Skip to main content

Mondoo 6.16 is out!

ยท 4 min read

๐Ÿฅณ Mondoo 6.16 is out! This release includes new policies and always-up-to-date Kubernetes results.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


๐ŸŽ‰ FEATURESโ€‹

Scan Kubernetes Resources on Add/Updateโ€‹

Problem: You rapidly deploy new and updated workloads to your Kubernetes cluster and you want to know that the Mondoo scan results reflect the latest state of your cluster.

Solution: Mondoo now scans your Kubernetes resources as they are updated or added to the cluster, so the fleet view always has the latest information on cluster-wide security.

Note: This requires the Mondoo Operator for Kubernetes 1.5 or later. To update to this new release run:

kubectl delete --ignore-not-found -n mondoo-operator deployment mondoo-operator-controller-manager
kubectl apply -f https://install.mondoo.com/k8s/operator

Mondoo Policy for Google Cloud Terraform Plansโ€‹

Problem: You want to find Google Cloud security issues early in your infrastructure development cycle to prevent insecure changes from ever reaching production.

Solution: This week, we're introducing a new policy, Terraform Plan - CIS Google Cloud Platform Foundation Benchmark. It lets you run Mondoo security scans directly against HashiCorp Terraform plans for your Google Cloud infrastructure.

Problem: Mondoo found a lot of security issues for your asset and you're overwhelmed. It's hard to know what to fix first.

Solution: The asset view now shows the five most important actions you should take to improve an asset's security.

Top 5 Recommended Actions

View All Controls for an Assetโ€‹

Problem: You want to find a specific control that is applied to an asset, but you don't know which policy it's in.

Solution: Mondoo now lists all of an asset's controls independently from their policies. You can filter controls by policy or by search string.

Controls

๐Ÿงน IMPROVEMENTSโ€‹

New Security and Best Practices Controls for Kubernetesโ€‹

Problem: You want to scan your workloads for common security and best practice misconfigurations before deploying them to your Kubernetes cluster.

Solution: We've expanded our Kubernetes Security Benchmark and Kubernetes Best Practices Benchmark to expose more common misconfigurations in Kubernetes workloads.

  • Workloads should not run in the default namespaceโ€”This new Kubernetes Best Practices Benchmark control discovers workloads that haven't defined a non-default namespace in which to run. It's best to group workloads into non-default namespaces to better organize work by teams and to isolate workloads.

  • Workloads should not run with SYS_ADMIN capabilityโ€”This new Kubernetes Security Benchmark policy discovers workloads with the SYS_ADMIN or ALL capabilities. The SYS_ADMIN capability is risky because it provides a pod with root capabilities.

  • Workloads should not run with NET_RAW capabilityโ€”This new Kubernetes Security Benchmark policy discovers workloads with the NET_RAW or ALL capabilities. Attackers can use the NET_RAW capability to craft fake packets on the host, which they can use to redirect network traffic bound for other pods.

  • Pods should have an ownerโ€”This new Kubernetes Best Practices Benchmark control discovers pods that do not have an owner. These pods, commonly called naked pods, don't respawn if the node they're running on fails or terminates.

BIOS Updates Control Added to Client Linux Security Baseline by Mondooโ€‹

Problem: To secure the boot process, you need to ensure that all Linux systems have the most up-to-date BIOS releases.

Solution: The Client Linux Security Baseline by Mondoo now includes a control to validate that systems have the most up-to-date BIOS when the fwupd utility is installed.

Error Messages for Unavailable Assetsโ€‹

Problem: You need to know when Mondoo can't connect to an asset. Solution: Mondoo now shows an error message on the asset page when it fails to reach the asset.

Unavailable Asset

๐Ÿ› BUG FIXESโ€‹

  • Renames potentially confusing control titles in Linux Security Baseline by Mondoo policy.
  • Skips internal fields in the mondoo shell help output.
  • Improves error handling in the AWS Lamba scans.
  • Changes Mondoo agent searches to not be case sensitive.
  • Returns more helpful error messages from Mondoo Client when a necessary environment variable is missing on CI platforms.
  • Fixes missing available packages in asset Platform Vulnerabilities pages.
  • Improves the handling of null data for regular data types: We now consistently return non-null data from the upstream service. In the next major release, we will support storing other null data.
  • Fixes failures parsing Linux kernel parameters when files in /proc/sys can't be read.
  • Networks and domains are now properly grouped in the fleet view.