Skip to main content

Β· 4 min read

πŸ₯³ Mondoo 8.2 is out! This release includes GCP BigQuery exports, new Azure resources, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


πŸŽ‰ NEW FEATURES​

Google BigQuery data exports​

Love your security data, but need to analyze it more deeply? Now you can automatically export your Mondoo data directly to Google BigQuery.

Exports are configured just like other integrations in Mondoo, and run daily without the need to install anything into your infrastructure.

BigQuery Setup

Once the data is exported it can be combined with other data in BigQuery and analyzed with BigQuery's machine learning and BI features.

BigQuery Data

New Azure resources​

cnspec and cnquery now ship with additional Azure resources so you can inventory and secure all aspects of your Azure infrastructure:

azure.subscription.monitor.applicationinsights​

This new Azure resource lets you query each instance of Application Insights:

cnquery> azure.subscription.monitor.applicationInsights
azure.subscription.monitor.applicationInsights: [
0: azure.subscription.monitorService.applicationinsight id = /subscriptions/f1a2873a-6b27-4097-aa7c-3df51f103e96/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/components/app-insight-test
]
cnquery> azure.subscription.monitor.applicationInsights {name kind location}
azure.subscription.monitor.applicationInsights: [
0: {
name: "app-insight-test"
location: "centralus"
kind: "web"
}
]

azure.subscription.network.bastionHost​

This new Azure resource lets you query all bastion hosts, including their names, locations, and product SKUs:

cnquery> azure.subscription.network.bastionHosts
azure.subscription.network.bastionHosts: [
0: azure.subscription.networkService.bastionHost id="/subscriptions/f1a2873a-6b27-4097-aa7c-3df51f103e96/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/bastionHosts/test-bastion-host" name="test-bastion-host" location="uksouth"
]
cnquery> azure.subscription.network.bastionHosts{name location sku}
azure.subscription.network.bastionHosts: [
0: {
name: "test-bastion-host"
sku: {
name: "Standard"
}
location: "uksouth"
}
]

azure.subscription.sql.virtualNetworkRule​

This new Azure resource lets you query the virtual network rules on an SQL server and is similar to firewall rules resources:

cnquery> azure.sql.servers[1].virtualNetworkRules{*}
azure.sql.servers[1].virtualNetworkRules: [
0: {
id: "/subscriptions/f1a2873a-6b27-4097-aa7c-3df51f103e96/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/sql-server-mondoo-test/virtualNetworkRules/newVnetRule1"
properties: {
id: "/subscriptions/f1a2873a-6b27-4097-aa7c-3df51f103e96/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Sql/servers/sql-server-mondoo-test/virtualNetworkRules/newVnetRule1"
name: "newVnetRule1"
properties: {
ignoreMissingVnetServiceEndpoint: false
state: "Ready"
virtualNetworkSubnetId: "/subscriptions/f1a2873a-6b27-4097-aa7c-3df51f103e96/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Network/virtualNetworks/prelav-test-VN/subnets/default"
}
type: "Microsoft.Sql/servers/virtualNetworkRules"
}
virtualNetworkSubnetId: "/subscriptions/f1a2873a-6b27-4097-aa7c-3df51f103e96/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Network/virtualNetworks/prelav-test-VN/subnets/default"
type: "Microsoft.Sql/servers/virtualNetworkRules"
name: "newVnetRule1"
}
]

azure.subscription.cosmosdb​

This new Azure resource lets you query the Azure Cosmos DB service.

Query databases:

cnquery> azure.subscription.cosmosDb.accounts
azure.subscription.cosmosDb.accounts: [
0: azure.subscription.cosmosdbService.account name="test-cosmosdb-mondoo" location="West US"
1: azure.subscription.cosmosdbService.account name="test-mondoo-cassandra" location="West US"
]

Write assertions to secure configuration:

cnquery> azure.cosmosDb.accounts{properties['isVirtualNetworkFilterEnabled'] name}
azure.cosmosDb.accounts: [
0: {
properties[isVirtualNetworkFilterEnabled]: true
name: "test-cosmosdb-mondoo"
}
1: {
properties[isVirtualNetworkFilterEnabled]: true
name: "test-mondoo-cassandra"
}
]

🧹 IMPROVEMENTS​

Kubernetes namespace scoped scanning​

You can now scan a single namespace in a Kubernetes cluster even if you don't have access to resources outside that namespace. This allows you to scan all workloads in your namespace and browse asset relationships under the namespace in the Mondoo Console.

Example cnquery query against a single namespace:

./cnquery run k8s --namespaces default -c "k8s.pods" --discover namespaces
β†’ loaded configuration from /Users/ivanmilchev/.config/mondoo/mondoo.yml using source default
β†’ discover related assets for 1 asset(s)
β†’ resolved assets resolved-assets=1
k8s.pods: [
0: k8s.pod namespace="default" name="nginx" created=2023-03-14 16:59:07 +0100 CET
]

Homebrew now installs cnspec/cnquery along with Mondoo​

The Mondoo Homebrew tap now installs both cnquery and cnspec as dependencies, giving you the complete power of Mondoo in one installation.

Homebrew install

All macOS binaries are now signed and notarized​

We now sign and notarize all binaries for macOS, not just those installed with the Mondoo .pkg file. This means no matter where you consume Mondoo packages, you will always have a fully secured binary that passes all of Apple's security requirements.

πŸ› BUG FIXES​

  • Fix failure if the ps command column has no data and warn if data otherwise can't be parsed correctly.
  • Fix failures setting the AWS integration.
  • Fix parsing of policies with arrays of remediations instead of simple strings.
  • Improve the audit/remediation steps in Mondoo security policies.
  • Update cnspec bundle lint and cnspec bundle fmt commands to support the Mondoo version 8.0+ policy structure.
  • Update the Ensure events that modify the system's Mandatory Access Controls are collected query in the Linux Security by Mondoo policy to support either SELinux or AppArmor. Thanks @micheelengronne!
  • Improve reliability of queries in the Okta Organization Security by Mondoo policy.

Β· 6 min read

πŸ₯³ Mondoo 8.1 is out! This release includes policy variants, new security policies, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


πŸŽ‰ NEW FEATURES​

Policy variants​

Sometimes queries differ slightly when executed in different environments. This can happen with:

  • Highly related queries, like OS checks that run differently on physical servers than they do on containers

  • Queries that test for similar things on entirely different targets

Let's take a look at the latter example:

queries:
- uid: no-public-ip
title: No public IPs are allowed on internal instances
variants:
- uid: no-public-ip-aws
- uid: no-public-ip-terraform-aws
- uid: no-public-ip-aws
mql: |
aws.ec2.instances.all( publicIp == "" )
filters: |
asset.platform == "aws"
- uid: no-public-ip-terraform-aws
mql: |
terraform.resources.
where( nameLabel == "aws_instance" ).
all( arguments['associate_public_ip_address'] != true )
filters: |
asset.platform == "terraform-hcl"

This query ensures that β€œNo public IPs are allowed on internal instances.” This query is implemented in two different ways: one for the AWS API (no-public-ip-aws) and one for Terraform (no-public-ip-terraform-aws). You can run this check against both AWS accounts and Terraform files and get consistent reporting.

Additionally, this addresses a common use case where there's a split between things that happen in development and things that run in production. If you have separate tools in different environments, or even separate policies, you previously had to manage exceptions to certain checks across both ends of the lifecycle. Now with variants, you can instead define exceptions on the combined check, making sure that they are treated consistently between development and production.

New Okta Security policy + MQL enhancements​

Last week we shipped continuous Okta scanning integration in the Mondoo Console. This week we have a new Mondoo security policy and improvements to Okta MQL resources so you can secure your Okta environment in just minutes.

Our new Okta Security Policy by Mondoo includes 11 checks to keep your Okta environment secure out of the box:

  • Ensure MFA is active for everybody accessing Okta platform
  • Ensure a limited session lifetime has been enforced
  • Ensure OpenID or SAML authentication is used for app access
  • Ensure normal users cannot unlock themselves
  • Ensure Secure Web Authentication (SWA) is disabled for critical apps
  • Ensure the option "at every sign-in" is enabled for MFA
  • Ensure "Persist session cookies across browser sessions" is disabled
  • Ensure the users with Super Admin rights are limited to 3
  • Ensure the strong factor is used for MFA
  • Ensure that MFA is configured to use password/IdP plus another authentication factor
  • Ensure the "Password/IdP plus Another" factor is chosen for MFA

If you want to define your own business policies for Okta, you're in luck. We've improved our Okta MQL policies, giving your access to more information on your environment:

  • Gather okta.role and user.roles, allowing you to query which roles are assigned to a user
  • Gather access policy rules
  • Fix okta.trustedOrigin.scopes parsing

New Microsoft Workstation Security policy​

Our all-new Microsoft Workstation Security policy provides security guidance for workstations running Windows 10 and 11.

New Windows Workstation Policy

New and updated Kubernetes policies​

Kubernetes moves fast, so ensuring your security policy matches the latest and greatest security recommendations is essential. Mondoo now includes the latest CIS benchmarks for Kubernetes distributions with updated auditing and remediation steps as well as new checks for the control plane in cloud distributions:

  • New: CIS Kubernetes V1.24 Benchmark 1.0
  • Updated: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark 1.2
  • Updated: CIS Google Kubernetes Engine (GKE) Benchmark 1.3
  • Updated: CIS Azure Kubernetes Service (AKS) Benchmark 1.2
  • Updated: CIS RedHat OpenShift Container Platform v4 Benchmark 1.1

🧹 IMPROVEMENTS​

Smaller installation size​

The Mondoo package has been optimized to reduce the space on disk consumed by Mondoo, cnquery, and cnspec commands. The legacy Mondoo CLI is now 200MB smaller on all platforms. Additionally, the cnquery and cnspec CLIs are each ~150MB smaller on Windows systems.

More AWS ElasticCache data in MQL​

We've deprecated aws.elasticache.clusters in favor of a new aws.elasticache.cacheClusters resource that presents cluster data in an easier to consume format.

cnquery> aws.elasticache.cacheClusters { * }
aws.elasticache.cacheClusters: [
0: {
arn: "arn:aws:elasticache:us-east-1:ID:cluster:vjtest-001"
notificationConfiguration: ""
cacheSubnetGroupName: "vjtest"
atRestEncryptionEnabled: false
logDeliveryConfigurations: []
ipDiscovery: "ipv4"
authTokenLastModifiedDate: null
numCacheNodes: 1
engine: "redis"
networkType: "ipv4"
region: "us-east-1"
securityGroups: []
transitEncryptionMode: ""
cacheNodeType: "cache.t3.medium"
engineVersion: "7.0.7"
preferredAvailabilityZone: "us-east-1c"
transitEncryptionEnabled: false
cacheClusterId: "vjtest-001"
authTokenEnabled: false
snapshotRetentionLimit: 0

Expanded Azure Security policy​

We've updated the Microsoft Azure Security by Mondoo policy with seven new checks to keep your Azure environment secure out of the box:

  • Ensure that App services can authenticate with Active Directory
  • Ensure that Web App takes advantage of latest version of TLS encryption
  • Ensure that the expiration date is set for all keys and secrets in key vaults
  • Ensure it is possible to recover key vaults
  • Ensure all operations on key vault are logged
  • Ensure that activity log alerts exist for the commands Create, Update, and Delete Network Security Group
  • Ensure that "Notify about alerts with high severity" is enabled

Expanded Google Workspace policy​

We've updated our Google Workspace Security by Mondoo policy with three new checks:

  • Ensure more than one user has Super Admin permissions
  • Users should not be allowed less secure app access
  • Super users should use hardware-based security keys

Remove v7 deprecations​

Now that v8 is out, we've cleaned up several old flags and options that were deprecated during v7.

Deprecated GCP flags​

We removed the deprecated cnspec and cnquery flags for GCP --project and --organization. We also marked the --project-id and --organization-id flags as deprecated. Use cnspec scan gcp organization MY_ORG or cnspec scan gcp project MY_PROJECT instead.

Deprecated K8s flag​

We removed the deprecated cnspec and cnquery Kubernetes --namespace flag. Use --namespaces instead.

Deprecated Azure/Microsoft 365 inventory options​

We removed the deprecated tenantId, clientId, and subscriptionId Azure/Microsoft 365 inventory file configuration options. Use tenant-id, client-id, and subscription-id instead.

Deprecated azure.subscription.sqlService.database fields​

We removed the deprecated containmentState, currentServiceObjectiveId, requestedServiceObjectiveId, and serviceTierAdvisors fields from the azure.subscription.sqlService.database resource.

πŸ› BUG FIXES​

  • Don't fail an entire AWS account scan when a single service has a region restriction set.
  • Fail better when a Kubernetes namespace cannot be scanned due to permissions failures.
  • Fix cnspec bundle format failure introduced in 8.0.
  • Update the scanning progress bar to make it more clear when an asset was not scored.
  • Fix console login page text field text color to be black.
  • Fix console login page links to user agreement and privacy policy to load in new windows.
  • Don't display 0 Others for Azure assets in the fleet page.
  • Fix off-center spinner loaders on the integration pages.
  • Rename "Latest Advisories" on the overview page to be "Top Advisories" to better match what the widget shows.
  • Show accurate billing plan data in the console.
  • Improve rendering on the welcome page on small displays.

Β· 15 min read

πŸ₯³ Mondoo 8.0 is out! This release includes a whole new policy experience, new SaaS integrations, and much more!​

Get this release: Installation Docs | Package Downloads | Docker Container


We are excited to announce Mondoo v8, the new major release of cnspec, cnquery, and Mondoo Platform.

πŸš€ NEW POLICY EXPERIENCE​

This release significantly improves policies and query packs by simplifying their structure and adding major new features like properties, variants, and embedded queries. We continue to keep the Mondoo upgrade process incredibly simple, so you don’t have to worry about moving to v8.

Policies and query packs​

Problem: Some of our old fields were confusing to use. For example: query defined the MQL query inside of the query with metadata. (Why use it twice?) The scoring_queries and data_queries inside policies were unnecessarily convoluted. And what were specs?

policies
- specs:
- scoring_queries:
sshd-01:
- data_queries:
sshd-02:
queries:
- uid: sshd-01:
query: sshd.config.params["StrictModes"] == "yes"
- uid: sshd-02:
query: sshd.config.params

Solution: We have overhauled a lot of commonly used terms in policies and query packs. Queries now contain an mql field to store the MQL snippet. Policies are now built around groups that can generate chapters and contain checks (which are scored) and queries (which are not scored). Additionally, we have removed all instances of key-value maps (see sshd-01: above) and replaced them with named fields (see - uid: sshd-01 below).

policies:
- groups:
- checks:
- uid: sshd-01
- queries:
- uid: sshd-02
queries:
- uid: sshd-01
mql: sshd.config.params["StrictModes"] == "yes"
- uid: sshd-02
mql: sshd.config.params

Problem: The old YAML files we used in cnspec and cnquery required users to create references for queries and checks to use them. This forced people to write policies and separately reference all queries they wanted to use. See the example above.

Solution: We have introduced embedded queries. It’s now much easier to write policies that stand on their own. You don’t have to explicitly reference queries and checks anymore. Instead, you can embed queries and checks directly into the policy that describes them.

policies:
- groups:
- checks: # embedded query vv
- uid: sshd-01
mql: sshd.config.params["StrictModes"] == "yes"
- queries:
- uid: sshd-02
mql: sshd.config.params

If you want to re-use queries, you can continue to use them globally as well, as seen above. If you prefer not to set a uid for any of these embedded queries and checks, cnspec generates one for you: Just run cnspec bundle format FILENAME. Stable UIDs (and, in turn, MRNs) are still important for anyone who uses your policy and defines overrides, exceptions, or processes policy results.

Problem: The ability to override queries and checks was very limiting. You could only affect a limited number of fields and had to understand how these were referenced. (We will skip the example to avoid even more confusion.)

Solution: Making changes to individual queries is now simple and intuitive. For example, here is a globally shared query that is modified in a policy:

policies:
- groups:
- checks:
# reference the shared query and change its title and impact
- uid: sshd-01
title: Make sure to enforce StrictMode
impact: 80

queries:
- uid: sshd-01
mql: sshd.config.params["StrictModes"] == "yes"
impact: 50

Problem: Policies containing a lot of queries flooded users with an unstructured list of all of their contents. However, most policy documents aren’t written this way. Instead, they contain chapters and sections that group together checks and controls.

Solution: Policy groups now have a type to specify their function. For example, the most common type in a policy is a chapter:

policies:
- uid: policy1
groups:
- type: chapter
title: Kernel checks
docs:
desc: |
Long description about what kernel checks do...
checks:
- uid: kernel-check-01
...

Other types include import (for referencing imported policies) and override (for making changes to any policies, queries, and checks).

Properties​

Properties are a way to make adjustments to existing queries in pre-defined ways. For example, you can change the list of allowed TLS ciphers to include ciphers you need or you can change the location of files that are tested.

Properties existed before v8, but weren’t exposed to users. With this release we make properties configurable in the CLI, with configuration in the UI to follow in the coming weeks.

Configuration

Policy authors can add properties to their queries in YAML using props:

- uid: home-info
mql: file(props.home) { * }
title: Gather info about the user's home
props:
- uid: home
mql: |
"/home"

The uid is required. It provides the name for accessing properties in MQL. These follow standards for identifiers (such as no spaces or control characters allowed).

CLI usage

By default, the query uses the configured property. If you want to adjust it, such as for the above example, you can use the --props CLI argument:

cnspec scan -f examples/example.mql.yaml --props "home='/home/zero'"

Note: This example overwrites a string property. Doing this properly requires escaping the CLI arguments so they retain the quotation (’) characters in MQL. Properties can be any MQL snippet, but must adhere to the expected type. For example: You can't overwrite a string property into a number.

Deprecations​

All deprecations will be supported throughout the lifetime of Mondoo v8. We will remove them when we release Mondoo v9.

  • With the new policy format established in this release, we are deprecating the old policy format. If you only use existing policies created and maintained by Mondoo, you don’t need to take any action. We are serving both v7 and v8 clients and will keep things compatible.

  • If you have written your own policies, these will automatically work with v7 and v8 clients after you upload them to the Policy Hub. To take advantage of the many simplifications and features we have added, we encourage you to convert your policies to v8 with this simple command:

    cnspec bundle format FILE

    The formatter in cnspec always store files in the latest format.

  • All public policies in our community repo https://github.com/mondoohq/cnspec-policies will remain in the v7 format for a little longer. This is to support users who are still using v7 and manually downloading policy files. We will transition these policies throughout the v8 lifespan to allow some new capabilities, like configurable properties, context, and variants.

πŸŽ‰ OTHER NEW FEATURES​

Continuous scanning of Google Workspace and Okta​

You can now continuously scan your Google Workspace and Okta SaaS environments directly from the Mondoo console. There's nothing to download or install in order to get started. Set up integrations with service accounts or tokens for these SaaS services, and they will securely scan every 8 hours.

New Integrations

Scan GCP orgs, projects, and folders​

No matter what you want to inspect in your GCP infrastructure, Mondoo has your back with new scanning support from your whole organizationβ€”down to a single folder:

cnquery scan gcp org 342423 # <-- scan GCP organization
cnquery scan gcp project mondoo-dev # <-- scan GCP project
cnquery scan gcp folder 3421423 # <-- scan GCP folder

Secure your GKE control plane​

There's more to Cloud Kubernetes security than just the kubelet and cluster workloads, so we've added new data-gathering capabilities for the GKE control plan. Use this new data to take inventory of your GKE configuration or to write custom security policies for your organization.

Cluster addonsConfig​

cnquery> gcp.project.gke.clusters{ addonsConfig{*} }
gcp.project.gke.clusters: [
0: {
addonsConfig: {
horizontalPodAutoscaling: {
disabled: false
}
id: "gcp.project.gkeService.cluster/12345/addonsConfig"
gkeBackupAgentConfig: {}
gcePersistentDiskCsiDriverConfig: {
enabled: true
}
networkPolicyConfig: {
disabled: false
}
gcpFilestoreCsiDriverConfig: {
enabled: false
}
dnsCacheConfig: {
enabled: false
}
httpLoadBalancing: {
disabled: false
}
kubernetesDashboard: {
disabled: true
}
configConnectorConfig: {}
cloudRunConfig: {}
}
}
]

Cluster nodePools management​

cnquery> gcp.project.gke.clusters{ nodePools{ management } }
gcp.project.gke.clusters: [
0: {
nodePools: [
0: {
management: {
autoRepair: true
autoUpgrade: true
upgradeOptions: {}
}
}
1: {
management: {
autoRepair: true
autoUpgrade: true
upgradeOptions: {}
}
}
]
}
]

Cluster networkConfig​

cnquery> gcp.project.gke.clusters{ networkConfig{*} }
gcp.project.gke.clusters: [
0: {
networkConfig: {
enableL4IlbSubsetting: false
id: "gcp.project.gkeService.cluster/12345/networkConfig"
dnsConfig: {}
serviceExternalIpsConfig: {
enabled: false
}
subnetworkPath: "projects/project-1/regions/us-central1/subnetworks/mondoo-gke-cluster-2-subnet"
privateIpv6GoogleAccess: "PRIVATE_IPV6_GOOGLE_ACCESS_UNSPECIFIED"
datapathProvider: "DATAPATH_PROVIDER_UNSPECIFIED"
networkPath: "projects/project-1/global/networks/mondoo-gke-cluster-2"
subnetwork: gcp.project.computeService.subnetwork name="mondoo-gke-cluster-2-subnet"
enableIntraNodeVisibility: false
defaultSnatStatus: {
disabled: false
}
network: gcp.project.computeService.network name="mondoo-gke-cluster-2"
}
}
]

Cluster workloadIdentityConfig​

cnquery> gcp.project.gke.clusters{ workloadIdentityConfig }
gcp.project.gke.clusters: [
0: {
workloadIdentityConfig: {
workloadPool: "mondoo-edge.svc.id.goog"
}
}
]

Cluster ipAllocationPolicy​

cnquery> gcp.project.gke.clusters{ ipAllocationPolicy{*} }
gcp.project.gke.clusters: [
0: {
ipAllocationPolicy: {
id: "gcp.project.gkeService.cluster/12345/ipAllocationPolicy"
stackType: "IPV4"
tpuIpv4CidrBlock: ""
useRoutes: false
createSubnetwork: false
nodeIpv4CidrBlock: ""
subnetworkName: ""
servicesSecondaryRangeName: "cluster-2-ip-range-svc"
useIpAliases: true
clusterSecondaryRangeName: "cluster-ip-range-pods"
clusterIpv4CidrBlock: "10.20.0.0/16"
ipv6AccessType: "IPV6_ACCESS_TYPE_UNSPECIFIED"
servicesIpv4CidrBlock: "10.30.0.0/16"
}
}
]

Cluster binaryAuthorization​

cnquery> gcp.project.gke.clusters{ binaryAuthorization }
gcp.project.gke.clusters: [
0: {
binaryAuthorization: {
enabled: false
evaluationMode: "EVALUATION_MODE_UNSPECIFIED"
}
}
]

Cluster legacyAbac​

cnquery> gcp.project.gke.clusters{ legacyAbac }
gcp.project.gke.clusters: [
0: {
legacyAbac: {
enabled: false
}
}
]

Cluster masterAuth​

cnquery> gcp.project.gke.clusters{ masterAuth }
gcp.project.gke.clusters: [
0: {
masterAuth: {
clientCertificate: ""
clientCertificateConfig: {}
clientKey: ""
clusterCaCertificate: "***"
password: ""
username: ""
}
}
]

Identify public IPs in Azure​

Identifying publicly exposed assets is critical to securing your cloud infrastructure. Use the new publicIpAddresses data available in the azure.subscription.computeservice.vm and azure.subscription.networkservice to quickly identify assets that may be incorrectly publicly exposed.

Identify all public IP addresses in a subscription:

cnquery> azure.subscription.network.publicIpAddresses{*}
azure.subscription.network.publicIpAddresses: [
0: {
name: "super-cool-public-ip"
id: "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Network/publicIPAddresses/<redacted>"
location: "uksouth"
tags: {}
ipAddress: "255.255.255.255"
}
]

Identify public IP addresses on specific VMs:

cnquery> azure.subscription.compute.vms{publicIpAddresses{*}}
azure.subscription.compute.vms: [
0: {
publicIpAddresses: [
0: {
name: "super-cool-public-ip"
id: "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Network/publicIPAddresses/<redacted>"
location: "uksouth"
tags: {}
ipAddress: "255.255.255.255"
}
]
name: "vm-name"
}
]

Query Google Workspace connected apps​

You can now fetch Google Workspace connected apps with a new googleworkspace.connectedApps MQL resource:

googleworkspace.connectedApps { name clientid }
googleworkspace.connectedApps: [
0: {
clientId: "11234434534-abcdefg.apps.googleusercontent.com"
name: "Slack"
}
...
]

You can also filter this data to return specific connected apps:

googleworkspace.connectedApps.where( name == /Slack/) { * }
googleworkspace.connectedApps.where: [
0: {
users: [
0: googleworkspace.user primaryEmail="user1@example.com"
]
tokens: [
0: googleworkspace.token displayText="Slack"
]
scopes: [
0: "https://www.googleapis.com/auth/activity"
1: "https://www.googleapis.com/auth/drive.activity"
2: "https://www.googleapis.com/auth/userinfo.profile"
3: "https://www.googleapis.com/auth/userinfo.email"
4: "openid"
5: "https://www.googleapis.com/auth/calendar.readonly"
6: "https://www.googleapis.com/auth/drive"
7: "https://www.googleapis.com/auth/calendar.events"
]
name: "Slack"
clientId: "11234434534-abcdefg.apps.googleusercontent.com"
}
1: {
users: [
0: googleworkspace.user primaryEmail="user1@example.com"
1: googleworkspace.user primaryEmail="user2@example.com"
2: googleworkspace.user primaryEmail="user3@example.com"
3: googleworkspace.user primaryEmail="user4@example.com"
]
tokens: [
0: googleworkspace.token displayText="Slack"
1: googleworkspace.token displayText="Slack"
2: googleworkspace.token displayText="Slack"
3: googleworkspace.token displayText="Slack"
]
scopes: [
0: "https://www.googleapis.com/auth/userinfo.profile"
1: "https://www.googleapis.com/auth/userinfo.email"
2: "openid"
]
name: "Slack"
clientId: "3321342421-abcdefg.apps.googleusercontent.com"
}
2: {
users: [
0: googleworkspace.user primaryEmail="user1@example.com"
1: googleworkspace.user primaryEmail="user2@example.com"
2: googleworkspace.user primaryEmail="user3@example.com"
3: googleworkspace.user primaryEmail="user4@example.com"
]
tokens: [
0: googleworkspace.token displayText="Slack"
1: googleworkspace.token displayText="Slack"
2: googleworkspace.token displayText="Slack"
3: googleworkspace.token displayText="Slack"
]
scopes: [
0: "https://www.googleapis.com/auth/userinfo.profile"
1: "https://www.googleapis.com/auth/userinfo.email"
2: "openid"
]
name: "Slack"
clientId: "6060606090-abcdefg.apps.googleusercontent.com"
}
]

Python packages inspection​

Outdated packages don't end at the operating system, so we've introduced our first application package resource with the python.packages MQL resource. This new resource discovers packages automatically on macOS, Windows, and Linux in the following locations:

  • /usr/local/lib/python/*
  • /usr/local/lib64/python/*
  • /usr/lib/python/*
  • /usr/lib64/python/*
  • /opt/homebrew/lib/python/*
  • C:/Python/*
  • /System/Library/Frameworks/Python.framework/Versions
  • /Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions

Each package returns data similar to this pytz package:

cnquery> python.packages[0]{ * }
python.packages[0]: {
author: "Armin Ronacher"
name: "Babel"
dependencies: [
0: python.package name="pytz" version="2022.7.1"
]
summary: "Internationalization utilities"
id: "/usr/lib/python3.11/site-packages/Babel-2.10.3-py3.11.egg-info/PKG-INFO"
file: file path="/usr/lib/python3.11/site-packages/Babel-2.10.3-py3.11.egg-info/PKG-INFO" size=1283 permissions.string="-rw-r--r--"
license: "BSD"
version: "2.10.3"
}

To query a specific package on disk you can provide the path to the METADATA file:

cnquery> python.package("/home/jdiaz/.local/lib/python3.11/site-packages/python_ftp_server-1.3.17.dist-info/METADATA"){ * }
python.package: {
version: "1.3.17"
summary: "Command line FTP server tool designed for performance and ease of use."
file: file path="/home/jdiaz/.local/lib/python3.11/site-packages/python_ftp_server-1.3.17.dist-info/METADATA" size=1186 permissions.string="-rw-r--r--"
author: "Vadym Stupakov"
dependencies: data is not a map to auto-expand
id: "/home/jdiaz/.local/lib/python3.11/site-packages/python_ftp_server-1.3.17.dist-info/METADATA"
license: "MIT"
name: "python-ftp-server"
}

This is the first of many new application package resources we plan to introduce, allowing you to audit and secure your application dependencies. If you have particular application packaging systems you want to see in cnquery and cnspec, be sure to let us know on our GitHub Discussions page.

🧹 IMPROVEMENTS​

Support for connecting to IPv6 hosts​

Some day we'll all take the leap and migrate to IPv6. When you do, Mondoo will be there for you. We've updated both cnquery and cnspec to connect to IPv6 hosts directly over SSH or using Ansible inventory files.

cnquery shell ssh chris@fd00::20c:30ff:fe8a:9da0 --ask-pass
Enter password:
β†’ discover related assets for 1 asset(s)
β†’ resolved assets resolved-assets=1
___ _ __ __ _ _ _ ___ _ __ _ _
/ __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| | __/ | | |_| |
\___|_| |_|\__, |\__,_|\___|_| \__, |
mondooβ„’ |_| |___/ interactive shell

cnquery>

Expanded support for AWS ECS in MQL​

In this release we've greatly expanded MQL's AWS ECS support with new data and resources:

  • aws.ecs.task now includes platformVersion data.
  • aws.ecs.container now includes platformVersion, runtimeId, and containerName data.
  • aws.ecs.cluster now includes containerInstances data.
  • aws.ecs.image now includes uri data exposing the URI of the image repository.
  • New aws.ecs.instance resource.

New and improved policies​

  • New Microsoft 365 Security by Mondoo

    This all-new policy by Mondoo helps you to secure your Microsoft 365 configuration.

  • New Microsoft Vulnerability Policy by Mondoo

    This all-new policy helps you find critical vulnerabilities in Microsoft Office and SharePoint.

  • New VMware vCenter Incident Response Pack

    Gather critical information on your vSphere and ESXi systems in the event of a security incident with this new incident response pack.

  • Updated CIS Microsoft 365 Foundations Benchmark from 1.2 to 1.5

    This updated policy is nearly entirely rewritten with dozens of new controls, more reliable queries, and updated remediation steps.

  • Updated CIS Google Kubernetes Engine (GKE) Benchmark to 1.3.0

    This updated policy includes new policies for securing not just the Kubelets, but now also the Kubernetes control plane.

  • Updated CIS Google Cloud Platform Foundation Benchmark policy

    Ten updated controls in the CIS Google Cloud Platform Foundation Benchmark policy improve the reliability of results.

  • Updated Microsoft Azure Security

    We added nine new queries to the Microsoft Azure Security to help you better secure the base directory configuration.

  • Updated Linux Workstation Security

    We expanded boot loader security to include permissions on /boot/loader/loader.conf so you can rest assured your boot sequence hasn't been tampered with.

  • Updated Linux Security Policy

    We improved the reliability of auditd package checks on some SUSE releases.

Specify GCP and Google Workspace credential path​

You can now specify the path to your GCP or Google Workspace credentials using a new --credentials-path flag. Shell environmental variables will continue to take precedence when defining the path, but this is a great method of setting the path if you don't have shell ENV vars set.

With env var:

GOOGLE_APPLICATION_CREDENTIALS=~/mondoo-dev-1111111.json cnquery shell gcp

With --credentials-path:

cnquery shell gcp --credentials-path ~/mondoo-dev-1111111.json

Find spaces more easily in large organizations​

It was hard to find a particular asset when you had a large number of organizations or spaces. We've made things easier to track down with new links to open individual organizations and alphabetical sorting of all spaces.

New Sorting of Spaces

Login with a splash​

Our old login page didn't feel fancy enough, so we redesigned it with splashes of Mondoo purple and orange to spruce up your login experience.

New Login Screen

Red Hat Universal Base Image cnspec containers on Docker Hub​

We are now publishing Red Hat Universal Base Image-based cnspec and cnquery containers to Docker Hub. These containers are perfect for running cnspec and cnquery in OpenShift clusters. You can find these images along with our standard Alpine-based images at https://hub.docker.com/r/mondoo/cnspec and https://hub.docker.com/r/mondoo/cnquery.

Improved scan error output​

Gone are cryptic asset connection error messages when scanning multiple assets! In their place you now see better formatted and parsed error messages that make it easier to track down exactly why assets can't be scanned.

Better error output

πŸ› BUG FIXES​

  • We now correctly detect services on Kali Linux.
  • Mondoo EOL policy now executes on FreeBSD hosts.
  • cnquery run and cnspec run now properly load Mondoo Platform config to support EOL and package vulnerability queries.
  • Fix parsing of timestamps in Google Workspace.
  • Fix setup instructions for Windows on the Integrations page to copy/paste correctly.
  • Add missing breadcrumbs to the Vulnerabilities page.
  • Add form validation to the GCP and Okta Integration setup pages.
  • Don't report successful vulnerability scanning on an asset when zero packages were discovered.
  • Fix incorrect quoting in the GitLab Docker scanning example
  • Don't show the hour when reporting an EOL date for an asset.
  • Fix incorrect GCP project ID validation in the GCP integration setup page.
  • If an integration has never scanned, then display Never instead of Jan 01, 0001.
  • Update links on integration pages to go to specific documentation.
  • Use the latest Microsoft 365 logo on the integrations page.
  • Improve performance of container image scanning in the Mondoo Kubernetes Operator.
  • Update tabs on asset pages to match the new navigation UX.
  • Add the missing Okta token field to the Okta integration setup page.
  • Link to new CloudShell documentation in the AWS integration setup wizard.
  • Fix GCP console links in the GCP integration setup page to load properly when logged out of GCP.
  • Specify UDP or TCP in the ports.listening resource so specific protocols can be queried instead of just ipv4/ipv6.
  • Resolve failures scanning container registries.
  • Label container image assets with all discovered tags when scanning container registries.

Β· 3 min read

πŸ₯³ Mondoo 7.18 is out! This release includes updated GCP resources, expanded EOL detection, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


🧹 IMPROVEMENTS​

GCP resource updates​

We've continued to expand the data you can query using MQL in your GCP projects to make asset inventory and security easier:

  • Add new gcp.project.compute.addresses resource

    gcp.project.compute.addresses[0]: {
    ipv6EndpointType: ""
    created: 2022-12-15 12:45:25.62 -0800 -0800
    address: "10.10.0.2"
    network: data is not a map to auto-expand
    networkTier: "PREMIUM"
    id: "2700460578865297802"
    userUrls: [
    0: "https://www.googleapis.com/compute/v1/projects/mondoo-edge/regions/us-central1/forwardingRules/gke-mondoo-gke-cluster-2-c255f8bc-73b71c8f-pe"
    ]
    ipVersion: ""
    name: "gke-mondoo-gke-cluster-2-c255f8bc-73b71c8f-pe"
    status: "IN_USE"
    subnetworkUrl: "https://www.googleapis.com/compute/v1/projects/mondoo-edge/regions/us-central1/subnetworks/mondoo-gke-cluster-2-subnet"
    prefixLength: 0
    networkUrl: ""
    regionUrl: "https://www.googleapis.com/compute/v1/projects/mondoo-edge/regions/us-central1"
    addressType: "INTERNAL"
    purpose: "GCE_ENDPOINT"
    description: ""
    subnetwork: gcp.project.computeService.subnetwork name="mondoo-gke-cluster-2-subnet"
    }
  • Add new gcp.project.compute.forwardingRules resource

    gcp.project.compute.forwardingRules: [
    0: {
    description: ""
    ipProtocol: "TCP"
    serviceDirectoryRegistrations: []
    id: "1374403102344"
    labels: {}
    name: "front-lb-1-test"
    serviceName: ""
    network: gcp.project.computeService.network name="test-vpc-3"
    networkUrl: "https://www.googleapis.com/compute/v1/projects/manuel-development-2/global/networks/test-vpc-3"
    allPorts: false
    targetUrl: "https://www.googleapis.com/compute/v1/projects/manuel-development-2/regions/us-central1/targetHttpProxies/lb-1-test-target-proxy"
    ipAddress: "35.209.226.183"
    allowGlobalAccess: false
    networkTier: "STANDARD"
    backendService: ""
    isMirroringCollector: false
    subnetwork: data is not a map to auto-expand
    noAutomateDnsZone: false
    serviceLabel: ""
    ports: []
    loadBalancingScheme: "EXTERNAL_MANAGED"
    ipVersion: ""
    created: 2023-01-19 10:56:30.873 -0800 -0800
    metadataFilters: []
    regionUrl: "https://www.googleapis.com/compute/v1/projects/manuel-development-2/regions/us-central1"
    portRange: "80-80"
    subnetworkUrl: ""
    }
    ]
  • gcp.project.dataproc.clusters data is now only gathered if if the DataProc Cloud service is enabled in the project.

  • Improve reliability of parsing GCP alert policies conditions.

New and improved EOL detection​

We've improved support for detecting end of life (EOL) platforms with new and updates EOL detection support:

  • Added EOL detection support for FreeBSD.
  • Added EOL detection support for Linux Mint.
  • Added EOL date for Alpine 3.17.
  • Added EOL date for Fedora 36 and 37.
  • Updated Debian EOL dates to use the end of LTS dates.
  • Updated Photon 2.0 EOL date for the revised date of Dec 31, 2022.
  • Updated Amazon 2022 EOL date for the revised date of Nov 1, 2027.

Support storing Okta token in OKTA_CLIENT_TOKEN env var​

If you don't want to pass your Okta token on the CLI with the --token flag, cnquery and cnspec now support fetching the token from the OKTA_CLIENT_TOKEN env var in your shell.

πŸ› BUG FIXES​

  • Improve consistency of the icons in each integrations page and ensure they are all using the latest vendor logos.
  • Allow opening assets in the fleet view in new windows.
  • Don't show advisories with 0 impacted assets on the space overview page if there are no advisories for any assets in the space.

Β· 5 min read

πŸ₯³ Mondoo 7.17 is out! This release includes Amazon ECR/ECS scanning, new Amazon and Azure resources, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


πŸŽ‰ NEW FEATURES​

Continuous Amazon ECR and ECS scanning​

Problem: You want to continuously scan Amazon Elastic Container Registry (ECR) registries and Amazon Elastic Container Service (ECS) containers using the Mondoo AWS integration.

Solution: You can now configure the Mondoo AWS integration to continuously scan your ECR and ECS infrastructure, providing security insight to your critical container infrastructure.

ECR &amp; ECS Scanning

New azure.subscription.aks.cluster resource​

Problem: You want to write policies to secure your Azure Kubernetes Service (AKS) clusters

Solution: A new azure.subscription.aks.cluster resource allows you to explore and secure the settings in your Kubernetes control plane.

To list all AKS clusters:

cnquery> azure.subscription.aks.clusters
azure.subscription.aks.clusters: [
0: azure.subscription.aksService.cluster name="aks-dev-cluster" location="westeurope"
]

To select particular properties for each cluster:

cnquery> azure.subscription.aks.clusters{name rbacEnabled kubernetesVersion powerState}
azure.subscription.aks.clusters: [
0: {
rbacEnabled: true
powerState: "Running"
kubernetesVersion: "1.24.9"
name: "aks-dev-cluster"
}
]

Detect and secure PLCnext programmable logic controllers​

Problem: You need to secure Phoenix PLCnext programmable logic controllers to protect your physical infrastructure.

Solution: cnspec and cnquery now detect Phoenix PLCnext PLCs, and we've introduced a new community Phoenix PLCnext Security Policy that includes 22 security guidelines based on recommendations from PLCnext community.

cnquery PLCnext platform output:

platform: {
name: "plcnext"
build: "d755854b5b21ecb8dca26b0a560e6842a0c638d7"
title: "PLCnext"
version: "23.0.0.65"
}

New aws.ssm resource​

Problem: You want to write policies to secure your AWS Systems Manager (SSM) instances.

Solution: A new aws.ssm resource allows you to explore and secure the settings in your AWS Systems Manager (SSM) infrastructure.

To query SSM data using cnquery:

cnquery> aws.ssm.instances { * }
aws.ssm.instances: [
0: {
arn: "arn:aws:ssm:us-east-1:185972261234:instance/i-0f58c727dc7ca1337"
platformName: "Microsoft Windows Server 2022 Datacenter"
ipAddress: "172.1.89.50"
instanceId: "i-0f58c727dc7ca1337"
region: "us-west-2"
pingStatus: "Online"
tags: {
Name: "test-win"
}
}
1: {
arn: "arn:aws:ssm:us-east-1:185972261234:instance/i-04680e19801302600"
platformName: "Amazon Linux"
ipAddress: "172.1.80.30"
instanceId: "i-04680e19801302600"
region: "us-west-2"
pingStatus: "Online"
tags: {
Name: "badssm"
}
}
...

Or write a query for a policy:

cnquery> aws.ssm.instances.all(pingStatus == "Online")
[ok] value: true

🧹 IMPROVEMENTS​

Better integrations navigation menu​

We received tons of great feedback on the new navigation menu we released last week with Mondoo 7.16. Many of you asked for a simpler integrations menu that better represented the integrations in your spaces. This week we reworked the integrations menu to only show the integrations you've already set up and to always include a link to add new integrations. Thank you, everyone, for all the great feedback.

Integrations

Input validation when setting up Azure and Microsoft 365 integrations​

Securing your cloud can be difficult, but Mondoo shouldn't be. We've added example text and input validation to the Azure and Microsoft 365 integration setup pages to ensure you set up integrations with the correct values.

Integration Validation

Immediately scan GCP, Azure, and Microsoft 365 after setup​

Our GCP, Azure, and Microsoft 365 integrations now start scanning your infrastructure after setup so you can see results in minutes.

Improved platform names and grouping for cloud & SaaS assets​

To make it easier to find your assets, we've renamed several platforms and added new groups in the fleet view. azure, slack, and okta assets are now azure-subscription, slack-team, and okta-org to better represent what they contain. The fleet view includes new Okta, Google Workspace, and Slack groups for filtering assets by SaaS service.

Fleet

Show asset advisory counts in CVE views​

CVE pages now show information on the asset score for each affected asset as well as the total number of advisories for each asset so you can better prioritize which assets to patch first.

CVE View

Deploy cnspec with Chef Infra​

The mondoo cookbook 0.5.0 is now available on Chef Supermarket. This updated release now configures systems to use the cnspec service. If your system was configured with the existing cookbook release, don't worry; this release will automatically update systems from the mondoo service to the cnspec service.

Improve Google Workspace command​

googleworkspace is a tricky one to read so we renamed the Google Workspace provider to google-workspace. Now you can scan Google Workspace with the cnspec scan google-workspace command. Don't worry though; the old command still works to maintain backwards compatibility for automation.

Identify scratch containers​

cnspec now detects the platform and architecture of containers built from scratch. Many projects, including Kubernetes, use scratch-built containers.

Scratch container

πŸ› BUG FIXES​

  • Allow showing asset utilization even if billing is not configured.
  • Improve the reliability of CIS GCP Foundation benchmark results.
  • Update help and errors for cnspec and cnquery Azure commands to make it more clear you can use both a .pfx and a .pem certificate file.
  • Fix parsing of certificate data on Linux with ports.listening resource.
  • Fix parsing of IPv6 data with the ports.listening resource.
  • Fix discovery of Google Workspace assets.
  • Fix a remediation step typo in the AWS Security by Mondoo policy.
  • Add a tooltip to the Get Support link in the navigation menu.
  • Fix links to ChatOps integrations in the navigation menu.
  • Fix errors running some Google Workspace resources.
  • Improve help for GitHub resources.
  • Improve the error message when Okta API requests fail.
  • Fix a cnspec panic when using the -o output reporter when all results produce an error.
  • Show errors when scanning systems with cnspec.
  • Show asset names with cnspec when using the -o report reporter.

Β· 6 min read

πŸ₯³ Mondoo 7.16 is out! This release includes new Azure, GCP, and Microsoft 365 integrations plus a whole new UI experience!​

Get this release: Installation Docs | Package Downloads | Docker Container


πŸŽ‰ NEW FEATURES​

New UI navigation experience​

Problem: There are many things you can do in the Mondoo console, but sometimes it's hard to find what you need.

Solution: We rebuilt the navigation in the Mondoo console from the ground up to make finding information and navigating your infrastructure easier. We replaced the top navigation tabs with a new navigation menu on the left side of the page. This menu includes frequently accessed sections of the UI that were previously tabs, such as Fleet, CI/CD, Integrations, and Policy Hub.

New UI

Sub-items in the menu make it easier to find what you're looking for without having to navigate through multiple pages. For example to view Kubernetes integrations you can select Integrations -> Kubernetes in the menu instead of loading the Integrations page and then selecting Kubernetes. This new menu also includes quick access to the Mondoo Vulnerability Database, which was previously buried deep in the Policy Hub. If you're thinking "I didn't know there was a Mondoo Vulnerability Database," well, that's why we have new menu.

Mondoo Vulnerability Database

We have plenty more planned to fill out this new navigation menu, so stay tuned for new releases.

New GCP, Azure, and Microsoft 365 integrations​

Problem: You need to continuously assess the security of all your cloud and SaaS resources.

Solution: You can now configure continuous scanning of GCP, Azure, and even Microsoft 365 services through the Mondoo console. There's no need to download an agent or deploy any code into your infrastructure. Configure ready-only service credentials in the Mondoo console and let Mondoo do the rest.

New Integrations Page

Manage vault secrets data with cnspec and cnquery​

Problem: You want to use a Mondoo inventory file to scan multiple assets, but you also need to securely store any required secrets.

Solution: cnspec and cnquery now include the ability to manage secrets data in vaults directly using the command line.

Given an existing Mondoo inventory file:

kind: Inventory
spec:
assets:
- id: 34.122.119.102
connections:
- host: 34.122.119.102
backend: ssh
credentials:
- type: password
user: chris
password: mypwd

You can use this inventory file to scan all defined assets:

cnspec scan --inventory-file inventory.yml

To securely store the secrets in this vault, you can define a keychain vault:

cnspec vault set mondoo-client-vault --type keyring
β†’ set new vault configuration name=mondoo-client-vault
β†’ stored vault configuration successfully

Then confirm that the vault is configured with the vault list command:

cnspec vault list
vault : mondoo-client-vault (keyring)

Next, add your secret to the keychain vault with the vault add-secret command:

cnspec vault add-secret mondoo-client-vault my-linux-user-secret '{ "user": "chris", "type": "password", "password: mypwd" }'

Now, you can reference the secret from the vault in your inventory:

kind: Inventory
spec:
assets:
- id: 34.122.119.102
connections:
- host: 34.122.119.102
backend: ssh
credentials:
- secret_id: my-linux-user-secret
vault:
name: mondoo-client-vault
type: keyring

Re-run the scan, and you will see that the secret was picked up:

cnspec scan --inventory-file inventory.yml

New AWS MQL resources​

Problem: You want to write policies to secure your Amazon ECR images and Amazon CloudFront distributions.

Solution: Mondoo now includes new resources for Amazon ECR and CloudFront so you can explore and secure even more of your Amazon infrastructure using MQL.

Querying ECR images:

cnquery> aws.ecr.images { * }
aws.ecr.images: [
0: {
registryId: "172746783610"
tags: [
0: "latest"
]
digest: "sha256:0c78b32ef7f3b41e3ed3115488d64a6faf7a3cdade2a5eb720092b6e8e0a88ca"
repoName: "vjtestpriv"
mediaType: "application/vnd.docker.distribution.manifest.v2+json"
}
]
cnquery> aws.ecr.publicRepositories { * }
aws.ecr.publicRepositories: []
cnquery> aws.ecr.privateRepositories { * }
aws.ecr.privateRepositories: [
0: {
uri: "172746783610.dkr.ecr.us-east-1.amazonaws.com/vjtestpriv"
public: false
region: "us-east-1"
registryId: "172746783610"
name: "vjtestpriv"
arn: "arn:aws:ecr:us-east-1:172746783610:repository/vjtestpriv"
images: [
0: aws.ecr.image id = vjtestpriv/sha256:0c78b32ef7f3b41e3ed3115488d64a6faf7a3cdade2a5eb720092b6e8e0a88ca
]
}
]

Querying CloudFront distributions and functions:

cnquery> aws.cloudfront { distributions { *} functions { * } }
aws.cloudfront: {
distributions: [
0: {
origins: [
0: aws.cloudfront.distribution.origin id = 185972265011/test-1be01d1424077260.elb.us-east-1.amazonaws.com
]
status: "Deployed"
cacheBehaviors: []
domainName: "d1w4eig1i8et92.cloudfront.net"
arn: "arn:aws:cloudfront::185972265011:distribution/E3J92HBG5Z8S6Q"
defaultCacheBehavior: {
AllowedMethods: {
CachedMethods: {
Items: [
0: "HEAD"
1: "GET"
]
Quantity: 2.000000
}
Items: [
0: "HEAD"
1: "GET"
]
Quantity: 2.000000
}
CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
Compress: true
DefaultTTL: null
FieldLevelEncryptionId: ""
ForwardedValues: null
FunctionAssociations: {
Items: null
Quantity: 0.000000
}
LambdaFunctionAssociations: {
Items: null
Quantity: 0.000000
}
MaxTTL: null
MinTTL: null
OriginRequestPolicyId: null
RealtimeLogConfigArn: null
ResponseHeadersPolicyId: null
SmoothStreaming: false
TargetOriginId: "test-1be01d1424077260.elb.us-east-1.amazonaws.com"
TrustedKeyGroups: {
Enabled: false
Items: null
Quantity: 0.000000
}
TrustedSigners: {
Enabled: false
Items: null
Quantity: 0.000000
}
ViewerProtocolPolicy: "allow-all"
}
}
]
functions: [
0: {
status: ""
arn: "arn:aws:cloudfront:global:185972265011::/functions/vjtest"
comment: ""
stage: "DEVELOPMENT"
name: "vjtest"
runtime: "cloudfront-js-1.0"
lastModifiedTime: "2023-01-29T21:07:01Z"
createdTime: "2023-01-29T21:07:01Z"
}
]
}

GitHub Repository Best Practices policy​

Problem: You want to see the state of your GitHub repositories, including both security and best practices violations.

Solution: We split out non-security checks in the GitHub Repository Security by Mondoo policy into a new policy, GitHub Repository Best Practices by Mondoo, so you can report security and best practices issues independently from one another. We've also added a new query to the GitHub Repository Security by Mondoo policy to ensure repositories are configured to use Dependabot to report available updates for package management lock files, GitHub Actions, or Docker base images.

New Policy

🧹 IMPROVEMENTS​

Terraform configs now scan as terraform-hcl platform​

It isn't always clear that the terraform platform in fleet view was Terraform HCL configuration files, so we've renamed the terraform platform to terraform-hcl. Existing assets will continue to scan and display as terraform until scanned with an updated client.

Add publicAccessPrevention to gcp.storage.buckets resource​

The gcp.storage.buckets resource now includes publicAccessPrevention data. Here's an example of querying this data out for all buckets in a project:

gcp.storage.buckets { iamConfiguration['publicAccessPrevention'] }
gcp.storage.buckets: [
0: {
iamConfiguration[publicAccessPrevention]: "inherited"
}
1: {
iamConfiguration[publicAccessPrevention]: "inherited"
}
2: {
iamConfiguration[publicAccessPrevention]: "inherited"
}
3: {
iamConfiguration[publicAccessPrevention]: "inherited"
}
]

πŸ› BUG FIXES​

  • The + button on the Managed Clients page now properly links to "Server & Endpoint Security" integrations.
  • The platform column in the Managed Clients page now displays platform values
  • Notification bell now indicates the number of unread notifications.
  • Update several integration logos to use high-resolution logos for retina displays.
  • Update integration pages with more consistent headers.
  • Handle errors when setting up integrations.
  • Add back the missing link to documentation on the Kubernetes integration page.
  • Change all references to Amazon AWS to be just AWS. No ATM machines here!
  • Fix the AWS Integration counts on the overview page not always matching actual counts.
  • Improve reliability of results in the CIS Microsoft Azure Foundations and CIS GCP Foundations policies
  • Don't mention the legacy Library name in the Mondoo Vulnerability Database
  • Update VMware examples in the console to use cnspec

Β· 4 min read

πŸ₯³ Mondoo 7.15 is out! This release includes CSV output support, a new GCP CIS policy, and UI improvements!​

Get this release: Installation Docs | Package Downloads | Docker Container


πŸŽ‰ NEW FEATURES​

CSV output format for cnquery​

Problem: You want to export cnquery results to a spreadsheet for analysis.

Solution: The cnquery CLI can now produce CSV output on the CLI for integration spreadsheet apps or other systems that parse CSV input.

cnquery scan docker debian:11 --output csv > report.csv

CSV output in spreadsheet

Terraform in the Fleet view​

Problem: You want to use cnspec to secure your Terraform code, but it's hard to find Terraform code results when they show up as uncategorized assets.

Solution: A new Terraform section in the Fleet view makes it easy to find all your Terraform scans in one place.

Terraform in the console

🧹 IMPROVEMENTS​

Only show applicable controls in the console​

Controls that are cnspec automatically skipped are no longer shown as disabled in the Mondoo console. Depending on the policy and infrastructure scanned, there could be several dozen controls that cnspec skipped automatically. This new behavior simplifies the asset controls view and makes it more clear which controls ran and which you disabled.

Improved CLI scanning UX​

After launching our updated CLI UX last week, we got loads of great feedback from the community on how we could continue to improve the experience. This week we shipped several improvements to make it easier to read the scan output and to improve the experience when scans fail.

Updated CLI scan behavior

Org names in shared space titles​

Differentiating between shared spaces can be difficult if the space names are the same. Shared spaces now include the org and space name, so you can better tell spaces apart.

Shared Spaces with Org names

Updated GCP CIS policy​

Mondoo now includes the latest CIS Google Cloud Platform Foundation Benchmark policy version 2.0.0. This updated policy uses the latest new resources shipped with the latest versions of cnspec. It includes many new queries as well as audit and remediation steps for all queries.

Install cnspec using Ansible​

The Mondoo Ansible role has been updated to make deploying and migrating to cnspec at scale easier. This updated role deploys cnspec and cnquery to new systems and upgrades existing installations to use cnspec and cnquery. Just run this role against systems, and you'll automatically have the latest cnspec release running as a service.

πŸ› BUG FIXES​

  • Enable the Mondoo install script to handle GPG key updates to package repositories to prevent update failures
  • Improve the error message when an incorrect repository is passed to scan github repo
  • Fix a race condition in the cnspec/cnquery scan progress bars
  • Print status of assets that can't be scanned in the progress bars
  • Expose the actual error from GCP when unable to connect to resources
  • Remove an extra warning that was incorrectly printed while scanning Terraform configs
  • Ignore Terraform content in the .terraform directory
  • Properly display policies in Policy Hub that have zero queries
  • Fix links to integration pages from the Service Accounts
  • Improve reliability in some Azure CIS Foundation policy queries
  • Improve the reliability of Kubernetes status in the Kubernetes integration pages
  • Operating system integration pages no longer mention the setup of Mondoo Client
  • Kubernetes Integration page once again enables workload scanning by default
  • Mondoo GitHub action supports scanning GitHub organizations again
  • Fix MQL queries hanging with aliased and direct resource in the same policy
  • Show the scan trigger button on the AWS integrations when they are in an errored state
  • Only call the Google Cloud CLI when scanning GCP if neither project or project-id were provided
  • Fix errors using the gcp.project.gkeService when a GKE cluster hasn't finished provisioning
  • Fix failures when scanning GCP storage buckets
  • Add projectID to many GCP resources so asset relationships can be determined
  • Deprecate the zone value for GKE clusters in favor of a new location value

Β· 7 min read

πŸ₯³ Mondoo 7.14 is out! This release includes expanded GitHub support, new GCP resources, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


πŸŽ‰ NEW FEATURES​

Dive deeper into GitHub​

Problem: You need out-of-the-box functionality to help you secure your GitHub organization, repositories, and users.

Solution: We've been busy improving nearly every aspect of the GitHub experience with cnspec, making it easier to apply out-of-the-box policy to secure your GitHub infrastructure and providing the resources and UI experience you need to create custom policies.

The GitHub Organization Security by Mondoo policy has been rewritten from the ground up to focus on critical security settings in your organization and repository. Existing queries focused on open source repository best practices have been removed and replaced with additional security queries to ensure settings like important branch protections are in place.

While building out this updates policy, we realized the various GitHub resources were missing important data necessary to write our out of the box policy and custom policies for your organizations. We made the following changes to improve the GitHub resources:

  • github.repository resources now support repository stargazer counts, repo fork resolution, and support for repository issues.
  • github.organization resource now includes avatar, followers and following data
  • github.user resource is greatly expanded to help examine user accounts
  • github.organization and github.user now support collecting information on gists

Finally, we improved the cnquery to make exploring your GitHub infrastructure easier. The cnquery shell github command now shows a list of repositories to examine, making it easier to find the repository you want to explore. We also added a new cnquery shell github user command allows you to examine details on GitHub users using the expanded github.user resource.

Shell GitHub Repository Selection

New and updated GCP Resources​

Problem: You want to explore and secure your GCP projects using cnquery and cnspec.

Solution: cnquery and cnspec now include new and improved resources for exploring and securing GCP services:

  • New gcp.project.compute.backendServices resource
  • New gcp.project.monitoring.alertPolicies resource
  • Add access data to gcp.project.bigquery.datasets resource
  • Add accessApprovalSettings data to gcp.organizations and gcp.projects resources
  • Add cryptokeys data to gcp.project.kms.keyrings resource
  • Add network data to gcp.project.dns.policies resource
  • Add storageBucket data to gcp.project.logging.sinks resource
  • Add retentionPolicy data to gcp.project.storage.buckets resource
  • Fix errors when using gcp.project.kms when key status is not available
  • Rename gcp.storage resource to gcp.project.storage

Updated Azure CIS Policy​

Problem: You need CIS policies to keep your Azure subscriptions secure and compliant.

Solution: Mondoo now includes the latest CIS Microsoft Azure Foundations Benchmark version to 1.5.0. This updated policy utilizes the latest new resources shipped with the latest versions of cnspec and includes many new queries as well as audit and remediation steps for all queries.

Store GCP service account in an inventory file vault​

Problem: You want to use an inventory file to store a set of GCP assets to scan, but you don't want to insecurely store credentials in the yaml config.

Solution: You can now store your GCP service account data in a secure inventory vault so you can share inventory files without worrying about credentials. This example inventory file stores the credentials used to access GCP infrastructure using the GCP Berglas project.

apiVersion: v1
kind: Inventory
metadata:
name: inventory
spec:
assets:
- name: cool-stuff
connections:
- backend: 13
credentials:
- secret_id: storage/random-bucket2/foo
type: 1
secret_encoding: 3
options:
discover:
targets:
- auto
vault:
name: gcp-berglas
type: gcp-berglas
options:
project_id: mondoo-dev-262313

You can then run this inventory on the CLI without passing credentials on the CLI or within env vars:

cnquery scan --inventory-file inv.yaml

Junit output format for cnspec​

Problem: You want to run cnspec in your CI pipelines, but the output is hard to understand.

Solution: The cnspec CLI can now produce JUnit output on the CLI for integration with popular CI/CD platforms such as Jenkins or GitLab:

cnspec scan docker debian:10 --output junit > report.junit
<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
<testsuite name="Policy Report for debian:10@edcf96f9d9d9" tests="85" failures="43" errors="0" id="0" time="">
<testcase name="Ensure auditd is installed" classname="score">
<failure message="results do not match" type="fail"></failure>
</testcase>
<testcase name="Ensure no duplicate UIDs exist" classname="score"></testcase>
<testcase name="Ensure root group is empty" classname="score"></testcase>
<testcase name="Ensure no duplicate group names exist" classname="score"></testcase>
<testcase name="Ensure source routed packets are not accepted" classname="score">
<failure message="results do not match" type="fail"></failure>
</testcase>
...
<testcase name="Ensure login and logout events are collected" classname="score">
<failure message="results do not match" type="fail"></failure>
</testcase>
</testsuite>
</testsuites>

Multi-Role service accounts​

Problem: You need to set additional permissions for your service accounts, but you don't want to give unnecessary permissions by using the owner role.

Solution: You can now assign more than one role to a service account in the console to provide more fine grained permissions for service accounts. To set permissions on a service account select the Settings tab, select Service Accounts, select the account you wish to edit, and then select the Permissions button.

Permissions selection modal

Trigger AWS integration scans directly in the console​

Problem: Hassle free continuous scanning of your AWS accounts is great, but sometimes you need to trigger a scan to evaluate the current security state.

Solution: Now you can trigger a one time scan of your AWS account in the AWS Integration page.

Scan Now in AWS

Filter namespaces to scan in the Kubernetes Operator​

Problem: Different teams are responsible for different parts of a Kubernetes cluster and you need to control which namespaces the Mondoo Kubernetes Operator scans.

Solution: Mondoo now gives you more control over which namespaces are scanned by the Kubernetes Operator. Scan all namespaces, scan all namespaces except a list of specific namespaces, or take full control and only scan specified namespaces.

Namespace Filtering

🧹 IMPROVEMENTS​

Improved multi-asset scanning CLI​

We've reworked how progress bars behave when scanning complex, multi-asset infrastructure such as Kubernetes systems. The new progress bar format will allow you to see better what is currently scanning and the total progress for the cluster scan.

CLI Scan

AWS integrations show asset counts​

The AWS integration pages now show the total number of assets at the top of the page, similar to other integration pages.

AWS Integration

πŸ› BUG FIXES​

  • Fix an issue where the fallback to ssh-agent authentication was not working properly
  • Improve client setup instructions in the console to resolve failures
  • Simplify the workstation setup instructions
  • Update Packer integration instructions to use cnspec and the latest Mondoo packer plugin
  • Update long-lived token instructions to use cnspec
  • Make sure that query result data displays in the console scan results
  • Improve the reliability of Kubernetes integration status data in the console
  • Fix the loading of inventory files when cnspec is running in serve mode
  • Fix BSI/CIS/Mondoo Windows policies to account for users on a system that have not yet logged in
  • Improve remediation steps in Mondoo and CIS policies
  • Resolves slow loading times on the integrations tab
  • Fix vendor specific icons not always displaying for policies in Policy Hub
  • Add alias for mondoo login to the existing mondoo register command so that cnspec and mondoo commands match

Β· 3 min read

πŸ₯³ Mondoo 7.13 is out! This release includes new GCP and Azure resources and cnspec as a service!​

Get this release: Installation Docs | Package Downloads | Docker Container


πŸŽ‰ FEATURES​

New OpenPGP resource​

Problem You want to validate that OpenPGP keys for YUM or APT repositories have not expired.

Solution You can now use new OpenPGP resources to validate that repository signatures are still valid.

cnquery>  parse.openpgp(path: "./expires.asc").all( identities.all( signatures.all( keyExpiresIn.days > 30 )))
[ok] value: true

Inspect OpenPGP keys with the following MQL query:

parse.openpgp(path: "./expires.asc")  {
primaryPublicKey { * }
identities {
id
signatures { * }
}
}

Result from cnquery

cnquery> parse.openpgp(path: "./expires.asc")  { primaryPublicKey { * } identities { id signatures { * }  } }
parse.openpgp.list: [
0: {
primaryPublicKey: {
id: "7312FA356E7DB13F"
bitLength: 4096
version: 4
fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
keyAlgorithm: "rsa"
creationTime: 2023-01-14 17:24:58 +0100 CET
}
identities: [
0: {
id: "Test Expiration <test2@example.com>"
signatures: [
0: {
keyAlgorithm: "rsa"
version: 4
keyExpiresIn: 363 days 23 hours 43 minutes 5 seconds
identityName: "Test Expiration <test2@example.com>"
signatureType: "positive_cert"
hash: "SHA-256"
creationTime: 2023-01-14 17:24:58 +0100 CET
lifetimeSecs: -1
expiresIn: null
fingerprint: "07a453f8aea248e1e9b8eae27312fa356e7db13f"
keyLifetimeSecs: 31449568
}
]
}
]
}
]

New GCP and Azure resources​

Problem: You want to explore and secure your GCP and Azure cloud accounts using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP and Azure cloud services:

  • NEW azure.cloudDefender.defenderForContainers resource
  • NEW azure.cloudDefender.defenderForServers resource
  • NEW azure.resourceGroups resource
  • NEW gcp.project.cloudFunctions resource
  • NEW gcp.project.cloudRun resource
  • NEW gcp.project.dataproc.clusters resource
  • NEW gcp.project.iam.serviceAccounts resource
  • gcp.bigquery is now gcp.project.bigquery
  • gcp.compute is now gcp.project.compute
  • gcp.dns is now gcp.project.dns
  • gcp.project.compute.networks now includes subnetworks data
  • gcp.project.compute.instances now includes confidentialInstanceConfig data
  • gcp.project.dns.managedZones now includes dnssecConfig data
  • gcp.project.kms.keyrings { cryptokeys { * } } now includes created, nextRotation, rotationPeriod, versionTemplate, labels, importOnly, destroyScheduledDuration, and cryptoKeyBackend data
  • gcp.project now includes commonInstanceMetadata data

See the full documentation for all GCP resources in our GCP Resource Pack docs and Azure Resource Pack docs.

Run cnspec as a service​

Problem You want to move from the existing Mondoo Client to the new and expanded cnspec client to scan your servers, but cnspec can't run as a service

Solution You can now run cnspec as a service to continuously scan servers and workstations. cnspec is our next-generation open source client with capabilities not found in the existing Mondoo command line interface (Mondoo Client). We highly recommend that you migrate your system to use this new and improved client as we begin the process of deprecating Mondoo Client.

Learn about cnspec ->

Install cnspec ->

After deploying the cnspec package to your systems, you can migrate to the cnspec service with the following commands on systemd-based Linux hosts:

systemctl stop mondoo.service
systemctl disable mondoo.service
systemctl enable cnspec.service
systemctl start cnspec.service

πŸ› BUG FIXES​

  • Ensure that gcp.project.bigquery resource IDs are always unique.
  • Change the default values in github.repository from id to fullName to make it easier to find repositories.
  • Print labels when running MQL queries that use variables inside blocks.
  • Show an error instead of crashing if the config file contains malformed keys.
  • Avoid a potential crash when running cnspec login on a fresh installation.

Β· 7 min read

πŸ₯³ Mondoo 7.12 is out! This release includes new GCP/Azure resources, New/Updated CIS Policies, AWS ECS scanning, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


πŸŽ‰ FEATURES​

New GCP and Azure resources​

Problem: You want to explore and secure your GCP and Azure cloud accounts using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP and Azure cloud services:

  • NEW azure.cloudDefender resource
  • NEW azure.sql.server.vulnerabilityassessment resource
  • NEW azure.authorization.roleDefinition resource
  • NEW azure.mysql.flexibleServer resource
  • NEW azure.storage.account.queueService.properties resource
  • NEW azure.storage.account.blobService.properties resource
  • NEW azure.storage.account.tableService.properties resource
  • NEW azure.storage.account.dataProtection resource
  • NEW azure.network.watcher.flowlog resource
  • NEW azure.monitor.diagnosticSettings resource
  • NEW azure.monitor.activitylog resource
  • NEW gcp.project.apiKeys resource
  • NEW gcp.project.essentialContacts resource
  • NEW gcp.project.logging resource
  • NEW gcp.project.sql resource
  • gcp.compute.firewall now includes allowed and denied data
  • gcp.compute.network now includes mode data
  • gcp.project.clusters moved to gcp.project.gke.clusters

See the full documentation for all GCP resources in our GCP Resource Pack docs and Azure Resource Pack docs.

New and updated CIS policies​

Problem: Your infrastructure is complex, with an ever growing number of operating systems you need to secure.

Solution: Mondoo now includes the latest macOS and Linux CIS policies with new policies for the latest OS releases.

New CIS policies:

  • CIS Red Hat Enterprise Linux 9 Benchmark 9 1.0
  • CIS AlmaLinux OS 9 Benchmark 1.0
  • CIS Rocky Linux 9 Benchmark 1.0
  • CIS Oracle Linux 9 Benchmark 1.0
  • CIS Apple macOS 13.0 Ventura Benchmark 1.0.0

Updated CIS policies:

  • CIS CentOS Linux 8 Benchmark updated from 1.0.1 to 2.0.0
  • CIS Oracle Linux 8 Benchmark updated from 1.0.1 to 2.0.0
  • CIS SUSE Linux Enterprise 11 Benchmark updated from 2.0.0 to 2.1.1
  • CIS Apple macOS 10.15 Catalina Benchmark updated from 2.1.0 to 3.0.0
  • CIS Apple macOS 11.0 Big Sur Benchmark updated from 2.1.0 to 3.0.0
  • CIS Apple macOS 12.0 Monterey updated from 1.1.0 to 2.0.0

AWS ECS container scanning​

You can now scan all AWS ECS containers when scanning your AWS account with a new --discover flag option, ecs. Use this flag with cnquery and cnspec to explore and secure ECS containers in your infrastructure.

Scan ECS Containers on the CLI

Multiple login methods in the Mondoo Console​

Problem: You signed up with your email account, and now you want to sign in with your Google, Microsoft, or GitHub login.

Solution: You can now add multiple authentication methods to your Mondoo Platform account, so you can log in with any combination of email, Microsoft, Google, or GitHub accounts.

To change your login method:

  1. In the top-right corner of the Mondoo Console, select your user icon.
  2. Select User Settings.
  3. In the left navigation, select Security. Under Connected Accounts, you can connect and disconnect accounts to update your login methods.

Managing Connected Accounts

New scan summaries for multiple asset scans​

Problem: cnspec scan output gives you quick insight into the security posture of assets. However, when scanning complex systems like Kubernetes clusters with hundreds or thousands of assets, there is often too much data to consume.

Solution: We've developed an all-new summary view for asset scans that allows you to more easily understand the security posture of complex systems like Kubernetes in cnspec.

An example scan of a small Kubernetes cluster:

Scanned 29 assets

Debian GNU/Linux 9 (stretch)
F index.docker.io/library/nginx@f7988fb6c02e
F index.docker.io/library/postgres@3f4441460029

Distroless
B registry.k8s.io/etcd@6f72b8515449
B registry.k8s.io/kube-apiserver@4188262a351f
B registry.k8s.io/kube-controller-manager@d3a06262256f
B registry.k8s.io/kube-proxy@6bf25f038543
B registry.k8s.io/kube-scheduler@f478aa916568

Kubernetes Cluster
F K8s Cluster minikube

Kubernetes DaemonSet
D kube-system/kube-proxy

Kubernetes Deployment
C kube-system/coredns
D luna/luna-frontend
D luna/postgres

Kubernetes Pod
C kube-system/coredns-565d847f94-b4pcx
C kube-system/etcd-minikube
D kube-system/kube-apiserver-minikube
D kube-system/kube-controller-manager-minikube
D kube-system/kube-proxy-bqthk
D kube-system/kube-scheduler-minikube
D kube-system/storage-provisioner
D luna/luna-frontend-7fb96c846b-jjnhz
D luna/luna-frontend-7fb96c846b-tmg95
D luna/luna-frontend-7fb96c846b-xrl6c
D luna/postgres-5bb9d69b96-d9zzg

Kubernetes ReplicaSet
C kube-system/coredns-565d847f94
D luna/luna-frontend-7fb96c846b
D luna/postgres-5bb9d69b96
D luna/postgres-655d75f54b

scratch
U gcr.io/k8s-minikube/storage-provisioner@18eb69d1418e
U registry.k8s.io/coredns/coredns@8e352a029d30

Summary
=======

Score Distribution Asset Distribution
------------------ ------------------
A 0 assets Kubernetes ReplicaSet 4
B 5 assets Kubernetes Pod 11
C 4 assets Kubernetes DaemonSet 1
D 15 assets Distroless 5
F 3 assets Kubernetes Cluster 1
U 2 assets scratch 2
Debian GNU/Linux 9 (stretch) 2
Kubernetes Deployment 3

For detailed output, run this scan with "-o full".

See more scan results and asset relationships on the Mondoo Console: https://console.mondoo.com/space/fleet?spaceId=lunalectric-prod-eks

Iterating over keys and values​

MQL already supports accessing keys and values via key and value in maps:

> sshd.config.params.where( key == /p/ )
sshd.config.params.where: {
ChallengeResponseAuthentication: "no"
Ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
}

We've extended this support to include parsed JSON and YAML structures:

> parse.json("my.json").params.where( value == 1 )
parse.json.params.where: {
apples: 1.000000
oranges: 1.000000
}

You can use these structures to quickly filter maps via key and value or to make assertions. For example you can ensure that certain keys exist:

> parse.json("my.json").params.where( key == /or/ )
parse.json.params.where: {
"hawthorn berries": 16.000000
oranges: 1.000000
}

🧹 IMPROVEMENTS​

Asset counts on integration tiles​

Integration tiles in the integration tab now show a summary of discovered assets, applied policies, and total applied controls. Now you can more easily see where assets are discovered.

Integration Summary

Detect missing asset filters in cnspec bundle lint​

cnspec bundle lint now includes a new check to ensure the policy's spec section includes an asset filter. This new check raises an error for policies that have no asset filter defined:

policies:
- uid: mondoo-azure-security
name: Microsoft Azure Security by Mondoo
version: 1.0.0
specs:
- scoring_queries:
mondoo-azure-security-ensure-os-disk-are-encrypted: null
mondoo-azure-security-ssh-access-restricted-from-internet: null

The policy should be updated with an asset filter like this:

policies:
- uid: mondoo-azure-security
name: Microsoft Azure Security by Mondoo
version: 1.0.0
specs:
- asset_filter:
query: |
platform.name == "azure"
platform.kind == "api"
scoring_queries:
mondoo-azure-security-ensure-os-disk-are-encrypted: null
mondoo-azure-security-ssh-access-restricted-from-internet: null

Expanded vault support for storing secrets​

cnquery and cnspec now have expanded vault support for short-term secret storage when using inventory files. You can now store secrets with an in-memory vault or using GCP KMS encryption and GCP Cloud Storage through the Berglas project.

Example inventory file storing secrets with gcp-berglas:

apiVersion: v1
kind: Inventory
metadata:
name: inventory
spec:
assets:
- name: cool-stuff
connections:
- backend: 0
credentials:
- secret_id: storage/my-secrets/secret
type: 1
secret_encoding: 3
options:
discover:
targets:
- all
vault:
name: gcp-berglas
type: gcp-berglas
options:
project_id: id

Fine-grained control over Azure subscription scanning​

You can now control particular Azure subscriptions to include or exclude during scans with new --subscriptions and --subscriptions-exclude flags. You can use these new flags to control which subscriptions you want to inspect. For example, to run the cnquery shell on all subscriptions except for two, you can exclude those subscriptions explicitly: cnquery shell azure --subscriptions-exclude=984df67f-fc2e-4ebf-80a2-1234567891011,1e829eb0-e6a3-4c7b-8212-1234567891011

πŸ› BUG FIXES​

  • Show better results for failures in the Google Cloud (GCP) Security by Mondoo policy.
  • Only check SSH server configuration when the SSH server is installed in the Linux Server Security by Mondoo. Thanks. @stdevel!
  • Avoid failures when the Kubernetes Ingress has no certificates.
  • Fix queries in Linux Workstation Security by Mondoo, BSI SYS.1.2 Windows Server, and Amazon Web Services (AWS) Operational Best Practices, CIS Distribution Independent Linux Benchmark, and CIS VMware ESXi 6.7 Benchmark policies that were not executing.
  • Don't show a policy lint error if the policy spec has either scoring queries or data queries attached.
  • Improve reliability when scanning instances using SSM in cnquery, cnspec, and the Mondoo AWS Integration.
  • Better describe when a directory of Terraform or Kubernetes files is scanned.
  • Improve reliability in MQL queries that execute commands concurrently.
  • Don't silently fail to run the socketstats resource when it's not supported.
  • Improve the reliability of scanning ECR images.