
· 5 min read

🥳 Mondoo 7.7 is out! This release includes new Kubernetes integration pages & VMware Cloud Director scanning!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

VMware Cloud Director scanning​

Problem: Your organization uses VMware Cloud Director, and you'd like to secure your deployments with Mondoo policies.

Solution:

Mondoo now includes a set of new VMware vCloud Director resources to help you secure your VMware infrastructure.

Sample queries:

# display vCloud Director version
asset { platform version build }
asset: {
  build: "20079017"
  version: "10.4.0"
  platform: "vcd"
}

# show all vCenter server instances registered with vCloud Director
vcd.serverInstances { * }

# list all vCloud Director organizations
vcd.organizations

# list all external networks
vcd.externalNetworks

For additional use cases, see the VMware Cloud Director Resource Pack MQL documentation.

New Kubernetes integrations pages​

Problem: Once you've set up a Kubernetes integration in Mondoo, it's difficult to see the status of the resources, including the version of the operator that's running.

Solution: Mondoo has a whole new Kubernetes integration page to help you understand what's running and what's been detected. This page includes essential status information such as the Kubernetes release, operator release, and the enabled scanning methods. It also includes a quick summary of everything that's been detected by the operator with a link to view operator-scanned assets in the fleet view.

New Kubernetes integration page

Overview data for assets​

Problem: In scan results, it can be hard to understand an asset's location or platform.

Solution: We redesigned the Mondoo asset pages to make finding details about your assets easier. We've combined multiple tabs into a new summarized main page that folds asset metadata into the main view.

New asset page

Debian 11 and Ubuntu 22.04 CIS level 1 & 2 policies​

Problem: You're running the latest Debian and Ubuntu releases and you need to apply CIS policies to meet regulatory requirements.

Solution: Mondoo now includes CIS Level 1 and 2 policies for Ubuntu 22.04 and Debian 11.

🧹 IMPROVEMENTS

Assets now display their last scanned time​

We've updated the asset pages to better describe when assets were scanned and when they last checked into the Mondoo Platform. Previously we tracked only the update time, which showed the last time the asset had checked in either through a CLI scan or a non-scanning integration discovery. This led to confusion since some AWS assets looked as though they had just been scanned after the integration discovery ran. You now see both the scan time and the update time so you can better understand how old scan results are and when assets were last seen.

Update vs. Scanned Time

Automatic stale service account cleanup​

Mondoo now automatically cleans up service accounts that sit unused for 30 days. This reduces both clutter and the risk of account compromise.

Policy improvements​

This week we made several improvements to Linux and Kubernetes policies with new and updated controls:

  • Add new Ensure the kubelet is not configured with the AlwaysAllow authorization mode and The default namespace should not be used controls to the NSA Kubernetes Hardening Guide policy.
  • Add new Use clear naming for external channels control to the Slack Security Best Practices policy.
  • Add new Ensure system accounts are non-login control to the BSI SYS.1.3 Linux and Unix Servers policy.
  • Update the Slack Security Best Practices policy to collect the names of all Slack workspace admins.
  • Update the Slack Security Best Practices policy to ignore the SlackBot users when ensuring users have 2FA enabled.
  • Ensure the Linux Security policy's auditd controls can run when scanning containers, EBS volumes, or Kubernetes nodes.
  • Update the Ensure system accounts are non-login control in CIS policies to treat accounts with a UID < 1000 as system accounts, instead of UID < 500, matching the default UID_MIN of current distributions.

MQL Improvements​

Empty arrays evaluate as false​

We've updated MQL to treat an empty array as a false-like (falsey) value. This means a query like list.where(a == 1), which returns an empty array when nothing matches, now evaluates as false instead of true. Checks in your environment that were meant to fail but passed vacuously on an empty result will now fail, so review any unexpected new failures after upgrading.

IPv6 data in the port resource​

The port resource now includes TCP/UDP port information for IPv6 addresses in addition to IPv4 addresses.

Indexed array output​

Query results that return an array now include the array index in the results so you can more easily find flagged issues or dig deeper into specific results.

Indexed Results

πŸ› BUG FIXES​

  • Only attempt to delete EBS volumes if there's a failure during the scan.
  • Fix failures checking file ownership when running under sudo.
  • Fix incorrectly formatted output of scan results on Windows.
  • Fix an error message that included a typo in the suggested --incognito flag.
  • Default to us-east-1 in cnquery/mondoo if no AWS region is provided to avoid failures.
  • Exit with 1 when cnspec fails to connect to an asset.
  • Avoid a crash if asset data cannot be synced to the Mondoo Platform.
  • Improve some error messages that included legacy components and client names.
  • Set asset name when EBS scanning if it is provided.
  • Avoid a crash when working with certain dict values in MQL.
  • Avoid a crash when viewing some older service accounts in the console.

· 2 min read

🥳 Mondoo 7.6 is out! This release includes improvements to asset naming and bug fixes.

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🧹 IMPROVEMENTS

New --asset-name CLI flag​

The mondoo and cnspec CLIs include a new --asset-name flag that allows you to control the name of the asset when registering with the Mondoo Platform.

Fetch instance name using EC2 metadata​

When connecting to instances using EC2 Instance Connect or SSM, Mondoo now identifies assets based on the instance name (from AWS metadata).

πŸ› BUG FIXES​

  • Remove deprecated mondoo scan syntax from the deprecated Mondoo policies to prevent failures on Mondoo Client 7.x.
  • Fix warnings when scanning Kubernetes clusters.
  • Update invalid credential message from the Slack provider to mention Slack.
  • Improve the warning in the kernel resource when running on an unsupported platform.
  • Add missing Google Workspaces, Slack, and Okta scan examples to the Workstation integration page.
  • Update the suggested policies during the Kubernetes integration setup to include the latest Mondoo and NSA Kubernetes policies.
  • Remove references to Windows from the Ubuntu integration page.
  • Lower memory usage in the Kubernetes admission controller.
  • Skip scanning events in the Kubernetes admission controller when only the managedFields changed.

· 3 min read

🥳 Mondoo 7.5 is out! This release includes faster GitHub Actions execution and improved CIS policies!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Faster GitHub Action Execution​

Problem: The Mondoo GitHub Action could rapidly scan content in your CI pipelines, but was slow to install and set up Mondoo Client during each run.

Solution: We've refactored the Mondoo GitHub Action to use our new cnspec container image. Not only do you get our latest command line experience, but also there's no need to install Mondoo Client during your GitHub jobs. This can reduce the time it takes to run your job by 30 seconds to 1 minute, getting you results quicker in your CI pipelines.

🧹 IMPROVEMENTS

Additional CIS Linux Controls​

We've updated our CIS Linux policies to implement the following controls:

  • AlmaLinux 8: Ensure FTP client is not installed
  • AlmaLinux 8: Ensure rsync-daemon is not installed or the rsyncd service is masked
  • Debian 8: Ensure inetd is not installed
  • Debian 9: Ensure SELinux is enabled in the bootloader configuration
  • Debian 10: Ensure syslog-ng is configured to send logs to a remote log host
  • RHEL 6: Ensure augenrules is enabled
  • RHEL 8: Ensure journald is not configured to receive logs from a remote client
  • RHEL 8: Ensure rsyslog is not configured to receive logs from a remote client
  • SLES 11: Ensure only approved ciphers are used
  • SLES 11: Ensure password expiration is 90 days or less
  • SLES 12: Ensure IPv6 firewall rules exist for all open ports
  • Ubuntu 14.04: Ensure password expiration is 90 days or less
  • Ubuntu 20.04: Ensure syslog-ng is configured to send logs to a remote log host

πŸ› BUG FIXES​

  • Fail early and show an error when an invalid GitHub token is provided instead of creating an asset with all errored scans.
  • Correctly detect AWS EC2 asset names when scanning them over EC2 Instance Connect or SSM.
  • Correctly detect platform names when scanning containers.
  • Fix loading of spaces when older assets with an unrecognized asset type are present.
  • Fix login failures for some users in the Mondoo EU region.
  • Improve the reliability of CI/CD asset cleanup.
  • Improve fetching of CVE data for Rocky Linux.

· 6 min read

🥳 Mondoo 7.4 is out! This release includes Google Workspaces, Slack, and Okta security scanning!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Builds for Linux on IBM Z​

Problem: You need to ensure the security of Linux distributions running on IBM Z mainframes.

Solution: Mondoo now includes packages for Ubuntu, SLES, and Red Hat running on IBM Z mainframes. You can find these packages in our releases repository at releases.mondoo.com.

New SaaS scanning capabilities​

Problem: Securing your business isn't just about the servers that your operations run on. It's also critical to safeguard the many SaaS services your teams rely on. How can you extend policies and security practices to protect this critical infrastructure?

Solution: We've expanded our SaaS Security Posture Management (SSPM) capabilities by introducing resources, security policies, and incident response packs for Google Workspace, Okta, and Slack. These new policies let you codify and continuously apply security policies to these critical SaaS services.

Google Workspace​

The new googleworkspace MQL resource pack allows you to query the state of your Google Workspace:

cnquery shell googleworkspace --customer-id <CUSTOMER_ID> --impersonated-user-email <EMAIL>
# list all domains
googleworkspace.domains { * }

# list all groups for your Google Workspace customer
googleworkspace.groups { * }

# find the group for a specific email
googleworkspace.groups.where( email == "myemail@example.com" ) { * }

# list all users for your Google Workspace customer
googleworkspace.users { * }

# search for a specific user
googleworkspace.users.where( primaryEmail == "myuser@example.com" ) { * }

# find all users that have authorized Slack
googleworkspace.users.where( tokens.one( displayText == "Slack" ) ) {
  fullName
  primaryEmail
}

# list all super admins
googleworkspace.report.users.where( security["isSuperAdmin"] == true ) { userEmail }

# check that all users are enrolled in 2-step verification (MFA)
googleworkspace.report.users.all( security["isS2SvEnrolled"] == true )

Okta​

The new okta MQL resource pack allows you to query the state of your Okta organization:

cnquery shell okta --organization <ORG_URL> --token <OKTA_TOKEN>
# display information about the org
okta.organization { * }

# display registered applications
okta.applications { * }

# display all users
okta.users { * }

# display policies
okta.policies.password { id name rules { * } }

Slack​

The new slack MQL resources allow you to query the state of your Slack workspace:

cnquery shell slack --token <SLACK_TOKEN>
# display team info
slack.team { * }

# display members
slack.users.members { * }

# display bots
slack.users.bots { * }

# display all users
slack.users { * }

# list all users that have no MFA (members + bots)
slack.users.where( has2FA == false) { * }

# list all members that have no MFA
slack.users.members.where( has2FA == false) { * }

# list all conversations and their creators
slack.conversations { name id creator { id name } }

# display user groups (only on Slack paid plan)
slack.userGroups { * }

# display access logs (only on Slack paid plan)
slack.accessLogs { * }

🧹 IMPROVEMENTS

Package CVE support for Fedora 37​

The Fedora Project team released Fedora 37 this week. Mondoo is ready for upgrades, with CVE scanning support for this new release.

terraform.modules now includes the full block for modules

The terraform.modules resource now returns the full block for each module that is defined in the HCL files. Modules that are only reached through a nested module call (the dotted keys below) have no block of their own in the scanned files and return null:

cnquery> terraform.modules { block key }
terraform.modules: [
  0: {
    key: "consul.consul_servers.security_group_rules"
    block: null
  }
  1: {
    key: "consul.consul_servers.security_group_rules.client_security_group_rules"
    block: null
  }
  2: {
    key: ""
    block: null
  }
  3: {
    key: "consul"
    block: terraform.block id = terraform.block/modules.tf/1/1
  }
  4: {
    key: "consul.consul_clients.iam_policies"
    block: null
  }
  5: {
    key: "consul.consul_servers"
    block: null
  }
  6: {
    key: "gke"
    block: terraform.block id = terraform.block/gke.tf/10/1
  }
  7: {
    key: "consul.consul_clients"
    block: null
  }
  8: {
    key: "consul.consul_clients.security_group_rules"
    block: null
  }
  9: {
    key: "consul.consul_clients.security_group_rules.client_security_group_rules"
    block: null
  }
  10: {
    key: "consul.consul_servers.iam_policies"
    block: null
  }
]

Array deletion in MQL​

You can now subtract one array from another in MQL. Every element of the left array that also appears in the right array is removed (both 3s are dropped below; the 5 that occurs only on the right is ignored):

> [1,2,3,3,4] - [3,4,5]
[1,2]

TLS configuration within the port resource​

The ports resource now reports the TLS configuration of each listening port that speaks TLS: the certificates it serves, the cipher suites and protocol versions it accepted, and a per-suite map of which suites could be negotiated. This is the data you need to check a service for forward secrecy and deprecated protocol versions without an external scanner:

cnquery> ports.listening[1] { port tls{*} }
ports.listening[1]: {
  port: 8080
  tls: {
    socket: socket protocol="tcp" port=8080 address="127.0.0.1"
    nonSniCertificates: [
      certificate serial="3e:44:c8:e3:2c:bc:2a:6e:0a:1f:f8:9e:53:57:69:91:eb:3f:c4:dd" subject.commonName="mondoo.dev" subject.dn="CN=mondoo.dev,OU=n/a,O=Mondoo,L=LA,ST=California,C=US,1.2.840.113549.1.9.1=#0c0e646f6d406d6f6e646f6f2e636f6d"
    ]
    ciphers: [
      0: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
      1: "TLS_RSA_WITH_AES_256_CCM_8"
      2: "TLS_RSA_WITH_AES_128_GCM_SHA256"
      3: "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256"
      4: "TLS_CHACHA20_POLY1305_SHA256"
      5: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      6: "TLS_AES_256_GCM_SHA384"
      7: "TLS_RSA_WITH_AES_256_CBC_SHA256"
      8: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
      9: "TLS_RSA_WITH_AES_128_CBC_SHA"
      10: "TLS_RSA_WITH_AES_128_CCM"
      11: "TLS_RSA_WITH_AES_128_CCM_8"
      12: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      13: "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384"
      14: "TLS_AES_128_GCM_SHA256"
      15: "TLS_RSA_WITH_ARIA_256_GCM_SHA384"
      16: "TLS_RSA_WITH_AES_256_CCM"
      17: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      18: "TLS_RSA_WITH_AES_128_CBC_SHA256"
      19: "TLS_RSA_WITH_ARIA_128_GCM_SHA256"
      20: "TLS_RSA_WITH_AES_256_GCM_SHA384"
      21: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
      22: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
      23: "TLS_RSA_WITH_AES_256_CBC_SHA"
    ]
    versions: [
      0: "tls1.3"
      1: "tls1.2"
    ]
    params: {
      certificates: [
        0: id:"certificate:f157279e8a7f6b819e8fbcaaa980f069a318bb9ea90ef9ea0c89204cffae4e94" name:"certificate"
      ]
      ciphers: {
        OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: false
        OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: false
        OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: false
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA: false
        SSL_DHE_DSS_WITH_DES_CBC_SHA: false
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA: false
        SSL_DHE_RSA_WITH_DES_CBC_SHA: false
        SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA: false
        SSL_DH_DSS_WITH_DES_CBC_SHA: false
        SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA: false
        SSL_DH_RSA_WITH_DES_CBC_SHA: false
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5: false
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA: false
        SSL_DH_anon_WITH_DES_CBC_SHA: false
        SSL_DH_anon_WITH_RC4_128_MD5: false
        SSL_NULL_WITH_NULL_NULL: false
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: false
        SSL_RSA_EXPORT_WITH_RC4_40_MD5: false
        SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: false
        SSL_RSA_FIPS_WITH_DES_CBC_SHA: false
        SSL_RSA_WITH_3DES_EDE_CBC_SHA: false
        SSL_RSA_WITH_DES_CBC_SHA: false
        SSL_RSA_WITH_IDEA_CBC_SHA: false
        SSL_RSA_WITH_NULL_MD5: false
        SSL_RSA_WITH_NULL_SHA: false
        SSL_RSA_WITH_RC4_128_MD5: false
        SSL_RSA_WITH_RC4_128_SHA: false
        TLS_AES_128_CCM_8_SHA256: false
        TLS_AES_128_CCM_SHA256: false
        TLS_AES_128_GCM_SHA256: true
        TLS_AES_256_GCM_SHA384: true
        TLS_CHACHA20_POLY1305_SHA256: true
        TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: false
        TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: false
        TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: false
        TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: false
        TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: false
        TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: false
        TLS_DHE_PSK_WITH_AES_128_CCM: false
        TLS_DHE_PSK_WITH_AES_256_CCM: false
        TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: false
        TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: false
        TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: false
        TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: false
        TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: false
        TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: false
        TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: false
        TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: false
        TLS_DHE_PSK_WITH_CHACHA20_POLY1305: false
        TLS_DHE_RSA_WITH_AES_128_CCM: false
        TLS_DHE_RSA_WITH_AES_128_CCM_8: false
        ... (197 lines left)
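As an added example (not code from the release notes or from cnquery), the following Python check shows what a practitioner would do with the ciphers and versions lists the port resource reports: tag each suite with the properties a hardening policy objects to and decide whether the port passes. The 24-suite sample list is copied from the output above; the tag rules, the DEPRECATED_VERSIONS set and the pass criteria are this example's own assumptions, not a Mondoo policy.

```python
from __future__ import annotations

# Constructed sample: the 24 suites the port-8080 listener in the output above accepted.
SAMPLE_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_256_CCM_8",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_128_CCM_8",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256", "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CCM", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
]
SAMPLE_VERSIONS = ["tls1.3", "tls1.2"]

# Assumed policy thresholds (this example's own, not a Mondoo policy).
DEPRECATED_VERSIONS = {"ssl3", "tls1.0", "tls1.1"}
BROKEN_ALGOS = ("_3DES_", "_DES_", "_RC4_", "_RC2_", "_IDEA_", "_NULL", "EXPORT", "_MD5")
FAILING_TAGS = {"no-forward-secrecy", "anonymous-kx", "broken-algorithm"}


def classify_cipher(name: str) -> set[str]:
    """Tag one IANA cipher-suite name with the properties a hardening policy cares about."""
    tags: set[str] = set()
    if any(algo in name for algo in BROKEN_ALGOS):
        tags.add("broken-algorithm")
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        # TLS 1.3 names carry only the AEAD and hash; key exchange is always ephemeral (EC)DHE.
        bulk = name[len("TLS_"):]
    else:
        body = name.split("_", 1)[1] if name.startswith(("TLS_", "SSL_")) else name
        kx, _, bulk = body.partition("_WITH_")
        if not kx.startswith(("ECDHE", "DHE")):
            tags.add("no-forward-secrecy")  # static RSA/DH: a leaked key decrypts recorded traffic
        if "anon" in kx:
            tags.add("anonymous-kx")        # unauthenticated key exchange, trivially MITM-able
    if "_CBC" in bulk:
        tags.add("cbc-mode")                # padding-oracle family (BEAST, Lucky13, POODLE)
    if "_CCM_8" in bulk:
        tags.add("short-auth-tag")          # 64-bit authentication tag
    if bulk.endswith("_SHA"):
        tags.add("sha1-mac")                # HMAC-SHA1 integrity
    return tags


def audit_ciphers(ciphers: list[str]) -> dict[str, list[str]]:
    """Map each flagged suite to its sorted tags; clean suites are left out."""
    return {c: sorted(t) for c in ciphers if (t := classify_cipher(c))}


def audit_versions(versions: list[str]) -> list[str]:
    """Return the offered protocol versions the assumed policy deprecates."""
    return sorted(v for v in versions if v in DEPRECATED_VERSIONS)


def port_passes(ciphers: list[str], versions: list[str]) -> bool:
    """Fail on any deprecated version or any suite carrying a FAILING_TAGS tag.
    CBC mode, SHA-1 MACs and short tags are reported but tolerated under this assumed policy."""
    if audit_versions(versions):
        return False
    return not any(FAILING_TAGS & classify_cipher(c) for c in ciphers)


if __name__ == "__main__":
    for suite, tags in audit_ciphers(SAMPLE_CIPHERS).items():
        print(f"{suite:45} {', '.join(tags)}")
    print("deprecated versions:", audit_versions(SAMPLE_VERSIONS) or "none")
    print("port passes:", port_passes(SAMPLE_CIPHERS, SAMPLE_VERSIONS))
```

On the sample above, 12 of the 24 suites use static RSA key exchange (no forward secrecy), 8 use CBC mode and 4 still use an HMAC-SHA1 MAC, so only 8 suites come out clean; the listener offers only tls1.2 and tls1.3, so the version check passes, but the port as a whole fails on the forward-secrecy rule.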

Extend Kubernetes queries for ephemeralContainers​

We've updated our Kubernetes policies to scan the security of ephemeralContainers defined in Kubernetes workloads. This ensures the security of any containers attached to workloads for debugging.

πŸ› BUG FIXES​

  • Significantly reduce memory usage when syncing data to the Mondoo Platform.
  • Tag cnspec/cnquery container images on DockerHub for the major version (7, 8, etc) to match mondoo image tagging.
  • Publish cnspec/cnquery rootless container images to DockerHub to match mondoo rootless container builds.
  • cnspec -o json now produces properly formatted JSON and includes the policy scores.
  • Resolve errors in some MQL queries using { * } such as docker.containers { * }.
  • Automatically discover Google organizations when --discover is set to auto or the --discover flag is not specified.
  • Resolve authentication failures against MS365.
  • Update the chevrons in the Fleet view so it's clear when there are hidden lists of assets.
  • Improve CVE pages to show data more reliably.
  • Improve mondoo update reliability on Windows.
  • Update the example setup commands for Debian/Ubuntu on the Integrations page to overwrite repository GPG keys.
  • Improve GitHub Actions examples in the Integrations page.

· 3 min read

🥳 Mondoo 7.3 is out! This release includes UI and policy improvements!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

New Azure authentication options​

Problem: You want to secure your Azure infrastructure, but you don't want to authenticate using less secure methods like token authentication.

Solution: Mondoo now includes additional options for authenticating against your Azure infrastructure. You can now authenticate as a service principal using either a certificate or a client ID and client secret.

Certificate authentication:

cnquery shell azure --client-id <id> --certificate-path /Users/stella/certificate.pfx --tenant-id <tenant-id> --certificate-secret supersecret

Client ID/secret authentication:

cnquery shell azure --client-id <id> --tenant-id <tenant-id> --client-secret my_secret

Keep in mind that a secret passed as a CLI flag ends up in your shell history and is visible to other local users in the process list, so grant the service principal only the read-only roles a scan needs and prefer the az CLI login below on shared machines.

If you don't specify an authentication method, Mondoo uses the method you've set up for the az CLI. So if you prefer shorter CLI commands, feel free to leave out the authentication flags entirely.

We also know you often have multiple subscriptions, so we've made it easy to select subscriptions. If the subscription flag is not set, you'll get a CLI menu of possible subscriptions to use:

Multiple Subscriptions

Policies for OpenSSL​

Problem: You want to apply a specific policy to find instances or containers running OpenSSL versions vulnerable to the recently announced CVE-2022-3786 and CVE-2022-3602 (buffer overflows in X.509 name constraint checking that affect OpenSSL 3.0.0 through 3.0.6 and are fixed in 3.0.7; the 1.1.1 and 1.0.2 branches are not affected).

Solution: We've introduced a new policy, OpenSSL Vulnerability Policy by Mondoo, that reports specifically on CVEs in OpenSSL so you can more easily target these systems for remediation.

🧹 IMPROVEMENTS

Status tabs on top of asset pages​

Asset pages now include tabs for navigating between policies, controls, configuration, and vulnerabilities at the top of the page. Not only are these a bit easier to find here, the content of these tabs now shows on the whole screen so you can better explore the data.

Asset Tabs

Resource improvements​

We continue to improve the cnquery resources to give you the best insight into servers, clouds, Kubernetes clusters, and more. This week we shipped the following fixes and improvements:

  • Resolve errors running github.repository { webhooks } if no webhooks were found.
  • Resolve errors running aws.rds.dbClusters {*}.
  • Add state data to the aws.ec2.snapshot resource.

Policy improvements​

This week we made several improvements to Linux and Kubernetes policies with new and updated controls:

  • Added missing queries to controls in the AlmaLinux CIS benchmark.
  • Added new Limit the access of Pods to cloud metadata services control to the NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Added new Minimize and verify access to secrets control to the NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Updated Kubernetes Cluster and Workload Security policy to avoid failures scanning Kubernetes master nodes.

πŸ› BUG FIXES​

  • Resolve failures loading base64 configs from env vars in cnspec.
  • Resolve a panic when running cnspec in GitHub Actions.
  • The install script now points users to GitHub Discussions not Slack.
  • Improve cleanup of Kubernetes admission controller scans older than 30 days to improve performance in spaces.
  • EOL warning banners now show up on asset pages after an asset becomes EOL with the OS vendor.
  • Show errors when policies cannot be uploaded to Policy Hub.
  • Resolve pagination errors on the asset page.
  • Resolve incorrect links in Microsoft Teams notifications.

· 7 min read

🥳 Mondoo 7.2 is out! This release launches our new OSS projects cnquery and cnspec + much more!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

Powered by new open source projects​

We are excited to announce the open-source release for: cnquery and cnspec. These are the core components of the Mondoo CLI and will replace it going forward.

cnquery is an asset inventory and search engine, which features an interactive shell, MQL runner, and query pack execution. Query packs are a new way to create a bundle of queries which are automatically executed and all data collected. This is useful for the creation of asset inventories and collection of data during incidents. They are a lightweight alternative to policies (without scoring).

cnspec is the security testing project, which focuses on misconfigurations and vulnerabilities. It is built on top of cnquery and adds policies and scored controls. It is also a drop-in replacement for the Mondoo CLI today and uses the same commands to scan assets, run queries, open a shell, or work with policies.

Together with this open-source release, we are opening the ability to create custom resources and providers. In the coming weeks we will start to release more guides for developers who are interested in contributing.

Furthermore, we are establishing MQL as an open standard for GraphQL-inspired infrastructure querying and assertions. Most of the engine can be found in cnquery and is highly extensible as well as embeddable.

We highly encourage you to try out cnquery and cnspec! Please let us know if you encounter any challenges switching from the Mondoo CLI to cnspec. We will continue to support the Mondoo CLI throughout the v7 release.

CLI CVE scanning​

Problem: Sometimes you only care about CVEs on a server, container, or container image, but you have to scan the system for security misconfigurations as well.

Solution: We've added a new cnspec vuln command that allows you to scan for CVEs on servers, containers, and container images without performing a full security scan. The command also offers more detailed CVE output so you can see what's best to patch first.

cnspec vuln scanning

FreeBSD scanning support​

Problem: You run a diverse infrastructure including FreeBSD hosts which need to be properly secured.

Solution: cnquery and cnspec now include initial support for remotely scanning FreeBSD hosts. With this update, you can now list packages and services, examine file contents, and execute commands. Stay tuned for more FreeBSD updates, and if you have thoughts or would like to contribute resource support for FreeBSD, join the Mondoo GitHub Discussions.

🧹 IMPROVEMENTS

Add ephemeralContainers to k8s.pod​

The k8s.pods and k8s.pod resources now include information on ephemeralContainers attached to pods. Ephemeral containers are a relatively new Kubernetes feature that lets you attach a container to a running Pod for debugging. Once added, an ephemeral container can't be removed or restarted (only the whole Pod can be recreated), so a forgotten one, especially a privileged one as in the example below, is a standing foothold in your environment that a check reading only spec.containers never sees.

Example workload with ephemeralContainers defined:

apiVersion: v1
kind: Pod
metadata:
  annotations:
  creationTimestamp: "2022-11-03T16:40:54Z"
  labels:
    admission-result: pass
  name: passing-pod-yaml
  namespace: debug-ns
  resourceVersion: "75952"
  uid: 823d82d5-890e-4d6a-9da6-404648144585
spec:
  automountServiceAccountToken: false
  containers:
  ...
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  ephemeralContainers:
  - args:
    - sleep
    - "9999"
    image: busybox:1.28
    imagePullPolicy: IfNotPresent
    name: ephemeral_junk
    resources: {}
    securityContext:
      privileged: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  ...
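As an added example (not code from the page, the Mondoo operator or cnquery), the following Python check walks all three container lists of a Pod object, including ephemeralContainers, and reports what a posture or admission check would want to know about each one. SAMPLE_POD is a constructed dict that mirrors the manifest above; its app container is an assumption standing in for the elided containers: entry, and the finding rules are this example's own, not a Mondoo policy.

```python
from __future__ import annotations

from typing import Iterator

# Constructed sample mirroring the manifest above. The hardened "app" container
# is an assumption; the page elides the real spec.containers entry.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "passing-pod-yaml", "namespace": "debug-ns"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "app",
            "image": "nginx:1.23",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
        "ephemeralContainers": [{
            "name": "ephemeral_junk",
            "image": "busybox:1.28",
            "args": ["sleep", "9999"],
            "securityContext": {"privileged": True},
        }],
    },
}

# Every list a container can live in. A check that reads only spec.containers
# never sees the debug container attached later with `kubectl debug`.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}


def iter_containers(pod: dict, lists: tuple[str, ...] = CONTAINER_LISTS) -> Iterator[tuple[str, dict]]:
    """Yield (list_name, container) for each container in the selected spec lists."""
    spec = pod.get("spec") or {}
    for key in lists:
        for container in spec.get(key) or []:
            yield key, container


def container_findings(container: dict) -> list[str]:
    """Security-context findings for one container, in a stable order."""
    sc = container.get("securityContext") or {}
    findings: list[str] = []
    if sc.get("privileged"):
        findings.append("privileged")
    # Unset means "allowed" and "root permitted" respectively, so require explicit values.
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation not false")
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot not true")
    added = {c.upper() for c in (sc.get("capabilities") or {}).get("add") or []}
    if added & DANGEROUS_CAPS:
        findings.append("adds capabilities " + ",".join(sorted(added & DANGEROUS_CAPS)))
    return findings


def audit_pod(pod: dict, lists: tuple[str, ...] = CONTAINER_LISTS) -> list[tuple[str, str, str]]:
    """Return (list_name, container_name, finding) triples for the whole Pod."""
    out: list[tuple[str, str, str]] = []
    for key, container in iter_containers(pod, lists):
        name = container.get("name", "<unnamed>")
        if key == "ephemeralContainers":
            # Its mere presence is a finding: it cannot be removed without recreating the Pod.
            out.append((key, name, "ephemeral container attached; remove by recreating the pod"))
        for finding in container_findings(container):
            out.append((key, name, finding))
    return out


def pod_compliant(pod: dict) -> bool:
    return not audit_pod(pod)


if __name__ == "__main__":
    for key, name, finding in audit_pod(SAMPLE_POD):
        print(f"{key}/{name}: {finding}")
```

Running audit_pod with lists=("containers",) on the sample returns nothing, which is exactly the blind spot the release closes: the privileged debug container is only reported once ephemeralContainers is part of the walk.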

Improve CLI warnings when no provider is specified​

In cnquery, if the user specified an invalid provider, the CLI unexpectedly used the local provider instead:

cnquery shell rockylinux
→ no provider specified, using defaults.
  Use --help for a list of available providers. provider=local
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondoo™     |_|                 |___/  interactive shell

Now if a user specifies a provider that doesn't exist, cnquery exits with an error and prints the usage information instead of silently scanning the local host:

$ cnquery shell rockylinux
x provider rockylinux does not exist
Allows for the interactive exploration of MQL queries

Usage:
  cnquery shell [flags]
  cnquery shell [command]

Available Commands:
  arista      Connect to an Arista endpoint
  aws         Connect to an AWS account or instance
  azure       Connect to a Microsoft Azure account or instance
  container   Connect to a container, an image, or a registry
  ...

Load base64 configuration directly from env vars​

cnspec now loads a Base64-encoded configuration directly from the MONDOO_CONFIG_BASE64 env var. This means you no longer need to decode the config in your CI job, write it out to a file on disk (where it can leak into job artifacts or a cached workspace) and then point cnspec at that file.

Previously CI jobs had to decode the config to disk:

echo "$VARIABLE_WITH_BASE64_CONFIG" | base64 -d > mondoo.json
cnspec scan k8s my_file.yml --config mondoo.json

Now with MONDOO_CONFIG_BASE64 set you can just run the CLI:

cnspec scan k8s my_file.yml

Add MQL ports resource for macOS and Windows​

The MQL ports resource now supports Windows and macOS hosts in addition to Linux hosts. Using this resource you can track ports to listening addresses and executables:

cnquery> ports.listening
ports.listening: [
  port port=56863 protocol="ipv4" address="*" process.executable="/usr/libexec/rapportd"
  port port=56863 protocol="ipv6" address="*" process.executable="/usr/libexec/rapportd"
  port port=7000 protocol="ipv4" address="*" process.executable="/System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter"
  port port=7000 protocol="ipv6" address="*" process.executable="/System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter"
  port port=5000 protocol="ipv4" address="*" process.executable="/System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter"
  port port=5000 protocol="ipv6" address="*" process.executable="/System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter"
  port port=44960 protocol="ipv4" address="127.0.0.1" process.executable="/Users/chris/Library/Application"
  port port=44950 protocol="ipv4" address="127.0.0.1" process.executable="/Users/chris/Library/Application"
  port port=18412 protocol="ipv4" address="127.0.0.1" process.executable="/Users/chris/Library/Application"
  port port=7335 protocol="ipv4" address="127.0.0.1" process.executable="/Users/chris/Library/Application"
  port port=17223 protocol="ipv4" address="127.0.0.1" process.executable="/Users/chris/Library/Application"
  port port=17223 protocol="ipv6" address="[::1]" process.executable="/Users/chris/Library/Application"
]

Auto discover ESXi hosts for vSphere​

When scanning VMware vSphere assets, Mondoo now automatically discovers all ESXi hosts.

New controls for macOS security policy​

We've added new controls to the macOS Security policy to make sure that automatic updates are securely configured:

  • Ensure automatic checking of software updates enabled
  • Ensure automatic download of software updates enabled
  • Ensure critical updates are installed automatically

New NSA Kubernetes Hardening Guide Version 1.2 controls​

We've added several new controls to the NSA Kubernetes Hardening Guide Version 1.2 policy to help you secure your Kubernetes cluster and workloads:

  • Protect Pod service account tokens
  • Minimize and verify access to cluster-admin binding via rolebindings
  • Minimize and verify access to cluster-admin binding
  • CVE-2021-25742 - checking nginx-ingress ConfigMaps for dangerous settings

πŸ› BUG FIXES​

  • Detect Rocky Linux 9 as platform family redhat so package and service resources function properly.
  • Better raise permission issues when running the ports resource.
  • Avoid panics in cnquery when there are no query bundles.
  • Escape JSON data to prevent errors parsing some values.
  • If an asset is terminated mid-scan, report it as unscored instead of an error.
  • Fix asset filter not properly applying Terraform HCL Security Static Analysis for AWS policy.
  • Update EOL dates for Debian releases to the latest versions on their wiki.
  • Improve spacing of EBS volume scans to reduce API throttling.
  • Greatly improve the speed of service account and space deletion.
  • Fix typos in NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Resolve errors when checking for default ingress/egress network rules in NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Resolve errors when checking for the PKI directory on Minikube in NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Avoid incorrect CVE counts for assets in the console.
  • Update the Amazon Linux 2 EOL date to reflect the updated date of June 30, 2024.
  • Detect the upcoming Fedora 37 release in the EOL policy.
  • Improve error messages in the Mondoo Kubernetes Operator when private images cannot be scanned.

· 7 min read

🥳 Mondoo 7.1 is out! This release includes UI and policy improvements!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container

🎉 FEATURES

Local Provider by Default

Problem: You just want to scan your local system for security misconfigurations without needing to think about scan providers.

Solution: We've made mondoo scan default to the local system once again. With this change you can easily scan your local system without needing to specify the local provider.

Bulk Delete Assets

Problem: You have a large number of assets that you want to clean up, but deletion involves opening each asset and selecting the delete icon.

Solution: You can now multi-select and delete assets directly from the fleet view. Click the pencil icon in the top-right corner of the asset list, then check each asset you want to delete. From the Batch Edit Selection pull-down menu, select Delete.

Batch Delete Assets

Group Kubernetes Admissions Controller Scans by Namespace

Problem: New deployments come into Kubernetes clusters at a dizzying pace, and it's often hard to see which new workloads are being deployed to which namespaces.

Solution: We've reworked the Kubernetes admission controller UI in the CI/CD tab to better show which namespaces workloads are being deployed into. This groups similar scans so you can more easily escalate issues to the proper teams.

Grouped Namespaces

Group Multiple CI Scans

Problem: It's often useful to run multiple Mondoo scans in your CI/CD pipelines, but the scans don't show up together in the Mondoo CI/CD project pages.

Solution: Scans are now grouped together in the CI/CD project pages so you can better tell which scans ran in the same branch commits or PRs.

CI Jobs

Ignore Kubernetes Namespaces in Scans

Problem: You have a large Kubernetes cluster with different namespaces owned by different teams, and you don't want to scan the entire cluster at once.

Solution:

We've added two new CLI flags to allow you to control which namespaces to scan and which to skip. To scan all namespaces except ones that you specify, use the --namespaces-exclude flag. To scan just the namespaces you specify, use the --namespaces flag.

mondoo scan k8s --namespaces-exclude mondoo-operator
mondoo scan k8s --namespaces luna-ui,luna-backend

New Microsoft Azure Security by Mondoo policy

Problem: You want to secure your Azure infrastructure against common security misconfigurations.

Solution: Mondoo now includes a new Azure Security by Mondoo policy. This policy provides guidance for establishing minimum recommended security and operational best practices for Azure. This policy includes ten controls, with new controls planned for future Mondoo releases.

🧹 IMPROVEMENTS

SSM Connections using Instance Name

You can now scan AWS instances over AWS Systems Manager (SSM) using either the IP address or the instance name. This makes it easier to scan instances using the names shown in the AWS CLI or the AWS Management Console.

Use Shorter Container Names

Mondoo now includes the shortened container SHAs to match the Docker experience. These short container names fit better in the UI and match the names shown when running Docker CLI commands.

Short Image Name

VMware Appliance Now Auto Upgrades Mondoo

We know you want the latest Mondoo Client capabilities so you can run updated policies, so we've updated the Mondoo VMware appliance to automatically pull in the latest client releases. No more compatibility concerns or time spent manually updating the instance.

Better Examples in CI Integration Pages

The CI/CD integration setup pages now include additional example configuration files, making it easier to set up Mondoo in your CI pipelines.

Additional CI Examples

NSA Kubernetes Hardening Guide Version 1.2 Generally Available

The NSA Kubernetes Hardening Guide Version 1.2 policy is no longer considered to be a preview release after the addition of several new controls and fixes:

  • Add an improved policy description with example usage information.
  • Update remediation steps to improve clarity.
  • Switch policy scoring system so that the policy score on an asset matches the worst offense found rather than the average of all scores (which previously could mask critical issues).
  • Update controls to properly run on the Kubernetes cluster asset itself when appropriate.
  • Fix Ensure that the Kubernetes PKI/SSL directory is owned by root:root control to work on Minikube.
  • Split Pods should not run with NET_RAW or SYS_ADMIN capabilities control into two controls so it can be disabled at a more granular level.
  • Add new controls:
    • CVE-2021-25742 - checking nginx-ingress ConfigMaps for dangerous settings
    • Do not allow ClusterRoles that allow users execution privileges into containers
    • Do not allow roles that allow users execution privileges into containers
    • Minimize and verify access to cluster-admin binding via rolebindings
    • Minimize and verify access to cluster-admin binding

NSA Policy
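The RBAC and workload checks named in both lists of new NSA Kubernetes Hardening Guide controls on this page (access to the cluster-admin binding directly and via rolebindings, roles granting execution privileges into containers, protection of Pod service account tokens, and the nginx-ingress ConfigMap check for CVE-2021-25742) can be reproduced outside Mondoo over the raw Kubernetes objects. The following Python example is added here and is not Mondoo policy code. The objects, the approved-subject allowlist and the `nginx` name match are constructed assumptions for the example; the `allow-snippet-annotations` key is the setting named in the upstream ingress-nginx advisory for CVE-2021-25742, which the release notes themselves do not spell out.

```python
"""Audit constructed Kubernetes objects for the NSA hardening checks listed
above: cluster-admin granted through ClusterRoleBindings and RoleBindings,
roles granting pods/exec, Pods that automount service account tokens, and the
ingress-nginx ConfigMap setting behind CVE-2021-25742."""
from typing import Dict, List

# Constructed sample objects, shaped like items from `kubectl get -o json`.
OBJECTS: List[Dict] = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-admin", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRole", "metadata": {"name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "team-a"},
     "spec": {"automountServiceAccountToken": False}},
    {"kind": "Pod", "metadata": {"name": "worker", "namespace": "team-a"},
     "spec": {}},  # automountServiceAccountToken unset: the token is mounted
    {"kind": "ConfigMap",
     "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
     "data": {"allow-snippet-annotations": "true"}},
]

# Assumed allowlist of subjects that are expected to hold cluster-admin.
APPROVED_CLUSTER_ADMINS = {("Group", "system:masters")}


def full_name(obj: Dict) -> str:
    meta = obj["metadata"]
    ns = meta.get("namespace")
    return f"{ns}/{meta['name']}" if ns else meta["name"]


def unapproved_cluster_admins(objs: List[Dict], binding_kind: str) -> List[str]:
    """Subjects granted cluster-admin via bindings of binding_kind that are not approved.
    A RoleBinding may reference a ClusterRole, so a namespaced binding still hands
    out cluster-admin's full permission set inside that namespace."""
    findings = []
    for o in objs:
        ref = o.get("roleRef", {})
        if o["kind"] != binding_kind or (ref.get("kind"), ref.get("name")) != ("ClusterRole", "cluster-admin"):
            continue
        for s in o.get("subjects", []):
            if (s["kind"], s["name"]) not in APPROVED_CLUSTER_ADMINS:
                findings.append(f"{full_name(o)} -> {s['kind']}/{s['name']}")
    return findings


def exec_granting_roles(objs: List[Dict], role_kind: str) -> List[str]:
    """Roles or ClusterRoles with a rule that allows creating pods/exec."""
    out = []
    for o in objs:
        if o["kind"] != role_kind:
            continue
        for rule in o.get("rules", []):
            resources, verbs = rule.get("resources", []), rule.get("verbs", [])
            if ("pods/exec" in resources or "*" in resources) and ("create" in verbs or "*" in verbs):
                out.append(full_name(o))
                break
    return out


def pods_automounting_tokens(objs: List[Dict]) -> List[str]:
    """Pods whose service account token is mounted (the default when the field is unset)."""
    return [full_name(o) for o in objs
            if o["kind"] == "Pod" and o["spec"].get("automountServiceAccountToken", True) is not False]


def nginx_snippets_not_disabled(objs: List[Dict]) -> List[str]:
    """ingress-nginx controller ConfigMaps without allow-snippet-annotations: "false",
    the mitigation from the upstream CVE-2021-25742 advisory. An absent key is flagged
    too, because its default depends on the controller version."""
    return [full_name(o) for o in objs
            if o["kind"] == "ConfigMap" and "nginx" in o["metadata"]["name"]
            and o.get("data", {}).get("allow-snippet-annotations") != "false"]


def audit(objs: List[Dict] = OBJECTS) -> Dict[str, List[str]]:
    """Control name -> list of offending objects (empty list means the control passes)."""
    return {
        "cluster-admin via ClusterRoleBinding": unapproved_cluster_admins(objs, "ClusterRoleBinding"),
        "cluster-admin via RoleBinding": unapproved_cluster_admins(objs, "RoleBinding"),
        "ClusterRoles granting pods/exec": exec_granting_roles(objs, "ClusterRole"),
        "Roles granting pods/exec": exec_granting_roles(objs, "Role"),
        "Pods automounting SA tokens": pods_automounting_tokens(objs),
        "ingress-nginx snippet annotations not disabled": nginx_snippets_not_disabled(objs),
    }


if __name__ == "__main__":
    for control, findings in audit().items():
        print(f"{control}: {findings or 'OK'}")
```

On a real cluster the `OBJECTS` list would be the `items` arrays from `kubectl get clusterrolebindings,rolebindings,clusterroles,roles,pods,configmaps -A -o json`; the check functions take the list as a parameter so they can be fed that output unchanged.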

Policy Improvements

We continue to improve the descriptions, remediation steps, and reliability of our out-of-the-box Mondoo policies so you can secure your infrastructure with less effort. This week we've made the following policy improvements:

  • Add improved descriptions and remediation steps to all Kubernetes Security controls.
  • Add getting started guides to each Mondoo policy with usage information.
  • CIS and BSI Linux policies now accept the shadow group when checking permissions on /etc/shadow and /etc/shadow-.
  • Move additional queries in the CIS Kubernetes policies from the cluster asset to the individual workload assets. This helps more quickly identify the workload in question and allows for more granular skip/disables.
  • Adjust impact levels in the CIS and Mondoo Linux policies to lower levels where appropriate.
  • Disable alerting of Pod Security Standard policies in the mondoo-operator namespace as enabling PSS would break operator functionality.
  • Improve descriptions and remediation steps for /etc/* file check controls in Linux Security by Mondoo policy.
  • Remove livenessProbe and readinessProbe checks from CronJobs and Jobs in Kubernetes Best Practices by Mondoo as these recommendations don't apply to Job and CronJob workloads.
  • Update remediation steps in Linux Security policy's Ensure system accounts are non-login control to properly identify high UID system accounts.
  • Fix incorrect remediation step in Linux Security by Mondoo policy's Ensure secure permissions on SSH private host key files are set control.
  • Fix AWS Security by Mondoo policy's Ensure there is only one active access key available for any single IAM user control to properly check that one key is active.

Time + operator in MQL

We've added a new + operator to the Time resource so you can more easily manipulate time values in your MQL queries. This makes queries like the ones below possible:

Time manipulation

πŸ› BUG FIXES​

  • Update the CI integrations pages to provide correctly encoded Mondoo credentials for use with CI platforms.
  • Add missing icons to Mondoo policies in the Policy Hub.
  • Improve alignment of enabled/selected policies in the Policy Hub.
  • Fix the MONDOO_CONFIG_PATH environmental variable not being honored in the Mondoo CLI.
  • Fix the progress bar not showing during Mondoo CLI scans.
  • Update the AWS integration to skip creating an EBS snapshot if one already exists.
  • Add a workaround for rate limiting with EBS snapshot scanning in large accounts.
  • Better handle long asset names in the fleet view.
  • Present the original case of the Kubernetes integration instead of uppercasing the name.
  • Fix top recommended action links on CI job assets to load controls properly.
  • Add missing page titles to some pages in the console.
  • Fix minor UI alignment and spelling mistakes.
  • Ensure that AWS account assets are created when scanning accounts.
  • Don't create empty k8s-node assets when scanning Kubernetes clusters.
  • Find GCP instances in all zones when scanning GCP accounts.
  • Don't return an error if all policy controls are skipped.
  • Add a friendly error message when trying to connect to assets over SSH without an identity file or password.
  • Improve the reliability of Kubernetes asset garbage collection in the Mondoo Kubernetes Operator.

· 7 min read

🥳 Mondoo 7.0 is out!

If you have been following our past releases, you'll have seen a ton of improvements that were added during the last months, including:

  • Major new features for Kubernetes
    • Kubernetes resource, workload, node, pods, and control plane scanning
    • Automatic discovery of assets and related resources
    • Mondoo Kubernetes Operator 1.0
  • New and updated compliance policies, including:
    • NSA, NIST, BSI, AKS, EKS, Best Practices and too many updates to mention here
  • New UI for fleet views, asset relationships, recommended actions, control and policy views
  • Supply chain security, including GitHub and GitLab
  • Deeper CI/CD integrations (new UI, better filtering)
    • support for Azure pipelines, Jenkins, CircleCI
  • Extended integration for Terraform and Packer
  • AWS side scanning, GCOS, and GitHub Actions

Breaking changes

  • The previously deprecated features from v5.x have now been removed. If you have any old clients running v5.x, they will stop working with this release. Please upgrade to the latest version. All v6.x clients continue to be supported.
    • In v5.x, policies were compiled differently. The changes are behind the scenes; simply re-run policies with a new version of Mondoo.
  • Previously scanned results that were collected as null may now show up as empty values. Once the asset is re-scanned, this is fixed.

Deprecations

All deprecations will be supported throughout the lifetime of Mondoo v7. We will remove them when we release Mondoo v8.

  • We have a major open-source announcement coming next week. After it, we will start to deprecate the current mondoo CLI in favor of the new commands. Don't worry: it's a drop-in replacement and smooth transition.
  • We are removing the need to call .list for many resources that have required it so far. For example, users.list now becomes users, ports.list becomes ports, and so on. Please note that blocks are now automatically applied to the child elements of such lists. For example, users { name } is valid, but users { list } is now deprecated and will be removed in v8. This is relevant for e.g. ports.listening { ... }. Since the block applies to the individual list elements, you don't want to write e.g. ports { listening } anymore.

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

CI Setup in Integration

Problem: You want to set up Mondoo to scan projects through your favorite CI systems, but the setup is manual and requires jumping between the Mondoo console and documentation.

Solution: We've revamped how Mondoo CI integrations are set up to make them faster and more intuitive to set up. Gone is the manual service account setup process and documentation site, and in its place are CI projects set up through the Integrations tab in the console, just like other integrations. Service account tokens are automatically created, and the integration setup process now suggests helpful policies for use with your CI projects.

New CI Setup Page

🧹 IMPROVEMENTS

Updated EOL Data

We've updated our platform EOL data with new platform versions, so you always have the most up-to-date data:

  • Added Google Container OS 101 with a release date of Sept 15, 2002, and an EOL date of Sept 1, 2024.
  • Added Google Container OS release date information for milestone 97, 93, and 89.
  • Added macOS 13.0 with a release date of Oct 24, 2022.
  • Updated macOS 10.14 with an EOL date of Jul 21, 2021 when the last security update was released.

Improved Mondoo Operator Security

We've improved the security of the Mondoo Kubernetes Operator by dropping unnecessary privileges from any pods that are created by the operator.

New and Improved Policies

  • All Mondoo policies now include additional usage guidance with examples of how to run the policies using cnspec.
  • Linux Security by Mondoo policy's auditd controls now fail instead of erroring if auditd configs are not found.
  • Policy control UIDs in Mondoo TLS/SSL Security Baseline, Linux Workstation Security by Mondoo, and Linux Security by Mondoo policies better describe what is being checked.
  • Kubernetes Cluster and Workload Security by Mondoo policy's Ensure that the Kubernetes PKI/SSL directory is owned by root:root control properly handles paths on Minikube.
  • CIS Kubernetes Worker Node Level 1 policy's Ensure that the Kubelet only makes use of Strong Cryptographic Cipher control no longer results in a query error on Minikube.
  • CIS Kubernetes Master Level 1 policy's Pod Security Standards controls have been updated to not run against workloads.
  • CIS Ubuntu 20.04 Server Level 1 policy's Ensure password creation requirements are configured no longer errors if PAM is not installed, such as when Mondoo is scanning a container or container image.
  • CIS Ubuntu 20.04 Server Level 1 policy's Ensure chrony is configured no longer errors if chrony's config is not found.
  • Terraform HCL Security Static Analysis for Google Cloud policy's Ensure that Cloud Storage bucket is not publicly accessible control was updated to improve reliability.
  • NSA Kubernetes Hardening Guide Version 1.2 policy's Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate and Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate checks now check for the proper values.
  • NSA Kubernetes Hardening Guide Version 1.2 policy now includes new controls to check for secure cryptographic ciphers on the API Server and Kubelets.

πŸ› BUG FIXES​

  • Add links to download Mondoo client to the manual setup instructions on the Workstation integration page.
  • Add missing breadcrumbs to the Policy Hub pages to make it easier to navigate
  • Avoid a scan failure when a /proc/sys file cannot be read.
  • Don't show controls skipped due to conditionals in policies as being disabled on assets.
  • Don't show double asset scans in the CI projects.
  • Fix container images being incorrectly classified as operating system assets.
  • Fix incorrect breadcrumb names on some integration pages.
  • Fix incorrect Kubernetes namespace IDs in k8s.namespaces{ id } if Kubernetes objects have no namespace.
  • Fix the --sudo flag not being honored when running mondoo scan.
  • Fix the mondoo.version MQL query not returning the correct version.
  • Google Container OS systems are now properly categorized as operating systems instead of "Uncategorized Assets".
  • Mondoo platform links for CI/CD jobs on the CLI now go to the proper CI/CD asset view.
  • Only show asset scheduled EOL warning if the vendor has scheduled the EOL for less than one year in the future.
  • Performing an empty search in the Fleet view no longer goes to an error page.
  • Policy descriptions on Policy Hub no longer suggest the legacy mondoo scan -t CLI format.
  • Policy Hub no longer lists potentially incorrect manual scan instructions.
  • Properly render the list of assets when navigating through the pagination.
  • Remember the previous fleet filter selection when returning to the fleet page after viewing an asset.
  • Resolved failures running mondoo scan gitlab.
  • Resolved multiple errors when running CIS Kubernetes Master Level 1 policy on Minikube clusters.
  • The initial load of the Mondoo console no longer flashes white when dark mode is enabled.
  • Updates the VMware and Azure integration pages to use the latest mondoo scan syntax.
  • Warn when using mondoo scan k8s --namespace if the namespace was not found on the cluster.

· 8 min read

🥳 Mondoo 6.19 is out! This release includes new Kubernetes content and UI improvements!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 IMPORTANT CHANGES

New Mondoo Policies Replace Existing Policies

We've introduced newly renamed Mondoo out-of-the-box policies. These policies include more consistent policy and UID names to distinguish security controls from best-practice controls, as well as the new scoring system mentioned below. We've marked the existing policies as deprecated to avoid impacting users at this time. You can switch to these new policies by disabling the deprecated policy and enabling the new policies in the Policy Hub. At a later date we will automatically migrate users from the existing policies to these new policies. Stay tuned for more details!

New Policy Scoring Evaluation

We've updated our out-of-the-box Mondoo policies to use a more appropriate scoring system. With this change, the overall score a policy receives now always reflects the most critical failure. Previously, we computed an average for all failed controls, which sometimes hid critical controls. With this change, high-impact controls in policies are no longer hidden by a large number of low-impact passing controls. For many users this will increase the number of low-scoring policies in their spaces by exposing controls that are failing.
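To make the scoring change concrete, here is an added Python example (not Mondoo's implementation) that scores a constructed set of control results both ways. The per-control formula (100 on pass, 100 minus impact on fail, averaged over all controls in the legacy case) and the impact values are assumptions for the example. The point it shows is that the same average score can hide either one critical failure or several minor ones, whereas the worst-failure score separates the two. The same comparison applies to the scoring-system switch described in the NSA Kubernetes Hardening Guide notes earlier on this page.

```python
"""Compare the two policy scoring strategies over constructed control results:
the legacy average of all controls and the new worst-failure score."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ControlResult:
    uid: str
    impact: int   # assumed 0-100 severity weight of a failing control
    passed: bool


def control_score(r: ControlResult) -> int:
    """Per-control score (assumption for this example): 100 on pass, 100 - impact on fail."""
    return 100 if r.passed else 100 - r.impact


def score_average(results: List[ControlResult]) -> int:
    """Legacy behaviour: the mean of all control scores. A single critical
    failure is diluted by every passing low-impact control around it."""
    if not results:
        return 100
    return round(sum(control_score(r) for r in results) / len(results))


def score_worst(results: List[ControlResult]) -> int:
    """New behaviour: the score of the most critical failed control, so one
    critical failure drives the policy score however many controls pass."""
    failed = [r for r in results if not r.passed]
    if not failed:
        return 100
    return min(control_score(r) for r in failed)


def masked_critical() -> List[ControlResult]:
    """Constructed: 19 passing low-impact controls and one failed critical control."""
    low = [ControlResult(f"low-{i}", impact=20, passed=True) for i in range(19)]
    return low + [ControlResult("critical-anon-auth", impact=100, passed=False)]


def many_minor() -> List[ControlResult]:
    """Constructed: 5 failed low-impact controls and 15 passing controls."""
    failed = [ControlResult(f"minor-{i}", impact=20, passed=False) for i in range(5)]
    return failed + [ControlResult(f"ok-{i}", impact=50, passed=True) for i in range(15)]


def compare(results: List[ControlResult]) -> Dict[str, int]:
    return {"average": score_average(results), "worst": score_worst(results)}


if __name__ == "__main__":
    # Both constructed policies average to 95, but only the worst-failure score
    # separates "one critical failure" (0) from "a few minor failures" (80).
    print("masked critical:", compare(masked_critical()))
    print("many minor:     ", compare(many_minor()))
```

The two constructed result sets are deliberately built so that the averages coincide: a fleet dashboard sorted by average score would rank them identically, while the worst-failure score puts the policy with the critical failure at the top of the list.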

GitHub Discussions open for business

Problem: You have a question about writing policies or scanning hosts with Mondoo, but nothing comes up in search engines, and waiting on Slack responses can take forever.

Solution: We decided to move our main community presence to GitHub Discussions. Slack is fantastic for real-time discussions, but it's problematic for getting quick answers to common questions. With GitHub Discussions, every question asked in the past is available in search. Over time this builds up an extensive FAQ resource. You can find these discussions at https://github.com/orgs/mondoohq/discussions. We already started to move interesting topics there, so you'll find plenty of MQL guidance. We'll still be around on Slack and Discord for interactive chat, but prefer to discuss common topics on GitHub now.

🎉 FEATURES

New Kubernetes Security Policies

Problem: Your Kubernetes workloads are secure, but you want to ensure that the cluster and cluster nodes are also secured.

Solution: We've introduced a number of new controls for the Kubernetes API Server and Kubelets to keep your cluster secure:

Policy | Applies To
Ensure the kube-apiserver is not listening on an insecure HTTP port | API Server
Ensure the kube-apiserver does not allow anonymous authentication | API Server
Deployments should not run Tiller (Helm v2) | Deployments
Pods should not run Tiller (Helm v2) | Pods
Deployments should not run Kubernetes dashboard | Deployments
Pods should not run Kubernetes dashboard | Pods
Disable anonymous authentication for kubelet | Kubelets
Configure kubelet to capture all event creation | Kubelets
Configure kubelet to ensure IPTables rules are set on host | Kubelets
Configure kubelet to protect kernel defaults | Kubelets
Do not allow unauthenticated read-only port on kubelet | Kubelets
Ensure the kubelet is not configured with the AlwaysAllow authorization mode | Kubelets
Configure kubelet to use only strong cryptography | Kubelets
Run kubelet with a user-provided certificate/key | Kubelets
Run kubelet with automatic certificate rotation | Kubelets
Ownership and permissions of kubelet configuration should be restricted | Kubelets
Specify a kubelet certificate authorities file and ensure proper ownership and permissions | Kubelets
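The API Server and Kubelet rows in the table map to concrete settings on the node. The following Python example is added here (it is not Mondoo's policy code) and evaluates a constructed kube-apiserver command line and a parsed KubeletConfiguration against those checks. The field names are the real kubelet.config.k8s.io/v1beta1 keys; the sample values, the stat data standing in for os.stat(), and the cipher allowlist are assumptions for the example.

```python
"""Evaluate a constructed kube-apiserver command line and KubeletConfiguration
against the API server and kubelet checks in the table above. Field names are
the real KubeletConfiguration (kubelet.config.k8s.io/v1beta1) keys; values,
file stat data and the cipher allowlist are assumptions for this example."""
from typing import Dict, List, Optional, Tuple

# Constructed kube-apiserver command line with two weak settings.
APISERVER_ARGS: List[str] = [
    "kube-apiserver", "--insecure-port=8080", "--anonymous-auth=true",
    "--secure-port=6443",
]

# Constructed KubeletConfiguration as it would look after parsing config.yaml.
KUBELET_CONFIG: Dict = {
    "authentication": {
        "anonymous": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 10255,
    "protectKernelDefaults": False,
    "makeIPTablesUtilChains": True,
    "eventRecordQPS": 5,
    "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
    "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
    "rotateCertificates": True,
    "tlsCipherSuites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
}

# Constructed stat data: path -> (mode, uid, gid), standing in for os.stat().
FILE_STAT: Dict[str, Tuple[int, int, int]] = {
    "/var/lib/kubelet/config.yaml": (0o644, 0, 0),
    "/etc/kubernetes/pki/ca.crt": (0o644, 1000, 1000),
}

# Assumed allowlist: forward-secret AEAD suites only.
STRONG_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
}


def flag_value(args: List[str], name: str) -> Optional[str]:
    """Value of `name=value` or `name value` on a command line, None if absent."""
    for i, arg in enumerate(args):
        if arg == name and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None


def file_restricted(path: str, fstat: Dict[str, Tuple[int, int, int]],
                    max_mode: int = 0o644) -> bool:
    """True when the file exists, is owned by root:root and grants no bits beyond max_mode."""
    if path not in fstat:
        return False
    mode, uid, gid = fstat[path]
    return uid == 0 and gid == 0 and ((mode & 0o777) & ~max_mode) == 0


def evaluate(args: List[str] = APISERVER_ARGS, cfg: Dict = KUBELET_CONFIG,
             fstat: Dict[str, Tuple[int, int, int]] = FILE_STAT) -> Dict[str, bool]:
    """Map each control to pass (True) or fail (False)."""
    auth = cfg.get("authentication", {})
    ca_file = auth.get("x509", {}).get("clientCAFile")
    suites = cfg.get("tlsCipherSuites") or []
    insecure_port = flag_value(args, "--insecure-port")
    return {
        "apiserver: no insecure HTTP port": insecure_port in (None, "0"),
        "apiserver: anonymous auth disabled": flag_value(args, "--anonymous-auth") == "false",
        "kubelet: anonymous auth disabled": auth.get("anonymous", {}).get("enabled") is False,
        # eventRecordQPS 0 removes the rate limit so every event is recorded
        "kubelet: capture all event creation": cfg.get("eventRecordQPS") == 0,
        "kubelet: iptables util chains on host": cfg.get("makeIPTablesUtilChains") is True,
        "kubelet: protect kernel defaults": cfg.get("protectKernelDefaults") is True,
        # the kubelet default for readOnlyPort is 10255; 0 disables it
        "kubelet: read-only port disabled": cfg.get("readOnlyPort", 10255) == 0,
        # the kubelet default authorization mode is AlwaysAllow when unset
        "kubelet: authorization not AlwaysAllow": cfg.get("authorization", {}).get("mode", "AlwaysAllow") != "AlwaysAllow",
        "kubelet: strong ciphers only": bool(suites) and set(suites) <= STRONG_SUITES,
        "kubelet: user-provided cert/key": bool(cfg.get("tlsCertFile")) and bool(cfg.get("tlsPrivateKeyFile")),
        "kubelet: certificate rotation": cfg.get("rotateCertificates") is True,
        "kubelet: config file restricted": file_restricted("/var/lib/kubelet/config.yaml", fstat),
        "kubelet: CA file set and restricted": bool(ca_file) and file_restricted(ca_file, fstat),
    }


def failed_controls(**kw) -> List[str]:
    return [name for name, ok in evaluate(**kw).items() if not ok]


if __name__ == "__main__":
    for name in failed_controls():
        print("FAIL", name)
```

On a node, `args` would come from the kube-apiserver process command line, `cfg` from parsing the kubelet's `--config` file, and `fstat` from `os.stat()` on the referenced paths; the functions take these as parameters so the constructed data can be swapped for real input without changing the checks.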

NSA/CISA Kubernetes Hardening Guidelines Preview Policy

Problem: You want to secure your Kubernetes infrastructure against the latest NSA/CISA guidance.

Solution: Mondoo now includes a preview policy implementing the NSA/CISA guidance. This guidance looks at Kubernetes security in the control plane, cluster nodes, and workloads. Stay tuned for updates to this policy in the coming weeks. Be sure to check out the NSA's press release announcing this new guidance document, which includes a link to the complete PDF: https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/

Long Lived Registration Tokens

Problem: You want to automate the registration of new nodes into the Mondoo Platform, but it's difficult when new registration tokens need to be generated constantly.

Solution: You can now generate long-lived (non-expiring) registration tokens in the UI. These are ideal for automated processes like auto-scaling groups, where tokens are stored in secrets management systems and cannot expire.

Non-expiring Tokens

New Service Account UI

Problem: Each integration you set up in Mondoo adds a service account, and managing these accounts can be difficult if you want to remove unused accounts or view usage.

Solution: We've updated the service account page to make it easier to manage service accounts. The new UI exposes important information like the creation date, the last used date, and what created the account. You can also expand each item in the list to link to the integration using the service account, change permissions, or delete the account.

New Service Accounts UI

🧹 IMPROVEMENTS

EBS Volume Scanning in the Instance's Region

Problem: You want to scan AWS instances with EBS volume scanning, which avoids installing the Mondoo Client, but you run in multiple regions, which makes the cost prohibitive.

Solution: We now scan the EBS volumes of instances in the regions where the instances run. This avoids potentially costly cross-region data transfer.

More Severity Data in Policies

Problem: At first scan, Mondoo finds an enormous pile of security issues in your environment for you to tackle, but which ones are the most important?

Solution: We've continued to improve Mondoo's ability to help you prioritize your work with severities in policies. Our Windows policies now all include severity data, and Linux policies have been adjusted to make sure you're tackling the most pressing issues first.

Better Prioritized Control Views

Problem: Policies on your assets can have hundreds of controls and you need to evaluate the security of an asset at a glance.

Solution: We've improved how controls in policies are displayed to make it easier to quickly understand the security posture of your assets. Skipped policies are now displayed at the bottom of the results, allowing you to see the controls that have passed or failed more easily. This is particularly useful when viewing the results of the Mondoo Kubernetes Security policy, which has many workload controls skipped depending on the asset type. We're also now sorting by severity within each status so you can quickly see the highest severity failed controls.

You can now also manually sort on any column in the results, so you can always view the data just how you like.

Sorted Controls

Problem: The Top 5 Recommended Actions tile shows high-impact failures that should be resolved first, but it's often hard to determine which controls have failed due to the small size of the tile and the long control names.

Solution: If part of a control name is clipped due to the size of the Top 5 Recommended Actions tile, you can now hover over the titles for a tooltip with the complete name.

Hover over in top 5

All Kubernetes Namespaces Scanned by Default

Problem: You want to scan your Kubernetes cluster, but it includes workloads from many different namespaces, which aren't scanned by default.

Solution: By default, Mondoo now scans all Kubernetes namespaces. This means a complete cluster scan can be achieved with just mondoo scan k8s. The --all-namespaces CLI flag has been deprecated and will be removed in a future release. If you'd like to limit your scans to a single namespace, you can still do this by specifying the namespace on the CLI with --namespace FOO.

πŸ› BUG FIXES​

  • Fix failures to properly filter on tags when scanning AWS instances.
  • Fix failures parsing the contents of /proc/sys when a file was empty.
  • Fix incorrect asset counts in the fleet view after an asset was deleted.
  • Kubernetes manifest names in the shell now show as the file name and not the file's directory.
  • Improve help text to make it more clear what commands do.
  • Remove the undocumented mondoo scan github user sub-command. Stay tuned for the return of this command with more clear use cases for scanning all user repositories.
  • Use sysctl to scan Linux kernel parameters where we can to prevent failures scanning /proc/sys in some scenarios.
  • Properly read the exit codes of commands that are executed on Docker containers.
  • Improve error output when connecting to AWS accounts.
  • Do not panic when querying a single k8s resource without providing id/name.
  • Do not fail when using k8s.networkPolicies if a cluster has the Calico CNI.
  • Registration tokens properly refresh in the integrations setup UI pages.
  • Prevent failures to scan EC2 instances when a single keypair is missing.
  • Fix failures using MS365 certificate authentication.
  • Fix failures in search filtering for Kubernetes admission controller assets.

· 4 min read

🥳 Mondoo 6.18 is out! This release includes new policies and better out-of-the-box Kubernetes scanning!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


🎉 FEATURES

NIST Special Publication 800 Preview Policies for AWS

Problem: You need to comply with NIST Special Publication 800 guidance in your AWS environment.

Solution: We're introducing a preview of five new NIST SP 800 policies to help you keep your systems in compliance with US federal government requirements.

NIST 800 Policies

Kubernetes Asset Scanning By Default

Problem: You want to scan your Kubernetes cluster and apply the Mondoo Kubernetes Security and Kubernetes Best Practices policies to all of the workloads in your cluster. But without extra flags, only the cluster shows up and the new policies don't apply.

Solution: Mondoo Kubernetes scans now automatically scan cluster objects as assets. This provides a much more Kubernetes-friendly view of where security problems exist within your cluster. You can use our new policies with dozens of controls that aren't present in the legacy Kubernetes Application Benchmark policy.

Kubernetes Assets

Expanded HashiCorp Terraform GitHub Action Support

Problem: You want to set up the Mondoo GitHub Action to ensure the security of HashiCorp Terraform plans and state files so you can be confident in your changes before you apply them.

Solution: The Mondoo GitHub Action 0.7.0 now includes two new actions for scanning your Terraform code:

🧹 IMPROVEMENTS

Simplified Terraform State File Resource

Problem: You want to query resources in Terraform state files without writing complex queries that dig deep into the files.

Solution: We've simplified MQL access to resources from the Terraform state files.

Before this release, you had to iterate over all Terraform modules to get access to the resources:

cnquery> terraform.state.rootModule.resources { providerName == "registry.terraform.io/hashicorp/null" }
terraform.state.rootModule.resources: [
  0: {
    providerName == "registry.terraform.io/hashicorp/null": true
  }
]

With this release, you can now access the resources directly from the state:

cnquery> terraform.state.resources
terraform.state.resources: [
  0: terraform.state.resource id = null_resource.ls
]

πŸ› BUG FIXES​

  • Unknown scan status coloring is now always white throughout the console.
  • Corrects control counts on the asset pages.
  • Fixes small score donut charts on the asset pages.
  • Searches of scans from the Kubernetes Admission Controller are now case insensitive.
  • Adds missing breadcrumb links on the main Fleet page.
  • Corrects sample PowerShell setup commands on the Workstation Integration page.
  • Makes the asset type summary text more consistent.
  • Properly detects an asset's platform.
  • Improves the reliability and performance of removing policies and assets.
  • Improves reliability of EBS volume scans with the AWS integration.
  • mondoo.version queries now return the correct Mondoo Client version.
  • Resolves errors deleting CI/CD jobs.
  • Resolves Kubernetes cluster names reverting to UID from the friendly name in the CI/CD view.
  • Improves the reliability of CIS Kubernetes controls that inspect the state of the Kubelet.
  • mondoo scan aws ec2 ebs now respects the --option region option.
  • Resolves an error that could cause creation of empty AWS account assets when scanning instances.
  • Prevents errors in the Linux Security by Mondoo policy when /etc/shadow is not present on a system.
  • Container images no longer show up in the fleet view as container registries during scans.
  • Fixes parsing of OS uptime on some Linux distributions.
  • Corrects reporting of Kubernetes integration errors during cluster scans.
  • Scanning a Kubernetes cluster with an invalid namespace specified no longer creates an empty cluster asset.