🥳 Mondoo 7.14 is out! This release includes expanded GitHub support, new GCP resources, and more!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 NEW FEATURES

Dive deeper into GitHub

Problem: You need out-of-the-box functionality to help you secure your GitHub organization, repositories, and users.

Solution: We've been busy improving nearly every aspect of the GitHub experience with cnspec, making it easier to apply out-of-the-box policy to secure your GitHub infrastructure and providing the resources and UI experience you need to create custom policies.

The GitHub Organization Security by Mondoo policy has been rewritten from the ground up to focus on critical security settings in your organizations and repositories. Queries focused on open source repository best practices have been removed and replaced with additional security queries that ensure settings such as branch protections are in place.

While building out this updated policy, we realized that the GitHub resources were missing data needed to write both our out-of-the-box policy and custom policies for your organizations. We made the following changes to the GitHub resources:

  • github.repository resources now support repository stargazer counts, repo fork resolution, and support for repository issues.
  • github.organization resource now includes avatar, followers and following data
  • github.user resource is greatly expanded to help examine user accounts
  • github.organization and github.user now support collecting information on gists

Finally, we improved the cnquery shell to make exploring your GitHub infrastructure easier. The cnquery shell github command now shows a list of repositories to examine, making it easier to find the repository you want to explore. We also added a new cnquery shell github user command that lets you examine details on GitHub users using the expanded github.user resource.

Shell GitHub Repository Selection

New and updated GCP Resources

Problem: You want to explore and secure your GCP projects using cnquery and cnspec.

Solution: cnquery and cnspec now include new and improved resources for exploring and securing GCP services:

  • New gcp.project.compute.backendServices resource
  • New gcp.project.monitoring.alertPolicies resource
  • Add access data to gcp.project.bigquery.datasets resource
  • Add accessApprovalSettings data to gcp.organizations and gcp.projects resources
  • Add cryptokeys data to gcp.project.kms.keyrings resource
  • Add network data to gcp.project.dns.policies resource
  • Add storageBucket data to gcp.project.logging.sinks resource
  • Add retentionPolicy data to gcp.project.storage.buckets resource
  • Fix errors when using gcp.project.kms when key status is not available
  • Rename gcp.storage resource to gcp.project.storage

New CIS policies for GCP and Azure

Problem: You need CIS policies to keep your cloud accounts secure and compliant.

Solution: Mondoo now includes the latest CIS benchmark policies for Azure, GCP, AWS, and VMware so you can secure complex multi-cloud and hybrid-cloud infrastructure. The CIS Microsoft Azure Foundations Benchmark policy is updated from 1.1.0 to 1.5.0, and the CIS Google Cloud Platform Foundation Benchmark is updated from 1.1.0 to 2.0.0. Both policies use the new resources shipped in this version of cnspec and include many new queries, each with audit and remediation steps.

Store GCP service account in an inventory file vault

Problem: You want to use an inventory file to store a set of GCP assets to scan, but you don't want to store credentials insecurely in the YAML config.

Solution: You can now store your GCP service account data in an inventory vault so you can share inventory files without sharing credentials. This example inventory file fetches the credentials used to access GCP infrastructure from Berglas, which stores secrets in Cloud Storage encrypted with Cloud KMS.

apiVersion: v1
kind: Inventory
metadata:
  name: inventory
spec:
  assets:
    - name: cool-stuff
      connections:
        - backend: 13
          credentials:
            - secret_id: storage/random-bucket2/foo
              type: 1
              secret_encoding: 3
          options:
          discover:
            targets:
              - auto
  vault:
    name: gcp-berglas
    type: gcp-berglas
    options:
      project_id: mondoo-dev-262313

You can then scan the inventory without passing credentials on the command line or in environment variables. The scanner still has to read the Berglas secret itself, so run it with GCP credentials (for example Application Default Credentials) that can decrypt the KMS key and read the bucket:

cnquery scan --inventory-file inv.yaml

JUnit output format for cnspec

Problem: You want to run cnspec in your CI pipelines, but the output is hard to understand.

Solution: The cnspec CLI can now produce JUnit output on the CLI for integration with popular CI/CD platforms such as Jenkins or GitLab:

cnspec scan docker debian:10 --output junit > report.junit

The resulting report.junit:

<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="Policy Report for debian:10@edcf96f9d9d9" tests="85" failures="43" errors="0" id="0" time="">
    <testcase name="Ensure auditd is installed" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
    <testcase name="Ensure no duplicate UIDs exist" classname="score"></testcase>
    <testcase name="Ensure root group is empty" classname="score"></testcase>
    <testcase name="Ensure no duplicate group names exist" classname="score"></testcase>
    <testcase name="Ensure source routed packets are not accepted" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
    ...
    <testcase name="Ensure login and logout events are collected" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
  </testsuite>
</testsuites>
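Because the report is plain JUnit XML, a CI job can read it back and decide what should block a merge instead of relying on the CI platform's generic "N tests failed" view. The following is an added example, not part of cnspec or this release: it parses a constructed report in the shape shown above, lists the failed checks per policy suite, and blocks when a named must-pass check failed or the failure count exceeds a budget. Treating `<error>` elements the same as `<failure>` is this script's choice, and the file name junit_gate.py is made up.

```python
"""Gate a CI job on the JUnit report cnspec writes with `--output junit`.

Added example, not part of cnspec: parse the report, list the failed checks per
policy suite, and decide whether the pipeline should fail.  `<error>` elements
are treated like `<failure>`; that is this script's choice, not cnspec's.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed report in the shape shown above (4 checks instead of 85).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="Policy Report for debian:10@edcf96f9d9d9" tests="4" failures="2" errors="0" id="0" time="">
    <testcase name="Ensure auditd is installed" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
    <testcase name="Ensure no duplicate UIDs exist" classname="score"></testcase>
    <testcase name="Ensure root group is empty" classname="score"></testcase>
    <testcase name="Ensure source routed packets are not accepted" classname="score">
      <failure message="results do not match" type="fail"></failure>
    </testcase>
  </testsuite>
</testsuites>
"""


def failed_checks(report_xml):
    """Return {suite name: [names of testcases that carry a <failure> or <error>]}."""
    if isinstance(report_xml, str):                 # let expat see the encoding declaration
        report_xml = report_xml.encode("utf-8")
    root = ET.fromstring(report_xml)
    return {
        suite.get("name"): [tc.get("name") for tc in suite.findall("testcase")
                            if tc.find("failure") is not None or tc.find("error") is not None]
        for suite in root.iter("testsuite")
    }


def should_block(report_xml, must_pass=(), max_failures=None):
    """Block the pipeline when a must-pass check failed or failures exceed max_failures."""
    # A check name that fails in several suites counts once.
    failed = {name for names in failed_checks(report_xml).values() for name in names}
    if failed.intersection(must_pass):
        return True
    return max_failures is not None and len(failed) > max_failures


if __name__ == "__main__":
    # usage: python junit_gate.py report.junit   (the file written by the cnspec command above)
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for suite, names in failed_checks(text).items():
        print(f"{suite}: {len(names)} failed")
        for name in names:
            print(f"  FAIL {name}")
    blocked = should_block(text, must_pass=("Ensure auditd is installed",), max_failures=10)
    sys.exit(1 if blocked else 0)
```

The must-pass list is where the policy decision lives: a handful of checks you never want merged red (audit logging, no duplicate UIDs) fail the job outright, while the failure budget lets a team ratchet the remaining findings down over time without blocking every build from day one.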

Multi-Role service accounts

Problem: You need to set additional permissions for your service accounts, but you don't want to give unnecessary permissions by using the owner role.

Solution: You can now assign more than one role to a service account in the console to give service accounts more fine-grained permissions. To set permissions on a service account, select the Settings tab, select Service Accounts, select the account you wish to edit, and then select the Permissions button.

Permissions selection modal

Trigger AWS integration scans directly in the console

Problem: Hassle-free continuous scanning of your AWS accounts is great, but sometimes you need to trigger a scan to evaluate the current security state.

Solution: Now you can trigger a one-time scan of your AWS account from the AWS Integration page.

Scan Now in AWS

Filter namespaces to scan in the Kubernetes Operator

Problem: Different teams are responsible for different parts of a Kubernetes cluster and you need to control which namespaces the Mondoo Kubernetes Operator scans.

Solution: Mondoo now gives you more control over which namespaces are scanned by the Kubernetes Operator. Scan all namespaces, scan all namespaces except a list of specific namespaces, or take full control and only scan specified namespaces.

Namespace Filtering

🧹 IMPROVEMENTS

Improved multi-asset scanning CLI

We've reworked how progress bars behave when scanning complex, multi-asset infrastructure such as Kubernetes clusters. The new progress bar format shows what is currently being scanned and the total progress of the cluster scan.

CLI Scan

AWS integrations show asset counts

The AWS integration pages now show the total number of assets at the top of the page, similar to other integration pages.

AWS Integration

๐Ÿ› BUG FIXESโ€‹

  • Fix an issue where the fallback to ssh-agent authentication was not working properly
  • Improve client setup instructions in the console to resolve failures
  • Simplify the workstation setup instructions
  • Update Packer integration instructions to use cnspec and the latest Mondoo packer plugin
  • Update long-lived token instructions to use cnspec
  • Make sure that query result data displays in the console scan results
  • Improve the reliability of Kubernetes integration status data in the console
  • Fix the loading of inventory files when cnspec is running in serve mode
  • Fix BSI/CIS/Mondoo Windows policies to account for users on a system that have not yet logged in
  • Improve remediation steps in Mondoo and CIS policies
  • Resolve slow loading times on the integrations tab
  • Fix vendor specific icons not always displaying for policies in Policy Hub
  • Add alias for mondoo login to the existing mondoo register command so that cnspec and mondoo commands match

🥳 Mondoo 7.13 is out! This release includes new GCP and Azure resources and cnspec as a service!

🎉 FEATURES

New OpenPGP resource

Problem: You want to validate that OpenPGP keys for YUM or APT repositories have not expired.

Solution: You can now use the new OpenPGP resource to validate that repository signing keys have not expired.

cnquery>  parse.openpgp(path: "./expires.asc").all( identities.all( signatures.all( keyExpiresIn.days > 30 )))
[ok] value: true

Inspect OpenPGP keys with the following MQL query:

parse.openpgp(path: "./expires.asc") {
  primaryPublicKey { * }
  identities {
    id
    signatures { * }
  }
}

Result from cnquery

cnquery> parse.openpgp(path: "./expires.asc") { primaryPublicKey { * } identities { id signatures { * } } }
parse.openpgp.list: [
  0: {
    primaryPublicKey: {
      id: "7312FA356E7DB13F"
      bitLength: 4096
      version: 4
      fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
      keyAlgorithm: "rsa"
      creationTime: 2023-01-14 17:24:58 +0100 CET
    }
    identities: [
      0: {
        id: "Test Expiration <test2@example.com>"
        signatures: [
          0: {
            keyAlgorithm: "rsa"
            version: 4
            keyExpiresIn: 363 days 23 hours 43 minutes 5 seconds
            identityName: "Test Expiration <test2@example.com>"
            signatureType: "positive_cert"
            hash: "SHA-256"
            creationTime: 2023-01-14 17:24:58 +0100 CET
            lifetimeSecs: -1
            expiresIn: null
            fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
            keyLifetimeSecs: 31449568
          }
        ]
      }
    ]
  }
]
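The output above shows where the expiry actually lives: OpenPGP stores key expiration as keyLifetimeSecs, a lifetime in seconds inside the self-signature's hashed subpackets, relative to the key's creationTime rather than as an absolute timestamp, which is why keyExpiresIn is derived and why expiresIn (the signature's own expiry) can be null at the same time. To make that concrete, here is an added example that is not cnquery's implementation of parse.openpgp: a minimal RFC 4880 parser in Python that dearmors a key, reads the v4 primary key packet, user IDs and the key-expiration subpacket of each self-signature, and applies the same 30-day rule as the MQL above. The sample key is constructed inline with dummy RSA material and cannot sign anything; the packet tags, subpacket types and fingerprint recipe follow RFC 4880. A key with no expiration subpacket is treated as passing the check, which is this example's choice.

```python
"""Minimal RFC 4880 public-key parser that reports key expiry.
Added example, not cnquery's parse.openpgp.  Handles old-format packet headers (what
GnuPG writes for keys, user IDs and signatures) and v4 keys/signatures only.
"""
import base64
import hashlib
import struct
from datetime import datetime, timedelta, timezone

TAG_SIG, TAG_PUBKEY, TAG_USERID = 2, 6, 13           # RFC 4880 packet tags
SUB_SIG_CREATED, SUB_KEY_EXPIRES = 2, 9              # signature subpacket types
ALGOS = {1: "rsa", 17: "dsa", 19: "ecdsa", 22: "eddsa"}

def dearmor(text):
    """Decode an ASCII-armor block: drop BEGIN/END lines, armor headers and the '=' CRC line."""
    body = text.strip().splitlines()[1:-1]
    if "" in body:                                    # armor headers end at the blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(data):
    """Yield (tag, body) for old-format packet headers: 0x80 | tag<<2 | length-type."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:
            raise ValueError("new-format packet header not supported here")
        tag, n = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[hdr & 3]
        length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def subpackets(buf):
    """Yield (type, data) from a signature subpacket area; the critical bit is masked off."""
    i = 0
    while i < len(buf):
        b = buf[i]; i += 1
        if b < 192:
            length = b
        elif b < 255:
            length = ((b - 192) << 8) + buf[i] + 192; i += 1
        else:
            length = struct.unpack(">I", buf[i:i + 4])[0]; i += 4
        yield buf[i] & 0x7F, buf[i + 1:i + length]
        i += length

def parse_openpgp(data):
    """Return {'primary': {...}, 'identities': [{'id': ..., 'signatures': [...]}]}."""
    key, identities = None, []
    for tag, body in packets(data):
        if tag == TAG_PUBKEY and key is None and body[0] == 4:
            # v4 fingerprint: SHA-1 over 0x99, two-byte length, packet body (RFC 4880 12.2)
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()
            key = {"created": datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], timezone.utc),
                   "algorithm": ALGOS.get(body[5], f"alg{body[5]}"), "fingerprint": fpr}
        elif tag == TAG_USERID:
            identities.append({"id": body.decode("utf-8", "replace"), "signatures": []})
        elif tag == TAG_SIG and identities and body[0] == 4:
            hashed_len = struct.unpack(">H", body[4:6])[0]
            sig = {"type": body[1], "key_lifetime_secs": None}
            for stype, sdata in subpackets(body[6:6 + hashed_len]):
                if stype == SUB_KEY_EXPIRES:          # seconds after *key* creation, not absolute
                    sig["key_lifetime_secs"] = struct.unpack(">I", sdata)[0]
            identities[-1]["signatures"].append(sig)
    return {"primary": key, "identities": identities}

def key_expires_in(parsed, sig, now):
    """Seconds until the key expires per this self-signature; None when no expiry is set."""
    if sig["key_lifetime_secs"] is None:
        return None
    return (parsed["primary"]["created"] + timedelta(seconds=sig["key_lifetime_secs"]) - now).total_seconds()

def valid_for_days(parsed, days, now):
    """Same rule as the MQL above: every self-signature leaves more than `days` of validity."""
    return all(key_expires_in(parsed, s, now) is None or key_expires_in(parsed, s, now) > days * 86400
               for ident in parsed["identities"] for s in ident["signatures"])

# --- constructed sample key (bogus 16-bit modulus; date and lifetime taken from the output above) ---
KEY_CREATED = datetime(2023, 1, 14, 16, 24, 58, tzinfo=timezone.utc)
KEY_LIFETIME_SECS = 31449568

def _old_packet(tag, body): return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body
def _subpacket(stype, data): return bytes([len(data) + 1, stype]) + data

def build_sample_key():
    ts = struct.pack(">I", int(KEY_CREATED.timestamp()))
    mpis = b"\x00\x10\x80\x01" + b"\x00\x11\x01\x00\x01"            # n (16 bits), e = 65537
    pubkey = _old_packet(TAG_PUBKEY, b"\x04" + ts + b"\x01" + mpis)
    userid = _old_packet(TAG_USERID, b"Test Expiration <test2@example.com>")
    hashed = _subpacket(SUB_SIG_CREATED, ts) + _subpacket(SUB_KEY_EXPIRES, struct.pack(">I", KEY_LIFETIME_SECS))
    # v4, type 0x13 (positive cert), RSA, SHA-256, hashed area, empty unhashed area, left16, dummy MPI
    sig = b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed + b"\x00\x00\xab\xcd\x00\x08\xff"
    return pubkey + userid + _old_packet(TAG_SIG, sig)

def armor(data):
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % base64.b64encode(data).decode()

if __name__ == "__main__":
    parsed = parse_openpgp(dearmor(armor(build_sample_key())))
    print(parsed["primary"], valid_for_days(parsed, 30, datetime.now(timezone.utc)))
```

For a real repository key, replace armor(build_sample_key()) with the contents of the .asc file; subkeys (tag 14) and their binding signatures are skipped here, so a key whose primary is long-lived but whose signing subkey has expired would still pass, which is one more thing the cnquery resource's full output lets you check.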

New GCP and Azure resources

Problem: You want to explore and secure your GCP and Azure cloud accounts using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP and Azure cloud services:

  • NEW azure.cloudDefender.defenderForContainers resource
  • NEW azure.cloudDefender.defenderForServers resource
  • NEW azure.resourceGroups resource
  • NEW gcp.project.cloudFunctions resource
  • NEW gcp.project.cloudRun resource
  • NEW gcp.project.dataproc.clusters resource
  • NEW gcp.project.iam.serviceAccounts resource
  • gcp.bigquery is now gcp.project.bigquery
  • gcp.compute is now gcp.project.compute
  • gcp.dns is now gcp.project.dns
  • gcp.project.compute.networks now includes subnetworks data
  • gcp.project.compute.instances now includes confidentialInstanceConfig data
  • gcp.project.dns.managedZones now includes dnssecConfig data
  • gcp.project.kms.keyrings { cryptokeys { * } } now includes created, nextRotation, rotationPeriod, versionTemplate, labels, importOnly, destroyScheduledDuration, and cryptoKeyBackend data
  • gcp.project now includes commonInstanceMetadata data

See the full documentation for all GCP resources in our GCP Resource Pack docs and Azure Resource Pack docs.

Run cnspec as a service

Problem: You want to move from the existing Mondoo Client to the new, expanded cnspec client to scan your servers, but cnspec couldn't run as a service.

Solution: You can now run cnspec as a service to continuously scan servers and workstations. cnspec is our next-generation open source client with capabilities not found in the existing Mondoo command line interface (Mondoo Client). We highly recommend that you migrate your systems to this new client as we begin deprecating Mondoo Client.

Learn about cnspec ->

Install cnspec ->

After deploying the cnspec package to your systems, you can migrate to the cnspec service with the following commands on systemd-based Linux hosts:

systemctl stop mondoo.service
systemctl disable mondoo.service
systemctl enable cnspec.service
systemctl start cnspec.service

๐Ÿ› BUG FIXESโ€‹

  • Ensure that gcp.project.bigquery resource IDs are always unique.
  • Change the default values in github.repository from id to fullName to make it easier to find repositories.
  • Print labels when running MQL queries that use variables inside blocks.
  • Show an error instead of crashing if the config file contains malformed keys.
  • Avoid a potential crash when running cnspec login on a fresh installation.

🥳 Mondoo 7.12 is out! This release includes new GCP/Azure resources, new and updated CIS policies, AWS ECS scanning, and more!

🎉 FEATURES

New GCP and Azure resources

Problem: You want to explore and secure your GCP and Azure cloud accounts using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP and Azure cloud services:

  • NEW azure.cloudDefender resource
  • NEW azure.sql.server.vulnerabilityassessment resource
  • NEW azure.authorization.roleDefinition resource
  • NEW azure.mysql.flexibleServer resource
  • NEW azure.storage.account.queueService.properties resource
  • NEW azure.storage.account.blobService.properties resource
  • NEW azure.storage.account.tableService.properties resource
  • NEW azure.storage.account.dataProtection resource
  • NEW azure.network.watcher.flowlog resource
  • NEW azure.monitor.diagnosticSettings resource
  • NEW azure.monitor.activitylog resource
  • NEW gcp.project.apiKeys resource
  • NEW gcp.project.essentialContacts resource
  • NEW gcp.project.logging resource
  • NEW gcp.project.sql resource
  • gcp.compute.firewall now includes allowed and denied data
  • gcp.compute.network now includes mode data
  • gcp.project.clusters moved to gcp.project.gke.clusters

See the full documentation for all GCP resources in our GCP Resource Pack docs and Azure Resource Pack docs.

New and updated CIS policies

Problem: Your infrastructure is complex, with an ever growing number of operating systems you need to secure.

Solution: Mondoo now includes the latest macOS and Linux CIS policies with new policies for the latest OS releases.

New CIS policies:

  • CIS Red Hat Enterprise Linux 9 Benchmark 1.0
  • CIS AlmaLinux OS 9 Benchmark 1.0
  • CIS Rocky Linux 9 Benchmark 1.0
  • CIS Oracle Linux 9 Benchmark 1.0
  • CIS Apple macOS 13.0 Ventura Benchmark 1.0.0

Updated CIS policies:

  • CIS CentOS Linux 8 Benchmark updated from 1.0.1 to 2.0.0
  • CIS Oracle Linux 8 Benchmark updated from 1.0.1 to 2.0.0
  • CIS SUSE Linux Enterprise 11 Benchmark updated from 2.0.0 to 2.1.1
  • CIS Apple macOS 10.15 Catalina Benchmark updated from 2.1.0 to 3.0.0
  • CIS Apple macOS 11.0 Big Sur Benchmark updated from 2.1.0 to 3.0.0
  • CIS Apple macOS 12.0 Monterey updated from 1.1.0 to 2.0.0

AWS ECS container scanning

You can now scan all AWS ECS containers when scanning your AWS account with the new ecs option for the --discover flag. Use it with cnquery and cnspec to explore and secure the ECS containers in your infrastructure.

Scan ECS Containers on the CLI

Multiple log in methods in the Mondoo Console

Problem: You signed up with your email account, and now you want to sign in with your Google, Microsoft, or GitHub login.

Solution: You can now add multiple authentication methods to your Mondoo Platform account, so you can log in with any combination of email, Microsoft, Google, or GitHub accounts.

To change your login method:

  1. In the top-right corner of the Mondoo Console, select your user icon.
  2. Select User Settings.
  3. In the left navigation, select Security. Under Connected Accounts, you can connect and disconnect accounts to update your login methods.

Managing Connected Accounts

New scan summaries for multiple asset scans

Problem: cnspec scan output gives you quick insight into the security posture of assets. However, when scanning complex systems like Kubernetes clusters with hundreds or thousands of assets, there is often too much data to consume.

Solution: We've developed an all-new summary view for asset scans that allows you to more easily understand the security posture of complex systems like Kubernetes in cnspec.

An example scan of a small Kubernetes cluster:

Scanned 29 assets

Debian GNU/Linux 9 (stretch)
F index.docker.io/library/nginx@f7988fb6c02e
F index.docker.io/library/postgres@3f4441460029

Distroless
B registry.k8s.io/etcd@6f72b8515449
B registry.k8s.io/kube-apiserver@4188262a351f
B registry.k8s.io/kube-controller-manager@d3a06262256f
B registry.k8s.io/kube-proxy@6bf25f038543
B registry.k8s.io/kube-scheduler@f478aa916568

Kubernetes Cluster
F K8s Cluster minikube

Kubernetes DaemonSet
D kube-system/kube-proxy

Kubernetes Deployment
C kube-system/coredns
D luna/luna-frontend
D luna/postgres

Kubernetes Pod
C kube-system/coredns-565d847f94-b4pcx
C kube-system/etcd-minikube
D kube-system/kube-apiserver-minikube
D kube-system/kube-controller-manager-minikube
D kube-system/kube-proxy-bqthk
D kube-system/kube-scheduler-minikube
D kube-system/storage-provisioner
D luna/luna-frontend-7fb96c846b-jjnhz
D luna/luna-frontend-7fb96c846b-tmg95
D luna/luna-frontend-7fb96c846b-xrl6c
D luna/postgres-5bb9d69b96-d9zzg

Kubernetes ReplicaSet
C kube-system/coredns-565d847f94
D luna/luna-frontend-7fb96c846b
D luna/postgres-5bb9d69b96
D luna/postgres-655d75f54b

scratch
U gcr.io/k8s-minikube/storage-provisioner@18eb69d1418e
U registry.k8s.io/coredns/coredns@8e352a029d30

Summary
=======

Score Distribution        Asset Distribution
------------------        ------------------
A   0 assets              Kubernetes ReplicaSet           4
B   5 assets              Kubernetes Pod                 11
C   4 assets              Kubernetes DaemonSet            1
D  15 assets              Distroless                      5
F   3 assets              Kubernetes Cluster              1
U   2 assets              scratch                         2
                          Debian GNU/Linux 9 (stretch)    2
                          Kubernetes Deployment           3

For detailed output, run this scan with "-o full".

See more scan results and asset relationships on the Mondoo Console: https://console.mondoo.com/space/fleet?spaceId=lunalectric-prod-eks

Iterating over keys and values

MQL already supports accessing keys and values via key and value in maps:

> sshd.config.params.where( key == /p/ )
sshd.config.params.where: {
  ChallengeResponseAuthentication: "no"
  Ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
}

We've extended this support to include parsed JSON and YAML structures:

> parse.json("my.json").params.where( value == 1 )
parse.json.params.where: {
  apples: 1.000000
  oranges: 1.000000
}

You can use key and value to quickly filter maps or to make assertions. For example, you can check that keys matching a pattern exist:

> parse.json("my.json").params.where( key == /or/ )
parse.json.params.where: {
  "hawthorn berries": 16.000000
  oranges: 1.000000
}

🧹 IMPROVEMENTS

Asset counts on integration tiles

Integration tiles in the integration tab now show a summary of discovered assets, applied policies, and total applied controls. Now you can more easily see where assets are discovered.

Integration Summary

Detect missing asset filters in cnspec bundle lint

cnspec bundle lint now includes a new check to ensure the policy's spec section includes an asset filter. This new check raises an error for policies that have no asset filter defined:

policies:
  - uid: mondoo-azure-security
    name: Microsoft Azure Security by Mondoo
    version: 1.0.0
    specs:
      - scoring_queries:
          mondoo-azure-security-ensure-os-disk-are-encrypted: null
          mondoo-azure-security-ssh-access-restricted-from-internet: null

The policy should be updated with an asset filter like this:

policies:
  - uid: mondoo-azure-security
    name: Microsoft Azure Security by Mondoo
    version: 1.0.0
    specs:
      - asset_filter:
          query: |
            platform.name == "azure"
            platform.kind == "api"
        scoring_queries:
          mondoo-azure-security-ensure-os-disk-are-encrypted: null
          mondoo-azure-security-ssh-access-restricted-from-internet: null

Expanded vault support for storing secrets

cnquery and cnspec now have expanded vault support for short-term secret storage when using inventory files. You can now store secrets with an in-memory vault or using GCP KMS encryption and GCP Cloud Storage through the Berglas project.

Example inventory file storing secrets with gcp-berglas:

apiVersion: v1
kind: Inventory
metadata:
  name: inventory
spec:
  assets:
    - name: cool-stuff
      connections:
        - backend: 0
          credentials:
            - secret_id: storage/my-secrets/secret
              type: 1
              secret_encoding: 3
          options:
          discover:
            targets:
              - all
  vault:
    name: gcp-berglas
    type: gcp-berglas
    options:
      project_id: id

Fine-grained control over Azure subscription scanning

You can now include or exclude particular Azure subscriptions during scans with the new --subscriptions and --subscriptions-exclude flags. For example, to run the cnquery shell against all subscriptions except two, exclude those two explicitly:

cnquery shell azure --subscriptions-exclude=984df67f-fc2e-4ebf-80a2-1234567891011,1e829eb0-e6a3-4c7b-8212-1234567891011

๐Ÿ› BUG FIXESโ€‹

  • Show better results for failures in the Google Cloud (GCP) Security by Mondoo policy.
  • Only check SSH server configuration when the SSH server is installed in the Linux Server Security by Mondoo. Thanks. @stdevel!
  • Avoid failures when the Kubernetes Ingress has no certificates.
  • Fix queries in Linux Workstation Security by Mondoo, BSI SYS.1.2 Windows Server, and Amazon Web Services (AWS) Operational Best Practices, CIS Distribution Independent Linux Benchmark, and CIS VMware ESXi 6.7 Benchmark policies that were not executing.
  • Don't show a policy lint error if the policy spec has either scoring queries or data queries attached.
  • Improve reliability when scanning instances using SSM in cnquery, cnspec, and the Mondoo AWS Integration.
  • Better describe when a directory of Terraform or Kubernetes files is scanned.
  • Improve reliability in MQL queries that execute commands concurrently.
  • Don't silently fail to run the socketstats resource when it's not supported.
  • Improve the reliability of scanning ECR images.

🥳 Mondoo 7.11 is out! This release includes new GCP resources, GitHub Code Scanning of policies, and simplified Windows deployment!

🎉 FEATURES

MQL policy linting

Problem: Custom MQL policies can become large quickly, making it difficult to make sure they are properly formatted.

Solution: cnspec now includes a new cnspec bundle lint command that helps you find incorrectly formatted policies. This new command checks for the following conditions:

  • MQL compile error
  • UID is not valid
  • Missing policy UID
  • Missing policy name
  • No unique policy UID
  • Policy is missing checks
  • Assigned query missing
  • Policy version is missing
  • Policy version is invalid
  • Missing query UID
  • Missing query title
  • No unique query UID
  • Unassigned query

Run linting of policies from CLI
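The checks in that list (together with the missing asset filter check that 7.12 added to cnspec bundle lint, described earlier on this page) are all structural, so they are easy to reproduce outside cnspec, for example as a pre-commit hook that runs before the GitHub Action does. The following is an added example, not cnspec's own linter: it runs those checks over the dict that yaml.safe_load returns for a bundle, using a constructed bundle that mirrors the Azure example from the 7.12 notes. The UID and version patterns and the message wording are assumptions; MQL compile errors are not detected, since that needs the real MQL compiler.

```python
"""Structural linter for a cnspec policy bundle (added example, not cnspec's own).

Re-implements the checks `cnspec bundle lint` is described as performing over the
dict that yaml.safe_load returns for a bundle: missing, duplicate or malformed UIDs,
missing names, titles and versions, queries assigned but never defined, queries
defined but never assigned, policies with no checks, and specs without an
asset_filter.  MQL compilation is not attempted.  The UID and version patterns are
assumptions, not cnspec's rules.
"""
import re

UID_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*$")   # assumed: lowercase, dots, dashes
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")     # assumed: semantic version


def lint_bundle(bundle):
    """Return a list of 'error: ...' / 'warning: ...' strings; empty means clean."""
    problems = []
    defined, assigned, policy_uids = set(), set(), set()

    for q in bundle.get("queries") or []:
        uid = q.get("uid")
        if not uid:
            problems.append("error: query is missing a uid")
            continue
        if not UID_RE.match(uid):
            problems.append(f"error: query uid '{uid}' is not valid")
        if uid in defined:
            problems.append(f"error: query uid '{uid}' is not unique")
        defined.add(uid)
        if not q.get("title"):
            problems.append(f"error: query '{uid}' is missing a title")
        if not q.get("query"):
            problems.append(f"error: query '{uid}' has no MQL")

    for p in bundle.get("policies") or []:
        uid = p.get("uid")
        if not uid:
            problems.append("error: policy is missing a uid")
            continue
        if not UID_RE.match(uid):
            problems.append(f"error: policy uid '{uid}' is not valid")
        if uid in policy_uids:
            problems.append(f"error: policy uid '{uid}' is not unique")
        policy_uids.add(uid)
        if not p.get("name"):
            problems.append(f"error: policy '{uid}' is missing a name")
        version = p.get("version")
        if version is None:
            problems.append(f"error: policy '{uid}' is missing a version")
        elif not VERSION_RE.match(str(version)):
            problems.append(f"error: policy '{uid}' version '{version}' is invalid")
        specs = p.get("specs") or []
        if not any(s.get("scoring_queries") or s.get("data_queries") for s in specs):
            problems.append(f"error: policy '{uid}' has no checks")
        for spec in specs:
            if not (spec.get("asset_filter") or {}).get("query"):
                problems.append(f"error: policy '{uid}' has a spec without an asset_filter")
            for quid in list(spec.get("scoring_queries") or {}) + list(spec.get("data_queries") or {}):
                assigned.add(quid)
                if quid not in defined:
                    problems.append(f"error: policy '{uid}' assigns missing query '{quid}'")

    problems += [f"warning: query '{u}' is not assigned to any policy" for u in sorted(defined - assigned)]
    return problems


# Constructed bundle mirroring the Azure example from the 7.12 notes: no asset_filter,
# one assigned query that is never defined, one defined query that is never assigned.
# The "query" bodies are placeholders, not real MQL.
SAMPLE_BUNDLE = {
    "policies": [{
        "uid": "mondoo-azure-security",
        "name": "Microsoft Azure Security by Mondoo",
        "version": "1.0.0",
        "specs": [{"scoring_queries": {
            "mondoo-azure-security-ensure-os-disk-are-encrypted": None,
            "mondoo-azure-security-ssh-access-restricted-from-internet": None,
        }}],
    }],
    "queries": [
        {"uid": "mondoo-azure-security-ensure-os-disk-are-encrypted",
         "title": "Ensure OS disks are encrypted", "query": "true"},
        {"uid": "mondoo-azure-security-unused-check",
         "title": "Defined but never assigned", "query": "true"},
    ],
}

if __name__ == "__main__":
    import sys
    bundle = SAMPLE_BUNDLE
    if len(sys.argv) > 1:
        import yaml                                   # PyYAML, assumed installed
        with open(sys.argv[1]) as fh:
            bundle = yaml.safe_load(fh)
    findings = lint_bundle(bundle)
    print("\n".join(findings) or "no problems found")
    sys.exit(1 if any(f.startswith("error") for f in findings) else 0)
```

Two ordering details matter: queries are collected before policies are walked so that "assigned but undefined" is decided against the complete set, and "defined but unassigned" is reported as a warning rather than an error, since a query that nothing uses is dead weight rather than a broken policy.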

But wait, there's more! This new linting works with GitHub Code Scanning through our Mondoo GitHub Action. Applying the updated action scans your repository for Mondoo policies, annotates pull requests with any problems it finds, and even opens GitHub Code Scanning issues for problems.

The action is compact and doesn't require a service account or any other additional setup:

---
name: Lint Policies

on:
  pull_request:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Lint cnspec policies and output SARIF
        uses: mondoohq/actions/cnspec-lint@main
        with:
          path: .
          output-file: "results.sarif"
      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

This action runs on each pull request and on every push to main, and annotates problems directly in the GitHub UI (if your repository restricts the default GITHUB_TOKEN permissions, the SARIF upload step additionally needs security-events: write in the job's permissions block):

GitHub Annotation

The GitHub Action integrates with GitHub Code Scanning to open GitHub Code Scanning issues for each problem in your policy:

GitHub Code Scanning

New GCP resources

Problem: You want to explore and secure your GCP Pub/Sub and KMS services using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP Pub/Sub and KMS services.

We added new resources to query GCP KMS Key Rings and their cryptographic keys:

cnquery> gcp.project.kms.keyrings { * }
gcp.project.kms.keyrings: [
  0: {
    resourcePath: "projects/example-project/locations/global/keyRings/testring"
    created: 2022-12-19 15:17:46.974842182 +0000 UTC
    projectId: "example-project"
    cryptokeys: [
      0: gcp.project.kmsService.keyring.cryptokey name="testring-key" purpose="ENCRYPT_DECRYPT"
    ]
    name: "testring"
    location: "global"
  }
]

Inspect details for Crypto Keys:

cnquery> gcp.project.kms.keyrings { name cryptokeys { * } }
gcp.project.kms.keyrings: [
  0: {
    name: "testring"
    cryptokeys: [
      0: {
        purpose: "ENCRYPT_DECRYPT"
        resourcePath: "projects/example-project/locations/global/keyRings/testring/cryptoKeys/testring-key"
        versions: [
          0: gcp.project.kmsService.keyring.cryptokey.version name="1" state="ENABLED"
        ]
        name: "testring-key"
        primary: gcp.project.kmsService.keyring.cryptokey.version name="1" state="ENABLED"
      }
    ]
  }
]

We also added support for GCP Pub/Sub subscriptions, topics, and snapshots:

cnquery> gcp.project.pubsub { * }
gcp.project.pubsub: {
  topics: [
    0: gcp.project.pubsubService.topic name="gke-cluster-event-queue"
  ]
  snapshots: []
  projectId: "example-project"
  subscriptions: [
    0: gcp.project.pubsubService.subscription name="gke-cluster-event-queue-subscription"
  ]
}

See full documentation for all GCP resources in our GCP Resource Pack docs.

Mondoo installation PowerShell module

Problem: You need to deploy trusted binaries from Mondoo to Windows hosts using Active Directory Group Policy or MDM solutions.

Solution: You can now install Mondoo using a new Mondoo.Installer signed PowerShell module that is published on the PowerShell Gallery at https://www.powershellgallery.com/packages/Mondoo.Installer/1.0. You can use this new signed module to deploy Mondoo CLIs to managed Windows hosts by running Install-Mondoo.

Install-Module -Name Mondoo.Installer
Install-Mondoo

Because our scripts and binaries are fully signed, rolling out cnquery and cnspec has never been easier. The module checks whether the latest version is already installed and updates to the newest version if needed:

Powershell module installation

After the installation script is complete, cnquery and cnspec are available for use:

cnquery and cnspec installed with Powershell module

🧹 IMPROVEMENTS

Detect expiring certs in Kubernetes Ingresses

A new Ingress certificates less than 15 days from expiration query in the Kubernetes Best Practices by Mondoo policy detects certificates nearing their expiration date in your Kubernetes cluster. The query looks at every certificate referenced by a Kubernetes Ingress resource and stored as a Secret, and fails when the certificate expires in less than 15 days.

Better asset scanning with the Mondoo AWS Lambda integration

The Mondoo AWS integration has been improved to better scan large and complex AWS environments:

  • Scan regions with more than 1,000 running instances.
  • Use AWS Instance Connect to scan instances if SSH scans fail.

Add cnquery/cnspec to the integrations page

You can now set up cnquery and cnspec to communicate with Mondoo Platform directly on the Integrations page of the console.

cnspec and cnquery Integrations

๐Ÿ› BUG FIXESโ€‹

  • Fix some help descriptions not being displayed.
  • Don't cut off the beginning of some help descriptions.
  • Using two or more search filters in the console requires all filters to match instead of just one.
  • Allow organization owners to delete invites.
  • Improve the default output of the kernel resource.
  • Fix terraform.module not discovering all modules.
  • Fix invalid command examples in some console integration pages.
  • Update Workstation integrations page text to better match terms used by cloud vendors.

🥳 Mondoo 7.10 is out! This release includes support for K8s Ingress certificates and a resource for GCP GKE clusters!

🎉 FEATURES

New GCP GKE resource

Problem: You've secured your Kubernetes workloads and kubelet configs with Mondoo and NSA Kubernetes security policies, but you need to secure your GKE cluster configuration as well.

Solution: A new gcp.project.clusters resource lets you explore your GKE clusters and write policies to secure your cluster control plane.

cnquery> gcp.project.clusters { * }
gcp.project.clusters: [
  0: {
    resourceLabels: {}
    name: "luna-gke-cluster-2"
    projectId: "luna-edge"
    locations: [
      0: "us-central1-b"
      1: "us-central1-c"
      2: "us-central1-f"
    ]
    created: 2022-12-15 20:43:41 +0000 +0000
    status: "RUNNING"
    zone: "us-central1"
    description: ""
    nodePools: [
      0: gcp.project.cluster.nodepool name="generic-pool"
    ]
    loggingService: "logging.googleapis.com/kubernetes"
    expirationTime: null
    enableKubernetesAlpha: false
    initialClusterVersion: "1.24.5-gke.600"
    network: "luna-gke-cluster-2"
    clusterIpv4Cidr: "10.20.0.0/16"
    autopilotEnabled: false
    endpoint: "63.192.209.236"
    currentMasterVersion: "1.24.5-gke.600"
    id: "123abcbcada644fcb3b83c30ea0efcfc3cd6d8f42a814bccbcb3503181e12b5a"
    subnetwork: "luna-gke-cluster-2-subnet"
    monitoringService: "monitoring.googleapis.com/kubernetes"
  }
]

Examine Kubernetes Ingress certificates

Problem: You've secured your Kubernetes Ingresses with the new k8s.ingress resource, but you need to examine and secure the certificates associated with those Ingresses as well.

Solution: A new k8s.ingress.certificates resource allows you to explore and secure certificates associated with Kubernetes Ingress objects.

$ ./cnquery run k8s --discover ingresses -c 'k8s.ingress.certificates{ expiresIn }'
→ discover related assets for 1 asset(s)
→ use cluster name from kube config cluster-name=minikube
→ resolved assets resolved-assets=1
k8s.ingress.certificates: [
  0: {
    expiresIn: 12 days 2 hours 12 minutes 14 seconds
  }
]

🧹 IMPROVEMENTS

Continued migration to cnspec

Our migration from the legacy Mondoo CLI to cnspec continues this week with CI and Kubernetes. CI integration examples in the console now show simpler cnspec steps, and the Mondoo Kubernetes Operator uses the new cnspec container images for all cluster scans. Stay tuned as we continue to migrate to our improved open source cnspec CLI over the coming weeks.

See errors from the Kubernetes operator

Kubernetes integration pages show any errors reported by the Mondoo Kubernetes Operator so you can more easily troubleshoot operator failures.

Kubernetes Integration

Improved help descriptions

cnspec and cnquery now include improved help and resource descriptions: We've improved many command descriptions to help new users, added descriptions for many resources, and removed some invalid resources that were showing up in auto-complete in the cnquery/cnspec shells.

๐Ÿ› BUG FIXESโ€‹

  • Fix MachineType error in gcp.compute.instances resource.
  • Fix integer comparisons in MQL failing when resources returned a 32-bit integer instead of the assumed 64-bit integer.
  • Allow users to navigate the console tabs with the keyboard.
  • Allow users to upload policies that use alternative YAML MIME types to the Policy Hub.
  • Fix errors in Ensure default user umask is 027 or more restrictive and Ensure default user umask is configured controls within Mondoo and CIS Linux policies.

🥳 Mondoo 7.9 is out! This release includes a new Kubernetes Ingress resource and automatic discovery of Amazon ECR registries!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Kubernetes Ingress resource

Problem: You want to ensure the security of Kubernetes Ingresses.

Solution: Mondoo now includes new resources for exploring and securing Kubernetes Ingress objects. New resources support exploring the Ingress objects themselves as well as the HTTP rules in each Ingress.

New Ingress resources:

Example cnspec shell query:

k8s.ingresses: [
  0: {
    annotations: {}
    namespace: "default"
    labels: {}
    manifest: {
      apiVersion: "networking.k8s.io/v1"
      kind: "Ingress"
      metadata: {
        creationTimestamp: null
        name: "no-tls-ingress"
        namespace: "default"
      }
      spec: {
        ingressClassName: "nginx"
        rules: [
          0: {
            host: "api.nexus.info"
            http: {
              paths: [
                0: {
                  backend: {
                    resource: {
                      apiGroup: "k8s.example.io"
                      kind: "MyKind"
                      name: "my-resource"
                    }
                  }
                  path: "/"
                  pathType: "Prefix"
                }
              ]
            }
          }
          ...

You can also automatically discover Ingress objects during your cluster scan with the --discover ingresses flag. With this flag, each Ingress object is scanned as an asset available in the Mondoo Console.

Stay tuned for new Ingress security policies and auto-discovery of HTTP/HTTPS endpoints so you can automatically discover incorrectly configured or expiring certificates.
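The certificate check this section promises, and the k8s.ingress.certificates expiresIn output in the 7.14 notes above, come down to three steps: find the Secret each spec.tls entry names, parse its tls.crt, and compare NotAfter with the clock. The Go program below is an added stand-alone example, not cnquery's implementation: it performs those steps, adds a hostname check (a valid certificate for the wrong name is still a broken Ingress), and flags certificates that are expired or inside a warning window. The Secret store is a hypothetical in-memory map standing in for the API server, and the certificates are constructed self-signed fixtures minted at run time so the code works offline; in a cluster you would read the Secrets with a client, and the parsing and evaluation stay the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IngressTLS mirrors one spec.tls[] entry of a networking.k8s.io/v1 Ingress: the hosts it
// serves and the kubernetes.io/tls Secret whose tls.crt key holds the certificate.
type IngressTLS struct {
	Hosts      []string
	SecretName string
}

// CertReport is what the check derives for each referenced certificate.
type CertReport struct {
	SecretName   string
	Subject      string
	ExpiresIn    time.Duration // negative once expired
	Expired      bool
	Expiring     bool     // still valid but inside the warning window
	HostMismatch []string // Ingress hosts the certificate does not cover
}

// inspectIngressCerts resolves each TLS entry against the tls.crt bytes of its Secret (secrets is
// a hypothetical in-memory map standing in for the API server), parses the leaf certificate and
// evaluates expiry and hostname coverage as of now.
func inspectIngressCerts(tls []IngressTLS, secrets map[string][]byte, now time.Time, warn time.Duration) ([]CertReport, error) {
	var out []CertReport
	for _, t := range tls {
		raw, ok := secrets[t.SecretName]
		if !ok {
			return nil, fmt.Errorf("ingress references missing secret %q", t.SecretName)
		}
		block, _ := pem.Decode(raw) // tls.crt may carry a chain; the leaf comes first
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("secret %q: tls.crt is not a PEM certificate", t.SecretName)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("secret %q: %w", t.SecretName, err)
		}
		left := cert.NotAfter.Sub(now)
		r := CertReport{SecretName: t.SecretName, Subject: cert.Subject.CommonName,
			ExpiresIn: left, Expired: left <= 0, Expiring: left > 0 && left < warn}
		for _, h := range t.Hosts { // SAN coverage: the Ingress host must be a name on the cert
			if cert.VerifyHostname(h) != nil {
				r.HostMismatch = append(r.HostMismatch, h)
			}
		}
		out = append(out, r)
	}
	return out, nil
}

// selfSignedPEM mints a constructed certificate so the example runs offline;
// real Secrets carry CA-issued chains, which parse the same way.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now() // constructed fixtures: one cert 12 days from expiry, one already expired
	secrets := map[string][]byte{
		"api-tls":  selfSignedPEM("api.nexus.info", now.Add(-24*time.Hour), now.Add(12*24*time.Hour)),
		"shop-tls": selfSignedPEM("shop.lunalectric.test", now.Add(-400*24*time.Hour), now.Add(-24*time.Hour)),
	}
	reports, err := inspectIngressCerts([]IngressTLS{
		{Hosts: []string{"api.nexus.info", "www.nexus.info"}, SecretName: "api-tls"},
		{Hosts: []string{"shop.lunalectric.test"}, SecretName: "shop-tls"},
	}, secrets, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("%s %s expiresIn=%v expired=%t expiring=%t hostMismatch=%v\n",
			r.SecretName, r.Subject, r.ExpiresIn.Round(time.Second), r.Expired, r.Expiring, r.HostMismatch)
	}
}
```

Running it prints one line per TLS entry: the first fixture mirrors the 12-day figure above and also reports www.nexus.info as uncovered, because the certificate only names api.nexus.info; the second is expired. A missing Secret is returned as an error rather than silently skipped, since an Ingress pointing at a Secret that does not exist is itself a finding.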

Amazon ECR discovery support

Problem: To scan an AWS ECR registry, you have to know its address.

Solution: The cnquery/cnspec AWS scanner now automatically discovers and scans ECR registries.

Just type cnspec scan aws --discover ecr, or cnspec scan aws --discover all.

🧹 IMPROVEMENTS

Improve EC2 instance discovery

When running cnspec scan aws --discover instances, cnspec now uses EC2 Instance Connect and SSM to connect to and remotely scan EC2 instances.

๐Ÿ› BUG FIXESโ€‹

  • Improve the reliability of many controls in CIS and Mondoo Linux policies.
  • Change SSM-scanned instances to not show up as "Other" scans.
  • Avoid rate limiting in the AWS Lambda integration by reducing total API calls.
  • Improve help and resource autocomplete text.
  • Remove some unhelpful warning log messages in cnspec and cnquery.
  • Fix the display of long Kubernetes integration names in the Kubernetes integration page.
  • Fix login failures using the latest release of Safari on macOS and iOS.
  • Fix incorrect display of long organization IDs in the create organization window.

· 5 min read

🥳 Mondoo 7.8 is out! This release includes new resources for OS updates, packages, and simpler IaC file scanning!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

More intuitive resource names

Problem: When running cnquery it can be difficult to know which resources are available and what individual resources do.

Solution: We've renamed several resources to better match the objects scanned (rather than the underlying technology). This makes it easier to discover resources and navigate your infrastructure with cnquery.

Updated resource names:

  • msgraph.beta -> microsoft (MS365 + Azure Active Directory)
  • gcloud -> gcp
  • azurerm -> azure

Don't worry though; the old resource names still work. You don't need to update policies before rolling out this new release.

Software update data for macOS and Windows

Problem: To secure your hosts, you want to find available software updates for all platforms.

Solution: Mondoo now exposes os.updates resource data for macOS and Windows hosts. You can now write cnspec policies to ensure systems are fully patched, or use cnquery to remotely identify unpatched systems.

os.updates: [
0: os.update name="MSU_UPDATE_21G217_patch_12.6.1"
1: os.update name="Command Line Tools beta 3 for Xcode"
2: os.update name="Command Line Tools for Xcode"
3: os.update name="Safari16.1MontereyAuto"
]

Windows MSI package inspection

Problem: The packages installed on your Windows hosts are critical to their security. You want to write a policy that checks for specific packages and package versions.

Solution: Mondoo now includes support for querying MSI packages (and continues to support Appx packages). With cnspec, use the packages resource to write policies enforcing package versions. With cnquery, explore what's installed on hosts:

packages.list: [
0: package name="Python 3.10.4 pip Bootstrap (64-bit)" version="3.10.4150.0"
1: package name="Python 3.10.4 Core Interpreter (64-bit)" version="3.10.4150.0"
2: package name="VMware Tools" version="11.3.0.18090558"
3: package name="Python 3.10.4 Development Libraries (64-bit)" version="3.10.4150.0"
4: package name="Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29913" version="14.28.29913"
5: package name="Python 3.10.4 Utility Scripts (64-bit)" version="3.10.4150.0"
6: package name="Mondoo" version="7.4.0"
7: package name="Python 3.10.4 Test Suite (64-bit)" version="3.10.4150.0"
8: package name="Python 3.10.4 Tcl/Tk Support (64-bit)" version="3.10.4150.0"
9: package name="Python 3.10.4 Documentation (64-bit)" version="3.10.4150.0"
10: package name="Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29913" version="14.28.29913"
11: package name="Python 3.10.4 Executables (64-bit)" version="3.10.4150.0"
12: package name="Python 3.10.4 Standard Library (64-bit)" version="3.10.4150.0"
13: package name="Python 3.10.4 (64-bit)" version="3.10.4150.0"
14: package name="Microsoft Edge" version="108.0.1462.42"
]
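A version check is only as good as its comparison. Compared byte by byte, "7.4.0" sorts after "7.14.0", so the out-of-date Mondoo 7.4.0 in the inventory above would wrongly pass a minimum of 7.14.0. The Go below is an added illustration, not cnspec's own policy code: it compares dotted versions component-wise, evaluates a list of minimum-version requirements against an inventory constructed from the packages.list output above, and reports requirements that matched no installed package separately, since an absent package is not the same as a compliant one. The requirements themselves are assumed for illustration and are not a recommended baseline.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Package is the (name, version) pair that packages.list exposes.
type Package struct{ Name, Version string }

// Requirement says every installed package whose name starts with NamePrefix
// must be at least MinVersion.
type Requirement struct{ NamePrefix, MinVersion string }

// Finding is one installed package below its required minimum.
type Finding struct {
	Package
	MinVersion string
}

// compareVersions orders dotted versions component by component: numerically where both
// components are integers ("7.4.0" < "7.14.0", which byte-wise comparison gets backwards),
// byte-wise otherwise. A missing component counts as 0, so "14.28" == "14.28.0".
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := "0", "0"
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		xi, xerr := strconv.Atoi(x)
		yi, yerr := strconv.Atoi(y)
		switch {
		case xerr == nil && yerr == nil && xi < yi:
			return -1
		case xerr == nil && yerr == nil && xi > yi:
			return 1
		case xerr != nil || yerr != nil:
			if c := strings.Compare(x, y); c != 0 {
				return c
			}
		}
	}
	return 0
}

// enforce evaluates requirements against an inventory. Requirements that match no package
// are returned separately: absence is not compliance and deserves its own verdict.
func enforce(pkgs []Package, reqs []Requirement) (violations []Finding, unmatched []Requirement) {
	for _, r := range reqs {
		matched := false
		for _, p := range pkgs {
			if !strings.HasPrefix(p.Name, r.NamePrefix) {
				continue
			}
			matched = true
			if compareVersions(p.Version, r.MinVersion) < 0 {
				violations = append(violations, Finding{p, r.MinVersion})
			}
		}
		if !matched {
			unmatched = append(unmatched, r)
		}
	}
	return violations, unmatched
}

// inventory is constructed from the packages.list output above.
var inventory = []Package{
	{"VMware Tools", "11.3.0.18090558"},
	{"Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29913", "14.28.29913"},
	{"Mondoo", "7.4.0"},
	{"Microsoft Edge", "108.0.1462.42"},
	{"Python 3.10.4 (64-bit)", "3.10.4150.0"},
}

// requirements are assumed minimums for illustration, not a recommended baseline.
var requirements = []Requirement{
	{"Mondoo", "7.14.0"},
	{"Microsoft Edge", "108.0.1400.0"},
	{"Google Chrome", "1"},
}

func main() {
	violations, unmatched := enforce(inventory, requirements)
	for _, v := range violations {
		fmt.Printf("FAIL %s %s < %s\n", v.Name, v.Version, v.MinVersion)
	}
	for _, r := range unmatched {
		fmt.Printf("SKIP no package matching %q (required >= %s)\n", r.NamePrefix, r.MinVersion)
	}
}
```

With the inventory above this flags Mondoo 7.4.0 as below 7.14.0, accepts Edge 108.0.1462.42, and reports that nothing matched "Google Chrome" instead of counting that as a pass. Vendor-specific schemes (epochs, tildes, pre-release tags) need a scheme-aware comparator; this one is only for plain dotted numerics like the MSI versions shown.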

Scan all Terraform configs or Kubernetes manifests in directories

Problem: You have a repository full of Terraform configs or Kubernetes manifests you want to scan, but you don't want to scan them one command at a time.

Solution: Let Mondoo do the heavy lifting: Scan your IaC configs by directory. cnspec automatically finds all the relevant files to scan, even those nested deep in directories.

In this example, cnspec scans all of our Lunalectric repositories to find Kubernetes manifest files in the postgresql and frontend repositories, while ignoring other non-Kubernetes YAML files:

cnspec scan k8s dev/lunalectric/
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=5
→ connecting to asset K8s Manifest lunalectric (code)

████████████████████████████████████████████████████████████████████████████ 100% K8s Manifest lunalectric
→ connecting to asset luna/postgres (k8s-object)

████████████████████████████████████████████████████████████████████████████ 100% luna/postgres
→ connecting to asset luna/luna-frontend (k8s-object)

████████████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend
→ connecting to asset luna/postgres (k8s-object)

████████████████████████████████████████████████████████████████████████████ 100% luna/postgres
→ connecting to asset luna/luna-frontend (k8s-object)

████████████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend

🧹 IMPROVEMENTS

Default values for GCP resources

GCP resources now include default values, so it's easier to explore your infrastructure with cnquery. You no longer have to list the fields for each query; you can rely on the defaults and skip the field names. We picked the most important values for each resource to save you time.

Old: gcp.sql.instances{name}

New: gcp.sql.instances

Instance names from EBS volume scans

EBS volume scans from the CLI or the AWS integration now include asset names that match scans over SSM or SSH.

Process information in the ports resource

The ports resource now includes process information so you can see which process is binding to an open port:

ports.list: [
0: port port=53 protocol="tcp" address="127.0.0.53" process.executable="/lib/systemd/systemd-resolved"
1: port port=22 protocol="tcp" address="0.0.0.0" process.executable="sshd:"
2: port port=22 protocol="tcp" address="10.0.2.15" process.executable="sshd:"
3: port port=22 protocol="tcp" address="10.0.2.15" process.executable="sshd:"
4: port port=22 protocol="tcp" address="10.0.2.15" process.executable="sshd:"
5: port port=53 protocol="udp" address="127.0.0.53" process.executable="/lib/systemd/systemd-resolved"
6: port port=68 protocol="udp" address="10.0.2.15" process.executable="/lib/systemd/systemd-networkd"
7: port port=22 protocol="tcp" address="::" process.executable="sshd:"
8: port port=80 protocol="tcp" address="::" process.executable="/usr/sbin/apache2"
]
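The join shown above, a process for every bound port, is not something the kernel hands out directly: /proc/net/tcp and /proc/net/udp list sockets with their inode, and the socket:[inode] symlinks under /proc/<pid>/fd say which process holds that inode (readable only for your own processes unless you run as root, which is why unprivileged scans leave some ports unattributed). As an added example that is not cnquery's code, the Go below parses a constructed /proc/net/tcp excerpt, decodes the kernel's hex address format (each 32-bit word in host byte order, so byte-reversed on little-endian machines, which is assumed here), keeps only bound sockets, and joins them to a constructed inode-to-process map of the kind the /proc/<pid>/fd walk produces.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Proc is the process that owns a socket inode; the zero value means "not attributable".
type Proc struct {
	PID int
	Exe string
}

// Listener is one bound socket joined to its process, the shape ports.list prints above.
type Listener struct {
	Proto, Address string
	Port           int
	Owner          Proc
}

// sampleTCP is a constructed /proc/net/tcp excerpt: systemd-resolved on 127.0.0.53:53 and sshd
// on 0.0.0.0:22 are LISTEN (st 0A); row 2 is an ESTABLISHED ssh session (st 01), not a listener.
const sampleTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 22480 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24817 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 0201A8C0:D2F4 01 00000000:00000000 02:000A7C5E 00000000     0        0 31002 2 0000000000000000 20 4 31 10 -1
`

// sampleOwners is a constructed inode -> process map; on a live Linux host it comes from
// resolving the socket:[inode] links under /proc/<pid>/fd and reading /proc/<pid>/exe.
var sampleOwners = map[uint64]Proc{
	22480: {PID: 540, Exe: "/lib/systemd/systemd-resolved"},
	24817: {PID: 812, Exe: "/usr/sbin/sshd"},
}

// parseProcNetAddr decodes the HEXIP:HEXPORT column of /proc/net/{tcp,udp}{,6}. The kernel
// prints each 32-bit word of the address in host byte order, so on little-endian hosts
// (assumed here: x86, arm64) every 4-byte group is reversed; the port is ordinary hex.
func parseProcNetAddr(s string) (string, int, error) {
	parts := strings.SplitN(s, ":", 2)
	if len(parts) != 2 {
		return "", 0, fmt.Errorf("malformed address %q", s)
	}
	raw, err1 := hex.DecodeString(parts[0])
	port, err2 := strconv.ParseUint(parts[1], 16, 16)
	if err1 != nil || err2 != nil || (len(raw) != 4 && len(raw) != 16) {
		return "", 0, fmt.Errorf("malformed address %q", s)
	}
	ip := make(net.IP, len(raw))
	for w := 0; w < len(raw); w += 4 {
		ip[w], ip[w+1], ip[w+2], ip[w+3] = raw[w+3], raw[w+2], raw[w+1], raw[w]
	}
	return ip.String(), int(port), nil
}

// listeners parses one /proc/net table, keeps bound sockets only (TCP LISTEN is 0A; the kernel
// reports bound UDP sockets as 07) and joins each socket inode to its owning process.
func listeners(proto, table string, owners map[uint64]Proc) ([]Listener, error) {
	want := "0A"
	if strings.HasPrefix(proto, "udp") {
		want = "07"
	}
	var out []Listener
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) < 10 || !strings.HasSuffix(f[0], ":") || f[3] != want { // header, blank, or not bound
			continue
		}
		addr, port, err := parseProcNetAddr(f[1])
		inode, err2 := strconv.ParseUint(f[9], 10, 64)
		if err != nil || err2 != nil {
			return nil, fmt.Errorf("malformed row %q", line)
		}
		out = append(out, Listener{Proto: proto, Address: addr, Port: port, Owner: owners[inode]})
	}
	return out, nil
}

func main() {
	ls, err := listeners("tcp", sampleTCP, sampleOwners)
	if err != nil {
		panic(err)
	}
	for _, l := range ls {
		fmt.Printf("%s %s:%d pid=%d exe=%s\n", l.Proto, l.Address, l.Port, l.Owner.PID, l.Owner.Exe)
	}
}
```

On a real host, feed listeners the contents of /proc/net/tcp, /proc/net/tcp6 and /proc/net/udp in turn; the same decoder handles the 16-byte IPv6 column, and an inode with no entry in the owners map comes back with a zero Proc, which is exactly the case to look at twice, since it is either a socket owned by a process you cannot inspect or one with no live owner at all.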

Improved Linux policy reliability

We rewrote much of the Linux Security policy to improve the reliability of scans when commands cannot run directly. This provides additional security context, particularly auditd configuration context when scanning container images and side-scanning AWS instances using EBS volumes. As a bonus, it also reduces CPU and memory use during the scan.

๐Ÿ› BUG FIXESโ€‹

  • Don't panic when inspecting an empty certificate on a host.
  • Properly parse out Kubernetes custom resources in manifest files.
  • Update the service accounts page to allow sorting by the last date used.
  • Properly discover containers when running cnquery scan docker --discover container.
  • Add missing help output for multiple resources.
  • Improve several error messages to make required user action more apparent.
  • Ignore case when parsing SSHd config include statements to support both Include and include.
  • Update invalid example commands on the Terraform integration page.
  • Explicitly set our Kubernetes operator workflows to run unprivileged.
  • Better raise errors encountered in malformed MQL queries.
  • Fix an issue where the console cursor could disappear after running a scan.

· 5 min read

🥳 Mondoo 7.7 is out! This release includes new Kubernetes integration pages & VMware Cloud Director scanning!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

VMware Cloud Director scanning

Problem: Your organization uses VMware Cloud Director, and you'd like to secure your deployments with Mondoo policies.

Solution:

Mondoo now includes a set of new VMware vCloud Director resources to help you secure your VMware infrastructure.

Sample queries:

# display the vCloud Director version
asset { platform version build }
asset: {
  build: "20079017"
  version: "10.4.0"
  platform: "vcd"
}

# show all vCenter servers
vcd.serverInstances { * }

# list all organizations
vcd.organizations

# list all external networks
vcd.externalNetworks

For additional use cases, see the VMware Cloud Director Resource Pack MQL documentation.

New Kubernetes integration pages

Problem: Once you've set up a Kubernetes integration in Mondoo, it's difficult to see the status of the resources, including the version of the operator that's running.

Solution: Mondoo has a whole new Kubernetes integration page to help you understand what's running and what's been detected. This page includes essential status information such as the Kubernetes release, operator release, and the enabled scanning methods. It also includes a quick summary of everything that's been detected by the operator with a link to view operator-scanned assets in the fleet view.

New Kubernetes integration page

Overview data for assets

Problem: In scan results, it can be hard to understand an asset's location or platform.

Solution: We redesigned the Mondoo asset pages to make finding details about your assets easier. We've combined multiple tabs into a new summarized main page that folds asset metadata into the main view.

New asset page

Debian 11 and Ubuntu 22.04 CIS level 1 & 2 policies

Problem: You're running the latest Debian and Ubuntu releases and you need to apply CIS policies to meet regulatory requirements.

Solution: Mondoo now includes CIS Level 1 and 2 policies for Ubuntu 22.04 and Debian 11.

🧹 IMPROVEMENTS

Assets now display their last scanned time

We've updated the asset pages to better describe when assets were scanned and when they last checked into the Mondoo Platform. Previously we tracked only the update time, which showed the last time the asset had checked in either through a CLI scan or a non-scanning integration discovery. This led to confusion since some AWS assets looked as though they had just been scanned after the integration discovery ran. You now see both the scan time and the update time so you can better understand how old scan results are and when assets were last seen.

Update vs. Scanned Time

Automatic stale service account cleanup

Mondoo now automatically cleans up service accounts that sit unused for 30 days. This reduces both clutter and the risk of account compromise.

Policy improvements

This week we made several improvements to Linux and Kubernetes policies with new and updated controls:

  • Add new Ensure the kubelet is not configured with the AlwaysAllow authorization mode and The default namespace should not be used controls to the NSA Kubernetes Hardening Guide policy.
  • Add new Use clear naming for external channels control to the Slack Security Best Practices policy.
  • Add new Ensure system accounts are non-login control to the BSI SYS.1.3 Linux and Unix Servers policy.
  • Update the Slack Security Best Practices policy to collect the names of all Slack workspace admins.
  • Update the Slack Security Best Practices policy to ignore the SlackBot users when ensuring users have 2FA enabled.
  • Ensure the Linux Security policy's auditd controls can run when scanning containers, EBS volumes, or Kubernetes nodes.
  • Update the Ensure system accounts are non-login control in CIS policies to treat accounts with a UID below 1000 (rather than below 500) as system accounts, matching the UID_MIN used by current distributions.

MQL Improvements

Empty arrays evaluate as false

We've updated MQL to treat an empty array as a false-like (falsey) value. This means queries like list.where(a == 1), which return an empty array, now evaluate as false instead of true. This may correct code in your environment that was intended to fail, but didn't due to the empty array result.

IPv6 data in the port resource

The port resource now includes TCP/UDP port information for IPv6 addresses in addition to IPv4 addresses.

Indexed array output

Query results that return an array now include the array index in the results so you can more easily find flagged issues or dig deeper into specific results.

Indexed Results

๐Ÿ› BUG FIXESโ€‹

  • Only attempt to delete EBS volumes if there's a failure during the scan.
  • Fix failures checking file ownership when running under sudo.
  • Fix incorrectly formatted output of scan results on Windows.
  • Fix an error message that included a typo in the suggested --incognito flag.
  • Default to us-east-1 in cnquery/mondoo if no AWS region is provided to avoid failures.
  • Exit with 1 when cnspec fails to connect to an asset.
  • Avoid a crash if asset data cannot be synced to the Mondoo Platform.
  • Improve some error messages that included legacy components and client names.
  • Set asset name when EBS scanning if it is provided.
  • Avoid a crash when working with certain dict values in MQL.
  • Avoid a crash when viewing some older service accounts in the console.

· 2 min read

🥳 Mondoo 7.6 is out! This release includes improvements to asset naming and bug fixes.

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🧹 IMPROVEMENTS

New --asset-name CLI flag

The mondoo and cnspec CLIs include a new --asset-name flag that allows you to control the name of the asset when registering with the Mondoo Platform.

Fetch instance name using EC2 metadata

When connecting to instances using EC2 Instance Connect or SSM, Mondoo now identifies assets based on the instance name (from AWS metadata).

๐Ÿ› BUG FIXESโ€‹

  • Remove deprecated mondoo scan syntax from the deprecated Mondoo policies to prevent failures on Mondoo Client 7.x.
  • Fix warnings when scanning Kubernetes clusters.
  • Update invalid credential message from the Slack provider to mention Slack.
  • Improve the warning in the kernel resource when running on an unsupported platform.
  • Add missing Google Workspaces, Slack, and Okta scan examples to the Workstation integration page.
  • Update the suggested policies during the Kubernetes integration setup to include the latest Mondoo and NSA Kubernetes policies.
  • Remove references to Windows from the Ubuntu integration page.
  • Lower memory usage in the Kubernetes admission controller.
  • Skip scanning events in the Kubernetes admission controller when only the managedFields changed.

· 3 min read

🥳 Mondoo 7.5 is out! This release includes faster GitHub Actions execution and improved CIS policies!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Faster GitHub Action Execution

Problem: The Mondoo GitHub Action could rapidly scan content in your CI pipelines, but it was slow to install and set up Mondoo Client during each run.

Solution: We've refactored the Mondoo GitHub Action to use our new cnspec container image. Not only do you get our latest command line experience, but also there's no need to install Mondoo Client during your GitHub jobs. This can reduce the time it takes to run your job by 30 seconds to 1 minute, getting you results quicker in your CI pipelines.

🧹 IMPROVEMENTS

Additional CIS Linux Controls

We've updated our CIS Linux policies to implement the following controls:

  • AlmaLinux 8: Ensure FTP client is not installed
  • AlmaLinux 8: Ensure rsync-daemon is not installed or the rsyncd service is masked
  • Debian 8: Ensure inetd is not installed
  • Debian 9: Ensure SELinux is enabled in the bootloader configuration
  • Debian 10: Ensure syslog-ng is configured to send logs to a remote log host
  • RHEL 6: Ensure augenrules is enabled
  • RHEL 8: Ensure journald is not configured to receive logs from a remote client
  • RHEL 8: Ensure rsyslog is not configured to receive logs from a remote client
  • SLES 11: Ensure only approved ciphers are used
  • SLES 11: Ensure password expiration is 90 days or less
  • SLES 12: Ensure IPv6 firewall rules exist for all open ports
  • Ubuntu 14.04: Ensure password expiration is 90 days or less
  • Ubuntu 20.04: Ensure syslog-ng is configured to send logs to a remote log host

๐Ÿ› BUG FIXESโ€‹

  • Fail early and show an error when an invalid GitHub token is provided instead of creating an asset with all errored scans.
  • Correctly detect AWS EC2 asset names when scanning them over EC2 Instance Connect or SSM.
  • Correctly detect platform names when scanning containers.
  • Fix loading of spaces when older assets with an unrecognized asset type are present.
  • Fix login failures for some users in the Mondoo EU region.
  • Improve the reliability of CI/CD asset cleanup.
  • Improve fetching of CVE data for Rocky Linux.