Mondoo 7.13 is out!
This release includes new GCP and Azure resources and cnspec as a service!
Get this release: Installation Docs | Package Downloads | Docker Container
NEW FEATURES
New OpenPGP resource
Problem: You want to validate that the OpenPGP keys for YUM or APT repositories have not expired.
Solution: You can now use the new OpenPGP resources to validate that repository signing keys are still valid.
cnquery>  parse.openpgp(path: "./expires.asc").all( identities.all( signatures.all( keyExpiresIn.days > 30 )))
[ok] value: true
Inspect OpenPGP keys with the following MQL query:
parse.openpgp(path: "./expires.asc")  {
   primaryPublicKey { * }
   identities {
      id
      signatures { * }
   }
}
Result from cnquery
cnquery> parse.openpgp(path: "./expires.asc")  { primaryPublicKey { * } identities { id signatures { * }  } }
parse.openpgp.list: [
  0: {
    primaryPublicKey: {
      id: "7312FA356E7DB13F"
      bitLength: 4096
      version: 4
      fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
      keyAlgorithm: "rsa"
      creationTime: 2023-01-14 17:24:58 +0100 CET
    }
    identities: [
      0: {
        id: "Test Expiration <test2@example.com>"
        signatures: [
          0: {
            keyAlgorithm: "rsa"
            version: 4
            keyExpiresIn: 363 days 23 hours 43 minutes 5 seconds
            identityName: "Test Expiration <test2@example.com>"
            signatureType: "positive_cert"
            hash: "SHA-256"
            creationTime: 2023-01-14 17:24:58 +0100 CET
            lifetimeSecs: -1
            expiresIn: null
            fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
            keyLifetimeSecs: 31449568
          }
        ]
      }
    ]
  }
]
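How the keyExpiresIn value in the output above follows from creationTime and keyLifetimeSecs, and how the 30-day check walks keys, identities and signatures, as an added Python example (not Mondoo's code). It assumes keyLifetimeSecs counts from the primary key's creation time, as the OpenPGP key expiration subpacket does; the second key and the use of None for "no expiration" are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: values from the cnquery output above, plus one
# hypothetical key without an expiration to exercise that branch.
CET = timezone(timedelta(hours=1))
KEYS = [
    {"id": "7312FA356E7DB13F",
     "creationTime": datetime(2023, 1, 14, 17, 24, 58, tzinfo=CET),
     "identities": [{"id": "Test Expiration <test2@example.com>",
                     "signatures": [{"keyLifetimeSecs": 31449568}]}]},
    {"id": "PLACEHOLDER-NO-EXPIRY",
     "creationTime": datetime(2020, 1, 1, tzinfo=timezone.utc),
     "identities": [{"id": "Never Expires <never@example.com>",
                     "signatures": [{"keyLifetimeSecs": None}]}]},
]

def key_expires_in(creation_time, key_lifetime_secs, now):
    """Remaining validity, or None when no key expiration is set."""
    if key_lifetime_secs is None:
        return None
    return creation_time + timedelta(seconds=key_lifetime_secs) - now

def audit(keys, now, min_days=30):
    """Return (key id, identity, reason) for every self-signature that fails."""
    findings = []
    for key in keys:
        for ident in key["identities"]:
            if not ident["signatures"]:
                # all() over an empty list is True in Python, so an identity
                # without signatures is reported explicitly instead of passing.
                findings.append((key["id"], ident["id"], "no self-signature"))
            for sig in ident["signatures"]:
                left = key_expires_in(key["creationTime"],
                                      sig["keyLifetimeSecs"], now)
                if left is None:
                    continue  # assumption: a key without expiration passes
                if left <= timedelta(0):
                    findings.append((key["id"], ident["id"], "expired"))
                elif left <= timedelta(days=min_days):
                    findings.append((key["id"], ident["id"],
                                     f"expires in {left.days} days"))
    return findings
```

Evaluated 16 minutes 23 seconds after the key's creation time, key_expires_in reproduces the keyExpiresIn value printed above.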
New GCP and Azure resources
Problem: You want to explore and secure your GCP and Azure cloud accounts using cnquery and cnspec.
Solution: cnquery and cnspec now include new resources for securing GCP and Azure cloud services:
- NEW azure.cloudDefender.defenderForContainers resource
- NEW azure.cloudDefender.defenderForServers resource
- NEW azure.resourceGroups resource
- NEW gcp.project.cloudFunctions resource
- NEW gcp.project.cloudRun resource
- NEW gcp.project.dataproc.clusters resource
- NEW gcp.project.iam.serviceAccounts resource
- gcp.bigquery is now gcp.project.bigquery
- gcp.compute is now gcp.project.compute
- gcp.dns is now gcp.project.dns
- gcp.project.compute.networks now includes subnetworks data
- gcp.project.compute.instances now includes confidentialInstanceConfig data
- gcp.project.dns.managedZones now includes dnssecConfig data
- gcp.project.kms.keyrings { cryptokeys { * } } now includes created, nextRotation, rotationPeriod, versionTemplate, labels, importOnly, destroyScheduledDuration, and cryptoKeyBackend data
- gcp.project now includes commonInstanceMetadata data
See the full documentation for all GCP resources in our GCP Resource Pack docs and Azure Resource Pack docs.
Run cnspec as a service
Problem: You want to move from the existing Mondoo Client to the new and expanded cnspec client to scan your servers, but cnspec can't run as a service.
Solution: You can now run cnspec as a service to continuously scan servers and workstations. cnspec is our next-generation open source client with capabilities not found in the existing Mondoo command line interface (Mondoo Client). We highly recommend that you migrate your systems to this new and improved client as we begin the process of deprecating Mondoo Client.
After deploying the cnspec package to your systems, you can migrate to the cnspec service with the following commands on systemd-based Linux hosts:
systemctl stop mondoo.service
systemctl disable mondoo.service
systemctl enable cnspec.service
systemctl start cnspec.service
BUG FIXES AND UPDATES
- Ensure that gcp.project.bigquery resource IDs are always unique.
- Change the default values in github.repository from id to fullName to make it easier to find repositories.
- Print labels when running MQL queries that use variables inside blocks.
- Show an error instead of crashing if the config file contains malformed keys.
- Avoid a potential crash when running cnspec login on a fresh installation.
