }
tfstate.modules: [
0: {
address: ""
resources: [
0: tfstate.resource id = aws_instance.app_server
]
childModules: []
}
]
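The tfstate.modules list above is built by walking the state recursively, root module first and then every child_modules entry underneath it. The following is an added example, not Mondoo's tfstate resource: it walks the JSON written by `terraform show -json` in the same way and applies one check to every resource it finds, here whether an aws_instance root volume is encrypted. SAMPLE_STATE is a constructed, trimmed state in the format_version 1.0 layout; the AMI and bucket names are placeholders.

```python
# Added example, not Mondoo's tfstate resource. Walks `terraform show -json`
# output recursively through root_module and child_modules and applies a
# check to every resource. SAMPLE_STATE is constructed and trimmed.
import json

SAMPLE_STATE = json.loads("""
{
  "format_version": "1.0",
  "terraform_version": "1.2.6",
  "values": {
    "root_module": {
      "resources": [
        {"address": "aws_instance.app_server", "mode": "managed",
         "type": "aws_instance", "name": "app_server",
         "values": {"ami": "ami-0123456789abcdef0",
                    "root_block_device": [{"encrypted": false, "volume_size": 8}]}}
      ],
      "child_modules": [
        {"address": "module.db",
         "resources": [
           {"address": "module.db.aws_instance.db", "mode": "managed",
            "type": "aws_instance", "name": "db",
            "values": {"ami": "ami-0123456789abcdef0",
                       "root_block_device": [{"encrypted": true, "volume_size": 100}]}}
         ],
         "child_modules": [
           {"address": "module.db.module.backup",
            "resources": [
              {"address": "module.db.module.backup.aws_s3_bucket.dumps",
               "mode": "managed", "type": "aws_s3_bucket", "name": "dumps",
               "values": {"bucket": "db-dumps"}}
            ]}
         ]}
      ]
    }
  }
}
""")


def walk_modules(module):
    """Yield a module and then, depth first, every module nested under it."""
    yield module
    for child in module.get("child_modules", []):
        yield from walk_modules(child)


def resources(state):
    """Yield (module_address, resource) for every resource in the state."""
    root = state.get("values", {}).get("root_module", {})
    for module in walk_modules(root):
        for res in module.get("resources", []):
            yield module.get("address", ""), res  # the root module has no address


def unencrypted_root_volumes(state):
    """Addresses of managed aws_instance resources whose root volume is not encrypted."""
    findings = []
    for _, res in resources(state):
        if res.get("mode") != "managed" or res.get("type") != "aws_instance":
            continue
        for dev in res.get("values", {}).get("root_block_device", []):
            if not dev.get("encrypted", False):
                findings.append(res["address"])
    return findings


if __name__ == "__main__":
    root = SAMPLE_STATE["values"]["root_module"]
    print([m.get("address", "") for m in walk_modules(root)])
    print(unencrypted_root_volumes(SAMPLE_STATE))
```

Two things to keep in mind when scanning real state this way: `terraform show -json` writes sensitive values (database passwords, access keys) in plain text, only marking them in the sibling sensitive_values map, so treat state.json like the state itself and delete it after the scan; and resources with mode "data" are read-only data sources, which is why the check filters on mode "managed".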

🧹 IMPROVEMENTS

Updated CIS Policies​

We've been hard at work to get you the latest and greatest CIS benchmarks to secure your systems. This week we've updated the following policies to the latest releases with new and updated controls:

  • AlmaLinux OS 8 Benchmark - Level 1 and Level 2 updated to 2.0
  • Apple macOS 10.15 Catalina Benchmark - Level 1 and Level 2 to 2.1.0
  • Apple macOS 11.0 Big Sur Benchmark - Level 1 and Level 2 to 2.1.0
  • Apple macOS 12.0 Monterey Benchmark - Level 1 and Level 2 to 1.1.0
  • Amazon Elastic Kubernetes Service (EKS) Benchmark - Level 1 and Level 2 to 1.1.0

AWS Best Practices Policies​

We've massively revamped our AWS Best Practices policies with over 8000 lines of improved queries, expanded descriptions, and remediation steps that include Terraform code to correct AWS misconfigurations.

Remediation Steps

Elevate Privileges with --sudo flag in Local Mondoo Scans​

You can now use the --sudo flag with mondoo scan local. This gives you a consistent way to execute scans with elevated privileges, regardless of the type of Mondoo scan you run.

Improved Platform Information​

The Mondoo Fleet view now includes more detailed information on each asset's platform and where that asset is running. This information helps you trace assets scanned in Kubernetes/cloud integrations to the infrastructure code that is responsible for their creation. We've also broken out each Kubernetes resource so you can more easily distinguish between Deployments and the resulting ReplicaSets or Pods they spawn. This new information makes it easier to tell running containers apart from container images or server instances.

Platform Titles in Fleet

Kubernetes Clusters Now Match Integration Name​

The Kubernetes clusters listed in the Mondoo CI/CD view now match the name configured in the Kubernetes Integration, making it easier to find your cluster when multiple integrations have been set up.

CI/CD Cluster Name

Add podSpec and containers to Kubernetes Resources​

All Mondoo Kubernetes workload resources now include podSpec, initContainers, and containers values, allowing you to better secure these resources.

mondoo> k8s.deployment(name: 'luna-frontend' namespace:'default').podSpec{}
k8s.deployment.podSpec: {
containers: [
0: {
image: "nginx:1.14.2"
name: "nginx"
ports: [
0: {
containerPort: 80.000000
}
]
resources: {}
}
]
}

Simpler Kubernetes Manifest Scanning​

You can now scan Kubernetes manifest files without the need to specify the --path flag:

mondoo scan k8s my_deployment.yml

Scanning of Single Terraform Files​

You can now scan just a single Terraform configuration file instead of a whole directory of files:

mondoo scan terraform my_tf_deploy.tf

πŸ› BUG FIXES​

  • Resolves incorrect CRI-O and containerd socket check titles in the Kubernetes Security policy.
  • Updates remediation steps for some Auditd checks in the Linux Baseline to work with Debian/Ubuntu systems.
  • Resolves errors querying Kubernetes rolebindings or clusterrolebindings.
  • Mondoo Kubernetes Security and Kubernetes Best Practices policies now appear as recommended policies when setting up a Kubernetes integration.
  • Resolves page rendering problems in the ... menu on the AWS Integrations page.
  • Resolves buttons rendering too close together on Policy Hub pages.
  • Resolves failures in some if/else blocks in MQL queries.
  • Resolves failures delivering some Mondoo invites.
  • Properly detects busybox when in containers.

· 4 min read

🥳 Mondoo 6.10 is out! This release includes Kubernetes resource scanning and expanded OS support.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Kubernetes Resource Scanning​

Problem: You want to secure not just your Kubernetes cluster control plane and nodes, but also the workloads you deploy to your cluster. You need visibility into the security of each of the running workloads.

Solution: Mondoo now scans each workload type as a dedicated asset, with new security and best practice policies applied to each asset. This means you'll now get not only scans of your cluster nodes and overall cluster control plane configuration, but also Pods, CronJobs, StatefulSets, DaemonSets, Jobs, and Deployments. These new assets provide more granular visibility into the workloads deployed onto your clusters and make it easy to disable or skip controls on particular workloads.

Results of Pod Scans:

Fleet View for PostgreSQL

In addition to these new assets, we're also shipping new Kubernetes Security and Kubernetes Best Practices policies. These new policies replace the existing Kubernetes Application Benchmark policy and apply only to the new Kubernetes resource assets. We decided to break out our combined security and best practices policy so that it would be easier to tell security violations from best practice violations at a glance. Since these policies scan individual Kubernetes assets instead of the cluster as a whole, they also feature greatly improved scan output and new remediation steps, so you can more easily resolve findings.

Pod Asset with New Policies:

PostgreSQL Pod Asset

Improved Kubernetes Policy Controls:

PostgreSQL Pod Scan Result

To enable scanning of all Kubernetes resources as individual Mondoo assets, pass the --discover all flag when scanning clusters:

mondoo scan k8s --discover all

Stay tuned for resource scanning directly in the Mondoo Kubernetes Operator and even more improvements to out-of-the-box Kubernetes policies in the coming weeks!

Google Container Operating System Support Preview​

Problem: When scanning Google Kubernetes Engine (GKE) clusters, you want to ensure the security of the cluster nodes running the Google Container OS Linux distribution.

Solution: Mondoo now includes preview support for the Google Container Operating System (GCOS). With this release, you will now see GCOS hosts properly report their release version, EOL date, and package/service states. Stay tuned for improved detection and policy support in the coming weeks.

GCOS Asset

Kubernetes k8s.initContainer Resource​

Problem: You want to write Mondoo policies that examine the configuration of Kubernetes Init Containers in your workloads.

Solution: A new k8s.initContainer resource lets you write policy against Kubernetes Init Containers.

InitContainer Query

🧹 IMPROVEMENTS

Expanded Operating System Support​

We've updated Mondoo with enhanced platform end-of-life and package vulnerability data so you can scan the latest and greatest operating systems:

  • Added Alpine 3.16, Fedora 33/34/35, and VMware Photon 4 package vulnerability data.
  • Updated Amazon Linux 2022 vulnerability data for the latest preview release packages.
  • Added EOL date detection for openSUSE Tumbleweed and Clear Linux OS.
  • Updated EOL date detection for the new patch version format of VMware 7.x.x.

Linux Baseline Policy Improvements​

We continue to improve our out-of-the-box Linux Baseline policy to provide better remediation steps and to support different Linux distros.

  • Skips the Ensure permissions on /etc/shadow- are configured control instead of failing when /etc/shadow- doesn't exist on the system.
  • Updates the query in the Ensure Samba is stopped and not enabled control to support Debian/Ubuntu-based Linux distros.
  • Updates the query and remediation steps for the Ensure core dumps are restricted control to support more distros.
  • Updates the query in the Ensure login and logout events are collected control to support Ubuntu.
  • Improves remediation steps and formatting throughout the policy.

Filtering in Asset Lists​

You can now quickly filter assets by their score by clicking the A-F values at the top of the fleet page.

Asset Filtering

πŸ› BUG FIXES​

  • Resolves failures running scans in the Kubernetes Operator.
  • VMware Mondoo appliance now includes timesyncd to prevent platform registration failures due to time drift.
  • Resolves duplicate AWS resource counts in the AWS integration pages.
  • Resolves potential failures in Mondoo Client when reporting scan results.
  • Reports all Mondoo Client scans within GitHub Actions when running the Mondoo action in multiple jobs or steps within the same workflow.
  • Resolves incorrect steps in the VMware Integration page.
  • Resolves failures in MQL when using if/else statements that have single-valued blocks.
  • Resolves the fleet summary pages sometimes showing an incorrect summary breakdown of asset scores.

· 4 min read

🥳 Mondoo 6.9 is out! This release includes new Kubernetes pod scanning and top CVEs in the space overview!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Top Platform Vulnerabilities on Overview​

Problem: You want to find the critical CVEs in your environment quickly.

Solution: The Mondoo Overview page now shows your space's top five platform vulnerabilities. This new view lets you quickly determine the most impacting vendor advisories and how many assets are affected by each advisory. The individual advisories link to detailed information pages summarizing the included CVEs and impact. You can also click View All to see all security advisories in your space.

Container CVEs

Kubernetes Pod Scanning​

Problem: You have hundreds or even thousands of different workloads in your Kubernetes clusters, and you want to see the security status of individual workloads instead of just the cluster as a whole.

Solution: This week, we're shipping our first slice of Kubernetes resource scanning with pod scanning. With this new discovery mode, each pod in your cluster becomes an asset within Mondoo. Policies are applied at the pod level, and you can write MQL queries against these pods instead of the whole cluster. This gives you more granular workload scanning and improved alerting.

Pod Asset

To start discovering pods as assets during your Kubernetes scans, run mondoo scan k8s --discover pods.

Stay tuned for next week's release when we introduce more new Kubernetes resources as Mondoo assets, along with new out-of-the-box policies for scanning these assets.

Mondoo Kubernetes Operator 1.0​

We started our open source Mondoo Operator for Kubernetes project in January of this year. Since then, the Mondoo team has been busy extending the functionality, ensuring stability, and squeezing every ounce of performance out of the codebase. This week, after 300 merged pull requests, we shipped the 1.0 release.

What does 1.0 mean for me?

1.0 means we're confident in the functionality and stability of the project. Additionally, since Mondoo follows Semantic Versioning, we won't intentionally break any configuration interfaces in subsequent 1.x releases. Config stability between minor releases makes upgrades easier without requiring stepped upgrades.

If you're still on an older Mondoo Operator release, we strongly encourage you to upgrade to 1.0. We've introduced significant new capabilities over the last few months, including pod container image scanning, rootless/read-only execution, and CronJob-based scanning. See our Mondoo Operator Upgrade documentation for more information on upgrading to 1.0.

🧹 IMPROVEMENTS​

Show Disabled and Ignored Controls​

Disabled and Ignored controls in policies are now visually indicated in assets' policies, making it clear which policies impact scoring.

Status Indication in Policies

Simpler Asset Deletion​

You can now delete assets directly on the asset page by clicking the delete icon.

Asset Deletion

If you're one to live dangerously, you can even opt out of warnings and delete assets with just a single click.

Opt Out of Warnings

Improved Linux EOL Detection​

We've improved the EOL operating system detection in Mondoo Client to support the following new Linux releases:

  • Alpine 3.16
  • openSUSE 15.4
  • Oracle Linux 9
  • Rocky Linux 9
  • SUSE Linux Enterprise 15.4

MQL Improvements​

We've updated MQL's platform resource to improve gathering information on assets. A new platform.title value exposes a human-friendly version of the platform's name, and the platform.version value has been deprecated in favor of platform.release.

Mondoo Shell

πŸ› BUG FIXES​

  • Resolves incorrect EOL dates for Rocky Linux 9 and SLES 15.3.
  • Adds a timeout for long running Kubernetes Operator scans.
  • Updates the VMware Appliance from Debian 11.2 to 11.4 to resolve CVEs in the underlying Debian installation.
  • Resolves failures during container image scanning.
  • Resolves failures during Terraform config file scans.
  • Resolves failures during EBS volume scans.
  • Removes references to "asset" in CI/CD run scan pages.
  • Client Linux Security Baseline's control 'Ensure / and /home are encrypted' now executes correctly on btrfs formatted partitions.
  • Users with the Mondoo viewer role can now list ChatOps integrations.

Β· 3 min read

πŸ₯³ Mondoo 6.8 is out! This release includes Azure Pipeline / Jenkins CI/CD support and Kubernetes container image scanning!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


πŸŽ‰ FEATURES​

Azure Pipelines and Jenkins Support​

Problem: You want to set up security scanning of projects in your CI pipelines, but you're not using a CI platform supported by Mondoo.

Solution: Mondoo now supports CI integrations with Azure Pipelines and Jenkins, raising our out-of-the-box CI/CD integrations to six. Still don't see the CI/CD integration you need? Let us know at hello@mondoo.com.

CI Setup Window

Mondoo Operator for Kubernetes Container Image Scanning​

Problem: You want to assess the security of not just your Kubernetes workload definitions but also the containers running in the workloads.

Solution: Following up on last week's new CLI-based container image scanning, we're now integrating public container image scanning directly into the Mondoo Operator. When enabled, the Mondoo Operator will now perform daily scans of all publicly available container images running in your Kubernetes cluster, exposing common OS misconfigurations and CVEs.

Here the Mondoo Operator for Kubernetes scans our prod-k8s cluster. It reveals the security of the three cluster nodes, all workloads deployed to the cluster, and the kube-apiserver pod:

Cluster Scan Results

We think you'll be blown away at how quickly Mondoo discovers new CVEs in the containers that make up your critical workloads. This kube-proxy container was running on a brand new Kubernetes cluster and had six different vulnerable packages:

Container CVEs

🧹 IMPROVEMENTS​

Policy and MQL Improvements​

Solution: We continue to improve the out-of-the-box Mondoo policies and the MQL resources that power those policies, giving you the most reliable scan results with Mondoo:

  • Replaced platform.runtimeEnv with the new, simpler platform.runtime. platform.runtimeEnv is now deprecated and will be removed in Mondoo Client 7.0.
  • Deprecated platform.virtualization.isContainer in favor of either platform.kind or platform.runtime. platform.virtualization.isContainer will be removed in Mondoo Client 7.0.
  • Added the ability to determine if a branch is the default branch with isDefault in the github.branch resource.
  • Resolved failures in the github.branch resource when branch protection is not configured.
  • Resolved failures that could occur in some valid MQL blocks, which caused failures in the Kubernetes Application Benchmark policy.
  • Resolved incorrect policy scores when all controls in a policy fail.
  • Added severity scores to the Kubernetes Application Benchmark policy to make prioritizing fixes easier.
  • Expanded the Ensure HTTP Proxy server is stopped and not enabled control in the Linux Security Baseline policy to check for the Tinyproxy proxy service.

πŸ› BUG FIXES​

  • Resolve Mondoo Operator for Kubernetes node scans of Minikube not scanning all nodes.
  • Fully clean up all Mondoo Operator resources when uninstalling.
  • Use a Red Hat UBI-based Mondoo image when scanning in Red Hat OpenShift.
  • Fix handling of the Mondoo Operator's running UID when running in OpenShift.
  • Add a liveness probe to the Mondoo Operator pods to improve Mondoo scan scores.
  • Resolve potential panics when the first Kubernetes Operator check-in occurs.
  • Resolve failures to properly exit in the Kubernetes Operator when a scan request failed.
  • Reduce resource utilization by lowering the initial requested CPU and memory limits for the Kubernetes Operator's node scanning pods.

Β· 6 min read

πŸ₯³ Mondoo 6.7 is out! This release includes a pile of new policies and policy updates


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


πŸŽ‰ FEATURES​

Summary Scan Output​

Problem: Mondoo scans print all results for every query in the CLI. However, sometimes users just want to see a quick summary of how the scan went, especially when it's collected upstream for a deeper analysis.

Solution: Mondoo now includes a new summary output mode. This mode contains just the summary portion of the Mondoo scan so you can quickly determine the security posture of systems.

Summary Scan

NSA PowerShell Policy​

Problem: Mondoo has always provided comprehensive resources for Microsoft PowerShell, but we never shipped a policy for its security best practices. This forced users to research, author, and maintain their own PowerShell policies.

Solution: Mondoo includes a new PowerShell security policy, NSA PowerShell: Security Measures to Use and Embrace. This policy implements the recommendations of the joint whitepaper Keeping PowerShell: Security Measures to Use and Embrace, published by the cybersecurity agencies of the United States, New Zealand, and the United Kingdom.

Time Synchronization Policy​

Problem: You want to be able to ensure accurate time across systems within your organization for authentication and logging purposes.

Solution: Mondoo now includes a new Operational Best Practices for Time Synchronization by Mondoo policy for macOS, Linux, and Windows hosts to ensure that systems are correctly syncing their time.

Bundesamt fΓΌr Sicherheit in der Informationstechnik (BSI) Policy​

Problem: You want to be able to secure your Debian- and Red Hat-based Linux systems according to the Federal Office for Information Security (BSI) and pass a BSI audit.

Solution: Mondoo now includes a new BSI SYS.1.3 Linux and Unix Servers by Mondoo policy. The BSI is Germany's Federal Office for Information Security, and its IT-Grundschutz catalog (of which SYS.1.3 is the Linux and Unix server module) plays a role in German IT security similar to SOC 2 in the US. We are releasing this first policy with support for Debian- and Red Hat-based Linux to ensure that systems are correctly hardened according to the BSI requirements. This is especially helpful for users in the DACH region overall and Germany in particular.

macOS Ventura (13) support​

Problem: Apple is currently working on the next major version of its Mac operating system: macOS Ventura (release 13). It is slated for a release towards the end of this year. An early version of this new release is now available in beta and can be used today. However, the Mondoo baseline policy did not support it yet.

Solution: Mondoo Client has been tested on macOS Ventura beta and the macOS Security Baseline by Mondoo policy has been updated for this upcoming release.

New Kubernetes MQL Resources​

Solution: Mondoo now includes new StatefulSet and ReplicaSet resources so you can write policies for these resource types.

🧹 IMPROVEMENTS​

Improved Linux Policies​

Solution: Mondoo's Linux Baseline policy and various CIS Linux policies have been updated for improved reliability and to better secure your systems:

  • New: Ensure sudo logging is enabled control added to Mondoo Linux Security Baseline
  • Bugfix: Ensure SSH access is limited now passes if SSH access is limited using only AllowUsers/AllowGroups
  • Bugfix: Failures running Ensure all GIDs in /etc/passwd exist in /etc/group have been resolved
  • Bugfix: Improved reliability in the Ensure that strong Key Exchange algorithms are used and Ensure only strong MAC algorithms are used controls
  • Improved: Impact scores added to many controls
  • Improved: Ensure permissions on bootloader config are configured control now checks that the file is owned by root/root
  • Improved: Ensure permissions on /etc/motd are configured control now checks that the file is owned by root/root
  • Improved: Ensure permissions on /etc/issue are configured control now checks that the file is owned by root/root
  • Improved: Ensure permissions on /etc/issue.net are configured control now checks that the file is owned by root/root
  • Improved: Ensure permissions on all logfiles are configured now shows which log files do not have the proper permission in the output
  • Bugfix: Fix errors running Ensure automatic mounting of removable media is disabled
  • Bugfix: Improved compatibility with Debian in Ensure access to the su command is restricted
  • Improved: Define the hardened ciphers for all SSH configurations control now runs more reliably on RHEL-derivative distros
  • Bugfix: Improved compatibility with Debian/Ubuntu in Define the hardened ciphers for all SSH configurations
  • Improved: Ensure permissions on all logfiles are configured now includes remediation steps to ensure future log files have the correct permissions
  • Improved: Ensure SSH root login is disabled control now allows prohibit-password value
  • Improved: Improved compatibility with Arch Linux derivatives
  • Bugfix: Fix false positives in Ensure journald is configured to compress large log files control

Improved K8s Application Policy​

Problem: Your Kubernetes workloads include not just Pods, but many other kinds of Kubernetes resources. Mondoo's Kubernetes Application Benchmark scans only Pods, missing the root cause of many security misconfigurations.

Solution: The Kubernetes Application Benchmark by Mondoo now scans not just Pods, but also StatefulSets, DaemonSets, Jobs, CronJobs, and Deployments, ensuring all the resources on your cluster are secured. With these additional queries and expanded audit instructions in the policy, you can more easily find the parent resource with the identified misconfiguration, saving you time securing your cluster.
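The attribution the policy relies on is ordinary Kubernetes machinery: every controller-managed object carries metadata.ownerReferences, so a Pod points at its ReplicaSet and the ReplicaSet at its Deployment. The script below is an added example (not Mondoo or Mondoo Operator code) showing how benchmark-style checks on a PodSpec are rolled up to the root owner, so that three findings on a Deployment, its ReplicaSet and its Pod collapse into one finding on the Deployment an engineer actually edits. The manifests, names and check identifiers are constructed for the example.

```python
"""Roll pod security findings up to the workload that created the pod.

Added example, not Mondoo code. The objects below are constructed to
mimic `kubectl get ... -o json` output for one Deployment, the ReplicaSet
it manages, the Pod the ReplicaSet manages, and one ad-hoc Pod.
"""

# Where each workload kind keeps its PodSpec (CronJob nests one level deeper).
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(obj):
    """Return the PodSpec embedded in a workload object, or None if unsupported."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        node = node.get(key, {})
    return node or None


def check_pod_spec(spec):
    """Yield (check_id, container_name) for each benchmark-style violation."""
    pod_sc = spec.get("securityContext", {})
    for host_ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(host_ns):
            yield host_ns, "*"          # pod-level setting, no single container
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            yield "privileged", c["name"]
        # runAsNonRoot may be set at pod or container level; the container wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            yield "runAsNonRoot", c["name"]


def root_owner(obj, by_uid):
    """Follow ownerReferences until reaching an object with no known owner."""
    seen = set()
    while True:
        uid = obj["metadata"]["uid"]
        if uid in seen:                 # guard against a malformed cycle
            return obj
        seen.add(uid)
        refs = obj["metadata"].get("ownerReferences", [])
        parent = next((by_uid[r["uid"]] for r in refs if r["uid"] in by_uid), None)
        if parent is None:
            return obj
        obj = parent


def audit(objects):
    """Scan every object's PodSpec; attribute findings to the root owner."""
    by_uid = {o["metadata"]["uid"]: o for o in objects}
    findings = set()
    for obj in objects:
        spec = pod_spec(obj)
        if spec is None:
            continue
        root = root_owner(obj, by_uid)
        key = (root["kind"], root["metadata"]["namespace"], root["metadata"]["name"])
        for check, container in check_pod_spec(spec):
            findings.add(key + (check, container))
    return sorted(findings)


# Constructed sample data: the same PodSpec appears in all three layers.
WEB_POD_SPEC = {
    "containers": [{"name": "web", "image": "registry.example/web:1.2",
                    "securityContext": {"privileged": True}}],
}
SAMPLE_OBJECTS = [
    {"kind": "Deployment",
     "metadata": {"name": "web", "namespace": "prod", "uid": "d-1"},
     "spec": {"template": {"spec": WEB_POD_SPEC}}},
    {"kind": "ReplicaSet",
     "metadata": {"name": "web-7d9", "namespace": "prod", "uid": "rs-1",
                  "ownerReferences": [{"kind": "Deployment", "name": "web", "uid": "d-1"}]},
     "spec": {"template": {"spec": WEB_POD_SPEC}}},
    {"kind": "Pod",
     "metadata": {"name": "web-7d9-x4k2p", "namespace": "prod", "uid": "p-1",
                  "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7d9", "uid": "rs-1"}]},
     "spec": WEB_POD_SPEC},
    # An ad-hoc pod with no controller: its findings stay on the pod itself.
    {"kind": "Pod",
     "metadata": {"name": "debug", "namespace": "prod", "uid": "p-2"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "sh", "image": "busybox:latest"}]}},
]

if __name__ == "__main__":
    for kind, ns, name, check, container in audit(SAMPLE_OBJECTS):
        print(f"{kind}/{ns}/{name}: {check} ({container})")
```

Run against real cluster data, the input would be the combined JSON of `kubectl get pods,replicasets,deployments,statefulsets,daemonsets,jobs,cronjobs -A -o json`; the owner chain is only resolvable when the parent objects are included in the same snapshot, which is why the example indexes everything by UID before walking.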

Improved Kubernetes Operator​

Solution: The Mondoo Operator for Kubernetes has been improved to increase the security and performance of scanning. The operator now runs all Mondoo Client containers without root privileges for increased security. The operator's admission controller also now runs scans ~30% faster, while reducing memory consumption in the cluster.

πŸ› BUG FIXES​

  • Resolves inconsistent results when scanning Kubernetes manifests using mondoo scan vs. Mondoo Operator admission controller scans
  • Resolves failures running scans on Windows systems with the system language set to German
  • Resolves failures scanning Azure when the current stack is not set
  • Resolves two failures in MQL that could result in inconsistent or incorrect results
  • Provides user-friendly error messages when scanning container images in private registries
  • Improves readability within policy results
  • Wraps long asset names in the fleet view and the asset pages