Skip to main content

Mondoo 6.14 is out!

ยท 4 min read

๐Ÿฅณ Mondoo 6.14 is out! This release includes CI/CD view filtering and improved scan results!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


๐ŸŽ‰ FEATURESโ€‹

Kubernetes Control Plane Node Scanningโ€‹

Problem: You need to secure not just your Kubernetes workloads or cluster configuration, but the actual installation of Kubernetes on the control plane servers.

Solution This week, we added the first of many new Mondoo Kubernetes Security policy control plane checks to secure the kube-apiserver, kube-scheduler, kube-controller-manager, and etcd installations. These new controls check for secure permissions on critical configuration files and private key directories. Stay tuned for more controls to secure your control plane next week, along with kubelet controls.

Control Plane Scanning

Filtering in CI/CD Viewsโ€‹

Problem: You have a particular Mondoo scan you want to see, but there are hundreds of Kubernetes deployments in your admission controller scan results or your CI job results page.

Solution The CI/CD view now includes filtering so you can easily find the scan results of particular Kubernetes deployments or CI scans.

CI/CD Filtering

๐Ÿงน IMPROVEMENTSโ€‹

Faster, Faster, Faster!โ€‹

Problem: You're a busy person. You don't have time to wait for Mondoo.

Solution: This week, we greased the gears and tightened the belts in the Mondoo engine. Mondoo scans now sync their asset data faster, and asset deletion time is reduced as well. These speed improvements should be especially pronounced when scanning a Kubernetes cluster with a large number of resources or when bulk deleting assets in the Mondoo Console.

Show the Right Instructions Firstโ€‹

Problem: Mondoo helps you to set up your workstation for security scanning, but what if you run Arch, not Windows or macOS? You don't want to see setup instructions for operating systems you're not using.

Solution: The Workstation Integration setup page now takes you to the instructions for your platform by default. Use Windows: See Windows steps. Use macOS: See macOS steps. Use Arch, Fedora, etc: See Linux steps.

Workstation Setup

Expanded CIS Amazon Elastic Kubernetes Service (EKS) Benchmarksโ€‹

Problem: You need to secure your EKS clusters to achieve compliance.

Solution: We've rewritten much of our CIS Amazon Elastic Kubernetes Service (EKS) Benchmarks to give you the best possible results in securing your EKS clusters. Our updated policies feature seven all-new controls and improvements to the existing controls to provide the best possible results.

Improved Linux Kernel Parameter Scanningโ€‹

Problem: You want to secure the Linux kernel parameters on your systems, but you don't see results when scanning Kubernetes nodes from the Mondoo Kubernetes Operator.

Solution: Mondoo now directly scans kernel parameters by checking the contents of /proc/sys. Not only is this method faster because we don't have to run the systcl command on the system, but it also allows us to validate Linux kernel parameters when scanning without Mondoo Client installed. With this update, you should see improved scoring in the Linux Security Baseline policy on Kubernetes cluster nodes.

Updated Windows 2016 CIS Benchmarksโ€‹

Problem: You run Windows 2016 and need the latest CIS policies to achieve compliance in your infrastructure.

Solution: We've updated our Windows 2016 CIS Benchmarks to the CIS 1.4.0 release. This includes new and improved controls to secure your Windows 2016 hosts.

๐Ÿ› BUG FIXESโ€‹

  • Properly detects the OS of the Ubiquiti Dream Machine Pro / SE as ubios.
  • Resolves a permission denied message when storing discovery results.
  • Prevents unnecessary write operations in the AWS Integration Lamba.
  • Detects rate limiting in the AWS Integration Lamba to avoid causing failures in other account operations.
  • Properly scans and displays Jenkins jobs that have no Git commit.
  • Fixes the incorrect spelling of exceptions data in the macos.alf resource.
  • Includes Docker tag labels for assets when scanning container registries.