Skip to main content

Mondoo 7.13 is out!

ยท 3 min read

๐Ÿฅณ Mondoo 7.13 is out! This release includes new GCP and Azure resources and cnspec as a service!โ€‹

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


๐ŸŽ‰ FEATURESโ€‹

New OpenPGP resourceโ€‹

Problem You want to validate that OpenPGP keys for YUM or APT repositories have not expired.

Solution You can now use new OpenPGP resources to validate that repository signatures are still valid.

cnquery>  parse.openpgp(path: "./expires.asc").all( identities.all( signatures.all( keyExpiresIn.days > 30 )))
[ok] value: true

Inspect OpenPGP keys with the following MQL query:

parse.openpgp(path: "./expires.asc")  {
primaryPublicKey { * }
identities {
id
signatures { * }
}
}

Result from cnquery

cnquery> parse.openpgp(path: "./expires.asc")  { primaryPublicKey { * } identities { id signatures { * }  } }
parse.openpgp.list: [
0: {
primaryPublicKey: {
id: "7312FA356E7DB13F"
bitLength: 4096
version: 4
fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
keyAlgorithm: "rsa"
creationTime: 2023-01-14 17:24:58 +0100 CET
}
identities: [
0: {
id: "Test Expiration <test2@example.com>"
signatures: [
0: {
keyAlgorithm: "rsa"
version: 4
keyExpiresIn: 363 days 23 hours 43 minutes 5 seconds
identityName: "Test Expiration <test2@example.com>"
signatureType: "positive_cert"
hash: "SHA-256"
creationTime: 2023-01-14 17:24:58 +0100 CET
lifetimeSecs: -1
expiresIn: null
fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
keyLifetimeSecs: 31449568
}
]
}
]
}
]

New GCP and Azure resourcesโ€‹

Problem: You want to explore and secure your GCP and Azure cloud accounts using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP and Azure cloud services:

  • NEW azure.cloudDefender.defenderForContainers resource
  • NEW azure.cloudDefender.defenderForServers resource
  • NEW azure.resourceGroups resource
  • NEW gcp.project.cloudFunctions resource
  • NEW gcp.project.cloudRun resource
  • NEW gcp.project.dataproc.clusters resource
  • NEW gcp.project.iam.serviceAccounts resource
  • gcp.bigquery is now gcp.project.bigquery
  • gcp.compute is now gcp.project.compute
  • gcp.dns is now gcp.project.dns
  • gcp.project.compute.networks now includes subnetworks data
  • gcp.project.compute.instances now includes confidentialInstanceConfig data
  • gcp.project.dns.managedZones now includes dnssecConfig data
  • gcp.project.kms.keyrings { cryptokeys { * } } now includes created, nextRotation, rotationPeriod, versionTemplate, labels, importOnly, destroyScheduledDuration, and cryptoKeyBackend data
  • gcp.project now includes commonInstanceMetadata data

See the full documentation for all GCP resources in our GCP Resource Pack docs and Azure Resource Pack docs.

Run cnspec as a serviceโ€‹

Problem You want to move from the existing Mondoo Client to the new and expanded cnspec client to scan your servers, but cnspec can't run as a service

Solution You can now run cnspec as a service to continuously scan servers and workstations. cnspec is our next-generation open source client with capabilities not found in the existing Mondoo command line interface (Mondoo Client). We highly recommend that you migrate your system to use this new and improved client as we begin the process of deprecating Mondoo Client.

Learn about cnspec ->

Install cnspec ->

After deploying the cnspec package to your systems, you can migrate to the cnspec service with the following commands on systemd-based Linux hosts:

systemctl stop mondoo.service
systemctl disable mondoo.service
systemctl enable cnspec.service
systemctl start cnspec.service

๐Ÿ› BUG FIXESโ€‹

  • Ensure that gcp.project.bigquery resource IDs are always unique.
  • Change the default values in github.repository from id to fullName to make it easier to find repositories.
  • Print labels when running MQL queries that use variables inside blocks.
  • Show an error instead of crashing if the config file contains malformed keys.
  • Avoid a potential crash when running cnspec login on a fresh installation.