155 posts tagged with "mondoo"

· 5 min read

🥳 Mondoo 9.14 is out! This release includes agentless Azure VM scanning, new MQL helpers, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Scan Azure VMs / snapshots / disks

Use new Azure scanning capabilities to scan running VMs, instances, or disks without deploying or managing agents.

Scan snapshots of your VMs to perform agentless scans without impact to your running workloads:

cnspec scan azure compute snapshot <snapshot-name> --client-id <id> --tenant-id <id> --client-secret <value>

Scan snapshots outside your current resource group using the fully qualified Azure resource ID:

cnspec scan azure compute snapshot "/subscriptions/subId/resourceGroups/my-rg/providers/Microsoft.Compute/snapshots/test-debian-snap" --client-id <id> --tenant-id <id> --client-secret <secret>

Scan disks on running VMs with automatic running disk cloning:

cnspec scan azure compute disk <disk-id> --client-id <id> --tenant-id <id> --client-secret <value>

Not concerned about the impact to running workloads? Scan VMs directly without managing agent deploys:

cnspec scan azure compute instance <instance-name> --client-id <id> --tenant-id <id> --client-secret <value>

New MQL helpers for policy authoring

New helpers for MQL give you the power to create robust security and compliance policies to meet your custom business needs.

Quickly access data in a map

Use dot notation to access data in maps:

cnquery> {a: 1, b: 2, c:3}.a
[a]: 1

Check whether a time is within a range

See if time values fall within a range. This works with all timestamps:

cnquery> password.lastChangedDate.inRange(time.now-90*time.day, time.now)
[ok] value: true

Check whether a number is within a range

See if an integer value is within a range:

cnquery> 2.inRange(1,3)
[ok] value: true

Check strings against a list of values

Check a string value against a list of acceptable values:

cnquery> "PASS".in(["PASS","ALLOW","OK"])
[ok] value: true

Parse duration values

Work with duration values using a new duration helper:

cnquery> parse.duration("3d")
parse.parse.duration: 3 days
cnquery> parse.duration("7days")
parse.parse.duration: 7 days

Check the contents of maps

Check keys, values, and combination of the two within maps:

{'a': 1, 'b': 2}.contains( key == 'b' )
{'a': 1, 'b': 2}.all( value > 0 )
{'a': 1, 'b': 2}.one( value != 1 )
{'a': 1, 'b': 2}.none( key == /d-f/ )

Semantic version parsing

Compare versions without the need for complex integer parsing:

cnquery> semver('1.9.0') < semver('1.10.0')
[ok] value: "1.9.0"

New Email Security policy

A new Email Security policy includes 14 new checks for critical email security protocols, including:

  • Sender Policy Framework (SPF)
  • Domain Keys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting & Conformance (DMARC)

This policy really shines with our continuous domain and IP scanning integration (released in Mondoo 9.11). It's also handy on the CLI using cnspec.

Email Security policy checks

New Terraform Asset Inventory Pack

Use the new Terraform Asset Inventory Pack to inventory versions and resources within your Terraform state files, including resources on AWS, Azure, and GCP clouds.

Terraform state file inventory

🧹 IMPROVEMENTS​

macOS and Windows policy data queries moved to query packs​

To give you additional control over when cnspec collects configuration data on your assets, we've moved all data queries from our macOS and Windows security policies to the dedicated asset inventory query packs. For those who want security scanning only, this change speeds up cnspec scans. If you want to continue collecting this configuration data, enable the macOS and Windows asset inventory query packs in your space.

Expanded MQL resources

aws.rds.dbcluster

  • Fix members field to properly fetch cluster members
  • New port field
  • New endpoint field
  • New availabilityZones field

aws.rds.dbinstance

  • New port field
  • New endpoint field

terraform.state.resource

  • Add type field to the default resource output

terraform.file

  • Add path field to the default resource output

terraform.module

  • Add source field to the default resource output

terraform.state.output

  • Add identifier field to the default resource output

🐛 BUG FIXES AND UPDATES

  • Do not include out of scope control PDFs in the framework report archive.
  • Show correct exception counts in Compliance Hub controls and PDF reports.
  • Fix platform filters on Entra ID checks in the SOC 2 Security policy.
  • Prevent Kubernetes operator from failing if it cannot report scan results.
  • Add retries to provider installations.
  • Fix the status command to respect HTTP proxies.
  • Improve console load times with a 21% reduction in the size of JavaScript files.
  • Improve service restarts when upgrading Windows clients via the install.ps1 script.
  • Fix scanning registry keys over WinRM connections.
  • Don't require downloading the OS provider to collect basic OS configuration information.
  • Ensure the appropriate providers are installed when running cnspec bundle init.
  • Fix errors in the user and group resources when specifying a single user / group to query.
  • Fix the Mondoo package version to match that of cnspec and cnquery on Arch Linux.
  • Fix incorrect rendering of some CIS policies.
  • Update the EOL date for Windows 10 Pro LTSC.
  • Fix package vulnerability data not loading for some Linux distribution releases.

· 3 min read

🥳 Mondoo 9.13 is out! This release includes check exceptions and scope definition in Compliance Hub, an updated vendor advisories view, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Scoping in Compliance Hub

New scoping in Compliance Hub gives you fine-grained management of which controls you report to your auditor. Is your auditor not requesting a particular control even though it's part of the compliance framework? Select the control in Compliance Hub and mark it out of scope. With scoping, you decide what to include in your audit without setting exceptions (which would appear in audit report PDFs).

Scoping

Check exceptions in Compliance Hub

Need more time to remediate findings for your audit? Now you can set exceptions on individual checks. Explanations let you communicate work to be done or identify compensating controls.

Check Exceptions

🧹 IMPROVEMENTS​

Improved vendor security advisory view​

Redesigned vendor security advisory pages make it easier to understand the impact of an advisory and what actions you need to take next.

Advisory page

Resource updates

We've added new resources and fields to give you access to even more data.

aws.ecs.cluster

  • Default fields now display name, region, status, runningTasksCount, and pendingTasksCount
  • New region field

aws.rds.dbcluster

  • New securityGroups field

ms365.sharepointonline

  • New spoSites field

ms365.sharepointonline.site

  • New resource with url and denyAddAndCustomizePages fields

🐛 BUG FIXES AND UPDATES

  • Fix failures running cnspec vuln on Windows and Pop!_OS hosts.
  • Include the platform IDs and EC2 instance ARNs in SBOM exports.
  • Add back ECR and ECS discovery using the --discovery flag that was removed in 9.0.
  • Replace incorrect error message when failing to query Amazon GuardDuty.
  • Do not show disabled compliance controls in cnspec scans.
  • Don't clip the bottom pixels of the Mondoo logo in the console.
  • Update the macOS client installation setup instructions in the integrations page to install without Homebrew.
  • In exceptions lists, show the most recent exceptions first in each day's view.
  • Avoid failures running the Asset Count Query Pack on Microsoft 365 assets.
  • Fix remediation steps in the Linux Security policy's "Ensure SSH Idle Timeout Interval is configured" check. Thanks for this fix, @tomtrix!
  • Add properties to CIS/Mondoo Windows policies to allow tuning the maximum idle time of the Remote Desktop Services sessions.
  • Fix policy filtering on the asset checks page.
  • Improve console load times on low bandwidth connections by 70%.
  • Don't show the filter search bar on the asset checks page if there are no checks.
  • Prevent failures on Azure and Microsoft 365 assets in the SOC 2 Compliance Checks policy.
  • Improve the display of summary data on CVE pages.
  • Add tooltips to risk factors on CVE pages to make it easier to understand scoring.
  • Fix failures registering cnspec/cnquery 8.x clients.
  • Fix failures generating compliance PDF reports.
  • Improve performance loading CVE/advisory pages, individual asset pages, and the security dashboard.
  • Add an Alias directive to the system unit file definition for cnspec.
  • Update VMware Photon 4 EOL date.
  • Simplify Linux client installation on integration pages by using the install.sh script.
  • Fix errors setting an exception in compliance frameworks that are still in preview.
  • Improve check titles in the AWS Security and DNS Security policies.
  • Improve rendering of codeblocks in the Kubernetes Cluster and Workload Security policy.

· 5 min read

🥳 Mondoo 9.12 is out! This release includes improved asset UX, expanded AWS/MS365 resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Check overview summary information

We added an overview to the Checks tab for each of your assets. Now you can quickly grasp the state of checks and see the most important recommended actions.

Check Overview

View exceptions on policy cards

New information on the Overview tab for each asset exposes exceptions at a glance. For each policy applied to the asset, you can now see whether (and how many) exceptions are applied.

Exceptions Overview

🧹 IMPROVEMENTS​

Updated weekly email notifications​

We rebuilt the Mondoo weekly organization overview emails from the ground up to deliver the most important information about your spaces... and with a fresh new design to top it all off. The email still shows an overview of scores in your spaces, but now also includes top vulnerabilities, end-of-life assets, and a count of improving vs. worsening asset scores.

Check Overview

New fields and defaults in resources

aws.acm.certificate

  • Default fields now display domainName, issuer, createdAt, and notAfter
  • New keyAlgorithm field
  • New serial field
  • New source field
  • New issuer field
  • New issuedAt field
  • New importedAt field

aws.dynamodb.table

  • New status field
  • New sizeBytes field

aws.ec2.keypair

  • Default fields now display name, type, and region
  • New createdAt field

aws.rds.dbcluster

  • New storageEncrypted field
  • New storageAllocated field
  • New storageIops field
  • New storageType field
  • New status field
  • New createdTime field
  • New backupRetentionPeriod field
  • New autoMinorVersionUpgrade field
  • New clusterDbInstanceClass field
  • New engine field
  • New engineVersion field
  • New publiclyAccessible field
  • New multiAZ field
  • New deletionProtection field

aws.rds.snapshot

  • New engine field
  • New status field
  • New allocatedStorage field

aws.vpc.endpoint

  • New privateDnsEnabled field
  • New state field
  • New createdAt field

aws.vpc.flowlog

  • New createdAt field
  • New destination field
  • New maxAggregationInterval field
  • New trafficType field

aws.vpc.routetable

  • New tags field

aws.vpc.subnet

  • New assignIpv6AddressOnCreation field
  • New state field

github.user

  • Default fields now display login, name, email, and company

microsoft.group

  • New visibility field

ms365.exchangeonline

  • New externalInOutlook field

ms365.exchangeonline.externalsender

  • New resource with identity, allowList, and enabled fields

ms365.teams.teamsmeetingpolicyconfig

  • New resource with allowAnonymousUsersToJoinMeeting, allowAnonymousUsersToStartMeeting, autoAdmittedUsers, allowPSTNUsersToBypassLobby, meetingChatEnabledType, designatedPresenterRoleMode, allowExternalParticipantGiveRequestControl, and allowSecurityEndUserReporting fields

ms365.teams.tenantfederationconfig

  • New resource with identity, blockedDomains, allowFederatedUsers, allowPublicUsers, allowTeamsConsumer, allowTeamsConsumerInbound, treatDiscoveredPartnersAsUnverified, sharedSipAddressSpace, and restrictTeamsConsumerToExternalUserProfiles fields

microsoft.organization

  • New onPremisesSyncEnabled field

slack.conversation

  • A new resource that simplifies accessing channel, direct message, and group message data. This replaces the conversations field in the slack resource.

German/Italian support in Windows Security policy

We've reworked our Windows Security policy to fully support both Windows Server and Workstation editions with the language set to either German or Italian.

New checks in HTTP Security policy

Our HTTP security policy now includes additional checks to ensure that Content Security Policy (CSP) and Strict-Transport-Security (HSTS) headers are set. New groups in this policy ensure that checks are grouped by protocol and only enabled when appropriate.

Complete Microsoft 365 scanning, anywhere

Sit back for a moment while I put on my engineer's hat. Sometimes, APIs are hard. Perhaps the best example is Microsoft 365. Some data can be retrieved using their Golang SDK, but much of the API can only be accessed through PowerShell.

Until now, Mondoo queried the necessary data using both methods and returned MQL as if it were easy (that is, if you were on Windows with PowerShell). On Linux, macOS, or using a Mondoo integration, queries that relied on PowerShell-gathered data failed.

But no more! cnquery and cnspec now query Microsoft 365 data using PowerShell installed on macOS / Linux systems so that Mondoo Platform integrations now successfully run these queries.

🐛 BUG FIXES AND UPDATES

  • Don't allow creating an exception for a control/asset/check more than once.
  • Resolve multiple edge cases in multi-select when setting up exceptions.
  • Improve the rendering of code blocks in the console.
  • Improve performance loading pages in the console.
  • Add validation of IP addresses in the Domain/IP integration.
  • Don't remove previously rejected exceptions when removing the current exception.
  • Fix detecting platform IDs for Kubernetes operator manifests.
  • Reduce network traffic when scanning assets with cnspec.
  • Fix failures setting sudo to active in an inventory file.
  • Add API retries to the Slack resources to better handle throttling while querying large amounts of data.
  • Improve the suggestion text when checks, assets, or data queries tabs are empty in Compliance Hub.
  • Fix failures running cnspec vuln.
  • Add back the feature flag for Kubernetes node scanning that was accidentally removed in the 9.0 release.

· 5 min read

🥳 Mondoo 9.11 is out! This release includes continuous domain/IP scanning, new and expanded AWS resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Continuous domain and IP scanning

New continuous domain and IP scanning ensures the security and compliance of your external web properties.

Domain Scan Integration

Scan these endpoints using out-of-the-box SSL/TLS, DNS, and HTTP security policies to ensure your properties meet security best practices. Protect against common endpoint security mistakes such as:

  • Certificates nearing their expiration date
  • Insecure TLS releases or ciphers
  • Missing X-Content-Type-Options in HTTP headers

Domain Scan Result

Domain and IP scans don't stop with just security. These scan results are automatically mapped to compliance controls such as SOC 2 type 2's CC6.7.2: Uses Encryption Technologies or Secure Communication Channels to Protect Data. This provides continuous compliance for your web properties.

New AWS Web Application Firewall (WAF) resource

Secure Amazon's Web Application Firewall (WAF) service with new Mondoo WAF resources. These resources allow you to query WAF ACLs, Rules, RuleGroups, and IP Sets.

See the AWS Resource Pack documentation for a complete list of new WAF resources.

Load policies from AWS S3 buckets

Want to run custom policies across multiple systems without storing those policies in the Mondoo Platform's Registry? Now you can load policies in cnspec directly from AWS S3 buckets.

Specify an entire bucket and cnspec picks the correct policy:

cnspec scan -f s3://mysupernotexistingbucket1234567

Or specify the exact policy file in your bucket:

cnspec scan -f s3://mysupernotexistingbucket1234567/packs.mql.yaml

🧹 IMPROVEMENTS​

New fields and defaults in AWS resources​

aws.ec2.instance​

  • Improve default values
  • New enaSupported field
  • New hypervisor field
  • New instanceLifecycle field
  • New rootDeviceType field
  • New rootDeviceName field
  • New architecture field

aws.ec2.volume

  • Improve default values
  • New multiAttachEnabled field
  • New throughput field
  • New size field
  • New iops field

aws.ec2.snapshot

  • Improve default values
  • New volumeSize field
  • New description field
  • New encrypted field

aws.cloudwatch.logGroups

  • New retentionInDays field

aws.ec2.securityGroups

  • Improve default values

aws.ec2.networkacl

  • New isDefault field
  • New tags field

New GitHub pull request query capabilities

New fields in the GitHub resource give you fine-grained control over queries for GitHub pull requests.

First, connect to your GitHub repository with the cnquery shell:

cnquery shell github repo mondoohq/cnspec

Once you're connected to the GitHub repo in cnquery, you can query pull requests in a few different ways.

Query individual pull requests by number:

cnquery> github.mergeRequest(number: 1){ number state title }
github.mergeRequest: {
number: 1
title: "🧹 update command line help"
state: "closed"
}

Query all closed pull requests:

cnquery> github.repository.closedMergeRequests
github.repository.allMergeRequests: [
0: github.mergeRequest id=1640488170 state="closed"
1: github.mergeRequest id=1638254852 state="closed"
2: github.mergeRequest id=1638253038 state="closed"

...

]

Query all closed and open pull requests:

cnquery> github.repository.allMergeRequests
github.repository.allMergeRequests: [
0: github.mergeRequest id=1640488170 state="closed"
1: github.mergeRequest id=1640302075 state="open"
2: github.mergeRequest id=1638694955 state="open"

...

]

Improve bucket JSONL export

Do you export your Mondoo data through one of our storage integrations? We've made it easier for you to process these exports in systems like Splunk or ELK: We added ExportedAt and asset_mrn fields:

{
"mrn": "//assets.api.mondoo.app/spaces/vibrant-edison-123456/assets/2Z8pfFOyDBcZhGHi123456789",
"asset_mrn": "//assets.api.mondoo.app/spaces/vibrant-edison-123456/assets/2Z8pfFOyDBcZhGHi123456789",
"name": "https://mondoo.com",
"platform_name": "host",
"error": "",
"score_updated_at": "2023-12-06T14:03:51Z",
"updated_at": "2023-12-06T14:03:51Z",
"labels": {
"mondoo.com/integration-mrn": "//integration.api.mondoo.app/spaces/vibrant-edison-123456/integrations/2YzVgXUPvA09dZ1tBD123456789"
},
"annotations": null,
"exported_at": "2023-12-06T15:12:57.619506985Z"
}
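An added example (not Mondoo code) of consuming this export before forwarding it to a SIEM: it parses the JSONL records, copes with the nanosecond-precision exported_at value that Python's datetime parser rejects, and flags assets that report an error or whose score was already stale at export time. The sample records, function names and the 24-hour threshold are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export: field names follow the record shown above,
# all values (MRNs, error text, times) are made up for this example.
_BASE = {
    "name": "https://example.com", "platform_name": "host", "error": "",
    "score_updated_at": "2023-12-06T14:03:51Z",
    "updated_at": "2023-12-06T14:03:51Z",
    "labels": {}, "annotations": None,
    "exported_at": "2023-12-06T15:12:57.619506985Z",
}
_SAMPLES = [
    {"asset_mrn": "//assets.example/spaces/demo/assets/A1"},
    {"asset_mrn": "//assets.example/spaces/demo/assets/A2",
     "error": "connection refused"},
    {"asset_mrn": "//assets.example/spaces/demo/assets/A3",
     "score_updated_at": "2023-12-01T09:00:00Z"},
]
SAMPLE_JSONL = "\n".join(json.dumps({**_BASE, **s}) for s in _SAMPLES)
SAMPLE_JSONL += "\n{truncated record\n"   # simulate a cut-off upload


def parse_ts(value):
    """Parse an RFC 3339 timestamp, tolerating 'Z' and nanosecond fractions."""
    text = value.strip()
    if text.endswith(("Z", "z")):
        text = text[:-1] + "+00:00"
    t_pos = text.index("T")
    # The UTC offset, if present, starts at the last '+' or '-' after the 'T'.
    off_pos = max(text.rfind("+"), text.rfind("-"))
    if off_pos > t_pos:
        main, offset = text[:off_pos], text[off_pos:]
    else:
        main, offset = text, "+00:00"   # assumption: naive times are UTC
    if "." in main:
        whole, frac = main.split(".", 1)
        # datetime stores microseconds only: truncate or pad to 6 digits.
        main = whole + "." + frac[:6].ljust(6, "0")
    return datetime.fromisoformat(main + offset)


def triage(jsonl_text, max_score_age=timedelta(hours=24)):
    """Return (asset, code, detail) tuples for records that need attention."""
    findings = []
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            findings.append((f"line {lineno}", "unparseable", str(exc)))
            continue
        if not isinstance(rec, dict):
            findings.append((f"line {lineno}", "unparseable", "not an object"))
            continue
        asset = rec.get("asset_mrn") or rec.get("mrn") or f"line {lineno}"
        if rec.get("error"):
            findings.append((asset, "error", rec["error"]))
        try:
            exported = parse_ts(rec["exported_at"])
            scored = parse_ts(rec["score_updated_at"])
        except (KeyError, ValueError, AttributeError):
            findings.append((asset, "bad-timestamp", "missing or invalid"))
            continue
        age = exported - scored
        if age > max_score_age:
            findings.append((asset, "stale", f"score is {age} old at export"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_JSONL):
        print(*finding, sep=" | ")
```
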

Alpine 3.19 support

On December 7th the Alpine Linux team released Alpine Linux 3.19 with an updated Kernel and new versions of common language packages. Mondoo includes support for this latest release with EOL and CVE detection. Learn more about what's new in this updated version at alpinelinux.org.

Ignore .terraform directory during scans

Want to scan Terraform files in a project directory, but the pesky .terraform directory is getting in your way? Now you can ignore files in the .terraform directory with the new --ignore-dot-terraform flag.

🐛 BUG FIXES AND UPDATES

  • Improve the display of categories in integrations during setup and on the integrations page.
  • Improve the UI on the space registration token page when no tokens have been created.
  • In audit log entries, include the asset on which the action occurs.
  • Improved registry search results for policies and query packs.
  • Detect Kali Linux systems running on AWS.
  • Display more than 100 spaces on the organization page.
  • Fix incorrect EOL asset counts on the organization dashboard.
  • Don't double-log failures to find SSH keys from the SSH agent in cnspec/cnquery.
  • Performance improvements loading spaces and assets in the console.
  • Fix tooltips for space and organization tokens to show the right messages.
  • Show the GCP icon for Google Container Optimized policies.
  • Use the latest Microsoft 365 logo on all integration pages.
  • Add the Okta logo to the integration page.
  • Fix + icon in the Okta integration to go directly to the Okta integration setup page.
  • Report Kali Linux as a rolling release without an EOL date.
  • Fix cannot convert primitive with NO type information error in github.mergeRequest resource.
  • Update host resources to show as Network Hosts in the console instead of Network API.
  • Properly display ReadOnlyPort value in k8s.kubelet.configuration resource when it is 0.
  • Fix caCertFile in k8s.kubelet resource to be in "authentication" and not "authorization".
  • Fix URL links from cnspec failing to load if you had previously loaded a different space.

· 5 min read

🥳 Mondoo 9.10 is out! This release includes compliance evidence PDF reports, exceptions for policies/assets, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Compliance evidence report generation in PDF format

Prove compliance to your auditors with PDF evidence reports. Now you can export reports from any control page or export an archive containing controls for your whole compliance framework.

Generate a report

These reports are specifically formatted for auditors and ready for attachment to GRC systems or other auditor evidence upload solutions.

View a report

We've got you covered with secure storage as well, so you can share reports between team members without insecure email attachments or unauthenticated URLs.

Store a report

Exceptions for assets and policies

The power and visibility of compliance exceptions is now available outside of compliance: You can now set exceptions for checks on assets and security policies. Asset and policy exceptions enable cross-team visibility and allow more granularity in how you prioritize your work.

Improve visibility with detailed explanations of why exceptions were created, approvals, and detailed logging. You never have to ask again who made a change and why.

Improved visibility

Prioritize your work with time-based snoozing: Turn off a check temporarily while you work on more important issues, but don't let it fall through the cracks.

Improved Granularity

New CIS Azure Compute Microsoft Windows Server 2019 and 2022 benchmarks

Secure your Windows Azure environment using the new Azure Compute Microsoft Windows Server 2019 and 2022 benchmarks. These benchmarks specifically target the security of Windows 2019 and 2022 Datacenter editions, using Azure's secure configuration guide settings. Each benchmark consists of domain and member server policies containing over 200 Azure-tailored checks.

New CIS ESXi 8.0 Benchmark v1.0.0

Are you upgrading your VMware deployments to version 8.0? Mondoo has you covered with the new CIS ESXi 8.0 Benchmark version 1.0. This updated policy includes 86 checks tailored to the latest VMware release.

🧹 IMPROVEMENTS​

Updated RHEL/Oracle/Rocky/AlmaLinux 8 Benchmarks​

Keep your RHEL 8 compatible servers secure with the new 3.0 release of CIS benchmarks for Red Hat Enterprise Linux, Oracle Linux, AlmaLinux, and Rocky Linux. These new policies are complete reworks of the existing CIS benchmarks with hundreds of new and updated checks.

MQL containsNone with an array of regular expressions

Now you can avoid long, chained MQL queries that check multiple regular expressions. Instead, specify an array of regular expressions:

field.containsNone( [ /a/, /.*b/ ] )

🐛 BUG FIXES AND UPDATES

  • Provide friendly error messages if invalid time values for token expiration are entered.
  • Clarify what search values are supported on the compliance controls page.
  • Improve table headings for affected assets on the vulnerabilities pages.
  • Don't reset the pagination back to the first page when enabling/disabling a policy in the registry.
  • Update all policy icons to be full-color for consistency.
  • Fix different scan behaviors between container and docker providers that caused failures when scanning containers.
  • Don't fail when using .contains in queries if the dict value is empty.
  • Fix container image asset names changing between 8.x and 9.x client scans.
  • Fix an error in the aws.iam.policies resource when fetching attachedGroups data.
  • Support quitting the cnquery/cnspec shells with the quit command.
  • Fix failures when running cnquery login.
  • Add additional data to the aws.iam.attachedPolicies resource.
  • Improve cnspec bundle fmt to format markdown in documentation fields and optionally sort checks by name.
  • Fix a failure in cnspec if two policies use the same query UID.
  • Don't show rejected exceptions as active exceptions when scanning in cnspec.
  • Fix the width of the scanning progress bar to show the score result.
  • Fix the Ensure updates, patches, and additional security software are installed query in the CIS Distribution Independent Linux policy to work with Photon.
  • Fix a failure when running asset{*} on some non-operating system assets.
  • Improve the titles of many inventory query pack queries.
  • Improve the form validation behavior in Azure, Okta, OCI, Microsoft 365, and GitHub integration pages.
  • Add missing badges and a description to the Slack integration setup page.
  • Fix failures in the aws.acm.certificates resource.
  • Don't run the TLS security policy on non-host network assets.
  • Ensure that AIX, FreeBSD, Fedora, Kali Linux, Scientific Linux, Pop!_OS, and EuroLinux assets are grouped as operating systems in inventory.
  • Fix rejected compliance exceptions still showing as exceptions on the controls.
  • Improve performance throughout the Mondoo Console.
  • Add EOL detection for EuroLinux assets.
  • Add platform vulnerability detection for the Windows 23H2 release.
  • Ensure audit logs are generated for space create/delete events and add logging when changing space and organization owners.
  • Improve asset group display for GitLab assets.
  • Fix a failure running the cnspec vuln command.
  • Display all spaces when an organization includes more than 25 spaces.
  • Allow the network provider to run with an inventory file.
  • Improve the policy page UI when a policy is enabled, but hasn't yet run on any assets.
  • Fix a UI error when generating a non-expiring registration token.

· 3 min read

🥳 Mondoo 9.9 is out! This release includes experimental SBOM support, platform/package CPE data, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Experimental SBOM generation

cnquery includes new experimental support for generating software bills of materials (SBOMs). You can generate SBOMs against your local system or containers, mounted filesystems, vagrant boxes, and remote systems over SSH or WinRM.

By default the SBOM prints in list format in the CLI:

cnquery sbom local
→ This command is experimental. Please report any issues to https://github.com/mondoohq/cnquery.
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ discover related assets for 1 asset(s)

lunalectric-test ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%


pypi/Jinja2/2.11.3 /usr/lib/python3/dist-packages/Jinja2-2.11.3.egg-info/PKG-INFO
pypi/LibAppArmor/2.13.6 /usr/lib/python3/dist-packages/LibAppArmor-2.13.6.egg-info
pypi/Mako/1.1.3 /usr/lib/python3/dist-packages/Mako-1.1.3.egg-info/PKG-INFO
pypi/Markdown/3.3.4 /usr/lib/python3/dist-packages/Markdown-3.3.4.egg-info/PKG-INFO
pypi/MarkupSafe/1.1.1 /usr/lib/python3/dist-packages/MarkupSafe-1.1.1.egg-info/PKG-INFO
pypi/PyGObject/3.38.0 /usr/lib/python3/dist-packages/PyGObject-3.38.0.egg-info/PKG-INFO
pypi/PyYAML/5.3.1 /usr/lib/python3/dist-packages/PyYAML-5.3.1.egg-info
deb/acl/2.2.53-10
deb/acpid/1:2.0.32-1
deb/adduser/3.118+deb11u1
deb/amd64-microcode/3.20230808.1.1~deb11u1
deb/anacron/2.3-30
...

Using the --output flag you can control the output format with support for cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tag-value, and table formats.

cnquery sbom local --output spdx-json
→ This command is experimental. Please report any issues to https://github.com/mondoohq/cnquery.
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ discover related assets for 1 asset(s)

lunalectric-test ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%

{
"spdxVersion": "SPDX-2.3",
"dataLicense": "",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "",
"documentNamespace": "",
"creationInfo": {
"creators": [
"Tool: cnquery"
],
"created": "2023-11-28T22:47:07Z"
},
"packages": [
{
"name": "Jinja2",
"SPDXID": "SPDXRef-Package-pypi-Jinja2-2e4a538b3939365a",
"versionInfo": "2.11.3",
"packageFileName": "/usr/lib/python3/dist-packages/Jinja2-2.11.3.egg-info/PKG-INFO",
"downloadLocation": "",
"filesAnalyzed": false,
"licenseDeclared": "2.11.3",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:jinja2_project:jinja2:2.11.3:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "purl",
"referenceLocator": "pkg:pypi/Jinja2@2.11.3"
}
]
},
...
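An added example (not part of cnquery) of checking an SPDX export like the one above before it feeds vulnerability matching: it flags the empty document-level fields and the licenseDeclared value that repeats the version, both visible in the excerpt, and pulls each package's purl and CPE out of externalRefs. The function names and the second sample package are assumptions; the CPE shape check also shows why a Debian epoch version such as 1:2.0.32-1 needs its colon escaped.

```python
import json
import re

# Constructed input: the Jinja2 entry mirrors the excerpt above; "acl" is a
# made-up entry with no external references, to exercise the gap checks.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "",
    "documentNamespace": "",
    "packages": [
        {
            "name": "Jinja2",
            "versionInfo": "2.11.3",
            "downloadLocation": "",
            "licenseDeclared": "2.11.3",
            "externalRefs": [
                {"referenceCategory": "SECURITY",
                 "referenceType": "cpe23Type",
                 "referenceLocator":
                     "cpe:2.3:a:jinja2_project:jinja2:2.11.3:*:*:*:*:*:*:*"},
                {"referenceCategory": "SECURITY",
                 "referenceType": "purl",
                 "referenceLocator": "pkg:pypi/Jinja2@2.11.3"},
            ],
        },
        {"name": "acl", "versionInfo": "2.2.53-10",
         "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
    ],
})


def document_issues(doc):
    """Check the document-level fields that SPDX 2.3 makes mandatory."""
    issues = []
    if doc.get("dataLicense") != "CC0-1.0":
        issues.append("dataLicense is not CC0-1.0")
    for field in ("name", "documentNamespace"):
        if not doc.get(field):
            issues.append(f"{field} is empty")
    return issues


def cpe_is_well_formed(cpe):
    """A CPE 2.3 formatted string has 13 fields split on unescaped colons."""
    parts = re.split(r"(?<!\\):", cpe)
    return len(parts) == 13 and parts[:2] == ["cpe", "2.3"]


def package_inventory(doc):
    """Map 'name@version' to its purl, CPE and a list of data-quality issues."""
    inventory = {}
    for pkg in doc.get("packages", []):
        # Match on referenceType only: SPDX 2.3 lists purl under the
        # PACKAGE-MANAGER category, but the excerpt files it under SECURITY.
        refs = {}
        for ref in pkg.get("externalRefs", []):
            refs.setdefault(ref.get("referenceType"),
                            ref.get("referenceLocator"))
        purl, cpe = refs.get("purl"), refs.get("cpe23Type")
        version = pkg.get("versionInfo", "")
        issues = []
        if not purl:
            issues.append("no purl")
        if not cpe:
            issues.append("no cpe23Type")
        elif not cpe_is_well_formed(cpe):
            issues.append("malformed cpe23Type")
        # SPDX expects NONE or NOASSERTION here when the location is unknown.
        if not pkg.get("downloadLocation"):
            issues.append("downloadLocation is empty")
        # Heuristic: a license field that equals the version is a mapping slip.
        if version and pkg.get("licenseDeclared") == version:
            issues.append("licenseDeclared repeats versionInfo")
        key = f"{pkg.get('name', '<unnamed>')}@{version}"
        inventory[key] = {"purl": purl, "cpe": cpe, "issues": issues}
    return inventory


if __name__ == "__main__":
    sbom = json.loads(SAMPLE_SPDX)
    print("document:", document_issues(sbom))
    for name, entry in package_inventory(sbom).items():
        print(name, entry["purl"], entry["issues"])
```
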

🧹 IMPROVEMENTS​

Platform and package CPE data​

To power our new SBOM capabilities, Mondoo's asset and package resources now include Common Platform Enumeration (CPE) data that uniquely identifies the platform of the system and packages. Learn more about CPE on the NIST National Vulnerability Database CPE page.

Asset CPEs:

cnquery> asset.cpes
asset.cpes: [
0: cpe uri="cpe:2.3:o:debian:debian_linux:11.8:*:*:*:*:*:*:*"
]

OS package CPEs:

cnquery> packages{name cpes}
packages.list: [
0: {
name: "acl"
cpes: [
0: cpe uri="cpe:2.3:a:acl:acl:2.2.53-10:amd64:*:*:*:*:*:*"
]
}

🐛 BUG FIXES AND UPDATES

  • Fix authentication failures in some AWS resources.
  • Allow updating tokens in GitLab integrations.
  • Fix a false positive in the CIS macOS Ensure Show Wi-Fi status in Menu Bar Is Enabled check.
  • Fix the CIS Distribution Independent Linux policy Ensure updates, patches, and additional security software are installed check to run properly on Debian-based systems.
  • Show the number of assets for a policy, not the number of checks, on the Security -> Policies page.
  • Open CVE source links in new windows.
  • Remove extra white space on CVE pages with short descriptions.
  • Improve reliability of queries in the Mondoo Linux Security policy.
  • Improve query titles in asset inventory query packs.

· 6 min read

🥳 Mondoo 9.8 is out! This release includes automated compliance inventory gathering, AIX support, a new CVE view, plus a whole lot more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Automated compliance inventory gathering

Your audit goes beyond security checks; now so does Mondoo, with continuous infrastructure inventory gathering mapped automatically to top compliance frameworks. Compliance Hub controls now include a Data Queries tab listing inventory data from query packs. This inventory data is gathered automatically from the cnspec CLI or from integrations like AWS, GitHub, or Kubernetes. Inventory data fills key requirements from auditors to ensure your infrastructure is compliant, such as gathering AWS VPC configuration to prove SOC 2 CC6.1.5 or asset inventory data for CC6.1.1.

SOC 2 control with data queries:

SOC 2 control with data queries

Drill into a data query to see the query detail and the assets for which it gathered data:

Data queries page

New result scoring design​

The list of security findings was often presented and sorted in a confusing way. Successful security checks would often be listed above failed checks, and errors and skipped checks were mixed into the list seemingly at random. This was because the previous prioritization focused more on the impact of checks than on whether they passed or failed.

Scoring example

The new system is focused on prioritizing the most impactful actions. We now sort everything by failed checks first, followed by errors, then successful checks, and finally anything that is ignored or disabled. This means that the list now prioritizes the most critical failed findings.

We also improved the colors. If it looks like a successful check, it is now consistently green. If it looks like a red alarm, it's definitely a critical failed check.

Here's an overview of this new scoring system:

Scoring overview

New asset scorecard design​

When progress isn't lightning-fast, it's important to track small wins. With this in mind, we've redesigned our asset policy cards to better show progress made towards securing systems. The new design removes the score number from the cards and instead shows the number of passing and failing checks, so you can track progress without the need to dive into the list of all checks on an asset.

Asset with new scorecards

New security policies page​

When we built the security policies page, our goal was to give users a single location where they could see all asset scores for policies in their space and control how those policies ran.

This week, we updated that page to make it easier to identify failing assets for each policy quickly:

Policies Page

The updated page also allows you to disable a policy or set it to preview without leaving the policies page:

Changing Policies

New CVE view​

Out with the old and in with the new is the theme of the Mondoo 9.8 release, so why not update one of our oldest components? It's time for a whole new CVE page! A fresh, new design makes it easier to understand the impact of a CVE.

CVE Page

AIX 7.1 and 7.2 support​

Kubernetes and serverless may be all the rage, but mainframes power the world. Now you can secure your AIX mainframes with Mondoo. We've updated cnquery and cnspec with new remote scan capabilities for AIX and bundled CIS AIX 7.1 and 7.2 benchmark policies, allowing you to quickly evaluate the security and compliance of your AIX systems.

AIX Asset

New BSI SiSyPHuS Windows 10 policy​

Mondoo now includes a new BSI SiSyPHuS Windows 10 policy based on BSI's SiSyPHuS Win10 - Study on system design, logging, hardening and security features in Windows 10 - Configuration Recommendations document. This policy includes 363 queries with impact scores and remediation steps. The checks map to all Mondoo supported compliance frameworks, including BSI's Cloud Computing Compliance Controls Catalog (C5) framework.

🧹 IMPROVEMENTS​

Expanded resource fields​

Whether you're writing custom security policies or exploring your infrastructure with cnquery shell, it's important to have all the data possible for assets. This week, we further expand some of our most popular assets with additional fields, giving you greater insight into your infrastructure.

atlassian.admin.organization.managedUser​

  • productAccess - Product access
  • status - Status

aws.autoscaling.group​

  • minSize - The minimum number of instances to scale down to
  • maxSize - The maximum number of instances to scale up to
  • defaultCooldown - The time to wait after scaling up / down before the next scaling event is started
  • launchConfigurationName - The name of the launch configuration
  • healthCheckGracePeriod - The grace period in seconds before an instance with a failing health check will be replaced
  • createdAt - Time when the autoscaling group was created

aws.ssm.instance​

  • platformType - The platform type of the SSM Instance, as described by AWS (Windows, Linux, etc.)
  • platformVersion - Platform version for the SSM Instance, as described by AWS

aws.ec2.networkacl.entry​

  • ruleNumber - The rule number
  • cidrBlock - CIDR block for the ACL entry

microsoft​

  • tenantDomainName - The connected tenant's default domain name

package / python.package​

Expanded EOL date data​

Mondoo includes the latest EOL dates for distributions so you can ensure your systems receive critical security updates.

  • macOS 11 EOL date of September 26, 2023
  • FreeBSD 12.4 EOL date of December 31, 2023

🐛 BUG FIXES AND UPDATES

  • Fix the coloring of code blocks in print mode.
  • Correct spelling of SOC 2 in policies and frameworks.
  • Improved reliability in Windows CIS security checks.
  • Improve SOC 2 security check mapping.
  • Fix select all checkbox behavior in compliance frameworks to only select the visible controls on the page.
  • Use the time datatype instead of string in the Atlassian provider for better resource output.
  • cnspec bundle fmt now preserves comments on the first line of the policy file.
  • Update providers when cnspec is scanning as a service (serve mode).
  • Fix CIS Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' check failures.
  • Don't show the same policy twice for a single check in Compliance Hub.
  • Fix example scan flags for Kubernetes on the workstation integration page.
  • Only show the create space button on the organizations page if the user has permission to create a space.
  • Don't require all data to be reentered when updating a Jira integration.
  • Improve the performance of loading CVE and advisory data.
  • Add new preview HTTP Security policy.
  • Improve the reliability of organization dashboard graphs for some spaces.

· 5 min read

🥳 Mondoo 9.7 is out! This release includes a new compliance UI, expanded resources, and even more CVE data!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New compliance exceptions UI​

We've reworked the compliance exceptions system to make it easier to understand when exceptions have been set and what that means for your compliance data collection.

Each control includes a new Set Exception button so you can quickly create exceptions directly from framework control pages.

Set Exception

For controls with an exception set, the UI now communicates which type of exception has been set: snooze or disable. It gives a quick description of how the exception affects compliance data collection. The details of the exception are also shown directly on the control page, allowing you to accept, reject, or delete the exception without needing to dig through the exceptions tab.

Active exception state

Run local query packs from cnspec​

Want to quickly test a custom query pack you've written? Now it's easier than ever because you can run a local query pack directly from cnspec:

cnspec scan -f example-pack.mql.yaml
→ no provider specified, defaulting to local. Use --help to see all providers.
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)

Asset: Luna-Laptop.local
----------------------

Data queries:
packages.where.list: [
0: package name="ssh" version=""
]
services.where.list: [
0: service name="com.openssh.ssh-agent" running=true enabled=true type="launchd"
]
sshd.config.params: {
AcceptEnv: "LANG LC_*"
AuthorizedKeysFile: ".ssh/authorized_keys"
Subsystem: "sftp /usr/libexec/sftp-server"
UsePAM: "yes"
}

Scanned 1 asset

macOS
U Luna-Laptop.local

🧹 IMPROVEMENTS​

Atlassian asset grouping​

Atlassian admin, Jira, Confluence, and SCM assets scanned with cnspec are now grouped as Atlassian assets in the console. This helps you quickly find all your Atlassian assets.

Atlassian Asset Group

Ubuntu 23.10 EOL/CVE detection​

Ubuntu 23.10 is out, and Mondoo is ready with EOL reporting and CVE detection now available for this latest Ubuntu release. See our blog post What's New in Security for Ubuntu 23.10 to learn more about this release's great new security features.

Raspbian 11 and 12 CVE detection​

cnspec scans on Raspbian 11.x and 12.x releases now include important CVE data on both the CLI and in the console, so you can keep your Raspberry Pi hobby and IoT projects secure.

Better application of CIS Distribution Independent Linux Benchmark policy​

The CIS Distribution Independent Linux Benchmark policy is a fantastic alternative Linux security policy to use when your operating system distribution or specific version is not supported by one of the main CIS Linux benchmarks. Thanks to new filters, you can now apply this policy in any space and rest assured it will only apply to systems for which more specific CIS benchmark policies aren't available. This means that now you can always have security and compliance data available, even when you're running distros that are a bit off the beaten path, such as non-LTS Ubuntu releases, Arch Linux, or Raspbian.

New AWS resource fields​

AWS resources include new default values to improve data pack queries and navigation in the cnquery/cnspec shell. The resources also have many new fields to expose valuable asset inventory data:

aws.cloudfront.distribution

  • enabled
  • httpVersion
  • isIPV6Enabled
  • priceClass

aws.dynamodb.table

  • createdAt
  • deletionProtectionEnabled
  • globalTableVersion
  • id

aws.accessanalyzer.analyzer

  • createdAt
  • lastResourceAnalyzed
  • lastResourceAnalyzedAt

aws.autoscaling.group

  • region

aws.backup.vault

  • createdAt
  • encryptionKeyArn
  • locked
  • region

🐛 BUG FIXES AND UPDATES

  • Ensure asset groups display correctly as new assets are added or deleted.
  • Show the correct status badges on the Managed Clients page.
  • Fix incorrect EBS volume scan regions.
  • Fix a failure to display asset scores for EBS volume scans.
  • Add the ability to list processes on Windows systems in the ports.listening resource.
  • Fix EKS node checks not correctly executing in the CIS Amazon Elastic Kubernetes Service (EKS) Benchmark policies.
  • Improve reliability of checks within the CIS Amazon Elastic Kubernetes Service (EKS) Benchmark policies.
  • Fix failures in CIS macOS Benchmark policies' "Ensure Pop-up Windows Are Blocked" and "Ensure Show Status Bar Is Enabled" checks.
  • Fix VMware vSphere CVE detection with cnspec 8.x clients.
  • Return a 100 (A) score when no CVEs are detected on a system.
  • Fix CIS rsyslog checks to fail instead of erroring when the rsyslog config is not found.
  • Improve chrony configuration detection in the Operational Best Practices for Time Synchronization policy.
  • Better detect when journald is running in the Ensure journald is not configured to receive logs from a remote client check.
  • Improve titles of queries in multiple query packs.
  • Fix failures in some JSON data exports due to malformed JSON data.
  • Fix failures detecting the platform on some remote scans.
  • Improve shell help content for many resources.

· 4 min read

🥳 Mondoo 9.6 is out! This release includes Console asset query packs, Subject Alternative Name support for certificates, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Asset inventory at your fingertips​

Query pack data now displays directly in the Mondoo Console for all assets. Explore asset configuration with the two dozen out-of-the-box query packs available in the registry. If you don't find what you're looking for there, write your own query packs to expose additional asset inventory information directly in the console.

Browse the results of asset inventory query packs with a new Data Queries tab on the individual asset view.

Asset data queries

🧹 IMPROVEMENTS​

Expanded certificate resource capabilities​

The tls.certificates resource now supports the PKIX Subject Alternative Name (SAN) extension, as well as the Subject Key Identifier (SKID) extension.

cnspec shell host google.com
cnspec> tls.certificates { sanExtension { * }}
tls.certificates: [
0: {
sanExtension: {
uris: []
extension: pkix.extension id = 5842ac625349147af543f8049f60497ca270c0412667bbeb1042482e805069f9:2.5.29.17
emailAddresses: []
dnsNames: [
0: "*.google.com"
1: "*.appengine.google.com"
2: "*.bdn.dev"
3: "*.origin-test.bdn.dev"
4: "*.cloud.google.com"
5: "*.crowdsource.google.com"
6: "*.datacompute.google.com"
7: "*.google.ca"
8: "*.google.cl"
..
]
}
}
1: {
sanExtension: null
}
2: {
sanExtension: null
}
]
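One check this SAN data enables is confirming that the hostnames you serve are actually covered by a certificate's dnsNames. The following added example (not part of Mondoo's tooling) applies the usual wildcard rule, where * stands for exactly one left-most label, to the dnsNames printed above. The function names are hypothetical, and partial wildcards such as w*.example.com are treated as non-matching.

```python
# Constructed sample: the dnsNames shown in the (truncated) output above.
SAN_DNS_NAMES = [
    "*.google.com", "*.appengine.google.com", "*.bdn.dev",
    "*.origin-test.bdn.dev", "*.cloud.google.com",
    "*.crowdsource.google.com", "*.datacompute.google.com",
    "*.google.ca", "*.google.cl",
]


def labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.rstrip(".").lower().split(".")


def san_covers(entry, hostname):
    """True if one SAN dnsName entry covers the hostname."""
    e, h = labels(entry), labels(hostname)
    if len(e) != len(h):
        return False              # a wildcard never spans more than one label
    if e[0] == "*":
        return e[1:] == h[1:]     # everything right of the wildcard must be equal
    if "*" in entry:
        return False              # partial or non-leftmost wildcard: no match
    return e == h


def coverage(hostnames, dns_names):
    """Map each expected hostname to the SAN entries that cover it."""
    return {h: [d for d in dns_names if san_covers(d, h)] for h in hostnames}


def uncovered(hostnames, dns_names):
    """Hostnames that no SAN entry covers; these would fail name validation."""
    return [h for h, hits in coverage(hostnames, dns_names).items() if not hits]


def broad_wildcards(dns_names, min_labels=3):
    """Wildcard entries with fewer than min_labels labels (e.g. '*.dev').

    This is a label count only; it does not consult the public suffix list.
    """
    return [d for d in dns_names
            if d.startswith("*.") and len(labels(d)) < min_labels]


if __name__ == "__main__":
    expected = ["mail.google.com", "google.com", "api.cloud.google.com"]
    for host, hits in coverage(expected, SAN_DNS_NAMES).items():
        print(host, "->", hits or "NOT COVERED by the entries listed")
```

Because the output above is truncated, a name reported as uncovered here may still appear further down the real certificate's SAN list.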

Expanded cnspec status information​

Running cnspec status now prints the version number of the latest available release and a list of all installed providers. If the currently installed and latest releases don't match, the status indicates that a newer version is available for download.

./cnspec status
→ no Mondoo configuration file provided, using defaults
→ Platform: ubuntu
→ Version: 22.04
→ Hostname: localhost
→ IP: 192.168.178.32
→ Time: 2023-11-01T13:36:01+01:00
→ Version: 9.6.0 (API Version: 9)
→ Latest Version: 9.6.1
! A newer version is available
→ Installed Providers: terraform | aws | atlassian | gcp
→ Outdated Providers: terraform | aws | atlassian
→ API ConnectionConfig: https://us.api.mondoo.com
→ API Status: SERVING
→ API Time: 2023-11-01T12:36:02Z
→ API Version: 9

🐛 BUG FIXES AND UPDATES

  • Vulnerabilities results no longer show assets that are not impacted.
  • Fix colorblind mode being enabled for all users.
  • Add data validation for AWS Access Key ID and Secret Access Key values in the S3 export integration.
  • Improve asset links in Compliance Hub to go directly to the check or data query on the asset.
  • Fix tls.certificates returning null data incorrectly.
  • Fix AWS EC2 instance names not properly registering.
  • Improve default values in the azure.subscription.monitorService.applicationInsight resource.
  • Don't display a policy's main documentation when viewing the variant.
  • Improve form validation for integrations to only run after all text has been entered.
  • Improve formatting on the policy recommendation pages for integrations.
  • Fix text input boxes that could not be read in the Azure integration.
  • Improve the error message when an organization or space user cannot be removed.
  • Don't fail when running policies from the public registry that use asset filters.
  • Don't fail if a query pack has no description.
  • Don't fail if a policy group has checks, but not data queries.
  • Fix a failure when scanning AWS EBS volumes.
  • Fix incorrect runtime information being reported for AWS assets.
  • Fix service checks to work on masked systemd services and services that end in .service.
  • Expand SOC 2 policy coverage.
  • Improve data returned from the Azure Inventory Query Pack.
  • Improve the reliability of queries in the CIS AKS Benchmarks policies.
  • Wrap instead of cutting off long property values in the registry.
  • Use the custom image defined in the Kubernetes operator's MondooAuditConfig section.
  • Fix garbage collection of old Kubernetes assets not running.
  • Fix scanning of GKE nodes from the Kubernetes operator.

· 6 min read

🥳 Mondoo 9.5 is out! This release includes VMware vSphere security advisory detection, expanded AWS/Azure/Okta resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

VMware vSphere CVE detection​

Mondoo now includes support for tracking CVEs and security advisories on VMware vSphere installations, so you can keep your most important on-premises assets secure. You'll automatically see CVE/advisory information on VMware vSphere assets in the Mondoo Console and you can scan assets manually on the command line to view this data as well:

cnquery shell vsphere USER@luna.dmz -p FOO
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondoo™      |_|                |___/  interactive shell

cnquery> asset.vulnerabilityReport
asset.vulnerabilityReport: {
platform: {
build: "18778458"
name: "vmware-vsphere"
release: "7.0.3"
title: "VMware vSphere 7.0.3"
}
published: "2023-10-26T13:18:39Z"
stats: {
advisories: {}
cves: {}
exploits: {}
packages: {}
}
}
asset.vulnerabilityReport: {
advisories: [
0: {
ID: "VMSA-2022-0004"
Mrn: "//vadvisor.api.mondoo.app/advisories/VMSA-2022-0004"
cves: [
0: {
ID: "CVE-2021-22041"
Mrn: "//vadvisor.api.mondoo.app/cves/CVE-2021-22041"
cvss: [
0: {
score: 4.600000
source: "cve://nvd/2021"
vector: "4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P"
}
]
worstScore: {
score: 4.600000
source: "cve://nvd/2021"
vector: "4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P"
}
}

...

🧹 IMPROVEMENTS​

New AWS resource fields and defaults​

The aws.vpc.subnet resource now includes information on the subnet's availability zone so you can better understand where subnets are located.

cnquery> aws.vpcs.first.subnets{*}
aws.vpcs.first.subnets: [
0: {
arn: "arn:aws:ec2:ap-south-1:177043123456:subnet/subnet-b231234"
id: "subnet-b231234"
cidrs: "172.31.16.0/20"
mapPublicIpOnLaunch: true
defaultForAvailabilityZone: true
availabilityZone: "ap-south-1c"
}
...

We've also improved the default values returned by many AWS resources to give you better output in the cnquery shell as well as query packs. These updated defaults expose AWS resource IDs, regions, availability zones, and other metadata that makes understanding your AWS infrastructure easier with Mondoo. Enable the AWS Asset Inventory Pack in your spaces to see this improved asset inventory data today.

Improved resource output for Azure​

New default values in Azure resources make exploring asset configuration in the cnquery shell or the resource explorer better than ever. You'll see new improved output on Azure VMs that show OS and hardware types. We've also expanded NIC and disk resources to show information such as the disk size/type and the NIC MAC address type.

cnquery> azure.subscription.computeService.vms.first
azure.subscription.computeService.vms.first: azure.subscription.computeService.vm name="Windows-VM-5n6o" location="eastus" properties.hardwareProfile.vmSize="Standard_DS2_v2" properties.storageProfile.osDisk.osType="Windows"

cnquery> azure.subscription.computeService.disks.first
azure.subscription.computeService.disks.first: azure.subscription.computeService.disk name="Windows-VM-OsDisk-5n6o" location="eastus" properties.osType="Windows" properties.diskSizeGB=127.000000 properties.diskState="Attached"

cnquery> azure.subscription.networkService.interfaces.first
azure.subscription.networkService.interfaces.first: azure.subscription.networkService.interface name="Windows-VM-NIC-5n6o" location="eastus" properties.macAddress="60-45-BD-D7-7E-53" properties.nicType="Standard"

Expanded Okta group and role capabilities​

We've expanded the capabilities of our Okta provider and resources to make it easier to query your Okta configuration. You can now query Okta groups along with their roles and members using the okta.groups resource:

cnspec> okta.groups.where(roles.one(type =="SUPER_ADMIN")) { name roles { * } members members.length < 2 }
okta.groups.where: [
0: {
roles: [
0: {
created: 2023-04-08 22:11:00 +0200 CEST
lastUpdated: 2023-04-08 22:11:00 +0200 CEST
assignmentType: "GROUP"
id: "ABCD1234"
type: "SUPER_ADMIN"
status: "ACTIVE"
label: "Super Administrator"
}
]
name: "Super Admins"
members.length < 2: true
members: [
0: okta.user profile.email="ben@example.com"
]
}
]

You can also check which permissions are assigned to custom roles using the new okta.customRoles resource:

cnspec> okta.customRoles { * }
okta.customRoles: [
0: {
label: "Custom Role"
id: "abc12345678910"
description: "Custom Role"
permissions: []
}
]

Improved host scanning​

We've improved host scanning behavior with updates to Mondoo's host provider as well as the http and tls resources used when scanning domains and IPs. These updates make it easier to get started scanning hosts, even when the hosts aren't the best behaving.

  • Default to HTTPS when no protocol information is specified on the CLI. For example, with cnquery shell host mondoo.com, cnquery now assumes HTTPS.
  • Improve handling of timeouts when checking TLS certs.
  • Improve error handling and logging when connecting to hosts, parsing TLS certificates, and checking TLS on non-TLS hosts.

Updated macOS CIS Benchmark policies​

It's been just a week since we last updated macOS CIS benchmark policies, but we're back again with new updates including the official release of the CIS macOS 14.0 benchmark. These new benchmarks include improved descriptions/remediation text, more robust queries, and additional checks for Intel Macs. Be sure to check out the improved results in these releases:

  • CIS Apple macOS 11.0 Big Sur Benchmark v4.0.0
  • CIS Apple macOS 12.0 Monterey Benchmark v3.0.0
  • CIS Apple macOS 13.0 Ventura Benchmark v2.0.0
  • CIS Apple macOS 14.0 Sonoma Benchmark v1.0.0

Improved Windows EOL dates​

Windows EOL data in Mondoo Platform now tracks Microsoft's enterprise and education support track, which tends to be about one year later than consumer EOL dates. We've also added Windows 10 22H2, Windows 11 22H2, and Windows 11 23H2 releases so you can track upcoming EOL dates for all your Windows workstations.

Improved field copy behavior​

Sometimes a user suggests a fix you just can't pass up. User @xorima told us the copy icon in our text fields was hard to read and made copying important text like client installation commands difficult. We retooled the icon so it stands out better against the text and more clearly signals when the copy is complete. Thanks @xorima!

New copy behavior

🐛 BUG FIXES AND UPDATES

  • Group Photon OS assets as operating systems in the Mondoo Console.
  • Fix data queries not always showing the policy or query pack where they were defined.
  • Don't error if the same query pack is specified more than once on the command line.
  • Don't fail if a query pack has no queries to run after platform filters are applied.
  • Properly filter out unsupported queries in a query pack to avoid failures.
  • Map checks from the CIS Distribution Independent Linux benchmark to compliance framework controls.
  • Fix cleanup of old assets scanned by the Mondoo Kubernetes operator.
  • Handle empty report data in the JUnit cnspec reporter.
  • Don't fail scanning a container registry if the container's platform cannot be detected.
  • Fix a failure running the cnspec vuln command.
  • Fix an error fetching the azure.subscription.mySql.server field.
  • Fix Microsoft 365 assets grouping under Unclassified Assets in the console inventory page.
  • Don't show the Schedule Now button for Jira integrations.
  • On the Organization page, sort spaces by name instead of space ID.