
· 5 min read

🥳 Mondoo 6.17 is out! This release includes a new asset explorer UI and Kubernetes MQL resources!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Explore Asset Relationships

Problem: Your environment is complex, and so is the job of securing it. You want to understand not just the security of a single asset, but how each asset relates to your overall infrastructure security.

Solution: Mondoo now exposes the complex relationships that make up your infrastructure security in a new Explorer tab for each asset. The Explorer view lets you quickly evaluate the security of related assets so you can better understand the security of complex infrastructure like cloud accounts or Kubernetes clusters. Each related asset is shown as a color-coded tile, which you can hover over for additional scan information. Here we see the results of Kubernetes job scans, including a Mondoo Operator job, which scored an A:

Asset Explorer

Bundesamt für Sicherheit in der Informationstechnik (BSI) Windows Policy

Problem: You want to secure your Windows systems according to the Federal Office for Information Security (BSI) and pass a BSI audit.

Solution: Mondoo now includes a new BSI SYS.1.2 Windows Server 2016/2019/2022 policy. BSI is a German standard for IT security, similar to SOC2 in the US. This new policy complements our existing BSI SYS.1.3 Linux and Unix Servers policy for Debian- and Red Hat-based Linux systems. These policies are especially helpful for users in the DACH region and Germany in particular.

BSI Windows Policy

Automatic Cleanup of Kubernetes Resources

Problem: Resources come and resources go, but they sure add up quickly. Kubernetes clusters often contain large numbers of ephemeral resources, and over time Mondoo's scanning of resources results in spaces full of long-dead assets.

Solution: Mondoo now automatically cleans up Kubernetes assets older than 24 hours, keeping your spaces tidy and full of relevant scans.

New k8s.admissionreview and k8s.admissionrequest Resources

Problem: You want to write policies against incoming Kubernetes deployments to understand the security of the deployment request itself.

Solution: Mondoo now includes new k8s.admissionreview and k8s.admissionrequest resources that allow you to write policies against incoming deployments. Stay tuned as we expand this functionality over time to allow additional control over the workloads that make it into your cluster.

New k8s.kubelet Resource

Problem: You need to secure your Kubernetes cluster nodes to secure your infrastructure, but the Kubelet configuration system is complex. How do you handle the different names for the same configs and different defaults depending on the config location? Should you check the CLI flags, the YAML config, or the JSON config?

Solution: We've abstracted the complexity of parsing the Kubelet config options into a new k8s.kubelet resource. The resource parses all three configuration locations, handles defaults, and understands the changing default values when config files are loaded. With this resource, you can write simple queries to check for Kubelet config options and let Mondoo handle the heavy lifting of parsing Kubernetes configuration logic.

A manual query that does not account for default values:

if (props.kubeletconfigpath != null) {
  cfg = parse.yaml(props.kubeletconfigpath).params
  cfg["featureGates"]["RotateKubeletServerCertificate"] != null
  cfg["featureGates"]["RotateKubeletServerCertificate"] == true
} else {
  processes.where(executable.contains("kubelet")).all(flags["feature-gates"] == "RotateKubeletServerCertificate=true")
}

An updated query that includes default value evaluation:

k8s.kubelet.configuration["featureGates"]["RotateKubeletServerCertificate"] == true

We've also updated our existing Kubernetes policies to use this new resource. This dramatically improves the reliability of configuration parsing in these policies, removing potential false positives.
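To show why default handling matters, here is an added example (not Mondoo's code) that resolves a kubelet feature gate across the three places it can be set: the `--feature-gates` flag, the file named by `--config` (JSON form, which kubelet accepts as valid YAML), and the built-in default. It assumes kubelet's documented precedence (flags over config file over default) and the upstream default of `true` for RotateKubeletServerCertificate; the sample command lines and config file are constructed.

```python
"""Resolve a kubelet feature gate across the three places it can be set,
applying the built-in default when none of them mentions it.

Added example, not Mondoo's code. Precedence follows the documented kubelet
behaviour: command-line flags override the config file, which overrides the
built-in default. Sample command lines and config files are constructed.
"""
import json
import shlex
from typing import Dict, Optional

# Built-in default assumed for the gate discussed on the page: upstream
# RotateKubeletServerCertificate has defaulted to true since beta (1.12).
FEATURE_GATE_DEFAULTS: Dict[str, bool] = {"RotateKubeletServerCertificate": True}


def parse_flags(cmdline: str) -> Dict[str, object]:
    """Turn a kubelet command line into {flag: value}.

    Handles both `--flag=value` and `--flag value`; a bare `--flag` maps to True.
    """
    argv = shlex.split(cmdline)[1:]  # drop the executable itself
    flags: Dict[str, object] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            if sep:
                flags[name] = value
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[name] = argv[i + 1]
                i += 1
            else:
                flags[name] = True
        i += 1
    return flags


def parse_feature_gates_flag(value: str) -> Dict[str, bool]:
    """'A=true,B=false' -> {'A': True, 'B': False}."""
    gates: Dict[str, bool] = {}
    for item in value.split(","):
        name, _, val = item.strip().partition("=")
        if name:
            gates[name] = val.strip().lower() == "true"
    return gates


def resolve_feature_gate(gate: str, cmdline: str,
                         config_files: Dict[str, str]) -> Optional[bool]:
    """Effective value of `gate` for a kubelet started with `cmdline`.

    `config_files` maps a path to file content (JSON form of the
    KubeletConfiguration). Returns None only when the gate is unset
    everywhere and has no known default.
    """
    flags = parse_flags(cmdline)

    # 1. --feature-gates on the command line wins over everything.
    cli = flags.get("feature-gates")
    if isinstance(cli, str):
        cli_gates = parse_feature_gates_flag(cli)
        if gate in cli_gates:
            return cli_gates[gate]

    # 2. featureGates inside the file named by --config.
    cfg_path = flags.get("config")
    if isinstance(cfg_path, str) and cfg_path in config_files:
        file_gates = json.loads(config_files[cfg_path]).get("featureGates") or {}
        if gate in file_gates:
            return bool(file_gates[gate])

    # 3. Nothing set: the built-in default applies. A check that only looks
    #    for an explicit setting would wrongly fail this node.
    return FEATURE_GATE_DEFAULTS.get(gate)


# Constructed sample inputs covering the three cases.
GATE = "RotateKubeletServerCertificate"
CONFIG_FILES = {
    "/var/lib/kubelet/config.json": json.dumps({
        "kind": "KubeletConfiguration",
        "apiVersion": "kubelet.config.k8s.io/v1beta1",
        "featureGates": {GATE: False},
    }),
}
NODE_DEFAULT = "/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf"
NODE_FILE_OFF = "/usr/bin/kubelet --config /var/lib/kubelet/config.json"
NODE_FLAG_ON = ("/usr/bin/kubelet --config=/var/lib/kubelet/config.json "
                f"--feature-gates={GATE}=true")

if __name__ == "__main__":
    for label, node in [("default only", NODE_DEFAULT),
                        ("config file off", NODE_FILE_OFF),
                        ("flag overrides file", NODE_FLAG_ON)]:
        print(f"{label:20s} -> {resolve_feature_gate(GATE, node, CONFIG_FILES)}")
```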

🧹 IMPROVEMENTS

env and envFrom in Kubernetes Container Resources

Problem: You want to write policies to ensure that only secure environment variables are passed into your Kubernetes workloads.

Solution: Container resources now expose the env and envFrom configs. This allows you to inspect manifests with plain text secrets being passed in via env vars like this:

apiVersion: v1
kind: Pod
metadata:
  name: luna-frontend
  namespace: prod
spec:
  containers:
    - name: luna-frontend
      image: lunalectric/frontend:1.0
      env:
        - name: LOGIN
          value: "oh_no"
        - name: PASSWORD
          value: "they_are_really_doing_this!"

Using a query to check for env var names:

k8s.pods.all(
  containers.all(
    env["LOGIN"] == null && env["PASSWORD"] == null
  )
)
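The same check, generalised beyond two fixed names, as an added example that is not Mondoo's code: it walks `env` and `envFrom` of every container and flags credential-looking variables that are set as literal `value:` entries instead of coming from a Secret via `valueFrom.secretKeyRef`. The sensitive-name pattern is an assumption; the manifests are constructed, the first mirroring the page's luna-frontend Pod as a parsed dict.

```python
"""Find container environment variables that carry credentials as literal
`value:` entries instead of being sourced from a Kubernetes Secret.

Added example, not Mondoo's code. The sensitive-name pattern is an
assumption; the manifests are constructed (the first mirrors the page's
luna-frontend Pod, already parsed into a dict).
"""
import re
from typing import Dict, List, Tuple

# LOGIN is included to match the page's query; the rest are common names
# for secret-bearing variables.
SENSITIVE_NAME_RE = re.compile(
    r"^(LOGIN|.*(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL).*)$",
    re.IGNORECASE,
)

Finding = Tuple[str, str, str]  # (container, variable or source, reason)


def find_plaintext_secrets(pod: Dict) -> List[Finding]:
    """Inspect env and envFrom of every container (init containers included).

    A sensitive name with an inline `value` is a finding; `valueFrom.secretKeyRef`
    is the accepted form; an `envFrom.configMapRef` whose ConfigMap name looks
    sensitive is flagged because ConfigMaps are not Secrets.
    """
    findings: List[Finding] = []
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            cname = container.get("name", "<unnamed>")
            for entry in container.get("env", []):
                name = entry.get("name", "")
                if not SENSITIVE_NAME_RE.match(name):
                    continue
                if "value" in entry:
                    findings.append((cname, name, "literal value in manifest"))
                elif "secretKeyRef" not in entry.get("valueFrom", {}):
                    findings.append((cname, name, "not sourced from a Secret"))
            for source in container.get("envFrom", []):
                ref = source.get("configMapRef")
                if ref and SENSITIVE_NAME_RE.match(ref.get("name", "")):
                    findings.append((cname, "configMapRef/" + ref["name"],
                                     "sensitive data in a ConfigMap"))
    return findings


def _pod(env: List[Dict], env_from: List[Dict]) -> Dict:
    """Build a minimal Pod dict around the page's luna-frontend container."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "luna-frontend", "namespace": "prod"},
        "spec": {"containers": [{
            "name": "luna-frontend",
            "image": "lunalectric/frontend:1.0",
            "env": env,
            "envFrom": env_from,
        }]},
    }


# The page's manifest: credentials inline.
LEAKY_POD = _pod(
    env=[{"name": "LOGIN", "value": "oh_no"},
         {"name": "PASSWORD", "value": "they_are_really_doing_this!"}],
    env_from=[],
)

# Hardened form: the same variables pulled from a Secret named luna-creds.
SAFE_POD = _pod(
    env=[{"name": "LOGIN",
          "valueFrom": {"secretKeyRef": {"name": "luna-creds", "key": "login"}}},
         {"name": "PASSWORD",
          "valueFrom": {"secretKeyRef": {"name": "luna-creds", "key": "password"}}},
         {"name": "LOG_LEVEL", "value": "info"}],
    env_from=[{"secretRef": {"name": "luna-creds"}}],
)

if __name__ == "__main__":
    for label, pod in (("leaky", LEAKY_POD), ("hardened", SAFE_POD)):
        print(label, find_plaintext_secrets(pod) or "no findings")
```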

Expanded Kubernetes Security & Best Practices Policies

We continue to expand our Kubernetes Security Benchmark policy to better secure workloads in your clusters. This week we added two new controls:

  • Pods should mount any host path volumes as read-only: Ensures that pods don't have write access to paths on the cluster node, which would allow modifying the host configuration.
  • Pods should not bind to a host port: Ensures pods aren't binding directly to cluster nodes where they can bypass network controls.

mondoo exec Is Now mondoo run

We've updated the mondoo exec command to be mondoo run. The existing command will still work, but help will show just mondoo run. We're making this change to align CLI options for some exciting new releases coming soon. Stay tuned for more updates!

πŸ› BUG FIXES​

  • GitHub, Terraform, and cloud Kubernetes policies in the Policy Hub now include custom icons.
  • Updates Pods should not run with NET_RAW capability and Pods should not run with SYS_ADMIN capability controls in the Mondoo Kubernetes Security policy to not fail when no securityContext or capabilities are defined.
  • Resolves failures in Minimize the admission of root containers and Minimize the admission of containers with the NET_RAW capability controls in CIS Kubernetes policies.
  • Asset view once again includes the state of the asset's Mondoo Client.
  • Long policy names now truncate better in the asset view.
  • The --option command line flag is now properly passed through to AWS EBS-based scans.
  • The --token command line flag is now properly set when scanning GitHub organizations or repositories.
  • Scans in the CI/CD view no longer appear unscored.
  • Kubernetes cluster nodes are no longer part of the k8s-workload family.
  • Prevents failures checking kernel parameters if files in /proc/sys cannot be read.

· 4 min read

🥳 Mondoo 6.16 is out! This release includes new policies and always-up-to-date Kubernetes results.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Scan Kubernetes Resources on Add/Update

Problem: You rapidly deploy new and updated workloads to your Kubernetes cluster and you want to know that the Mondoo scan results reflect the latest state of your cluster.

Solution: Mondoo now scans your Kubernetes resources as they are updated or added to the cluster, so the fleet view always has the latest information on cluster-wide security.

Note: This requires the Mondoo Operator for Kubernetes 1.5 or later. To update to this new release, run:

kubectl delete --ignore-not-found -n mondoo-operator deployment mondoo-operator-controller-manager
kubectl apply -f https://install.mondoo.com/k8s/operator

Mondoo Policy for Google Cloud Terraform Plans

Problem: You want to find Google Cloud security issues early in your infrastructure development cycle to prevent insecure changes from ever reaching production.

Solution: This week, we're introducing a new policy, Terraform Plan - CIS Google Cloud Platform Foundation Benchmark. It lets you run Mondoo security scans directly against HashiCorp Terraform plans for your Google Cloud infrastructure.

Problem: Mondoo found a lot of security issues for your asset and you're overwhelmed. It's hard to know what to fix first.

Solution: The asset view now shows the five most important actions you should take to improve an asset's security.

Top 5 Recommended Actions

View All Controls for an Asset

Problem: You want to find a specific control that is applied to an asset, but you don't know which policy it's in.

Solution: Mondoo now lists all of an asset's controls independently from their policies. You can filter controls by policy or by search string.

Controls

🧹 IMPROVEMENTS

New Security and Best Practices Controls for Kubernetes

Problem: You want to scan your workloads for common security and best practice misconfigurations before deploying them to your Kubernetes cluster.

Solution: We've expanded our Kubernetes Security Benchmark and Kubernetes Best Practices Benchmark to expose more common misconfigurations in Kubernetes workloads.

  • Workloads should not run in the default namespace: This new Kubernetes Best Practices Benchmark control discovers workloads that haven't defined a non-default namespace in which to run. It's best to group workloads into non-default namespaces to better organize work by teams and to isolate workloads.

  • Workloads should not run with SYS_ADMIN capability: This new Kubernetes Security Benchmark control discovers workloads with the SYS_ADMIN or ALL capabilities. The SYS_ADMIN capability is risky because it provides a pod with root capabilities.

  • Workloads should not run with NET_RAW capability: This new Kubernetes Security Benchmark control discovers workloads with the NET_RAW or ALL capabilities. Attackers can use the NET_RAW capability to craft fake packets on the host, which they can use to redirect network traffic bound for other pods.

  • Pods should have an owner: This new Kubernetes Best Practices Benchmark control discovers pods that do not have an owner. These pods, commonly called naked pods, don't respawn if the node they're running on fails or terminates.

BIOS Updates Control Added to Client Linux Security Baseline by Mondoo

Problem: To secure the boot process, you need to ensure that all Linux systems have the most up-to-date BIOS releases.

Solution: The Client Linux Security Baseline by Mondoo now includes a control to validate that systems have the most up-to-date BIOS when the fwupd utility is installed.

Error Messages for Unavailable Assets

Problem: You need to know when Mondoo can't connect to an asset.

Solution: Mondoo now shows an error message on the asset page when it fails to reach the asset.

Unavailable Asset

πŸ› BUG FIXES​

  • Renames potentially confusing control titles in Linux Security Baseline by Mondoo policy.
  • Skips internal fields in the mondoo shell help output.
  • Improves error handling in the AWS Lambda scans.
  • Changes Mondoo agent searches to not be case sensitive.
  • Returns more helpful error messages from Mondoo Client when a necessary environment variable is missing on CI platforms.
  • Fixes missing available packages in asset Platform Vulnerabilities pages.
  • Improves the handling of null data for regular data types: We now consistently return non-null data from the upstream service. In the next major release, we will support storing other null data.
  • Fixes failures parsing Linux kernel parameters when files in /proc/sys can't be read.
  • Networks and domains are now properly grouped in the fleet view.

· 3 min read

🥳 Mondoo 6.15 is out! This release includes a whole new fleet UI and new CIS Kubernetes policies!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

All New Fleet View Experience

Problem: You have hundreds or thousands of assets in Mondoo. Finding types of systems and understanding the relationships between assets is difficult.

Solution: We added a whole new fleet view experience to Mondoo that groups your assets by type. You can quickly assess the security of different elements in your infrastructure and grasp interconnected security relationships.

Updated Fleet UI

CIS AKS and GKE Benchmarks

Problem: You want to secure your AKS and GKE clusters and workloads.

Solution: Mondoo now includes CIS Level 1 and 2 benchmarks for both Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE). These policies include critical controls for securing your cluster nodes and cluster workloads.

Kubernetes Policies

Scan All Kubernetes Resources in Manifests

Problem: You need to scan each Kubernetes resource in your manifests as an individual asset in Mondoo so you can apply the new Mondoo Kubernetes Security and Best Practices policies.

Solution: Mondoo scans now respect the --discover all command line flag when scanning local manifests. This lets you scan individual Kubernetes resources and even the containers defined in your manifests.

Kubernetes Policies

🧹 IMPROVEMENTS

Quickly Find Kubernetes Operator Scanned Assets

Problem: You set up your Kubernetes Mondoo integration and now you want to view the discovered assets.

Solution: We added a new See Your Asset Scores link in the Kubernetes Integration pages that takes you right to all the assets discovered by the Mondoo Operator.

Asset Score Link

Priorities in Kubernetes Policies

Problem: You've scanned your Kubernetes cluster, and there's a mountain of work to do. Where should you start?

Solution: We've added priorities to the controls in CIS and Mondoo Kubernetes policies. You can now sort your scan results by priority and tackle the most important security issues first.

Policy with priorities

Improved mondoo shell and mondoo exec Experiences

Problem: Mondoo 6.0 introduced new simpler command syntax and it's been so great that now you can't remember the old syntax when you run mondoo shell or mondoo exec.

Solution: We've updated mondoo shell and mondoo exec to use the same simpler syntax as mondoo scan. No more -t flag or :// format. Just run mondoo shell TRANSPORT_NAME.

Policy with priorities

Expanded and Improved CIS Kubernetes Policy

We've made several improvements to the vanilla CIS Kubernetes Level 1 and 2 policies for Master and Worker Nodes. Many controls previously marked as not implemented are now implemented and all file permission controls now pass when permissions are more secure than those required by CIS.

πŸ› BUG FIXES​

  • Properly redirects users to the Welcome to Mondoo page after verifying their e-mail during sign-up.
  • Improves the error message guidance when an AWS fails to check in.
  • Fixes the See Your Scores link in the AWS integrations pages to properly load the list of account assets.
  • Properly detects the path to Grub2 configs in CIS benchmarks on Amazon Linux.

· 4 min read

🥳 Mondoo 6.14 is out! This release includes CI/CD view filtering and improved scan results!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Kubernetes Control Plane Node Scanning

Problem: You need to secure not just your Kubernetes workloads or cluster configuration, but the actual installation of Kubernetes on the control plane servers.

Solution: This week, we added the first of many new Mondoo Kubernetes Security policy control plane checks to secure the kube-apiserver, kube-scheduler, kube-controller-manager, and etcd installations. These new controls check for secure permissions on critical configuration files and private key directories. Stay tuned for more controls to secure your control plane next week, along with kubelet controls.

Control Plane Scanning

Filtering in CI/CD Views

Problem: You have a particular Mondoo scan you want to see, but there are hundreds of Kubernetes deployments in your admission controller scan results or your CI job results page.

Solution: The CI/CD view now includes filtering so you can easily find the scan results of particular Kubernetes deployments or CI scans.

CI/CD Filtering

🧹 IMPROVEMENTS

Faster, Faster, Faster!

Problem: You're a busy person. You don't have time to wait for Mondoo.

Solution: This week, we greased the gears and tightened the belts in the Mondoo engine. Mondoo scans now sync their asset data faster, and asset deletion time is reduced as well. These speed improvements should be especially pronounced when scanning a Kubernetes cluster with a large number of resources or when bulk deleting assets in the Mondoo Console.

Show the Right Instructions First

Problem: Mondoo helps you to set up your workstation for security scanning, but what if you run Arch, not Windows or macOS? You don't want to see setup instructions for operating systems you're not using.

Solution: The Workstation Integration setup page now takes you to the instructions for your platform by default. Use Windows: See Windows steps. Use macOS: See macOS steps. Use Arch, Fedora, etc: See Linux steps.

Workstation Setup

Expanded CIS Amazon Elastic Kubernetes Service (EKS) Benchmarks

Problem: You need to secure your EKS clusters to achieve compliance.

Solution: We've rewritten much of our CIS Amazon Elastic Kubernetes Service (EKS) Benchmarks to give you the best possible results in securing your EKS clusters. Our updated policies feature seven all-new controls and improvements to the existing controls to provide the best possible results.

Improved Linux Kernel Parameter Scanning

Problem: You want to secure the Linux kernel parameters on your systems, but you don't see results when scanning Kubernetes nodes from the Mondoo Kubernetes Operator.

Solution: Mondoo now directly scans kernel parameters by checking the contents of /proc/sys. Not only is this method faster because we don't have to run the sysctl command on the system, but it also allows us to validate Linux kernel parameters when scanning without Mondoo Client installed. With this update, you should see improved scoring in the Linux Security Baseline policy on Kubernetes cluster nodes.

Updated Windows 2016 CIS Benchmarks

Problem: You run Windows 2016 and need the latest CIS policies to achieve compliance in your infrastructure.

Solution: We've updated our Windows 2016 CIS Benchmarks to the CIS 1.4.0 release. This includes new and improved controls to secure your Windows 2016 hosts.

πŸ› BUG FIXES​

  • Properly detects the OS of the Ubiquiti Dream Machine Pro / SE as ubios.
  • Resolves a permission denied message when storing discovery results.
  • Prevents unnecessary write operations in the AWS Integration Lambda.
  • Detects rate limiting in the AWS Integration Lambda to avoid causing failures in other account operations.
  • Properly scans and displays Jenkins jobs that have no Git commit.
  • Fixes the incorrect spelling of exceptions data in the macos.alf resource.
  • Includes Docker tag labels for assets when scanning container registries.

· 2 min read

🥳 Mondoo 6.13.1 is out! This release includes a new modular GitHub Action and updated EKS policies!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

All New Modular GitHub Action

The Mondoo GitHub Action has been entirely rewritten to better integrate within modular workflows in your projects. The action now includes individual GitHub Actions for scanning AWS accounts, Kubernetes clusters, Kubernetes manifests, Docker images, and Terraform configuration files. There's also a new action for uploading Mondoo policies to the Policy Hub and an action for configuring Mondoo Client, so you can run whatever scan commands you may need. Keep in mind that this new setup is entirely different from our previous releases and breaks existing workflow configurations. Make sure to check out the project README and each new action's README for more information on usage. As always, let us know if you have any questions at hello@mondoo.com or join us on our Mondoo Community Slack.

Find the new action on the GitHub Actions Marketplace.

GitHub Marketplace

🧹 IMPROVEMENTS

Up-to-Date EOL Data

Problem: You want to ensure that no systems in your fleet have reached EOL status, but this requires you to update Mondoo Client for the latest EOL data.

Solution: EOL data is now stored in Mondoo Platform and updated automatically each time the client runs. With this change, your systems will always have the latest EOL data as vendors publish new or updated EOL dates.

Expanded CIS Amazon EKS Benchmarks

We've greatly expanded the CIS Amazon EKS Level 1 and 2 benchmarks with additional queries and improved the overall reliability of many policies. Stay tuned for next week's release for more updates to this policy.

EKS Policy

πŸ› BUG FIXES​

  • Prevents sending duplicate Organization or Space invitations if you add a space character to an e-mail address.
  • Prevents display of duplicate informational alerts in AWS Integrations.
  • Resolves failures querying EC2 instances that lacked assigned key pairs.

· 4 min read

🥳 Mondoo 6.12.2 is out! This release includes private image scanning in Kubernetes clusters and an improved CI/CD UI experience!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Continuous Kubernetes Workload Scanning

Problem: You want to continuously evaluate the security of all the running workloads in your cluster.

Solution: The Mondoo Operator for Kubernetes now automatically discovers all workload resources in the cluster, including Deployments, CronJobs, and Pods. These new resources, when combined with the recently released Kubernetes Security and Best Practices Benchmarks, provide deep insight into the security of deployed workloads at a moment's glance.

Workload Scanning

Kubernetes Private Container Image Scanning

Problem: You scan your container images using Mondoo in CI to ensure they are secure when you deploy them. However, you want to ensure that they stay secure as new security best practices are developed, and CVEs in container images are discovered.

Solution: Mondoo now utilizes imagePullSecrets in your Kubernetes cluster to fetch and scan container images in private registries. When you enable image scanning in the Mondoo Kubernetes Operator and use imagePullSecrets to store secrets for private container registries, you receive continuous scan results for public and private container images. This gives you quick access to the misconfigurations and CVEs running in your applications.

Image Scanning

Simpler Getting Started Experience

Problem: You created your first space with Mondoo, but what's next?

Solution: A new Workstation setup page is available directly from your new Space page. This setup experience helps you to install Mondoo Client onto your Mac, Windows, or Linux workstation. It then guides you through remote scans you can perform to quickly evaluate the security of your infrastructure without deploying agents or installing integrations.

Workstation Setup

RPM Package CVE Scanning without RPM

Problem: You want to analyze Red Hat- or SUSE-based containers or images to find CVEs, but you can't see package information unless you run on a system with the rpm CLI.

Solution: Mondoo now remotely scans for package information on Red Hat-based containers and container images without needing the rpm CLI on your workstation. Fire up your Mac, Windows, or Ubuntu system and scan any Red Hat or SUSE container or container image to find outdated packages with CVEs, all without any additional setup.

CVE Scan from macOS

🧹 IMPROVEMENTS

HashiCorp Packer Plugin Officially Verified

The Mondoo Provisioner for HashiCorp Packer is now available as a HashiCorp verified provisioner on Packer.io.

Improved CI Project UI

Problem: You want to apply multiple Mondoo scans within your CI projects and view each scan individually.

Solution: We've made improvements to Mondoo Client, our GitHub Action, and the CI project UI to make working with complex CI projects a breeze. Mondoo Client CI integrations can now run multiple times within a single CI pipeline. This includes multiple executions within a stage/workflow (GitLab/GitHub) and even multiple executions within a job. This makes it possible to use Mondoo to test different assets like Docker containers or Kubernetes manifests in a single pipeline, or to perform before-and-after scans of the same asset.

CI Screenshot

New AWS Backup Vaults MQL Resources

Mondoo now includes a new aws.backup.vaults resource for working with backup vaults in AWS Backup.

Returning the ARN and recovery points of all backup vaults:

mondoo> aws.backup.vaults { arn recoveryPoints { * }}
aws.backup.vaults: [
  0: {
    arn: "arn:aws:backup:us-east-1:1234567891011:backup-vault:aws/efs/automatic-backup-vault"
    recoveryPoints: [
      0: {
        creationDate: 2022-08-17 05:00:00 +0000 UTC
        isEncrypted: true
        completionDate: 2022-08-17 07:14:15.311 +0000 UTC
        arn: "arn:aws:backup:us-east-1:1234567891011:recovery-point:1234b01b-da45-40a2-8a3a-d1d01234a8e7"
        resourceType: "EFS"
        createdBy: {
          BackupPlanArn: "arn:aws:backup:us-east-1:1234567891011:backup-plan:aws/efs/73d922fb-9312-3a70-99c3-e69123f9fdad"
          BackupPlanId: "aws/efs/73d922fb-9312-3a70-99c3-e69367f9fdad"
          BackupPlanVersion: "NDdhZGMxMmUtMTA5Zi00NDgzLThhNzItYmI1Mjk3ZWRlY2M4"
          BackupRuleId: "2e8b7566-8ec3-4e4b-8911-3c11dfdb1123"
        }
        iamRoleArn: "arn:aws:iam::1234567891011:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup"
        encryptionKeyArn: "arn:aws:kms:us-east-1:1234567891011:key/9461a123-05ae-48d0-a90b-7d5123f2578f"
        status: "COMPLETED"
      }
    ]
  }
]

Improved RunAsNonRoot Policy Queries

We've improved the Kubernetes RunAsNonRoot queries in our Kubernetes Security Benchmark and Kubernetes Application Benchmark policies. These policies now take into account settings in the PodSecurityContext, eliminating false positives when the PodSecurityContext is used to control RunAsNonRoot behavior.

Easier to Navigate MQL Docs

The simple list of resources in the MQL documentation may have worked initially, but the team is just far too fast adding new resources. We've broken up the resources by category for easier navigation.

Improved Navigation

πŸ› BUG FIXES​

  • Resolves incorrect platform description values in the Fleet view.
  • Adds a missing tooltip for control status in the policy results.
  • Resolves failures scanning Kubernetes ReplicaSets.
  • Resolves Amazon Linux EKS nodes not displaying their platform correctly.
  • Updates Amazon Linux 2022 CVE data to the 2022-08-17 release.
  • Evaluates config files in the /etc/ssh/sshd_config.d when parsing sshd configuration.
  • Resolves failures to parse some container images when scanning AKS clusters.
  • Improves the reliability of SSH algorithm checks in CIS, BSI, and Linux Baseline by Mondoo policies.
  • Resolves failures in some MQL queries.

· 5 min read

🥳 Mondoo 6.11.1 is out! This release includes supply chain security resources/policies, updated CIS policies, and Kubernetes enhancements!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Supply Chain Security Resources and Policies

Problem: In the aftermath of numerous high-profile software supply chain attacks, you want to secure your software supply chain against attackers. Mondoo provided initial resources, but didn't offer a security policy out of the box.

Solution: Mondoo now includes a preview of the CIS Software Supply Chain Security Guide policy. This policy includes 18 controls to help you secure your GitHub organization and repositories. It includes important guidelines like ensuring all organization members enable MFA and limiting repository deletion to particular users. This policy is in preview as we work to implement more controls and improve the remediation guidance for failures.

As part of the development of this policy we've also greatly expanded the Mondoo git and GitHub resources. We've expanded the data returned in the github.repository, github.file, and github.branchprotection resources and added the following new resources:

  • github.team
  • github.collaborator
  • github.package
  • github.webhook
  • github.workflow
  • git.commit
  • git.commitAuthor
  • git.gpgSignature

Supply Chain Policy

Policy Downloads

Problem: You want to download policies from the Mondoo Policy Hub to customize the policies for your own organization.

Solution: You can now download policies from the Policy Hub's policy pages.

Policy Downloads

Terraform State File Resource Preview

Problem: Instead of scanning the security of various Terraform configuration files, you'd rather go straight to the source and inspect the Terraform state file.

Solution: Mondoo now includes new preview resources for scanning the security of Terraform state files.

These new resources can be used as part of your Terraform development and deployment cycle:

terraform init
terraform apply
terraform show -json > state.json
mondoo shell -t tfstate --path state.json
mondoo> tfstate { * }
tfstate: {
  terraformVersion: "1.2.6"
  rootModule: tfstate.module id = tfmodule
  modules: [
    0: tfstate.module id = tfmodule
  ]
  formatVersion: "1.0"
  outputs: []
}

# root module
mondoo> tfstate.rootModule { * }
tfstate.rootModule: {
  address: ""
  childModules: []
  resources: [
    0: tfstate.resource id = aws_instance.app_server
  ]
}

# recursive list of modules
mondoo> tfstate.modules { * }
tfstate.modules: [
  0: {
    address: ""
    resources: [
      0: tfstate.resource id = aws_instance.app_server
    ]
    childModules: []
  }
]

🧹 IMPROVEMENTS

Updated CIS Policies

We've been hard at work to get you the latest and greatest CIS benchmarks to secure your systems. This week we've updated the following policies to the latest releases with new and updated controls:

  • AlmaLinux OS 8 Benchmark - Level 1 and Level 2 updated to 2.0
  • Apple macOS 10.15 Catalina Benchmark - Level 1 and Level 2 to 2.1.0
  • Apple macOS 11.0 Big Sur Benchmark - Level 1 and Level 2 to 2.1.0
  • Apple macOS 12.0 Monterey Benchmark - Level 1 and Level 2 to 1.1.0
  • Amazon Elastic Kubernetes Service (EKS) Benchmark - Level 1 and Level 2 to 1.1.0

AWS Best Practices Policies

We've massively revamped our AWS Best Practices policies with over 8000 lines of improved queries, expanded descriptions, and remediation steps that include Terraform code to correct AWS misconfigurations.

Remediation Steps

Elevate Privileges with --sudo flag in Local Mondoo Scans

You can now use the --sudo flag with mondoo scan local. This gives you a consistent way to execute scans with elevated privileges, regardless of the type of Mondoo scan you run.

Improved Platform Information

The Mondoo Fleet view now includes more detailed information on each asset's platform and where that asset is running. This information helps you trace assets scanned in Kubernetes/cloud integrations to the infrastructure code that is responsible for their creation. We've also broken out each Kubernetes resource so you can more easily distinguish between Deployments and the resulting ReplicaSets or Pods they spawn. This new information makes it easier to tell running containers apart from container images or server instances.

Platform Titles in Fleet

Kubernetes Clusters Now Match Integration Name

The Kubernetes clusters listed in the Mondoo CI/CD view now match the name configured in the Kubernetes Integration, making it easier to find your cluster when multiple integrations have been set up.

CI/CD Cluster Name

Add podSpec and containers to Kubernetes Resources

All Mondoo Kubernetes workloads resources now include podSpec, initContainers, and containers values, allowing you to better secure these resources.

mondoo> k8s.deployment(name: 'luna-frontend' namespace: 'default').podSpec{}
k8s.deployment.podSpec: {
  containers: [
    0: {
      image: "nginx:1.14.2"
      name: "nginx"
      ports: [
        0: {
          containerPort: 80.000000
        }
      ]
      resources: {}
    }
  ]
}

Simpler Kubernetes Manifest Scanning

You can now scan Kubernetes manifests files without the need to specify the --path flag:

mondoo scan k8s my_deployment.yml

Scanning of Single Terraform Files

You can now scan just a single Terraform configuration file instead of a whole directory of files:

mondoo scan terraform my_tf_deploy.tf

πŸ› BUG FIXES​

  • Resolves incorrect CRI-O and containerd socket check titles in the Kubernetes Security policy.
  • Updates remediation steps for some Auditd checks in the Linux Baseline to work with Debian/Ubuntu systems.
  • Resolves errors querying Kubernetes rolebindings or clusterrolebindings.
  • Mondoo Kubernetes Security and Kubernetes Best Practices policies now appear as recommended policies when setting up a Kubernetes integration.
  • Resolves page rendering problems in the ... menu on the AWS Integrations page.
  • Resolves buttons rendering too close together on Policy Hub pages.
  • Resolves failures in some if/else blocks in MQL queries.
  • Resolves failures delivering some Mondoo invites.
  • Properly detects busybox when in containers.

· 4 min read

🥳 Mondoo 6.10 is out! This release includes Kubernetes resource scanning and expanded OS support.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Kubernetes Resource Scanning

Problem: You want to secure not just your Kubernetes cluster control plane and nodes, but also the workloads you deploy to your cluster. You need visibility into the security of each of the running workloads.

Solution: Mondoo now scans each workload type as a dedicated asset, with new security and best practice policies applied to each asset. This means you'll now get not only scans of your cluster nodes and overall cluster control plane configuration, but also Pods, CronJobs, StatefulSets, DaemonSets, Jobs, and Deployments. These new assets provide more granular visibility into the workloads deployed onto your clusters and make it easy to disable or skip controls on particular workloads.

Results of Pod Scans:

Fleet View for PostgreSQL

In addition to these new assets we're also shipping new Kubernetes Security and Kubernetes Best Practice policies. These new policies replace the existing Kubernetes Application Benchmark policy and apply only to the new Kubernetes resource assets. We decided to break out our combined security and best practices policy so that it would be easier to determine security vs. best practice violations at a glance. Since these policies scan individual Kubernetes assets instead of the cluster as a whole, they also feature greatly improved scan output and new remediation steps, so you can more easily resolve findings.

Pod Asset with New Policies:

PostgreSQL Pod Asset

Improved Kubernetes Policy Controls:

PostgreSQL Pod Scan Result

To enable scanning of all Kubernetes resources as individual Mondoo assets, pass the --discover all flag when scanning clusters:

mondoo scan k8s --discover all

Stay tuned for resource scanning directly in the Mondoo Kubernetes Operator and even more improvements to out-of-the-box Kubernetes policies in the coming weeks!

Google Container Operating System Support Preview

Problem: When scanning Google Kubernetes Engine (GKE) clusters, you want to ensure the security of the cluster nodes running the Google Container OS Linux distribution.

Solution: Mondoo now includes preview support for the Google Container Operating System (GCOS). With this release, you will now see GCOS hosts properly report their release version, EOL date, and package/service states. Stay tuned for improved detection and policy support in the coming weeks.

GCOS Asset

Kubernetes k8s.initContainer Resource

Problem: You want to write Mondoo policies that examine the configuration of Kubernetes Init Containers in your workloads.

Solution: A new k8s.initContainer resource allows you to write policy against Kubernetes Init Containers.

InitContainer Query

🧹 IMPROVEMENTS

Expanded Operating System Support

We've updated Mondoo with enhanced platform end-of-life and package vulnerability data so you can scan the latest and greatest operating systems:

  • Added Alpine 3.16, Fedora 33/34/35, and VMware Photon 4 package vulnerability data.
  • Updated Amazon Linux 2022 vulnerability data for the latest preview release packages.
  • Added EOL date detection for openSUSE Tumbleweed and Clear Linux OS.
  • Updated EOL date detection for the new patch version format of VMware 7.x.x.

Linux Baseline Policy Improvements

We continue to improve our out-of-the-box Linux Baseline policy to provide better remediation steps and to support different Linux distros.

  • Skips the Ensure permissions on /etc/shadow- are configured control instead of failing when /etc/shadow- doesn't exist on the system.
  • Updates the query in the Ensure Samba is stopped and not enabled control to support Debian/Ubuntu-based Linux distros.
  • Updates the query and remediation steps for the Ensure core dumps are restricted control to support more distros.
  • Updates the query in the Ensure login and logout events are collected control to support Ubuntu.
  • Improves remediation steps and formatting throughout the policy.

Filtering in Asset Lists

You can now quickly filter assets by their score by clicking the A-F values at the top of the fleet page.

Asset Filtering

πŸ› BUG FIXES​

  • Resolves failures running scans in the Kubernetes Operator.
  • VMware Mondoo appliance now includes timesyncd to prevent platform registration failures due to time drift.
  • Resolves duplicate AWS resource counts in the AWS integration pages.
  • Resolves potential failures in Mondoo Client when reporting scan results.
  • Reports all Mondoo Client scans within GitHub Actions when running the Mondoo action in multiple jobs or steps within the same workflow.
  • Resolves incorrect steps in the VMware Integration page.
  • Resolves failures in MQL when using if/else statements that have single-valued blocks.
  • Resolves the fleet summary pages sometimes showing an incorrect summary breakdown of asset scores.

· 4 min read

🥳 Mondoo 6.9 is out! This release includes new Kubernetes pod scanning and top CVEs in the space overview!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Top Platform Vulnerabilities on Overview

Problem: You want to find the critical CVEs in your environment quickly.

Solution: The Mondoo Overview page now shows your space's top five platform vulnerabilities. This new view lets you quickly determine the most impacting vendor advisories and how many assets are affected by each advisory. The individual advisories link to detailed information pages summarizing the included CVEs and impact. You can also click View All to see all security advisories in your space.

Container CVEs

Kubernetes Pod Scanning

Problem: You have hundreds or even thousands of different workloads in your Kubernetes clusters, and you want to see the security status of individual workloads instead of just the cluster as a whole.

Solution: This week, we're shipping our first slice of Kubernetes resource scanning with pod scanning. With this new discovery mode, each pod in your cluster becomes an asset within Mondoo. Policies are applied at the pod level, and you can write MQL queries against these pods instead of the whole cluster. This gives you more granular workload scanning and improved alerting.

Pod Asset

To start discovering pods as assets during your Kubernetes scans, run mondoo scan k8s --discover pods.

Stay tuned for next week's release when we introduce more new Kubernetes resources as Mondoo assets, along with new out-of-the-box policies for scanning these assets.

Mondoo Kubernetes Operator 1.0

We started our open source Mondoo Operator for Kubernetes project in January of this year. Since then, the Mondoo team has been busy extending the functionality, ensuring stability, and squeezing every ounce of performance out of the codebase. This week after 300 pull requests merged, we shipped the 1.0 release.

What does 1.0 mean for me?

1.0 means we're confident in the functionality and stability of the project. Additionally, since Mondoo follows Semantic Versioning, we won't intentionally break any configuration interfaces in subsequent 1.x releases. Config stability between minor releases makes upgrades easier without requiring stepped upgrades.

If you're still on an older Mondoo Operator release, we strongly encourage you to upgrade to 1.0. We've introduced significant new capabilities over the last few months, including pod container image scanning, rootless/read-only execution, and CronJob-based scanning. See our Mondoo Operator Upgrade documentation for more information on upgrading to 1.0.

🧹 IMPROVEMENTS

Show Disabled and Ignored Controls

Disabled and Ignored controls in policies are now visually indicated in assets' policies, making it clear which policies impact scoring.

Status Indication in Policies

Simpler Asset Deletion

You can now delete assets directly on the asset page by clicking the delete icon.

Asset Deletion

If you're one to live dangerously, you can even opt out of warnings and delete assets with just a single click.

Opt Out of Warnings

Improved Linux EOL Detection

We've improved the EOL operating system detection in Mondoo Client to support the following new Linux releases:

  • Alpine 3.16
  • openSUSE 15.4
  • Oracle Linux 9
  • Rocky Linux 9
  • SUSE Linux Enterprise 15.4

MQL Improvements

We've updated MQL's platform resource to improve gathering information on assets. A new platform.title value exposes a human-friendly version of the platform's name, and the platform.version value has been deprecated in favor of platform.release.

Mondoo Shell

πŸ› BUG FIXES​

  • Resolves incorrect EOL dates for Rocky Linux 9 and SLES 15.3.
  • Adds a timeout for long running Kubernetes Operator scans.
  • Updates the VMware Appliance from Debian 11.2 to 11.4 to resolve CVEs in the underlying Debian installation.
  • Resolves failures during container image scanning.
  • Resolves failures during Terraform config file scans.
  • Resolves failures during EBS volume scans.
  • Removes references to "asset" in CI/CD run scan pages.
  • Client Linux Security Baseline's control 'Ensure / and /home are encrypted' now executes correctly on btrfs formatted partitions.
  • Users with the Mondoo viewer role can now list ChatOps integrations.

· 3 min read

🥳 Mondoo 6.8 is out! This release includes Azure Pipeline / Jenkins CI/CD support and Kubernetes container image scanning!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Azure Pipelines and Jenkins Support

Problem: You want to set up security scanning of projects in your CI pipelines, but you're not using a CI platform supported by Mondoo.

Solution: Mondoo now supports CI integrations with Azure Pipelines and Jenkins, raising our out-of-the-box CI/CD integrations to six. Still don't see the CI/CD integration you need? Let us know at hello@mondoo.com.

CI Setup Window

Mondoo Operator for Kubernetes Container Image Scanning

Problem: You want to assess the security of not just your Kubernetes workload definitions but also the containers running in the workloads.

Solution: Following up on last week's new CLI-based container image scanning, we're now integrating public container image scanning directly into the Mondoo Operator. When enabled, the Mondoo Operator will now perform daily scans of all publicly available container images running in your Kubernetes cluster, exposing common OS misconfigurations and CVEs.

Here the Mondoo Operator for Kubernetes scans our prod-k8s cluster. It reveals the security of the three cluster nodes, all workloads deployed to the cluster, and the kube-apiserver pod:

Cluster Scan Results

We think you'll be blown away at how quickly Mondoo discovers new CVEs in the containers that make up your critical workloads. This kube-proxy container was running on a brand new Kubernetes cluster and had six different vulnerable packages:

Container CVEs

🧹 IMPROVEMENTS

Policy and MQL Improvements

We continue to improve the out-of-the-box Mondoo policies and the MQL resources that power those policies, giving you the most reliable scan results with Mondoo:

  • Replaced platform.runtimeEnv with the simpler platform.runtime. platform.runtimeEnv is now deprecated and will be removed in Mondoo Client 7.0.
  • Deprecated platform.virtualization.isContainer in favor of either platform.kind or platform.runtime. platform.virtualization.isContainer will be removed in Mondoo Client 7.0.
  • Added the ability to determine if a branch is the default branch with isDefault in the github.branch resource.
  • Resolved failures in the github.branch resource when branch protection is not configured.
  • Resolved failures that could occur in some valid MQL blocks, which caused failures in the Kubernetes Application Benchmark policy.
  • Resolved incorrect policy scores when all controls in a policy fail.
  • Added severity scores to the Kubernetes Application Benchmark policy to make prioritizing fixes easier.
  • Expanded the Ensure HTTP Proxy server is stopped and not enabled control in the Linux Security Baseline policy to check for the Tinyproxy proxy service.

πŸ› BUG FIXES​

  • Resolve Mondoo Operator for Kubernetes node scans of Minikube not scanning all nodes.
  • Fully clean up all Mondoo Operator resources when uninstalling.
  • Use a Red Hat UBI-based Mondoo image when scanning in Red Hat OpenShift.
  • Fix handling of the Mondoo Operator's running UID when running in OpenShift.
  • Add a liveness probe to the Mondoo Operator pods to improve Mondoo scan scores.
  • Resolve potential panics when the first Kubernetes Operator check-in occurs.
  • Resolve failures to properly exit in the Kubernetes Operator when a scan request failed.
  • Reduce resource utilization by lowering the initial requested CPU and memory limits for the Kubernetes Operator's node scanning pods.