Skip to main content

Mondoo 7.8 is out!

ยท 5 min read

๐Ÿฅณ Mondoo 7.8 is out! This release includes new resources for OS updates, packages, and simpler IaC file scanning!โ€‹

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


๐ŸŽ‰ FEATURESโ€‹

More intuitive resource namesโ€‹

Problem: When running cnquery it can be difficult to know which resources are available and what individual resources do.

Solution: We've renamed several resources to better match the objects scanned (rather than the underlying technology). This makes it easier to discover resources and navigate your infrastructure with cnquery.

Updated resource names:

  • msgraph.beta -> microsoft (MS365 + Azure Active Directory)
  • gcloud -> gcp
  • azurerm -> azure

Don't worry though; the old resource names still work. You don't need to update policies before rolling out this new release.

Software update data for macOS and Windowsโ€‹

Problem: To secure your hosts, you want to find available software updates for all platforms.

Solution: Mondoo now exposes os.updates resource data for macOS and Windows hosts. You can now write cnspec policies to ensure systems are fully patched, or use cnquery to remotely identify unpatched systems.

os.updates: [
0: os.update name="MSU_UPDATE_21G217_patch_12.6.1"
1: os.update name="Command Line Tools beta 3 for Xcode"
2: os.update name="Command Line Tools for Xcode"
3: os.update name="Safari16.1MontereyAuto"
]

Windows MSI package inspectionโ€‹

Problem: The packages installed on your Windows hosts are critical to their security. You want to write a policy that checks for specific packages and package versions.

Solution: Mondoo now includes support for querying MSI packages (and continues to support Appx packages). With cnspec, use the packages resource to write policies enforcing package versions. With cnquery, explore what's installed on hosts:

packages.list: [
0: package name="Python 3.10.4 pip Bootstrap (64-bit)" version="3.10.4150.0"
1: package name="Python 3.10.4 Core Interpreter (64-bit)" version="3.10.4150.0"
2: package name="VMware Tools" version="11.3.0.18090558"
3: package name="Python 3.10.4 Development Libraries (64-bit)" version="3.10.4150.0"
4: package name="Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29913" version="14.28.29913"
5: package name="Python 3.10.4 Utility Scripts (64-bit)" version="3.10.4150.0"
6: package name="Mondoo" version="7.4.0"
7: package name="Python 3.10.4 Test Suite (64-bit)" version="3.10.4150.0"
8: package name="Python 3.10.4 Tcl/Tk Support (64-bit)" version="3.10.4150.0"
9: package name="Python 3.10.4 Documentation (64-bit)" version="3.10.4150.0"
10: package name="Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29913" version="14.28.29913"
11: package name="Python 3.10.4 Executables (64-bit)" version="3.10.4150.0"
12: package name="Python 3.10.4 Standard Library (64-bit)" version="3.10.4150.0"
13: package name="Python 3.10.4 (64-bit)" version="3.10.4150.0"
14: package name="Microsoft Edge" version="108.0.1462.42"
]

Scan all Terraform configs or Kubernetes manifests in directoriesโ€‹

Problem: You have a repository full of Terraform configs or Kubernetes manifests you want to scan, but you don't want to scan them one command at a time.

Solution: Let Mondoo do the heavy lifting: Scan your IaC configs by directory. cnspec automatically finds all the relevant files to scan, even those nested deep in directories.

In this example, cnspec scans all of our Lunalectric repositories to find Kubernetes manifest files in the postgresql and frontend repositories, while ignoring other non-Kubernetes YAML files:

cnspec scan k8s dev/lunalectric/
โ†’ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
โ†’ using service account credentials
โ†’ discover related assets for 1 asset(s)
โ†’ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
โ†’ resolved assets resolved-assets=5
โ†’ connecting to asset K8s Manifest lunalectric (code)

โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 100% K8s Manifest lunalectric
โ†’ connecting to asset luna/postgres (k8s-object)

โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 100% luna/postgres
โ†’ connecting to asset luna/luna-frontend (k8s-object)

โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 100% luna/luna-frontend
โ†’ connecting to asset luna/postgres (k8s-object)

โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 100% luna/postgres
โ†’ connecting to asset luna/luna-frontend (k8s-object)

โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 100% luna/luna-frontend

๐Ÿงน IMPROVEMENTSโ€‹

Default values for GCP resourcesโ€‹

GCP resources now include default values, so it's easier to explore your infrastructure with cnquery. You no longer have to provide the field for each query; you can simply rely on the default values and skip the field names. We picked the most important values for each resource to save you time.

Old: gcp.sql.instances{name}

New: gcp.sql.instances

Instance names from EBS volume scansโ€‹

EBS volume scans from the CLI or the AWS integration now include asset names that match scans over SSM or SSH.

Process information in the ports resourceโ€‹

The ports resource now includes process information so you can see which process is binding to an open port:

ports.list: [
0: port port=53 protocol="tcp" address="127.0.0.53" process.executable="/lib/systemd/systemd-resolved"
1: port port=22 protocol="tcp" address="0.0.0.0" process.executable="sshd:"
2: port port=22 protocol="tcp" address="10.0.2.15" process.executable="sshd:"
3: port port=22 protocol="tcp" address="10.0.2.15" process.executable="sshd:"
4: port port=22 protocol="tcp" address="10.0.2.15" process.executable="sshd:"
5: port port=53 protocol="udp" address="127.0.0.53" process.executable="/lib/systemd/systemd-resolved"
6: port port=68 protocol="udp" address="10.0.2.15" process.executable="/lib/systemd/systemd-networkd"
7: port port=22 protocol="tcp" address="::" process.executable="sshd:"
8: port port=80 protocol="tcp" address="::" process.executable="/usr/sbin/apache2"
]

Improved Linux policy reliabilityโ€‹

We rewrote much of the Linux Security policy to improve the reliability of scans when commands cannot run directly. This provides additional security context, particularly auditd configuration context when scanning container images and side-scanning AWS instances using EBS volumes. As a bonus, it also reduces CPU and memory use during the scan.

๐Ÿ› BUG FIXESโ€‹

  • Don't panic when inspecting an empty certificate on a host.
  • Properly parse out Kubernetes custom resources in manifest files.
  • Update the service accounts page to allow sorting by the last date used.
  • Properly discover containers when running cnquery scan docker --discover container.
  • Add missing help output for multiple resources.
  • Improve several error messages to make required user action more apparent.
  • Ignore case when parsing SSHd config include statements to support both Include and include.
  • Update invalid example commands on the Terraform integration page.
  • Explicitly set our Kubernetes operator workflows to run unprivileged.
  • Better raise errors encountered in malformed MQL queries.
  • Fix an issue where the console cursor could disappear after running a scan.