72 posts tagged with "mondoo"

· 4 min read

🥳 Mondoo 6.10 is out! This release includes Kubernetes resource scanning and expanded OS support.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Kubernetes Resource Scanning​

Problem: You want to secure not just your Kubernetes cluster control plane and nodes, but also the workloads you deploy to your cluster. You need visibility into the security of each of the running workloads.

Solution: Mondoo now scans each workload type as a dedicated asset, with new security and best practice policies applied to each asset. This means you'll now get not only scans of your cluster nodes and overall cluster control plane configuration, but also Pods, CronJobs, StatefulSets, DaemonSets, Jobs, and Deployments. These new assets provide more granular visibility into the workloads deployed onto your clusters and make it easy to disable or skip controls on particular workloads.

Results of Pod Scans:

Fleet View for PostgreSQL

In addition to these new assets, we're also shipping new Kubernetes Security and Kubernetes Best Practice policies. These new policies replace the existing Kubernetes Application Benchmark policy and apply only to the new Kubernetes resource assets. We decided to break out our combined security and best practices policy so that it would be easier to distinguish security violations from best practice violations at a glance. Since these policies scan individual Kubernetes assets instead of the cluster as a whole, they also feature greatly improved scan output and new remediation steps, so you can more easily resolve findings.

Pod Asset with New Policies:

PostgreSQL Pod Asset

Improved Kubernetes Policy Controls:

PostgreSQL Pod Scan Result

To enable scanning of all Kubernetes resources as individual Mondoo assets, pass the --discover all flag when scanning clusters:

mondoo scan k8s --discover all

Stay tuned for resource scanning directly in the Mondoo Kubernetes Operator and even more improvements to out-of-the-box Kubernetes policies in the coming weeks!

Google Container Operating System Support Preview​

Problem: When scanning Google Kubernetes Engine (GKE) clusters, you want to ensure the security of the cluster nodes running the Google Container OS Linux distribution.

Solution: Mondoo now includes preview support for the Google Container Operating System (GCOS). With this release, you will now see GCOS hosts properly report their release version, EOL date, and package/service states. Stay tuned for improved detection and policy support in the coming weeks.

GCOS Asset

Kubernetes k8s.initContainer Resource​

Problem: You want to write Mondoo policies that examine the configuration of Kubernetes Init Containers in your workloads.

Solution: A new k8s.initContainer resource allows you to write policy against Kubernetes Init Containers.

InitContainer Query

🧹 IMPROVEMENTS​

Expanded Operating System Support​

We've updated Mondoo with enhanced platform end-of-life and package vulnerability data so you can scan the latest and greatest operating systems:

  • Added Alpine 3.16, Fedora 33/34/35, and VMware Photon 4 package vulnerability data.
  • Updated Amazon Linux 2022 vulnerability data for the latest preview release packages.
  • Added EOL date detection for openSUSE Tumbleweed and Clear Linux OS.
  • Updated EOL date detection for the new patch version format of VMware 7.x.x.

Linux Baseline Policy Improvements​

We continue to improve our out-of-the-box Linux Baseline policy to provide better remediation steps and to support different Linux distros.

  • Skips the Ensure permissions on /etc/shadow- are configured control instead of failing when /etc/shadow- doesn't exist on the system.
  • Updates the query in the Ensure Samba is stopped and not enabled control to support Debian/Ubuntu-based Linux distros.
  • Updates the query and remediation steps for the Ensure core dumps are restricted control to support more distros.
  • Updates the query in the Ensure login and logout events are collected control to support Ubuntu.
  • Improves remediation steps and formatting throughout the policy.

Filtering in Asset Lists​

You can now quickly filter assets by their score by clicking the A-F values at the top of the fleet page.

Asset Filtering

🐛 BUG FIXES

  • Resolves failures running scans in the Kubernetes Operator.
  • VMware Mondoo appliance now includes timesyncd to prevent platform registration failures due to time drift.
  • Resolves duplicate AWS resource counts in the AWS integration pages.
  • Resolves potential failures in Mondoo Client when reporting scan results.
  • Reports all Mondoo Client scans within GitHub Actions when running the Mondoo action in multiple jobs or steps within the same workflow.
  • Resolves incorrect steps in the VMware Integration page.
  • Resolves failures in MQL when using if/else statements that have single-valued blocks.
  • Resolves the fleet summary pages sometimes showing an incorrect summary breakdown of asset scores.

· 4 min read

🥳 Mondoo 6.9 is out! This release includes new Kubernetes pod scanning and top CVEs in the space overview!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Top Platform Vulnerabilities on Overview​

Problem: You want to find the critical CVEs in your environment quickly.

Solution: The Mondoo Overview page now shows your space's top five platform vulnerabilities. This new view lets you quickly determine the most impactful vendor advisories and how many assets are affected by each advisory. The individual advisories link to detailed information pages summarizing the included CVEs and impact. You can also click View All to see all security advisories in your space.

Container CVEs

Kubernetes Pod Scanning​

Problem: You have hundreds or even thousands of different workloads in your Kubernetes clusters, and you want to see the security status of individual workloads instead of just the cluster as a whole.

Solution: This week, we're shipping our first slice of Kubernetes resource scanning with pod scanning. With this new discovery mode, each pod in your cluster becomes an asset within Mondoo. Policies are applied at the pod level, and you can write MQL queries against these pods instead of the whole cluster. This gives you more granular workflow scanning and improved alerting.

Pod Asset

To start discovering pods as assets during your Kubernetes scans, run mondoo scan k8s --discover pods.

Stay tuned for next week's release when we introduce more new Kubernetes resources as Mondoo assets, along with new out-of-the-box policies for scanning these assets.

Mondoo Kubernetes Operator 1.0​

We started our open source Mondoo Operator for Kubernetes project in January of this year. Since then, the Mondoo team has been busy extending the functionality, ensuring stability, and squeezing every ounce of performance out of the codebase. This week after 300 pull requests merged, we shipped the 1.0 release.

What does 1.0 mean for me?

1.0 means we're confident in the functionality and stability of the project. Additionally, since Mondoo follows Semantic Versioning, we won't intentionally break any configuration interfaces in subsequent 1.x releases. Config stability between minor releases makes upgrades easier without requiring stepped upgrades.

If you're still on an older Mondoo Operator release, we strongly encourage you to upgrade to 1.0. We've introduced significant new capabilities over the last few months, including pod container image scanning, rootless/read-only execution, and CronJob-based scanning. See our Mondoo Operator Upgrade documentation for more information on upgrading to 1.0.

🧹 IMPROVEMENTS​

Show Disabled and Ignored Controls​

Disabled and Ignored controls in policies are now visually indicated in assets' policies, making it clear which policies impact scoring.

Status Indication in Policies

Simpler Asset Deletion​

You can now delete assets directly on the asset page by clicking the delete icon.

Asset Deletion

If you're one to live dangerously, you can even opt out of warnings and delete assets with just a single click.

Opt Out of Warnings

Improved Linux EOL Detection​

We've improved the EOL operating system detection in Mondoo Client to support the following new Linux releases:

  • Alpine 3.16
  • openSUSE 15.4
  • Oracle Linux 9
  • Rocky Linux 9
  • SUSE Linux Enterprise 15.4

MQL Improvements​

We've updated MQL's platform resource to improve gathering information on assets. A new platform.title value exposes a human-friendly version of the platform's name, and the platform.version value has been deprecated in favor of platform.release.

Mondoo Shell

🐛 BUG FIXES

  • Resolves incorrect EOL dates for Rocky Linux 9 and SLES 15.3.
  • Adds a timeout for long running Kubernetes Operator scans.
  • Updates the VMware Appliance from Debian 11.2 to 11.4 to resolve CVEs in the underlying Debian installation.
  • Resolves failures during container image scanning.
  • Resolves failures during Terraform config file scans.
  • Resolves failures during EBS volume scans.
  • Remove references to "asset" in CI/CD run scan pages.
  • Client Linux Security Baseline's control 'Ensure / and /home are encrypted' now executes correctly on btrfs formatted partitions.
  • Users with the Mondoo viewer role can now list ChatOps integrations

· 3 min read

🥳 Mondoo 6.8 is out! This release includes Azure Pipeline / Jenkins CI/CD support and Kubernetes container image scanning!


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Azure Pipelines and Jenkins Support​

Problem: You want to set up security scanning of projects in your CI pipelines, but you're not using a CI platform supported by Mondoo.

Solution: Mondoo now supports CI integrations with Azure Pipelines and Jenkins, raising our out-of-the-box CI/CD integrations to six. Still don't see the CI/CD integration you need? Let us know at hello@mondoo.com.

CI Setup Window

Mondoo Operator for Kubernetes Container Image Scanning

Problem: You want to assess the security of not just your Kubernetes workload definitions but also the containers running in the workloads.

Solution: Following up on last week's new CLI-based container image scanning, we're now integrating public container image scanning directly into the Mondoo Operator. When enabled, the Mondoo Operator will now perform daily scans of all publicly available container images running in your Kubernetes cluster, exposing common OS misconfigurations and CVEs.

Here the Mondoo Operator for Kubernetes scans our prod-k8s cluster. It reveals the security of the three cluster nodes, all workloads deployed to the cluster, and the kube-apiserver pod:

Cluster Scan Results

We think you'll be blown away at how quickly Mondoo discovers new CVEs in the containers that make up your critical workloads. This kube-proxy container was running on a brand new Kubernetes cluster and had six different vulnerable packages:

Container CVEs

🧹 IMPROVEMENTS​

Policy and MQL Improvements​

Solution: We continue to improve the out-of-the-box Mondoo policies and the MQL resources that power those policies, giving you the most reliable scan results with Mondoo:

  • Replaced platform.runtimeEnv with the simpler platform.runtime. platform.runtimeEnv is now deprecated and will be removed in Mondoo Client 7.0.
  • Deprecated platform.virtualization.isContainer in favor of either platform.kind or platform.runtime. platform.virtualization.isContainer will be removed in Mondoo Client 7.0.
  • Added the ability to determine if a branch is the default branch with isDefault in the github.branch resource.
  • Resolved failures in the github.branch resource when branch protection is not configured.
  • Resolved failures that could occur in some valid MQL blocks, which caused failures in the Kubernetes Application Benchmark policy.
  • Resolved incorrect policy scores when all controls in a policy fail.
  • Added severity scores to the Kubernetes Application Benchmark policy to make prioritizing fixes easier.
  • Expanded the Ensure HTTP Proxy server is stopped and not enabled control in the Linux Security Baseline policy to check for the Tinyproxy proxy service.
  • Added a new platform.runtime.

🐛 BUG FIXES

  • Resolve Mondoo Operator for Kubernetes node scans of Minikube not scanning all nodes.
  • Fully clean up all Mondoo Operator resources when uninstalling.
  • Use a Red Hat UBI-based Mondoo image when scanning in Red Hat OpenShift.
  • Fix handling of the Mondoo Operator's running UID when running in OpenShift.
  • Add a liveness probe to the Mondoo Operator pods to improve Mondoo scan scores.
  • Resolve potential panics when the first Kubernetes Operator check-in occurs.
  • Resolve failures to properly exit in the Kubernetes Operator when a scan request failed.
  • Reduce resource utilization by lowering the initial requested CPU and memory limits for the Kubernetes Operator's node scanning pods.

· 6 min read

🥳 Mondoo 6.7 is out! This release includes a pile of new policies and policy updates.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Summary Scan Output​

Problem: Mondoo scans print all results for every query in the CLI. However, sometimes users just want to see a quick summary of how the scan went, especially when it's collected upstream for a deeper analysis.

Solution: Mondoo now includes a new summary output mode. This mode contains just the summary portion of the Mondoo scan so you can quickly determine the security posture of systems.

Summary Scan

NSA PowerShell Policy​

Problem: Mondoo has always provided comprehensive resources for Microsoft PowerShell, but we never shipped a policy for its security best practices. This forced users to research, author, and maintain their own PowerShell policies.

Solution: Mondoo includes a new PowerShell security policy, NSA PowerShell: Security Measures to Use and Embrace. This policy implements the recommendations of the United States, New Zealand, and the United Kingdom cybersecurity agencies' whitepaper Keeping PowerShell: Security Measures to Use and Embrace.

Time Synchronization Policy​

Problem: You want to be able to ensure accurate time across systems within your organization for authentication and logging purposes.

Solution: Mondoo now includes a new Operational Best Practices for Time Synchronization by Mondoo policy for macOS, Linux, and Windows hosts to ensure that systems are correctly syncing their time.

Bundesamt für Sicherheit in der Informationstechnik (BSI) Policy

Problem: You want to be able to secure your Debian- and Red Hat-based Linux systems according to the Federal Office for Information Security (BSI) and pass a BSI audit.

Solution: Mondoo now includes a new BSI SYS.1.3 Linux and Unix Servers by Mondoo policy. BSI is a German standard for IT security, similar to SOC2 in the US. We are releasing this first policy with support for Debian- and Red Hat-based Linux to ensure that systems are correctly hardened according to the BSI requirements. This is especially helpful for users in the DACH region overall and Germany in particular.

macOS Ventura (13) support​

Problem: Apple is currently working on the next major version of its Mac operating system: macOS Ventura (release 13). It is slated for a release towards the end of this year. An early version of this new release is now available in beta and can be used today. However, the Mondoo baseline policy did not support it yet.

Solution: Mondoo Client has been tested on macOS Ventura beta and the macOS Security Baseline by Mondoo policy has been updated for this upcoming release.

New Kubernetes MQL Resources​

Solution: Mondoo now includes new StatefulSet and ReplicaSet resources so you can write policies for these resource types.

🧹 IMPROVEMENTS​

Improved Linux Policies​

Solution: Mondoo's Linux Baseline policy and various CIS Linux policies have been updated for improved reliability and to better secure your systems:

  • New: Ensure sudo logging is enabled control added to Mondoo Linux Security Baseline
  • Bugfix: Ensure SSH access is limited now passes if SSH access is limited using only AllowUsers/AllowGroups
  • Bugfix: Failures running Ensure all GIDs in /etc/passwd exist in /etc/group have been resolved
  • Bugfix: Improved reliability in Ensure that strong Key Exchange algorithms are used and Ensure only strong MAC algorithms are used control
  • Improved: Impact scores added to many controls
  • Improved: Ensure permissions on bootloader config are configured control now checks that the file is owned by root/root
  • Improved: Ensure permissions on /etc/motd are configured control now checks that the file is owned by root/root
  • Improved: Ensure permissions on /etc/issue are configured control now checks that the file is owned by root/root
  • Improved: Ensure permissions on /etc/issue.net are configured control now checks that the file is owned by root/root
  • Improved: Ensure permissions on all logfiles are configured now shows which log files do not have the proper permission in the output
  • Bugfix: Fix errors running Ensure automatic mounting of removable media is disabled
  • Bugfix: Improved compatibility with Debian in Ensure access to the su command is restricted
  • Improved: Define the hardened ciphers for all SSH configurations control now runs better on RHEL-derivative distros
  • Bugfix: Improved compatibility with Debian/Ubuntu in Define the hardened ciphers for all SSH configurations
  • Improved: Ensure permissions on all logfiles are configured now includes remediation steps to ensure future log files have the correct permissions
  • Improved: Ensure SSH root login is disabled control now allows prohibit-password value
  • Improved: Improved compatibility with Arch Linux derivatives
  • Bugfix: Fix false positives in Ensure journald is configured to compress large log files control

Improved K8s Application Policy​

Problem: Your Kubernetes workloads include not just Pods, but many other kinds of Kubernetes resources. Mondoo's Kubernetes Application Benchmark scans only Pods, missing the root cause of many security misconfigurations.

Solution: The Kubernetes Application Benchmark by Mondoo now scans not just Pods, but also StatefulSets, DaemonSets, Jobs, CronJobs, and Deployments, ensuring all the resources on your cluster are secured. With these additional queries and expanded audit instructions in the policy, you can more easily find the parent resource with the identified misconfiguration, saving you time securing your cluster.

Improved Kubernetes Operator​

Solution: The Mondoo Operator for Kubernetes has been improved to increase the security and performance of scanning. The operator now runs all Mondoo Client containers without root privileges for increased security. The operator's admission controller also now runs scans ~30% faster, while reducing memory consumption in the cluster.

🐛 BUG FIXES

  • Resolves inconsistent results when scanning Kubernetes manifests using mondoo scan vs. Mondoo Operator admission controller scans
  • Resolves failures running scans on Windows systems with the system language set to German
  • Resolves failures scanning Azure when the current stack is not set
  • Resolves two failures in MQL that could result in inconsistent or incorrect results
  • Provide user friendly error messages when scanning container images in private registries
  • Improved readability within policy results
  • Wrap long asset names in the fleet view and the asset pages

· 2 min read

🥳 Mondoo 6.6 is out! This release adds much-requested support for scanning pipelines with CircleCI, side scanning from the command line, and some nice improvements to the Linux Baseline policy for securing users and groups.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

CircleCI Support​

Problem: You want to use Mondoo natively with CircleCI projects to secure your build pipelines.

Solution: Mondoo now securely integrates with CircleCI projects to scan Kubernetes manifests, Terraform configuration files, and Docker images for common misconfigurations and CVEs. Check out the CircleCI integration documentation to learn more.

CircleCI Security Scans

AWS Side Scanning From the CLI​

Problem: You want Mondoo to scan your AWS instances, but you want to do it without SSH credentials or an SSM agent and without directly impacting your production workloads.

Solution: Mondoo now supports AWS side scanning. You can scan an EC2 instance, an EC2 EBS volume, or an EC2 EBS snapshot. See the EC2 Snapshot Scanning documentation for details.

🧹 IMPROVEMENTS​

Improved Linux Baseline Policy​

Problem: You want the best possible out-of-the-box policies for securing your Linux systems.

Solution: We updated the Linux Security Baseline policy to provide additional security recommendations. We've added 12 new controls to validate that users and groups are configured correctly on your Linux systems.

Multiline Support in Mondoo Shell​

Problem: Writing complex MQL queries on one line can be frustrating.

Solution: The Mondoo shell now supports multiline input!

Multiline Shell

Copy MRN From the Asset Detail Page​

Problem: It could be challenging to generate a properly-formed asset MRN to use with the Mondoo CLI.

Solution: You can now copy the MRN for any asset from that asset's detail page.

Copy MRN

Total Scans From the Vulnerability Page​

Problem: Mondoo didn't provide enough context about vulnerability scans. It provided the number of findings, but didn't show the total number of objects scanned. If you had a system with no vulnerabilities, it could appear that Mondoo wasn't doing anything!

Solution: Mondoo now also shows the total number of objects scanned in a vulnerability scan.

🐛 BUG FIXES

  • Resolves improperly failing queries in the macOS policy
  • The Linux Security Baseline policy now correctly detects apache2 on Debian-based Linux distributions
  • Improved Kubernetes admission controller reliability on small Kubernetes clusters

· 3 min read

🥳 Mondoo 6.5 is out! This release is all about quality-of-life improvements and bug fixes.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🧹 IMPROVEMENTS​

Kubernetes Scanning Enhancements​

The Kubernetes admission controller scanning in the CI/CD tab could be quite busy, and it was often difficult to find new deployment scans in this UI. We revamped how scanning occurs in the Mondoo Kubernetes Operator 0.5.0, with scans now only occurring on Kubernetes resources. This means you'll no longer see scans for each new pod generated during auto scaling, cron jobs, or otherwise. This makes it much easier to see the security status of new workloads entering the cluster.

We also improved the performance of Docker image scans. This should greatly improve the experience of users running the container image discovery in Kubernetes scans, which we introduced in Mondoo 6.2. If you haven't tried image scanning in your Kubernetes scans, be sure to try mondoo scan k8s --discover all and keep an eye out for more cluster asset discovery features in future releases.

Improved Integration Status​

Life isn't binary, and neither are our integration status fields now. We updated how Mondoo integrations report their status to include a new Pending status. This better describes the status of integrations that haven't failed but instead just haven't reported to Mondoo Platform yet.

Pending Integration

Many small improvements​

  • The CVE view on the individual asset now shows the total number of packages scanned
  • The Continuous Integration view now shows a timestamp for each branch scanned
  • The installation and usage instructions for HashiCorp Packer & HashiCorp Terraform in the Integrations page are much more useful

🐛 BUG FIXES

  • Improved the readability of buttons on the SAML setup page
  • Fixed the "Load More" button not working when viewing CVEs tied to an individual asset
  • Scanning Microsoft Azure with Mondoo Client no longer requires a URL
  • Container scans now properly set platform architecture
  • SSHD config file scanning in Linux Security Baseline by Mondoo now properly parses all recognized time string formats
  • Improved the Ensure filesystem integrity is regularly checked query in the Linux Security Baseline by Mondoo policy to also support running Aide as a systemd timer
  • Improved the Pod should not run with default service account query in the Kubernetes Application Benchmark by Mondoo policy to not fail when a manifest doesn't specify the service account

· 3 min read

🥳 Mondoo 6.4 is out! This release includes new GitHub resources and improvements to the Linux Baseline policy.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

New GitHub Resource Capabilities​

Problem: Customers want to write Mondoo policies to ensure the security of their GitHub repositories and organizations

Solution: Mondoo is writing resources to allow users to gather critical information about the security stance of their GitHub Organization and any public repositories they wish to examine.

Connect to mondoo shell to begin discovering more about your GitHub infrastructure:

mondoo shell -t github --option token=${GH_TOKEN} --option login=USERNAME

mondoo shell -t github --option token=${GH_TOKEN} --option organization=ORGANIZATIONNAME

Ask questions and discover:

github.organization { repositories { files { path type  isBinary files { path type  isBinary files  } } }}

github.repository("chris-rock/bubbletea") { files { content} }

Assess:

github.organization { repositories { default=defaultBranchName branches.where(name == default) { protected }}}

github.repository("chris-rock/bubbletea") { archived == false hasIssues == true}

Keep an eye out for our GitHub Security Policy that should be shipping in the next month 🎉

New Enterprise Windows Installer​

Problem: Customers want to fully automate the installation of Mondoo on Windows using MDM or configuration management solutions.

Solution: A new enterprise Mondoo MSI Installer (mondoo-enterprise.msi) has been created to make the automated setup of Mondoo simpler. This new installer requires a REGISTRATIONTOKEN value, which it uses to automatically register the system with Mondoo and then start the service.

🧹 IMPROVEMENTS​

Improved Linux Baseline Policy​

Problem: Customers want the best possible out of the box policies for securing their Linux systems

Solution: We updated the Linux Security Baseline policy to provide additional security recommendations as well as more reliable checks. All checks involving systemd services now check to see if the service is both running and enabled. The Ensure filesystem integrity is regularly checked query now matches the remediation steps. We also updated a number of remediation steps to include SLES instructions.

🐛 BUG FIXES

  • Improve the display of the Mondoo Console on mobile devices
  • Display error messages when the AWS integrations fail to scan instances
  • Add links to OpenShift and cert-manager on the K8s Integration setup page
  • Fix invalid example code in the 'Generate Long-Lived Credentials' Integration page
  • Return actual asset error when scanning on CLI without policies set
  • Fix remediation steps for privileged containers in the Kubernetes Application Benchmark by Mondoo
  • Fix the Mondoo Client Windows service failing to stop
  • Various fixes to the junit output from Mondoo Client
  • Only scan unique container images when running mondoo scan k8s --discover=all
  • Remove version checks in the Mondoo Operator that block upgrading an existing operator

· 4 min read

🥳 Mondoo 6.3 is out! This release includes significant UI updates, a new Packer plugin, agentless scans of AWS infrastructure, querying across AWS Organizations, and substantial speed improvements in Kubernetes scans.


Get this release: Installation Docs | Client Download | Installation Service | Docker Container | Kubernetes Operator


🎉 FEATURES

Refreshed Overview Page​

Problem: Customers didn't have immediate access to the essential information about their infrastructure when logging into the Mondoo console.

Solution: The Overview page has been refreshed to focus only on the most pertinent information. Customers can now see information about their Kubernetes integrations directly from the Overview page. If customers are not using Mondoo with Kubernetes or Amazon AWS, the Overview page will no longer show cards for these technologies.

Look for additional improvements to the Overview page in the coming weeks.

Overview Page

Information about managed clients is no longer part of the Overview page. Instead, you can now access the list of managed clients via the Integrations page.

Integrations Marketplace​

Problem: Customers find it difficult to install Mondoo in their infrastructure and quickly get started with scans.

Solution: The Integrations page has been completely re-designed. With the new Integrations Marketplace, it's easy to find, install, and manage your Mondoo integrations and clients from this single location.

Integrations Page

Packer Plugin Mondoo​

Problem: Customers who want to use Mondoo to secure the machine images they create with HashiCorp Packer face a lot of complexity, manual downloads, and manual configuration.

Solution: Mondoo is now available as a native, open source Packer plugin. You can include Mondoo directly in any Packer 1.7 or higher build by adding these blocks to your template:

packer {
  required_plugins {
    mondoo = {
      version = ">= 0.2.1"
      source  = "github.com/mondoohq/mondoo"
    }
  }
}

build {
  ...

  provisioner "mondoo" {
    score_threshold = 80
    on_failure      = "continue"
    asset_name      = "${var.image_prefix}-${local.timestamp}"
  }
}

Check out our getting started guide on Building Secure AMI Images with Mondoo and Packer for more details, and add Mondoo to your Packer builds today!

Agentless AWS EBS Volume Scanning​

Problem: Customers need to ensure that a specific EC2 instance meets security and policy standards but have no direct access to that instance. They need a way to inspect EC2 instances externally without losing scan fidelity.

Solution: Agentless AWS EBS Volume Scanning lets Mondoo perform agentless, read-only evaluation of EC2 instances without accessing the instances directly. Mondoo can quickly scan any instance, snapshot, or volume without accessing production workloads.

Requirements:

  • Requires the ability to run mondoo client in the same AWS account as the infrastructure you wish to scan. (AWS CloudShell is excellent for this!)
  • The scanner needs permission to list instances, copy snapshots, create volumes, and attach volumes to instances.

Here's an example AWS security policy to enable Agentless AWS EBS Volume Scanning:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Created By": "Mondoo"
        }
      },
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:CopySnapshot",
        "ec2:CreateTags",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey",
        "kms:ReEncryptFrom"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      },
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
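
The policy above allows attach, detach, and delete only on resources tagged "Created By": "Mondoo". The following is an added example, not Mondoo's code, of a review check that flags any Allow statement granting those actions without a resource-tag condition; the function names and the DESTRUCTIVE set are assumptions made for illustration, and the weak policy is constructed.

```python
import fnmatch
import json

# Actions the policy above gates on the "Created By" tag (set chosen for this example).
DESTRUCTIVE = ("ec2:AttachVolume", "ec2:DeleteSnapshot",
               "ec2:DeleteVolume", "ec2:DetachVolume")

def as_list(value):
    """IAM accepts a single string or a list for Action and Statement."""
    return value if isinstance(value, list) else [value]

def has_tag_condition(stmt):
    """True if the statement requires an aws:ResourceTag/... match.
    Operators ending in IfExists are not accepted: they pass when the tag is absent."""
    cond = stmt.get("Condition", {})
    for op in ("StringEquals", "StringLike"):
        if any(k.lower().startswith("aws:resourcetag/") for k in cond.get(op, {})):
            return True
    return False

def unscoped_destructive(policy):
    """List (statement index, action) granted by an Allow with no tag condition."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or has_tag_condition(stmt):
            continue
        for pattern in as_list(stmt.get("Action", [])):
            for action in DESTRUCTIVE:
                # IAM action names are case-insensitive and may contain * or ?
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((i, action))
    return findings

# Trimmed copy of the policy above (the KMS statements are left out).
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Condition": {"StringEquals": {"aws:ResourceTag/Created By": "Mondoo"}},
   "Action": ["ec2:AttachVolume", "ec2:DetachVolume",
              "ec2:DeleteVolume", "ec2:DeleteSnapshot"]},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:CreateSnapshot", "ec2:CreateVolume", "ec2:DescribeVolumes"]}]}""")

# Constructed weak variant: delete actions granted by an unconditioned wildcard.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:Create*", "ec2:Delete*", "ec2:DescribeVolumes"]}]}""")

if __name__ == "__main__":
    print(unscoped_destructive(PAGE_POLICY), unscoped_destructive(WEAK_POLICY))
```

A tag condition is only as strong as the control over who can set the tag: the policy above also allows ec2:CreateTags on all resources, so that grant belongs in the same review (for example, restricting it with the ec2:CreateAction condition key).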

Example usage:

mondoo scan aws ec2 ebs <INSTANCEID>
mondoo scan aws ec2 ebs volume <VOLUMEID>
mondoo scan aws ec2 ebs snapshot <SNAPSHOTID>

AWS Cross-Organization Queries

Problem: Customers with many AWS accounts in their AWS Organization need to know about all of their infrastructure, regardless of the associated AWS account.

Solution: Using the Mondoo AWS integration, customers can now search across every AWS account associated with their AWS Organization. Find abandoned or untagged resources, or locate every resource tagged to a particular project or cost center quickly and easily.

Example: I need to find a particular S3 bucket, but I don't know in which AWS account it may be located. I only know part of the bucket name.

mondoo exec --integration-mrn //integration.api.mondoo.app/spaces/<SPACE_ID>/aws/<INTEGRATION_ID> 'aws.s3.buckets.where(name.contains("lostbucket"))'

🧹 IMPROVEMENTS

Kubernetes Scan Speed Improvements

Problem: Initial scans of Kubernetes clusters were too slow.

Solution: Optimizations in the Kubernetes scan code have reduced test scan durations from 2min 10s to only 9s!

πŸ› BUG FIXES​

  • Using the processes.list MQL resource on a Docker container will no longer run the container out of file handles
  • Fleet-wide statistics now correctly include unscored assets
  • The Mondoo console has been updated to use Mondoo's new logo

· One min read

🥳 Mondoo 6.2 is out! This release adds automatic container discovery for Kubernetes and support for Amazon Linux 2022.



🎉 FEATURES

Automatic Container Discovery for Kubernetes

Problem: Customers couldn't secure containers running within Kubernetes clusters.

Solution: Mondoo automatically discovers and scans containers in Kubernetes clusters!

Use Mondoo to not just scan Kubernetes cluster and pod configurations, but also all the containers running within your Kubernetes clusters by enabling discovery in command line scans:

mondoo scan k8s --discover=all

This scan will return results for the overall Kubernetes cluster and pod security, a new asset scan for each running container, and a link to the Mondoo console.

Container Scan

Amazon Linux 2022 Support

Problem: Customers could not be certain that Mondoo would work as expected with the Amazon Linux 2022 preview release.

Solution: Mondoo has been fully tested on Amazon Linux 2022 Preview, and Mondoo now supports using Mondoo Client with Amazon Linux 2022 Preview.

Bug Fixes and Performance Improvements

About a half-dozen minor stability improvements under the hood.

· 3 min read

🥳 Mondoo 6.1.1 is out! This release adds additional support for Red Hat Linux and AlmaLinux 9 and improvements for working with AWS and K8s.



🎉 FEATURES

EU Region Support

Problem: Customers in the EU are subject to local regulatory requirements and need the data storage and processing that Mondoo performs on their behalf to physically occur in Europe.

Solution: Mondoo has added a new cloud infrastructure in the EU. Customers can now create and join organizations and spaces in the EU region. All data created and processed in the EU region happens on servers located in data centers within the EU.

Just click on the US / EU region pulldown in the Mondoo UI to switch regions.

Mondoo Region Selector

At this time, Mondoo does not support cross-region organizations or spaces.

Red Hat Linux / AlmaLinux 9 Support

Problem: Customers who wanted to upgrade to the May releases of Red Hat Linux 9 and AlmaLinux 9 were unable to use the full capabilities of Mondoo with these new operating systems.

Solution: Mondoo now supports the detection of EOL dates and package vulnerabilities for Red Hat Linux 9 and AlmaLinux 9.

🧹 IMPROVEMENTS

Additional Resources Shown in AWS Accounts

Problem: The AWS account integration page sometimes didn't display the information customers needed about their accounts.

Solution: The AWS Account integrations page now displays the number of EC2 Snapshots, Cloudwatch LogGroups, Lambda Functions, Config Recorders, and EKS clusters.

Kubernetes Custom Resources Support in MQL

Problem: When writing policies to inspect Kubernetes installations, customers need to easily interrogate their Kubernetes custom resources.

Solution: The MQL query language now exposes Kubernetes custom resources for use in policies as k8s.customresource.

k8s.customresource usage example

πŸ› BUG FIXES​

  • AWS SSM scans should no longer fail due to AWS SSM timeouts
  • Fetch the default registry entries on Windows in addition to the explicitly set registry entries
  • Improve Linux Security Baseline policy queries and remediation steps to reduce errors
  • EBS volume-based scans of AWS EC2 instances are more reliable
  • The filtering of assets by AWS integration now works as intended
  • Add missing UI breadcrumbs from CI/CD scan jobs back to their projects
  • Fix the load more button in a CI/CD project not loading more jobs
  • Fix service checks when scanning hosts using the fs transport
  • Fix failures in the Platform End-of-Life Policy