🥳 Mondoo 9.0 is out!

This is a major new release with exciting improvements to cnquery and cnspec's extensibility.

This release includes a whole new cnquery and cnspec client, enhanced GitLab scanning, piles of new resource updates, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

All new cnspec and cnquery clients!

Up to this point, both cnquery and cnspec had all connectors and providers built into one binary file each. This was great when we only had a few connectors and things were small. Recently, however, the binaries have exploded in size with every new technology we added. Since both projects are designed to also run on small devices and embedded controllers, we have wanted to change this approach for some time.

This release includes entirely new binaries for cnquery and cnspec. Both are 90% smaller, re-usable, and extensible now!

  1. Provider plugins

    When you connect to any technology (like AWS, Azure, K8s, etc.), we now install a dedicated provider for that technology. This happens automatically for all core technologies we support:

    > cnquery run aws -c asset.name
    → installing provider 'aws' version=9.0.8
    → successfully installed aws provider path=/home/zero/.config/mondoo/providers/aws version=9.0.8
    → loaded configuration from /home/zero/.config/mondoo/mondoo.yml using source default
    asset.name: "AWS Account lunalectric-management (177043759486)"

    These provider plugins are shared between cnquery and cnspec. If you install any provider for cnquery, it is available to cnspec and vice versa.

  2. Automatic updates

    Providers are automatically updated to the latest version of the current major release:

    ~ $> cnspec shell aws
    → found a new version for 'aws' provider installed=9.0.5 latest=9.0.8
    → successfully installed aws provider path=/home/zero/.config/mondoo/providers/aws version=9.0.8
    ...

    We avoid breaking changes within a major version and announce deprecations with a full major version as a grace period, during which you can still use the deprecated features.

    For containers and restricted environments, you can turn off updates with --auto-update=false or auto_update: false in the config file. This prevents existing providers from being updated and new providers from being installed.

    For example, if you install cnquery or cnspec in a container, you can pre-install all providers you intend to use with it and then deactivate auto-update in the config file at the end of the build process.

  3. Custom providers

    You can view all providers via the providers subcommand:

    > cnquery providers

    → builtin (found 2 providers)

    core 9.0.1
    mock 9.0.0 with connectors: mock

    → /home/zero/.config/mondoo/providers (found 4 providers)

    aws 9.0.8 with connectors: aws
    azure 9.0.4 with connectors: azure
    gitlab 9.0.4 with connectors: gitlab
    os 9.0.8 with connectors: local, ssh, winrm, vagrant, container, docker, filesystem

    → /opt/mondoo/providers has no providers

    This command not only prints the current providers and versions, but it also shows the locations in which providers are installed.

    In the coming days we will share written and video guides on how to create your very own provider. In the meantime, feel free to check out cnquery's "providers" folder, which has lots of examples! All providers are distributed as binaries with a proto interface, so you can write them in Go or any other language with gRPC support.

    You can now create custom providers and install them wherever you want to run them! This also includes restricted code that may use your company's internal APIs and which you don't want to publish. Mondoo will support schema upload shortly, so you can see results in our UI without exposing any code.

Hassle-free asset discovery in GitLab scans

We've removed the pain of manually discovering assets throughout your GitLab environment with new hassle-free asset discovery. The GitLab Mondoo Platform integration and the cnspec CLI now include options to automatically discover all GitLab projects, groups, and even Terraform files within your GitLab projects. Set it once and continuously scan your entire environment to secure your software supply chain and the Terraform files that define your infrastructure.

[Screenshot: GitLab Setup]

New cnspec GitLab discovery options:

cnspec scan gitlab --token TOKEN <- returns all groups the user has access to
cnspec scan gitlab --token TOKEN --discover groups <- returns the defined group and all subgroups of that group
cnspec scan gitlab --token TOKEN --discover projects <- returns all the projects discovered in all the groups the user has access to
cnspec scan gitlab --token TOKEN --discover terraform <- returns all the Terraform files in all the projects discovered in all the groups the user has access to

Set asset annotations during client login

Asset annotations let you attach additional information to assets that can't necessarily be detected using Mondoo resources. Traditionally, these annotations have been set in the console on each asset page, but now you can automate setting annotations during the client registration process. This allows you to pass in data like employee workstation asset tags from an MDM solution.

Setting annotations during the client login:

cnspec login --token <token> --annotation assetid=MONDOO1234 --annotation location=PDX

[Screenshot: Asset annotations]

🧹 IMPROVEMENTS

New resources and resource fields

What fun is a Mondoo release without new resources and fields to secure your infrastructure? For version 9.0, we went big with 46 new fields and resources. Stay tuned for updated policies and new asset inventory capabilities using some of these new additions.

aws.ec2.instance

  • New httpEndpoint property: Status of the IMDS endpoint enabled on the instance
  • New stateTransitionTime property: Time when the last state transition occurred

aws.elb

  • New createdTime property: Date the load balancer was created
  • New vpcID property: The ID of the VPC where the load balancer is located

aws.rds.dbInstances

  • Improve default values for use in cnquery shell
  • New storageAllocated property: The amount of storage, in GiB, provisioned on the instance
  • New storageIops property: The storage IOPS provisioned on the instance
  • New storageType property: The type of storage provisioned on the instance
  • New availabilityZone property: Availability zone where the instance exists
  • New engineVersion property: The version of the database engine for this DB instance
  • New createdTime property: The creation date of the RDS instance

aws.s3.bucket

  • New createdTime property: Date the bucket was created

aws.vpc

  • Fix routeTables to return the correct values for the VPC
  • New cidrBlock property: IPv4 CIDR block of the VPC
  • New instanceTenancy property: How instance hardware tenancy settings are enforced on instances launched in this VPC
  • New endpoints subresource with additional fields:
    • id: Unique ID of the endpoint
    • type: Type of the endpoint
    • vpc: VPC the endpoint exists in
    • region: Region the VPC exists in
    • serviceName: The name of the endpoint service
    • policyDocument: The policy document associated with the endpoint, if applicable
    • subnets: The subnets for the (interface) endpoint
  • New subnets subresource with additional fields:
    • arn: ARN of the subnet
    • id: Unique ID of the subnet
    • cidrs: A list of CIDR descriptions
    • mapPublicIpOnLaunch: Whether instances launched in this subnet receive a public IPv4 address

azure.subscription.monitorService.activityLog

  • New subscriptionId property: The subscription identifier

azure.subscription.monitorService.diagnosticsetting

  • New storageAccountId property: ID of the diagnostic setting storage account

azure.subscription.monitorService.logprofile

  • New storageAccountId property: ID of the log profile storage account

github.organization

  • New membersCanForkPrivateRepos property: Whether members can fork private repositories to their own GitHub account

github.repository

  • New hasDiscussions property: Whether the repository has discussions
  • New isTemplate property: Whether the repository is an organization repository template

gitlab.project

  • New allowMergeOnSkippedPipeline property: Allow merging merge requests when a pipeline is skipped
  • New archived property: Is the project archived?
  • New autoDevopsEnabled property: Is the Auto DevOps feature enabled?
  • New containerRegistryEnabled property: Is the container registry feature enabled?
  • New createdAt property: Create date of the project
  • New defaultBranch property: Default git branch
  • New emailsDisabled property: Disable project email notifications
  • New fullName property: The full name of the project, including the namespace
  • New issuesEnabled property: Is the issues feature enabled?
  • New mergeRequestsEnabled property: Is the merge request feature enabled?
  • New mirror property: Is the project a mirror?
  • New onlyAllowMergeIfAllDiscussionsAreResolved property: Only allow merging merge requests if all discussions are resolved
  • New onlyAllowMergeIfPipelineSucceeds property: Only allow merging merge requests if the pipelines succeed
  • New packagesEnabled property: Is the packages feature enabled?
  • New requirementsEnabled property: Is the requirements feature enabled?
  • New serviceDeskEnabled property: Is the Service Desk feature enabled?
  • New snippetsEnabled property: Is the snippets feature enabled?
  • New webURL property: URL of the project
  • New wikiEnabled property: Is the wiki feature enabled?

gitlab.group

  • New emailsDisabled property: Disable group email notifications
  • New preventForkingOutsideGroup property: Don't allow forking projects outside this group
  • New mentionsDisabled property: Disable group mentions within issues and merge requests
  • New webURL property: URL of the group

k8s.namespace

  • New kind property: Kubernetes object type

rsyslog.conf

  • New path property: Path for the main rsyslog file and search

terraform.settings

  • New backend property: Backend configuration information

Improved query packs

  • The Azure Asset Inventory Pack now includes a list of all public IP addresses in Azure subscriptions.
  • The Mondoo Asset Count query pack now includes asset counts for all GCP and GitLab assets, including all new GCP assets discovered when scanning with the --discover all flag.

MQL improvements

Mondoo 9.0 further improves MQL so you can more easily query assets in your environment and write custom security policies.

Simple accessors for unstructured data

Accessing structures in JSON, Terraform, and Kubernetes has often been painful:

dict["one"]["more"]["field"]

To make it easier to access these nested fields, we've introduced a new optional syntax. This is well-known from other scripting languages (like JS and TS):

dict.one.more.field

This mode continues to support our GraphQL foundation:

dict {
  one { more.field }
  two
  ...
}

It has helped simplify many use-cases for Terraform and Kubernetes:

# OLD:
tfblock {
  _["attributes"]["account_id"]["value"]
}

# NEW:
tfblock {
  attributes.account_id.value
}

Empty type

With the new empty type, there's no need for complex logic to check for different kinds of empty values. Each of these common situations evaluates as empty:

[] == empty
null == empty
'' == empty
{} == empty

A single query can now check for an empty value in any type of data:

users.list == empty
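As an added example (not part of these release notes and not a policy Mondoo ships), here is a cnspec policy bundle that turns several of the new gitlab.project and gitlab.group fields listed above into checks and uses the new empty type for the default-branch check. It assumes the standard cnspec bundle layout (policies whose groups reference queries by uid) and that GitLab projects and groups are scanned as the separate gitlab-project and gitlab-group assets described in the 8.28 notes further down this page.

```yaml
# Added example policy bundle (not shipped with Mondoo): merge request
# hygiene for GitLab projects and fork restrictions for GitLab groups,
# using only fields that Mondoo 9.0 adds to gitlab.project and gitlab.group.
# Assumption: project and group assets report the platform names
# "gitlab-project" and "gitlab-group".
policies:
  - uid: example-gitlab-mr-hygiene
    name: GitLab merge request hygiene (example)
    version: 1.0.0
    authors:
      - name: Example author
        email: security@example.com
    groups:
      - title: GitLab projects
        # Evaluate only on project assets, and skip archived projects: they are
        # read-only, so failing them would only add noise.
        filters: asset.platform == "gitlab-project" && gitlab.project.archived == false
        checks:
          - uid: gitlab-project-pipeline-must-succeed
          - uid: gitlab-project-no-merge-on-skipped-pipeline
          - uid: gitlab-project-discussions-resolved
          - uid: gitlab-project-default-branch-set
      - title: GitLab groups
        filters: asset.platform == "gitlab-group"
        checks:
          - uid: gitlab-group-prevent-outside-forks

queries:
  - uid: gitlab-project-pipeline-must-succeed
    title: Merge requests may only be merged after a successful pipeline
    impact: 70
    mql: gitlab.project.onlyAllowMergeIfPipelineSucceeds == true
    docs:
      desc: |
        With this setting off, a contributor can merge code whose CI run
        (tests, linters, SAST) failed, bypassing the controls the pipeline
        provides.
      remediation: |
        In the project, open Settings > Merge requests and enable
        "Pipelines must succeed".

  - uid: gitlab-project-no-merge-on-skipped-pipeline
    title: Merge requests may not be merged when the pipeline was skipped
    impact: 60
    # A skipped pipeline (for example via a "[ci skip]" commit message) would
    # otherwise satisfy "pipelines must succeed" without running anything.
    mql: gitlab.project.allowMergeOnSkippedPipeline == false

  - uid: gitlab-project-discussions-resolved
    title: All review discussions must be resolved before merging
    impact: 40
    mql: gitlab.project.onlyAllowMergeIfAllDiscussionsAreResolved == true

  - uid: gitlab-project-default-branch-set
    title: Project has a default branch configured
    impact: 30
    # The 9.0 empty type covers "", null and [] in a single comparison, so no
    # per-type checks are needed here.
    mql: gitlab.project.defaultBranch != empty

  - uid: gitlab-group-prevent-outside-forks
    title: Projects may not be forked outside the group
    impact: 50
    # Forks outside the group escape the group's access controls and policies.
    mql: gitlab.group.preventForkingOutsideGroup == true
```

Run it against a group with a command of the form shown in the 8.28 notes, adding --policy-bundle with the path to this file, and every discovered project and group is scored by its matching group of checks.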

Expanded platform EOL data

  • Add Fedora 39: November 12, 2024
  • Add Google COS 109: September 1, 2025

πŸ› BUG FIXES AND UPDATES​

  • Significantly improve query time for ports on Linux systems. If you query ports without accessing their related processes, the query now returns in a fraction of the time. We are working to further speed this up for use cases that need the related processes.
  • Remove errors for files.find when no results were returned. Do not return an empty file object.
  • Improve output of GCP resources in the cnquery shell.
  • Resolve errors running the CIS Ensure default user shell timeout is 900 seconds or less check.
  • Resolve errors running the CIS Ensure lockout for failed password attempts is configured check.
  • Resolve errors running the CIS Ensure password hashing algorithm is SHA-512 or yescrypt check.
  • Resolve errors running the CIS Ensure password reuse is limited check.
  • Fix false positive in the CIS Ensure lockout for failed password attempts is configured check.
  • Don't show buttons to accept a compliance exception if the user only has viewer privileges in the space.
  • Don't show null at the end of compliance framework and control descriptions.
  • Show the asset completion percentage on compliance control pages.
  • Fix invalid CloudFormation links on the AWS integration page.
  • Avoid repeatedly generating registration tokens in the organization/space page.
  • Fix incorrect integrations listed on the Google Workspace integration page.
  • Add missing label examples in the search page.
  • Change all unknown and unrated check statuses to unscored.
  • Improve the rendering of Compliance Hub control distribution graphs with large numbers of controls.
  • In the registry, fix platform icons not displaying correctly for policies that use variants.
  • Allow updating the GCP service account configuration file in GCP integrations.
  • Fix scanning of untagged Amazon ECR images.
  • Fix some check links in Compliance Hub not loading.
  • Fix EC2 instance detection when IMDSv1 is disabled.

🥳 Mondoo 8.29 is out! This release includes improved table views, a new Inventory navbar item, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🧹 IMPROVEMENTS

Improved UI tables

At Mondoo we take pride in not just collecting security information, but also displaying it in a meaningful way. If you've been using the product long enough you may have noticed we've gone through many iterations of our table view. It never felt quite right, until we introduced the new table in Compliance Hub that lets you easily view, sort, and multi-select data without pull-down menus or multiple clicks. This week the team revamped all of our existing views to update them with this improved UX. Give it a try and keep an eye out for pagination improvements coming soon!

[Screenshot: Improved multi-select]

Fleet is now Inventory

When we first built Mondoo, the Fleet view was where you found all of your servers or workstations. As we expanded Mondoo to include Kubernetes workloads, cloud accounts, and even SaaS servers, this name made less sense. This week we renamed Fleet to Inventory to better represent Mondoo's cross-platform asset inventory capabilities. It's just a rename, but we think this will make it easier to jump right in and begin exploring all your inventory.

[Screenshot: Inventory in the nav bar]

Fedora 39 vulnerability scanning

Fedora 39 is right around the corner, with the first beta released this week. Not to be left behind we've added Fedora 39 vulnerability scanning to Mondoo, so fire up cnspec and keep that beta install secure.

Improved compliance control descriptions

We've expanded the data that can be displayed in Compliance Control pages, so you'll always have all the details to keep your infrastructure secure. This new view includes improved description rendering and the ability to expand extra long descriptions.

[Screenshot: Compliance control descriptions]

πŸ› BUG FIXES AND UPDATES​

  • Reduce API usage for GitLab scans to avoid API rate-limiting.
  • Avoid some authentication failures when scanning GitLab projects.
  • Fix incorrect GitLab asset runtime values.
  • Improve the usage instructions in the GitLab policy with project scanning instructions.
  • Fix errors in the CIS Ensure GDM login banner is configured check when GDM files don't exist.
  • Improve output of the CIS Ensure journald is not configured to receive logs from a remote client check.
  • Add GitLab Group ID and Project ID to the asset configuration overview data.
  • Fix failures loading certain assets in the console.
  • Change the "Rational" sections in policies to "Rationale."
  • Only run the Linux Workstation Security policy when xorg-xserver is installed to prevent it from evaluating servers.
  • Update the registry to consistently refer to "query packs" as two words.
  • Improve query descriptions in the Azure Asset Inventory Pack query pack.
  • Remove a duplicate query from the Azure Asset Inventory Pack query pack.
  • Fix some query pack and policy bundle categories/authors to make filtering in the registry more consistent.
  • Support Rsyslog 7+ syntax in the CIS Ensure rsyslog is configured to send logs to a remote log host check.
  • Don't display the Assets button in Kubernetes integration pages when no assets have been scanned.
  • Allow updating the token in GitLab integrations.
  • Don't display compliance control checkboxes when a user only has view permissions in a space.

🥳 Mondoo 8.28 is out! This release includes fine-grained GitLab scanning and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Fine-grained scanning of GitLab assets

Mondoo now offers more detailed scanning capabilities for GitLab assets. Instead of the previous single gitlab asset, Mondoo now provides separate gitlab-group and gitlab-project assets. When scanning your GitLab group, both cnspec and cnquery now automatically detect each project within your group. This enhanced granularity in asset scans improves the accuracy of scan results and allows for setting exceptions for specific projects.

cnspec scan gitlab --group lunalectric
→ loaded configuration from /Users/luna/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=37
→ synchronize assets
lunalectric / rockets_101 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
lunalectric / oxygen_generator ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
lunalectric / space_cats ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
lunalectric / rover_design ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
lunalectric / human_habitats ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
...

🧹 IMPROVEMENTS

Runtime data in AWS Lambda function resource

The aws.lambda.function MQL resource now includes a new runtime field that displays the runtime environment of the function. Thanks for this addition @mbainter!

πŸ› BUG FIXES AND UPDATES​

  • Fix a panic viewing some asset data in the asset resources tab.
  • Add more user-friendly control titles to the SOC2 compliance framework.
  • Show 0% check completion instead of "Unknown" when appropriate in compliance controls.
  • Automatically close the search box when results display.
  • Fix hardware systems incorrectly identifying as Azure VMs in asset configuration data.
  • Improve reliability of the CIS Ensure GDM login banner is configured check on RHEL based systems.
  • Prevent errors in the CIS Ensure filesystem integrity is regularly checked check when the aide package is not installed.

🥳 Mondoo 8.27 is out! This release includes asset search, improved CIS policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Want to quickly find all your Debian systems or maybe the Mac laptop with a particular IT asset tag? Now you can with simple, yet powerful, search.

[Screenshot: Search results]

Search your whole organization or limit results to a single Mondoo space.

[Screenshot: Org or space search]

Need to craft a more advanced query? Use GitHub-style search syntax to write powerful search queries with ease.

[Screenshot: Advanced search syntax]

Learn more in the Mondoo search docs.

🧹 IMPROVEMENTS

Improved CIS policy results

This week we further improved the reliability of our CIS benchmark policies, so you'll always have the best security compliance data for your infrastructure.

  • Fix failures in the Ensure permissions on bootloader config are configured check on some Linux distributions.
  • Fix failures in the Ensure permissions on /etc/shadow- are configured check when the /etc/shadow- file doesn't exist.
  • Update the Ensure local login warning banner is configured properly and Ensure remote login warning banner is configured properly checks to also ensure the /etc/issue file exists.
  • Fix failures in the Ensure permissions on /etc/issue are configured check when the /etc/issue file does not exist.
  • Fix failures in the Ensure permissions on /etc/issue.net are configured check when the /etc/issue.net file does not exist.
  • Fix failures in the Ensure permissions on /etc/gshadow- are configured and Ensure permissions on /etc/gshadow are configured checks on Debian-based systems.
  • Fix failures in the Ensure audit log storage size is configured, Ensure audit logs are not automatically deleted, and Ensure system is disabled when audit logs are full checks when the /etc/audit/audit.conf file does not exist.
  • Fix failures in the Ensure at/cron is restricted to authorized users check when the /etc/cron.allow or /etc/at.allow config files don't exist.
  • Add PowerShell remediation snippets to all Windows policies.

πŸ› BUG FIXES AND UPDATES​

  • Pages in compliance that show check details now include breadcrumbs that take you back to the main compliance page.
  • Allow users to update the private key in OCI integrations.
  • Remove GCP BigQuery table count from the asset configuration overview to prevent long scan times in complex environments.
  • Show an improved empty state page on security and compliance check pages that have no assets.
  • Update the AWS integrations list page design to match other integration pages.
  • Improve the rendering of the integration list page when the last integration has been removed.
  • Fix missing check summary counts on asset pages.
  • Fix some CVE scores showing up as "None" when they should be "Critical".

🥳 Mondoo 8.26 is out! This release includes OCI asset configuration data, improved Compliance Hub results, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

OCI asset configuration overview data

Mondoo now shows configuration data for Oracle Cloud Infrastructure (OCI) Tenancies.

[Screenshot: OCI asset configuration data]

Filter compliance results by asset type

Compliance Hub now has buttons that let you quickly filter compliance assets by platform type. Because these group buttons in the fleet view were so helpful to users, we added them to compliance as well.

[Screenshot: Compliance Hub asset groups]

🧹 IMPROVEMENTS

Improved Compliance Hub framework completion calculations

When we set out to build Compliance Hub, we wanted to enable teams to quickly assess their compliance posture and track progress as they worked to secure systems and services. After launching Compliance Hub, we received insightful feedback from our users. Based on that feedback, this week we've improved how we report progress towards compliance completion.

Previously we calculated a space's compliance completion by the percentage of all assets that were 100% compliant. In some circumstances, the completion status could remain 0% until the team deployed one last magical fix that made all assets compliant.

Compliance Hub now calculates a space's completion as the average of all control completion percentages. Teams can now see incremental progress with each security improvement they deploy. We think this better reflects the true state of compliance and gives users the small wins they deserve as they work to secure their environments.

[Screenshot: Improved compliance completion tracking]

Improved CIS policy results

We've reworked many of our bundled CIS benchmark policies to make them more resilient and improve the rendering of scan results:

  • Rework queries in CIS AWS Foundations to improve rendering of results.
  • Improve reliability of Auditd, SELinux, and AppArmor checks in Linux policies.
  • Improve the reliability of the Ensure audit_backlog_limit is sufficient check.
  • Prevent failures in the Ensure permissions on /etc/gshadow are configured check when the file does not exist.
  • Prevent failures in the Ensure cron is restricted to authorized users check when /etc/cron.allow does not exist.
  • Expand the Ensure HTTP server is not installed check for Nginx and lighttpd in addition to Apache2.
  • Add two additional controls to the CIS AWS Foundations benchmark policy.
  • Improve reliability and result output of queries in the CIS GCP and GKE policies.
  • Improve the query output of failing Kubernetes namespaces in the Ensure that all Namespaces have Network Policies defined check.
  • Add missing audit blocks to checks in Kubernetes policies.

πŸ› BUG FIXES AND UPDATES​

  • Improve rendering of GCP tiles in the fleet view when organizations, projects, and cloud assets have scanned.
  • Fix sorting of assets by count in Security > Policies table when there are checks with 0 assets.
  • Don't show empty Manufacturer or Product configuration data on cloud assets.
  • Add the July 31, 2023 EOL date for FreeBSD 13.1.
  • Remove the unused user settings option "Send me space alerts."
  • Improve performance of reporting first time asset scans.
  • Improve error messages when scanning GCP VM instances/snapshots outside of a GCP environment.
  • Rename Oracle Cloud Infrastructure assets to Oracle Cloud Infrastructure Tenancy to better reflect that these are the OCI tenancies.
  • Show policy descriptions in the registry.
  • Show audit content in asset check pages.

🥳 Mondoo 8.25 is out! This release includes improvements to Compliance Hub, updated CIS Debian Linux 2.0 Benchmark, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🧹 IMPROVEMENTS

Improved Compliance Hub experience

We've been busy this week rolling out fixes and improvements to make Compliance Hub an even better experience.

  • The first exception on the compliance exceptions tab now automatically expands for easier viewing.
  • Compliance control pages now include tooltips for the completion column.
  • Controls listed in exceptions now link to the individual control pages.
  • The completion column in control pages now supports ascending and descending sorting.
  • The completion percentage shown for frameworks now better reflects progress.
  • There are improved recommendations when there are no checks or assets in a control.
  • Compliance completion bars in Firefox now size properly at all window dimensions.

CIS Debian Linux 10 Benchmark 2.0

CIS Debian Linux 10 Benchmark is updated from 1.0 to 2.0. This is a massive update to the CIS benchmarks for Debian that includes the following changes:

  • 38 controls now have improved descriptions, audit instructions, and remediation steps.
  • 34 new controls now follow the "Ensure service X is not installed" method instead of "Ensure service X is disabled".
  • 58 legacy controls have been removed, including the existing "Ensure service X is disabled" controls mentioned above.

πŸ› BUG FIXES AND UPDATES​

  • Don't show duplicate checks in the registry when a policy uses variants.
  • Remove a black box displayed in the registry when a policy uses policy variants.
  • Add three additional controls to the CIS Amazon Linux 2023 policies.
  • Improved descriptions and remediation steps in the CIS Distribution Independent Linux Benchmark policies.
  • Log errors for missing API support when scanning GCP organization and projects instead of failing.
  • Give a unique name to gcp-subnetwork assets that includes the region in the name.
  • Fix the grouping of GCP organizations and projects in the fleet view.
  • Don't attempt to discover GCP projects that are marked for deletion.
  • Don't detect GCP VM instances as VM images.

🥳 Mondoo 8.24 is out! This release includes NIST SP 800-171 compliance, CIS AWS Foundations Benchmark 2.0, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

NIST SP 800-171 Framework

Mondoo Compliance Hub now includes the NIST SP 800-171 framework, raising the total number of out-of-the-box compliance frameworks to ten. Each of the 110 controls in this framework automatically maps to the checks in your infrastructure, so with the flip of a switch you can enable NIST SP 800-171 and see where you stand.

[Screenshot: Compliance Hub, NIST SP 800-171]

🧹 IMPROVEMENTS

Improved asset configuration data for GCP projects

GCP project assets in the fleet now include additional asset configuration data, so you can always understand what's being scanned at a quick glance.

[Screenshot: GCP project configuration data]

CIS Amazon Web Services (AWS) Foundations Benchmark 2.0

The CIS Amazon Web Services (AWS) Foundations Benchmark is updated to the latest 2.0 release. This updated benchmark includes a number of important updates to make securing your AWS environment easier:

  • Adds a new check to ensure that EC2 metadata service requires IMDSv2
  • Adds a new check to restrict the usage of AWS CloudShell
  • Removes the check that ensures all S3 buckets have encryption at rest enabled because this feature is now enabled automatically
  • 22 updated checks with improved audit and remediation steps

πŸ› BUG FIXES AND UPDATES​

  • Fix errors determining cloud configuration for containers.
  • Improve slow scan times while waiting on policy data.
  • Resolve a panic loading some queries in the resource explorer.
  • Fix organization overview dashboard to ignore data below 0.
  • Improve reliability of queries in the CIS Distribution Independent Linux Benchmark policy.
  • Update CIS Windows policy scoring to match that of non-Windows CIS benchmarks.
  • Improve the reliability of the GitHub Organization Security and GitHub Repository Security policy SECURITY.md checks.
  • Fix incorrect text on the org and space level service account pages.
  • Improve padding in the asset page configuration tiles.
  • Improve the display of various compliance pages when there is no data.
  • Fix an error in the asset overview data when the cloud could not be properly detected.
  • Fix failures scanning OCI via the integration.
  • Adjust impact scores in the Mondoo Linux Security and CIS Distribution Independent Linux Benchmark policies.
  • Don't show buttons to create new spaces when users only have Viewer privileges.
  • Fix the Kubernetes operator to properly garbage collect old node scans when only node scanning is enabled.
  • Display CVSS 3.1 CVE scores when available.

🥳 Mondoo 8.23 is out! This release includes Mondoo Compliance Hub, improved asset configuration data, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

Compliance Hub

Are you struggling to achieve compliance with frameworks such as SOC 2, HIPAA, BSI, or PCI? Let the new Mondoo Compliance Hub do the heavy lifting for you. It automatically maps all of your existing security scans into the top compliance frameworks, allowing you to quickly view your progress towards compliance. And best of all, you'll never have to take a screenshot for manual evidence gathering again.

Learn more in our Simplifying Compliance: Introducing the Mondoo Compliance Hub blog post.

🧹 IMPROVEMENTS

Improved asset configuration data

Last week we added new asset configuration data to the console, so you can quickly understand what Mondoo is scanning and where to find it in your infrastructure. This week we've improved that experience with an updated layout on the asset pages, improved DB type names for AWS RDS instances, and new data collection on Slack and Okta assets.

VMware policy improvements

  • Update CIS VMware ESXi 6.7 Benchmark from 1.2 to 1.3 with improved audit and remediation steps.
  • Rework queries in CIS ESXi 6.7 and 7.0 benchmarks for improved reliability.

πŸ› BUG FIXES AND UPDATES​

  • Fix failures loading AWS assets in the console.
  • Fix failure applying MS365 policies.
  • Update the VMware appliance to Debian 12.
  • Improve Linux OpenSSH checks to only run when OpenSSH is installed.
  • Improve the "Ensure SSH Protocol is set to 2" Linux query to only run on the appropriate OpenSSH releases.
  • Improve the "Ensure access to the su command is restricted" Linux query to account for admin or mondoo users.
  • Improve Postfix queries to also ensure that Postfix is running.
  • Update Linux policies to use the port resource instead of the deprecated socketstats resource.
  • Use bool value and not pointer in aws.ec2.networkacl.entry.egress resource.
  • Fix an issue that made MQL query compilation non-deterministic.
  • Improve support for services on SUSE systems.
  • Fix some package queries hanging on SUSE systems.
  • Don't include ignored checks in the asset "Top Recommended Actions" tile.

· 3 min read

🥳 Mondoo 8.22 is out! This release includes new asset configuration data, updated CIS policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New asset configuration insights

Have you ever struggled to respond to a security alert because you couldn't locate the asset in your infrastructure? Now with Mondoo, you can quickly track down assets in your environment, thanks to new asset configuration information available in the Mondoo console. This new configuration data includes important asset metadata such as accounts and regions for cloud assets or make, model, and serial number for physical assets. Mondoo automatically collects this data so you don't have to worry about enabling additional policies or query packs.

Example cloud asset: [screenshot: Cloud asset configuration information]

Example physical asset: [screenshot: Employee laptop configuration information]

🧹 IMPROVEMENTS

See who set up integrations

Want to know whom to thank for setting up infrastructure integrations in Mondoo? Each integration in Mondoo now shows the creator so you can quickly see who's been busy securing infrastructure in your organization.

[screenshot: Integration with username]

CIS AWS Foundations Benchmark 2.0

Mondoo now includes the CIS AWS Foundations Benchmark policy version 2.0. This updated release includes two new controls to ensure AWS CloudShell access is restricted and to ensure that instances only allow metadata access via IMDSv2. The policy also includes 22 updated controls with improved audit and remediation steps.

CIS Amazon EKS Benchmark 1.3.0

Mondoo now includes the CIS AWS EKS Benchmark policy 1.3.0. This updated release replaces checks for the deprecated Pod Security Policy system with Pod Security Standards instead. It also includes six updated controls with improved audit and remediation steps.

aws.rds.dbinstance Automatic Upgrade field

The aws.rds.dbinstance MQL resource now includes a new autoMinorVersionUpgrade field that identifies if automatic minor version upgrades are enabled for the RDS instance.

πŸ› BUG FIXES AND UPDATES​

  • Don't hang waiting on Zypper CLI input when scanning SUSE hosts.
  • Detect SUSE 11 and earlier platforms where /etc/os-release is absent.
  • Fix failures scanning containers on the latest Docker releases.
  • Prevent cnspec service checks from potentially rebooting SysV-init-based SUSE 11 and earlier hosts.
  • Fix failures scanning new AWS instances created from the AWS Lambda integration.
  • Fix failing ECR image scans from the AWS Lambda integration.
  • Don't display the Show all policies button on assets when all policies are already showing.
  • Improve the display of current AWS resources from within the AWS Integration page.
  • Stop the packages list in the asset Platform Vulnerabilities tab from reloading twice.
  • Fix a double refresh when selecting asset CVEs.
  • Improve alignment of data on the Platform Vulnerabilities page.
  • Fix Load More pagination on the CVEs page.
  • Fix query results that returned the error "cannot convert primitive with NO type information".
  • Remove empty Impact sections from CIS benchmark policies.
  • Improve MQL query formatting in policies to improve readability.
  • Add a friendly message when an asset has no annotations so it's more clear how to create an annotation.
  • Warn before leaving Risk Actions midway through creating a plan.
  • Fix panics loading some asset data.
  • Improve the display of organization dashboard graphs on tablets.
  • Improve several AWS platform titles.
  • Fix failures using hashi-vault with local inventory files.

· 3 min read

🥳 Mondoo 8.21 is out! This release includes loads of new CIS policies, performance improvements, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


🎉 NEW FEATURES

New CIS policies for OCI, OpenShift, and Amazon 2023

We've been busy pulling in the latest CIS policies for your growing infrastructure, with five new policies this week to help you secure the latest platforms:

  • CIS Red Hat OpenShift Container Platform v4 Benchmark - Level 1
  • CIS Red Hat OpenShift Container Platform v4 Benchmark - Level 2
  • CIS Amazon 2023 Benchmark - Level 1
  • CIS Amazon 2023 Benchmark - Level 2
  • CIS Oracle Cloud Infrastructure Foundation Benchmark - Level 1

🧹 IMPROVEMENTS

Improved policy formatting

The cnspec bundle lint command now handles multi-line queries better. It automatically formats these queries as YAML block scalars, one statement per line, so you can more easily read your policies.

Before:

    mql: "users.where(\n  shell.contains(\"nologin\") == false && shell.contains(\"false\") == false\n  && name != \"sync\" && name != \"shutdown\" && name != \"halt\" \n).list {\n  file(home) {exists}\n}\n"

After:

    mql: |
      users.where(
        shell.contains("nologin") == false && shell.contains("false") == false
        && name != "sync" && name != "shutdown" && name != "halt"
      ).list {
        file(home) {exists}
      }
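The rewrite shown above, as an added stand-alone example that is not cnspec's own code: it decodes the escaped double-quoted YAML string and re-emits it as a literal block scalar, stripping the trailing whitespace that the escaped form hides. The input line is constructed from the "Before" sample; the function name and its handling of non-matching lines are this example's own assumptions.

```python
import json
import re

# Constructed input: the "Before" form from the release notes, an MQL query stored
# as one double-quoted YAML string with escaped newlines and quotes.
BEFORE = r'''mql: "users.where(\n  shell.contains(\"nologin\") == false && shell.contains(\"false\") == false\n  && name != \"sync\" && name != \"shutdown\" && name != \"halt\" \n).list {\n  file(home) {exists}\n}\n"'''

# Matches `key: "..."` with optional leading indentation (hypothetical helper, not cnspec's).
QUOTED_SCALAR = re.compile(r'^(\s*)([A-Za-z_][\w-]*):\s*(".*")\s*$')


def to_block_scalar(line: str, indent: int = 2) -> str:
    """Rewrite `key: "escaped string"` into a YAML literal block scalar (`key: |`).

    Assumption: the escapes used in cnspec bundles (\\n, \\") are a subset of
    JSON's, so json.loads decodes the double-quoted YAML value correctly.
    Lines that are not a multi-line double-quoted scalar are returned unchanged.
    """
    m = QUOTED_SCALAR.match(line)
    if not m:
        return line
    lead, key, quoted = m.groups()
    value = json.loads(quoted)
    if "\n" not in value:
        return line  # a single-line value reads fine as it is
    # `|` clips to exactly one trailing newline; `|-` strips it, so pick the one
    # that reproduces the decoded value byte for byte.
    chomp = "" if value.endswith("\n") else "-"
    pad = lead + " " * indent
    body = [
        (pad + text.rstrip()) if text.strip() else ""  # drop hidden trailing spaces
        for text in value.rstrip("\n").split("\n")
    ]
    return f"{lead}{key}: |{chomp}\n" + "\n".join(body) + "\n"


if __name__ == "__main__":
    print(to_block_scalar(BEFORE), end="")
```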

Improved performance

Who doesn't like getting the same thing, only faster? We optimized how we deliver policy data from Mondoo Platform to our clients to make your scans even quicker. Expect to save around 1.5 seconds on each scan. We hope you make the best of this time windfall.

πŸ› BUG FIXES AND UPDATES​

  • Accept Jira project IDs in any case.
  • Suggest CIS GitHub Benchmark policy after setting up a GitHub integration.
  • Show Debian 11/12 security update repository packages in CVE scan results.
  • Fix assets failing to load in the console under some circumstances.
  • Fix CIS Amazon Linux 2 benchmark policies incorrectly applying to Amazon Linux 2023 hosts.
  • Fix failures when EBS volume scanning Amazon 2023 instances.
  • Fix Oracle Linux 8/9 vulnerability scans showing already installed updates for some packages.
  • Fix typos in the Okta Organization Security policy's query UIDs. Thanks @moeterich.
  • Improve reliability of data exports when data is malformed.
  • Improve reliability of queries in CIS Windows Benchmark policies.
  • Improve reliability of the chrony and timesyncd checks in the Operational Best Practices for Time Synchronization policy.
  • Improve Jira host validation during the integration setup.
  • Improve policy search results in the registry.
  • Improve consistency of CIS benchmark names and query UIDs.
  • Improve queries in CIS Kubernetes Benchmark policies.
  • Rework CIS policies to include groups for better display in the registry.
  • Show an error if a policy cannot be removed from the registry.