

🥳 Mondoo 6.0 is out.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


We have just hit a major milestone: Mondoo's 6.0 release! This version includes many changes we're eager to share with you.

Most of these changes have been available for a while, hidden behind feature flags and CLI options. This release changes the defaults to make them available to everyone.

Is it difficult to upgrade?

Not at all! We have kept most things backwards-compatible with v5. In most cases you should only see a few deprecation warnings asking you to use new CLI options. The few breaking changes are outlined below.

Breaking changes

  • mondoo scan now exits with code 0 whenever the scan executes successfully. Previously we used non-zero exit codes when a scan didn't achieve a perfect score. This makes it easier to use Mondoo in CI/CD pipelines; to fail a pipeline on a low score, use --score-threshold. See [the section on exit codes] below.
  • mondoo scan without additional arguments no longer automatically scans your local system. We changed this to prevent you from accidentally scanning your local OS. Run mondoo scan local to scan your local system. Check out the new [scan providers] for more targets below.
  • The default CLI reporter has changed to compact mode, which doesn't rely on pagination and prints a much shorter summary. See [CLI reports] for more information.
  • When you run mondoo scan with a --policy-bundle, --incognito is now used by default (results stay local and are not sent to Mondoo Platform) instead of printing an error and aborting.

Deprecations

All deprecations will be supported throughout the lifetime of Mondoo v6. We will remove them when we release Mondoo v7.

  • The -t and --connection options for mondoo scan, mondoo exec and mondoo shell have been deprecated. Please use [scan providers] instead.
  • The --exit-0-on-success option has been deprecated and is the new default. Feel free to remove it. See [the section on exit codes].

🎉 FEATURES

CLI scan providers

Problem: Mondoo can scan many different targets, from your local machine, to remote machines via SSH or WinRM, to cloud systems like AWS or Azure, and even arbitrary APIs. These were specified via the --connection or -t option in the CLI. Unfortunately, that option was difficult to use effectively, partly because of the wide range of targets and parameters it had to support.

Solution: We are providing a new way to target assets with this release. The scan command has changed from:

mondoo scan -t <schema>://<options>
mondoo scan --connection <schema>://<options>

to

mondoo scan <provider>

To access a list of all available providers, type:

mondoo scan -h
Usage:
mondoo scan [flags]
mondoo scan [command]

Available commands:
arista Scan an Arista endpoint
aws Scan an AWS account or instance
azure Scan a Microsoft Azure account or instance
container Scan a container, an image, or a registry
docker Scan a Docker container or image
gcp Scan a Google Cloud Platform (GCP) account
github Scan a GitHub organization
gitlab Scan a GitLab group
host Scan a host endpoint
k8s Scan a Kubernetes cluster
local Scan a local target
mock Scan a mock target (a simulated asset)
ms365 Scan a MS365 endpoint
ssh Scan a SSH target
terraform Scan all Terraform files in a path (.tf files)
vagrant Scan a Vagrant host
vsphere Scan a VMware vSphere API endpoint
winrm Scan a WinRM target

You can find more information on every provider with the -h or --help option. For example:

mondoo scan container -h

Here are a few more examples of mondoo scan with different providers:

mondoo scan local
mondoo scan ssh user@host
mondoo scan container b62b
mondoo scan container image ubuntu:20.04
mondoo scan aws

CLI reports overhaul

Problem: The default CLI reports used a lot of screen space to convey their findings. They also printed from top to bottom, with a summary and a lot of information below, which forced us to default to pagination for these reports to avoid scrolling. These reports are helpful for security audits, but they didn’t help most other CLI users.

Solution: We have designed a new report whose primary audience is developers and operations engineers. It prints the list of controls and data queries first, then vulnerabilities, and finishes with a short summary. Pagination is off. The default report is also much more compact:

mondoo scan local
# OR
mondoo scan local -o compact

To get more information about individual controls, use the full formatter:

mondoo scan local -o full

Here is an example of compact (left) versus full (right) output side-by-side for the same scan:

Mondoo6 Compact vs Full Output

You can access the auditor- and security-centric report via -o report. This was the default output before v6.

You can list all output formats:

mondoo scan -o help
Available output formats: junit, compact, full, report, json, csv, yaml

Exit codes and score thresholds

Problem: Whenever Mondoo scans ran in CI/CD pipelines, they finished with a non-zero exit code unless they had a perfect score (an A+ with a score of 100). This caused the pipeline to fail, even over minor issues.

We had previously introduced the --exit-0-on-success option to address this use case. It changed the behavior to always finish with an exit code of 0 whenever the scan was successful, even if it produced an F.

While this remedied the original problem of failing pipeline runs, it didn't help users who wanted to fail their builds when certain conditions were met. That was technically possible, by knowing all the exit codes mondoo scan could generate, but it was impractical and hard to use.

Solution: Mondoo scans now always return an exit code of 0 by default when a scan is successful. Both As and Fs show a successful run.

With the previously introduced --score-threshold option you can change this behavior to fail the execution (exit code 1) whenever the score falls below the threshold. For example, this command fails every scan that results in an F, that is, a score below 10:

mondoo scan … --score-threshold 10
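As an added example (this is not code from the Mondoo release or project), here is a small POSIX shell wrapper that turns the new exit-code behavior into a CI gate. It assumes the mondoo binary is on PATH (override with MONDOO_BIN), that --score-threshold can follow the provider subcommand as in the command above, and that any exit code other than 0 or 1 means the scan itself did not complete (bad credentials, unreachable target). That last point is an assumption, not something these release notes state; the wrapper treats such exits as errors so that a broken scan is never mistaken for a passing one.

```shell
#!/bin/sh
# Added example: gate a CI job on a Mondoo scan score.
# Assumptions (not from the release notes): "mondoo" is on PATH unless
# MONDOO_BIN overrides it, and exit codes other than 0 and 1 mean the scan
# did not run to completion rather than that the score was low.

MONDOO_BIN="${MONDOO_BIN:-mondoo}"

# classify_scan_exit CODE
# Maps a mondoo scan exit code to one of: pass, threshold, error.
# With v6 defaults, 0 means "scan completed" regardless of grade; 1 is only
# produced when --score-threshold was given and the score fell below it.
classify_scan_exit() {
  case "$1" in
    0) echo pass ;;
    1) echo threshold ;;
    *) echo error ;;
  esac
}

# mondoo_gate THRESHOLD PROVIDER [PROVIDER_ARGS...]
# Runs the scan with a score threshold and returns:
#   0 - scan completed and the score is at or above THRESHOLD
#   1 - scan completed but the score is below THRESHOLD
#   2 - scan did not complete; never treated as a pass
mondoo_gate() {
  threshold="$1"
  shift
  "$MONDOO_BIN" scan "$@" --score-threshold "$threshold" -o compact
  rc=$?
  case "$(classify_scan_exit "$rc")" in
    pass)      echo "PASS: score is at or above $threshold"; return 0 ;;
    threshold) echo "FAIL: score is below $threshold" >&2; return 1 ;;
    *)         echo "ERROR: scan did not complete (mondoo exit code $rc)" >&2; return 2 ;;
  esac
}

# Typical CI usage: fail the job on an F (score below 10) and also fail it
# when the scan itself errors out. Uncomment in a pipeline step:
# mondoo_gate 10 local || exit 1
```

In a pipeline, call mondoo_gate with the threshold your team agreed on; because the wrapper returns 2 on incomplete scans, a job that cannot reach its target or has expired credentials fails visibly instead of silently passing.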

AWS Organization integration

We are excited to release the AWS Organization integration, which allows you to set up AWS integrations across your entire AWS Organization or organizational unit.

Mondoo6 AWS Organization Integration

We previously only supported single-account installs. With this change, you can use AWS CloudFormation StackSets to install the integration across all accounts in your AWS Organization, and the integration is installed automatically in new accounts added to that Organization.

🧹 IMPROVEMENTS

MQL improvements

Problem: It was impossible to use variables across blocks in MQL, which made a lot of queries more difficult to write. We have wanted to fix this issue for a while, which required a major change in MQL’s execution engine.

Solution: Variables can now be used across blocks like you would in many other programming languages. Here is a simple example:

aws.dynamodb.tables {
  x = region
  aws.dynamodb.limits.where(region == x) {*}
}

In this example, we define a new variable x and set its value to the region of the table. We can then use the variable to access the limits entry that matches this region. Previously this was not possible, since both fields had the same name (region) and variables weren’t accessible across blocks.

CI/CD detection

We now automatically detect the client running in CI/CD environments. Once detected, we collect more contextual information about the run, like the repository, PR/MR number, and git reference. This allows CI/CD runs to automatically show up in the CI/CD tab in the UI, where you can explore more details.

Today, we support this feature for GitHub, GitLab, and Kubernetes out of the box. We are expanding to other systems soon, so stay tuned!

πŸ› BUGFIXES​

  • update Kubernetes doc links in the UI
  • fix colors for the score display
  • fix EBS volume scanning targeting incorrect instances in some cases
  • fix "see your asset scores" (on aws integrations) button navigation
  • ensure asset labels link out to AWS when appropriate
  • ensure project jobs load more button loads more items
  • added error msg for when a user tries to cancel an invitation that is not their own
  • correct breadcrumb on cicd page
  • default Kubernetes integrations admission controller to off


🥳 Mondoo 5.39 is out. Lots of significant features in this release! We're all about continuous integration/continuous delivery and Kubernetes. Also, check out Mondoo on the GitHub Marketplace!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

New CI/CD integrations

To help you better visualize scans of CI/CD pipelines, we've added new specialized views to the Mondoo Console. Of course, Mondoo already lets you scan infrastructure artifacts during the build process, such as Kubernetes Manifests, Terraform code, and Docker images. But now, you can use Mondoo to compare different builds and branches and see how they compare to one another.

Check out the official documentation and get started today!

CI-CD Examples

Mondoo is in the GitHub Marketplace

To go with our new GitHub CI/CD views, Mondoo is now available as an action in the GitHub Marketplace. Use Mondoo with GitHub Actions to scan Kubernetes manifests, Terraform configuration files, and Docker images. See examples and full setup instructions on our page in the GitHub Marketplace.

Mondoo Scan on the GitHub Marketplace

Kubernetes integrations

With the Mondoo Kubernetes Operator, you can now continuously validate your deployed workloads and assess the configuration and security of the nodes running your kubelets. Couple this with the Mondoo Admission Controller and Mondoo's support for scanning Kubernetes Manifests in the CI/CD pipeline. Mondoo provides a complete, end-to-end solution for securing Kubernetes from commit to production.

Kubernetes in Mondoo

🧹 IMPROVEMENTS

New asset page

We've given the individual asset view a beautiful new makeover. Graphs and scorecards help you understand how your assets stack up against policy at a glance, and the integrated filters make it easy to find the most relevant policies.

New Asset View

Kubernetes policy improvements

We've added new controls and queries to the Kubernetes policies.

πŸ› BUGFIXES​

  • Fix to offline EBS volume scanning for AWS - Resolves an issue where the Mondoo Client would sometimes mount the wrong filesystem during offline EBS volume scans.


🥳 Mondoo 5.38.1 is out. This release includes policy updates and lays the foundation for big things to come.

Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Ubuntu 20.04 CIS Benchmark Certification

The Mondoo Ubuntu 20.04 Level 1 and Level 2 CIS Benchmarks are now officially CIS certified. See the Mondoo cissecurity.org page for a complete list of our CIS certified benchmarks and stay tuned for more certified benchmarks in the coming weeks.

🧹 IMPROVEMENTS

Kubernetes Operator Updates

Our Mondoo Kubernetes Operator has seen yet another round of important improvements as we work towards the general availability of the operator next week. Kubernetes cluster node scanning now runs as a Kubernetes CronJob instead of keeping the agent running on every node at all times, saving CPU and memory. We've also added behind-the-scenes capabilities required to register the operator using a short-lived registration token instead of a full Mondoo service account. This keeps long-lived secrets out of the user's shell history when configuring the operator in the cluster. Our upcoming integrations setup workflow in the Mondoo console will use this new capability to securely deploy the operator to your clusters.

πŸ› BUGFIXES​

  • Fix incorrect remediation steps for multiple queries in the Linux Security Baseline by Mondoo policy:
    • Ensure the audit configuration is immutable
    • Ensure permissions on /etc/passwd- are configured
    • Ensure permissions on /etc/group- are configured
  • Fix errors in Linux Security Baseline by Mondoo policy when /etc/passwd- or /etc/gshadow- doesn't exist.
  • Fix errors in Kubernetes Application Benchmark by Mondoo's query Pod should not run with default service account.


🥳 Mondoo 5.37.0 is out. This release's big features: Windows Windows Windows! Updated CIS benchmarks, expanded vulnerability scanning, and much more.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Expanded Windows Platform Support

New and Updated CIS Benchmarks

New CIS benchmarks (version 1.0) for Windows 11 and Windows Server 2022 are available in the Mondoo Policy Hub. We've also updated our existing CIS benchmarks for Windows to the latest CIS releases:

  • Windows Server 2016 updated to 1.3.0
  • Windows Server 2019 updated to 1.3.0
  • Windows 10 updated to 1.12.0

Windows 10 and 11 Security Advisories

The Mondoo Platform Vulnerability Policy now includes security advisory and CVE reporting for Windows 10 and 11. We've also made improvements to ensure that systems with many security advisories correctly report the complete set.

Unpatched Windows 10 Scan

Windows 10 and 11 Platform EOL Dates

The Mondoo Platform End-of-Life Policy includes EOL data for Windows 10 and 11.

Non-EOL Windows 10 Scan

Kubernetes Deployment Scans

The Mondoo Kubernetes operator's admission controller now includes full scanning of each Kubernetes deployment and pod. With the admission controller enabled, these scans will show up in the fleet view. See the mondoo-operator repo for more details. Stay tuned for a guided operator setup and improved UI experience coming soon.

🧹 IMPROVEMENTS

New ssh-host-key id-detector

You can now identify the system you're scanning by its SSH host key, using the --id-detector CLI flag. Because the host key stays the same when a machine's hostname or IP address changes, this gives a scanned system a stable asset identity.

mondoo scan --id-detector ssh-host-key

New Ubuntu Security Advisory Data

The Mondoo Platform Vulnerability Policy now includes security advisory data for Ubuntu 22.04 and the upcoming Ubuntu 22.10 release.

New UI Color Theme

The Mondoo CLI output has a new color theme to better match the output you see in the Mondoo console.

Improved Output in Kubernetes Application Benchmark

The output in the Kubernetes Application Benchmark by Mondoo now displays the pod name and namespace in the query output. With this information, you can trace vulnerable pods back to their manifests.

Pop!_OS Support

Mondoo now detects and scans the Pop!_OS Linux distribution by System76.

πŸ› BUGFIXES​

  • Fix loading of id-detector config option for mondoo scan
  • Fix handling of non-existing registry keys on Windows
  • Fix several detection errors in Mondoo Security Baseline policies:
    • Improve reliability of Auditd state to prevent errors checking state
    • Don't fail when /etc/group- doesn't exist on a system
    • Add a new query on Windows hosts to make sure users don't have the privilege to attach debuggers


🥳 Mondoo 5.36.1 is out. This release's big features: EBS Volume based instance Scanning, Colorblind mode, and policy updates!

🎉 FEATURES

Colorblind Mode

A new user setting allows you to change to a colorblind-friendly color palette throughout the UI.

User Settings

Colorblind Space

AWS EBS Volume based Instance Scanning

The Mondoo AWS Integration can now scan instances by reading their EBS volume data. This method does not require credentials for the instance itself or a client installation on it, and it can even scan stopped instances. You can enable this feature and choose how scanning occurs on the AWS integration configuration page.

EBS Settings

🧹 IMPROVEMENTS

Linux Security Baseline Updates

We've made a number of improvements to our out of the box security policy this week. Our Linux Security Baseline by Mondoo is now more reliable. Many queries have been improved to work better on different Linux distributions and to better handle running in containers. We've also improved the query output and remediation instructions to make it easier to resolve discovered issues.

Rocky Linux CIS Benchmarks

Mondoo now includes the Rocky Linux CIS Level 1 and 2 Server benchmarks. See the CIS Rocky Linux Benchmarks page for more information on these benchmarks.

Mondoo Kubernetes Operator Improvements

The Mondoo Kubernetes Operator 0.2.5 has been released with Kubernetes Workload scanning and the ability to scan Rancher provisioned controlplane and etcd nodes.

πŸ› BUGFIXES​

  • Fixed a crash when scanning with invalid credentials
  • Fixed a crash when retrieving anti-spyware security product details on Windows


🥳 Mondoo 5.35.0 is out. This release's big features: Search assets by tags, new UI elements, and new Windows resources.

🎉 FEATURES

Search assets by tag and annotation key/value

The search box in the fleet view now filters assets by tags and annotations. This simple feature adds a lot of power! For example, you can now search across multiple AWS accounts for assets with the same tag. But as cool as that is, we'll do you one better: You can also search across multiple cloud providers. Or GitHub accounts. Or... you get the idea.

New graphs on the web console

The Mondoo Web Console has two new sets of graphs to help you see the state of your assets at a glance! First, the new radial graphs on the dashboard show the breakdown of your assets by score; hovering over them shows more detail.

New radial graphs

If you click into the fleet view, you'll see a new bar graph showing the same distribution of assets by letter grade.

New bar graphs

And of course, it all looks great!

Add annotations to assets via the config

To attach the same annotations to every asset a Mondoo Client scans, add an annotations block to its configuration file (for example ~/.config/mondoo/mondoo.yml):

---
annotations:
  mdm: newannotation

New Windows Resources

Mondoo now includes new resources for better examining the security of Windows systems out of the box:

🧹 IMPROVEMENTS

Additional CI System Data

Mondoo now gathers more CI environment labels on GitLab, GitHub Actions, and Travis-CI.

Mondoo Kubernetes Operator Improvements

The Mondoo Kubernetes operator now scans Kubernetes Deployments in addition to Pods. See the full Operator release notes on the GitHub project.

πŸ› BUGFIXES​

  • Fixed harbor integration scanning
  • Updated the CLI output colors on macOS systems to improve the readability of error messages
  • Fixed the display of Spaces on mobile devices


🥳 Mondoo 5.34.1 is out. The big features this release: User defined asset tags and new Mondoo.com API endpoints

🚚 Mondoo Domain Change

Mondoo has moved to .com! As of April 12th we've officially migrated our web console to https://console.mondoo.com and our API to https://us.api.mondoo.com. The previous URLs will redirect to the new locations until they are retired later this year. We encourage you to update your bookmarks and Mondoo Client configurations. All new configurations generated by Mondoo will use the new API location.

Mondoo 5.34.1 includes a migrate sub-command that can automatically update your Mondoo configuration to the new API endpoint:

## Check which API Endpoint we're using:
$ cat .config/mondoo/mondoo.yml | yq .api_endpoint
https://api.mondoo.app

## Upgrade the config:
$ mondoo migrate
→ Migrate Mondoo CLI configuration:
→ loaded configuration from /home/benr/.config/mondoo/mondoo.yml
→ saving mondoo config path=/home/benr/.config/mondoo/mondoo.yml
→ migrated configuration successfully

## Check the new API endpoint:
$ cat .config/mondoo/mondoo.yml | yq .api_endpoint
https://us.api.mondoo.com # <-- Good!

🎉 FEATURES

User Defined, Editable Tags for Assets

Organization is the name of the game, and we're ready to help you spring clean. No more wondering what belongs where. Create custom tags right from the UI to help better manage your growing list of Assets. Get started today by clicking the 'plus' button next to Annotations in your Asset Configuration tab - your future self will thank you.

console-annotations

🧹 IMPROVEMENTS

Improved EOL OS Detection

Mondoo now includes improved end-of-life operating systems detection with new VMware Photon / Oracle Linux support and updated EOL information for Ubuntu, Scientific Linux, Fedora, and macOS.

Kubernetes Operator Improvements

Our preview Kubernetes Operator release 0.2.3 shipped with several improvements for added reliability in scanning:

  • Operator pods now include readiness probes.
  • The operator now reports status information in the MondooAuditConfig CR.
  • Users can now skip the resolution of the Mondoo Client container image if necessary.
  • Operator resource limits have been lowered to limit cluster impact.

Updated Output in mondoo policy commands

The mondoo policy describe and mondoo policy list commands have been updated with a fresh new output format to improve readability. mondoo policy list now also includes policy version information, and a new --list-all flag lets you list all private, public, and enabled policies at once.


🥳 Mondoo 5.33.0 is out. The Big features this release: New CIS certified policies!

🎉 FEATURES

CIS Certified Red Hat Linux Policies

This week we welcome more new additions to Mondoo's suite of CIS-certified policies. Mondoo now offers CIS-certified policies for Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8.

The full list of CIS certified Mondoo Policies is always visible on the Center for Internet Security's website.

🧹 IMPROVEMENTS

Better, stronger, faster

  • Several minor bug fixes and improvements for forthcoming features.


Mondoo 5.32.0 is out. The Big features this release: A re-designed and improved Policy Hub, full support for AlmaLinux, and a new color scheme for the UI!

🎉 FEATURES

Re-designed Policy Hub

We've re-designed the Policy Hub with many new features. The Policy Hub now helps you quickly understand much greater nuance about your policies. Policy scores let you see at a glance which policies have the broadest adherence or divergence in your organization. The assets count shows which policies have the widest impact across your fleet of assets. And un-used policies are now hidden by default.

policy_hub

Asset View

The individual policy view now has an asset tab. This tab displays the policy score for each asset to which the policy applies.

policy_hub

Hide un-used policies

The Policy Hub now only shows policies that have been enabled in the Space.

Previously, the Policy Hub would display all available policies, even if those policies had not been enabled for the Space. To show new policies, use the "Add Policy" button.

AlmaLinux Support

Mondoo now includes support for the latest Red Hat Linux derivative, AlmaLinux. This includes updates to the client install scripts, Chef Infra cookbook support, and new AlmaLinux OS 8 CIS Level 1 and 2 benchmarks.

New Colors

The Mondoo console has been refreshed with a new color scheme. As a result, text pops and graphs are much easier to differentiate.

🧹 IMPROVEMENTS

New and Improved Policies

We've been busy this week expanding and improving our out of the box policies with a number of new early access policies now available:

  • New Amazon Elastic Kubernetes Service (EKS) Level 1 / 2 CIS benchmarks
  • New early access Terraform static analysis policy for AWS EKS
  • New early access GitLab Baseline by Mondoo
  • Updated SLES 12 and 15 CIS benchmarks to version 1.1.1
  • Expanded the queries in our RHEL 8 CIS benchmarks
  • Improved the Kubernetes Application Benchmark by Mondoo

Updated Client Install Script

Our Mondoo Client install.sh script now supports AlmaLinux, Rocky Linux, and macOS systems without Homebrew.


🥳 mondoo 5.31.0 is out!

🎉 FEATURES

New Getting Started Guide for AWS

We've launched a new getting started path for people who want to try out Mondoo with AWS. Learn how to set up Mondoo in AWS CloudShell or on your local laptop, and run a policy scan of your AWS account in just a few minutes.

We've also revamped the Getting Started section of the Mondoo documentation site, with new tutorials for getting started not just with AWS, but also Azure, Google Cloud, Kubernetes, VMware, Docker, and more.

CIS Amazon Linux 2 Policy Certification

This week, the "CIS Amazon Linux 2" policy becomes the eleventh addition to Mondoo's suite of CIS-certified policies. For more information about our growing collection of CIS-certified policies, see the Mondoo 5.29.1 Release Notes from earlier this month.

Expanded Platform Support with Chef

The Mondoo Chef Infra Cookbook 0.3.0 is out with expanded platform support for openSUSE, SLES, Fedora, Rocky Linux, and Scientific Linux distros. Use this cookbook to install Mondoo Client and register new nodes automatically with Mondoo Platform.

🧹 IMPROVEMENTS

Terraform Improvements

  • πŸ› Bugfixes to the Terraform AWS policy.
  • ⭐️ Terraform support has been updated to better support breaking changes in Terraform providers.

Kubernetes Operator Improvements

  • ⭐️ Prometheus metrics are now exposed by the operator.

MQL Improvements

  • containerImage and containerRepository are now supported MQL resources.