Welcome to the August 2022 recap of Mondoo releases.
We have a lot of exciting changes to share from our work this month:
Chapters:
Kubernetes Control Plane Node Scanning
Continuous Kubernetes Workload Scanning
Kubernetes Private Container Image Scanning
Kubernetes Clusters Match Integration Name
Simpler Kubernetes Manifest Scanning
Simpler Getting Started Experience
Supply Chain Security Resources and Policies
RPM Package CVE Scanning without RPM
Google Container Operating System Support Preview
Terraform State File Resource Preview
Scanning of Single Terraform Files
New AWS Backup Vaults MQL Resources
Official Hashicorp Packer Plugin
Elevate Privileges with --sudo flag in Local Mondoo Scans
Improved Linux Kernel Parameter Scanning
Expanded CIS Amazon EKS Benchmarks
Improved RunAsNonRoot Policy Queries
Improved Linux Baseline Policy
Kubernetes Resource Scanning
Problem: You want to secure not just your Kubernetes cluster control plane and nodes, but also the workloads you deploy to your cluster. You need visibility into the security of each of the running workloads.
Solution: Mondoo now scans each workload type as a dedicated asset, with new security and best practice policies applied to each asset. This means you'll now get not only scans of your cluster nodes and overall cluster control plane configuration, but also Pods, CronJobs, StatefulSets, DaemonSets, Jobs, and Deployments. These new assets provide more granular visibility into the workloads deployed onto your clusters and make it easy to disable or skip controls on particular workloads.
Results of Pod Scans:
In addition to these new assets, we're also shipping new Kubernetes Security and Kubernetes Best Practice policies. These new policies replace the existing Kubernetes Application Benchmark policy and apply only to the new Kubernetes resource assets.
We decided to break out our combined security and best practices policy so that it would be easier to determine security vs. best practice violations at a glance. Since these policies scan individual Kubernetes assets instead of the cluster as a whole, they also feature greatly improved scan output and new remediation steps, so you can more easily resolve findings.
Pod Asset with New Policies:
Improved Kubernetes Policy Controls:
To enable scanning of all Kubernetes resources as individual Mondoo assets, pass the --discover all flag when scanning clusters:
mondoo scan k8s --discover allStay tuned for resource scanning directly in the Mondoo Kubernetes Operator and even more improvements to out-of-the-box Kubernetes policies in the coming weeks!
Kubernetes Control Plane Node Scanning
Problem: You need to secure not just your Kubernetes workloads or cluster configuration, but the actual installation of Kubernetes on the control plane servers.
Solution This week, we added the first of many new Mondoo Kubernetes Security policy control plane checks to secure the kube-apiserver, kube-scheduler, kube-controller-manager, and etcd installations. These new controls check for secure permissions on critical configuration files and private key directories. Stay tuned for more controls to secure your control plane next week, along with kubelet controls.
Continuous Kubernetes Workload Scanning
Problem: You want to continuously evaluate the security of all the running workloads in your cluster.
Solution: The Mondoo Operator for Kubernetes now automatically discovers all workload resources in the cluster, including Deployments, CronJobs, and Pods. These new resources, when combined with the recently released Kubernetes Security and Best Practices Benchmarks, provide deep insight into the security of deployed workloads at a moment's glance.
Kubernetes Private Container Image Scanning
Problem: You scan your container images using Mondoo in CI to ensure they are secure when you deploy them. However, you want to ensure that they stay secure as new security best practices are developed, and CVEs in container images are discovered.
Solution: Mondoo now utilizes imagePullSecrets in your Kubernetes cluster to fetch and scan container images in private registries. When you enable image scanning in the Mondoo Kubernetes Operator and use imagePullSecrets to store secrets for private container registries, you receive continuous scan results for public and private container images. This gives you quick access to the misconfigurations and CVEs running in your applications.
New Kubernetes Resources
You can now write Mondoo policies that examine the configuration of Kubernetes Init Containers in your workloads via the k8s.initContainer resource.
bash
mondoo> k8s.deployment(name: 'luna-frontend'
namespace:'default').podSpec{}
k8s.deployment.podSpec: {
containers: [
0: {
image: "nginx:1.14.2"
name: "nginx"
ports: [
0: {
containerPort: 80.000000
}
]
resources: {}
}
]
}
Kubernetes Clusters Match Integration Name
The Kubernetes clusters listed in the Mondoo CI/CD view now match the name configured in the Kubernetes Integration, making it easier to find your cluster when multiple integrations have been set up.
Simpler Kubernetes Manifest Scanning
You can now scan Kubernetes manifests files without the need to specify the --path flag:
bash
mondoo scan k8s my_deployment.yml
Simpler Getting Started Experience
Problem: You created your first space with Mondoo, but what's next?
Solution A new Workstation setup page is available directly from your new Space page. This setup experience helps you to install Mondoo Client onto your Mac, Windows, or Linux workstation. It then guides you through remote scans you can perform to quickly evaluate the security of your infrastructure without deploying agents or installing integrations.
The Workstation Integration setup page now takes you to the instructions for your platform by default. Use Windows: See Windows steps. Use macOS: See macOS steps. Use Arch, Fedora, etc: See Linux steps.
All New Modular GitHub Action
The Mondoo GitHub Action has been entirely rewritten to better integrate within modular workflows in your projects. The action now includes individual GitHub Actions for scanning AWS accounts, Kubernetes Clusters, Kubernetes manifests, Docker images, and Terraform configuration files.
There's also a new action for uploading Mondoo Policies to PolicyHub and an action for configuring Mondoo Client, so you can run whatever scan commands you may need. Keep in mind that this new setup is entirely different than our previous releases and breaks existing workflow configurations.
Make sure to check out the project Readme and each new action's readme for more information on usage. As always, let us know if you have any questions at hello@mondoo.com or join us on our Mondoo Community Slack
Find the new action on the GitHub Actions Marketplace.
Improved CI/CD Project UI
Problem: You want to apply multiple Mondoo scans within your CI projects and view each scan individually.
Solution We've made improvements to Mondoo Client, our GitHub Action, and the CI project UI to make working with complex CI projects a breeze. Mondoo Client CI integrations can now run multiple times within a single CI pipeline. This includes multiple executions within stage/workflow (GitLab/GitHub) and even multiple executions within a job. This makes it possible to use Mondoo to test different assets like Docker containers or Kubernetes manifests in a single pipeline, or to perform before-and-after scans of the same asset.
Filtering in CI/CD Views
Problem: You have a particular Mondoo scan you want to see, but there are hundreds of Kubernetes deployments in your admission controller scan results or your CI job results page.
Solution: The CI/CD view now includes filtering so you can easily find the scan results of particular Kubernetes deployments or CI scans.
Supply Chain Security Resources and Policies
Problem: In the aftermath of numerous high profile software supply chain hacks, you want to secure your softare supply chain against attackers. Mondoo provided initial resources, but didn't offer a security policy out of the box.
Solution: Mondoo now includes a preview of the CIS Software Supply Chain Security Guide policy. This policy includes 18 controls to help you secure your GitHub organization and repositories. It includes important guidelines like ensuring all organization members enable MFA and limiting repository deletion to particular users. This policy is in preview as we work to implement more controls and improve the remediation guidance for failures.
As part of the development of this policy we've also greatly expanded the Mondoo git and GitHub resources. We've expanded the data returned in the github.repository, github.file, and github.branchprotection resources and added the following new resources:
- github.team
- github.collaborator
- github.package
- github.webhook
- github.workflow
- git.commit
- git.commitAuthor
- git.gpgSignature
RPM Package CVE Scanning Without RPM
Problem: You want to analyze Red Hat- or SUSE-based containers or images to find CVEs, but you can't see package information unless you run on a system with the rpm CLI.
Solution Mondoo now remotely scans for package information on Red Hat-based containers and container images without needing the rpm CLI on your workstation. Fire up your Mac, Windows, or Ubuntu system and scan any Red Hat or SUSE container or container image to find outdated packages with CVEs, all without any additional setup.
Google Container Operating System Support Preview
Problem: When scanning Google Kubernetes Engine (GKE) clusters, you want to ensure the security of the cluster nodes running the Google Container OS Linux distribution.
Solution: Mondoo now includes preview support for the Google Container Operating System (GCOS). With this release, you will now see GCOS hosts properly report their release version, EOL date, and package/service states. Stay tuned for improved detection and policy support in the coming weeks.
Terraform State File Resource Review
Problem: Instead of scanning the security of various Terraform configuration files, you'd rather go straight to the source and inspect the Terraform state file.
Solution: Mondoo now includes new preview resources for scanning the security of Terraform state files.
These new resources can be used as part of your Terraform development and deployment cycle:
bash
terraform init
terraform apply
terraform show -json > state.json
mondoo shell -t tfstate --path state_file.json
mondoo> tfstate { * }
tfstate: {
terraformVersion: "1.2.6"
rootModule: tfstate.module id = tfmodule
modules: [
0: tfstate.module id = tfmodule
]
formatVersion: "1.0"
outputs: []
}
# root module
mondoo> tfstate.rootModule { * }
tfstate.rootModule: {
address: ""
childModules: []
resources: [
0: tfstate.resource id = aws_instance.app_server
]
}
# recursive list of modules
mondoo> tfstate.modules { * }
tfstate.modules: [
0: {
address: ""
resources: [
0: tfstate.resource id = aws_instance.app_server
]
childModules: []
}
]
Scanning of Single Terraform Files
You can now scan just a single Terraform configuration file instead of a whole directory of files:
bash
mondoo scan terraform my_tf_deploy.tf
Improved Platform Information
The Mondoo Fleet view now includes more detailed information on each asset's platform and where that asset is running. This information helps you trace assets scanned in Kubernetes/cloud integrations to the infrastructure code that is responsible for their creation.
We've also broken out each Kubernetes resource so you can more easily distinguish between Deployments and the resulting ReplicaSets or Pods they spawn. This new information makes it easier to tell running containers apart from container images or server instances.
New AWS Backup Vaults MQL Resources
Mondoo now includes a new aws.backup.vaults resource for working with backup vaults in AWS Backup.
Returning the ARN and recover points of all backup vaults:
bash
mondoo> aws.backup.vaults { arn recoveryPoints { * }}
aws.backup.vaults: [
0: {
arn: "arn:aws:backup:us-east-1:1234567891011:backup-vault:aws/
efs/automatic-backup-vault"
recoveryPoints: [
0: {
creationDate: 2022-08-17 05:00:00 +0000 UTC
isEncrypted: true
completionDate: 2022-08-17 07:14:15.311 +0000 UTC
arn: "arn:aws:backup:us-east-1:1234567891011:recovery-point:
1234b01b-da45-40a2-8a3a-d1d01234a8e7"
resourceType: "EFS"
createdBy: {
BackupPlanArn: "arn:aws:backup:us-east-1:1234567891011:
backup-plan:aws/efs/73d922fb-9312-3a70-99c3-e69123f9fdad"
BackupPlanId: "aws/efs/73d922fb-9312-3a70-99c3-e69367f9fdad"
BackupPlanVersion: "NDdhZGMxMmUtMTA5Zi00NDgzLThhNzItYmI1Mjk3ZWRlY2M4"
BackupRuleId: "2e8b7566-8ec3-4e4b-8911-3c11dfdb1123"
}
iamRoleArn: "arn:aws:iam::1234567891011:role/aws-service-role/
backup.amazonaws.com/AWSServiceRoleForBackup"
encryptionKeyArn: "arn:aws:kms:us-east-1:1234567891011:key/
9461a123-05ae-48d0-a90b-7d5123f2578f"
status: "COMPLETED"
}
]
}
]
Official Hashicorp Packer Plugin
The Mondoo Provisioner for HashiCorp Packer is now available as a HashiCorp verified provisioner on Packer.io.
Elevate Privileges with --sudo flag in Local Mondoo Scans
You can now use the --sudo flag with mondo scan local. This gives you a consistent way to execute scans with elevated privileges, regardless of the type of Mondoo scan you run.
Improved Linux Kernel Parameter Scanning
Problem: You want to secure the Linux kernel parameters on your systems, but you don't see results when scanning Kubernetes nodes from the Mondoo Kubernetes Operator.
Solution: Mondoo now directly scans kernel parameters by checking the contents of /proc/sys. Not only is this method faster because we don't have to run the systcl command on the system, but it also allows us to validate Linux kernel parameters when scanning without Mondoo Client installed. With this update, you should see improved scoring in the Linux Security Baseline policy on Kubernetes cluster nodes.
Resource Packs in Mondoo Docs
The simple list of resources in the MQL documentation may have worked initially, but the team is just far too fast adding new resources. We have over 350 resources now!
These resources are now broken up by resource packs, which are much easier to navigate. For example, you now have a resource pack for all Kubernetes resources.
Policy Updates
Updated CIS Policies
We've been hard at work to get you the latest and greatest CIS benchmarks to secure your systems. This week we've updated the following policies to the latest releases with new and updated controls:
- AlmaLinux OS 8 Benchmark - Level 1 and Level 2 updated to 2.0
- Apple macOS 10.15 Catalina Benchmark - Level 1 and Level 2 to 2.1.0
- Apple macOS 11.0 Big Sur Benchmark - Level 1 and Level 2 to 2.1.0
- Apple macOS 12.0 Monterey Benchmark - Level 1 and Level 2 to 1.1.0
- Amazon Elastic Kubernetes Service (EKS) Benchmark - Level 1 and Level 2 to 1.1.0
- Windows 2016 CIS Benchmarks - Level 1 and Level 2 to 1.4.0 release. This includes new and improved controls to secure your Windows 2016 hosts.
AWS Best Practices Policies
We've massively revamped our AWS Best Practices policies with over 8000 lines of improved queries, expanded descriptions, and remediation steps that include Terraform code to correct AWS misconfigurations.
Expanded CIS Amazon EKS Benchmarks
We've greatly expandeded the CIS Amazon EKS Level 1 and 2 benchmarks with additional queries and improved the overall reliability of many of the policies. Our updated policies feature many all-new controls and improvements to the existing controls to provide the best possible results.
Improved RunAsNonRoot Policy Queries
We've improved the Kubernetes RunAsNonRoot queries in our Kubernetes Security Benchmark and Kubernetes Application Benchmark policies. These policies now take into account settings in the PodSecurityContext, eliminating false positives when the PodSecurityContext is used to control RunAsNonRoot behavior.
Improved Linux Baseline Policy
We continue to improve our out-of-the-box Linux Baseline policy to provide better remediation steps and to support different Linux distros.
- Skips the Ensure permissions on /etc/shadow- are configured control instead of failing when /etc/shadow- doesn't exist on the system.
- Updates the query in the Ensure Samba is stopped and not enabled control to support Debian/Ubuntu-based Linux distros.
- Updates the query and remediation steps for the Ensure core dumps are restricted control to support more distros.
- Updates the query in the Ensure login and logout events are collected control to support Ubuntu.
- Improves remediation steps and formatting throughout the policy.
Other Improvements
- You can now download policies from the Policy Hub's policy pages.
- EOL data is now stored in the Mondoo Platform and updated automatically. With this change, your systems will always have the latest EOL data as vendors publish new or updated EOL dates.
- Mondoo scans now sync their asset data faster, and asset deletion time is reduced as well. These speed improvements should be especially pronounced when scanning a Kubernetes cluster with a large number of resources or when bulk deleting assets in the Mondoo Console.
- You can now quickly filter assets by their score by clicking the A-F values at the top of the fleet page.
- Resolves failures running scans in the Kubernetes Operator.
- VMware Mondoo appliance now includes timesyncd to prevent platform registration failures due to time drift.
- Resolves duplicate AWS resource counts in the AWS integration pages.
- Resolves potential failures in Mondoo Client when reporting scan results.
- Reports all Mondoo Client scans within GitHub Actions when running the Mondoo action in multiple jobs or steps within the same workflow.
- Resolves incorrect steps in the VMware Integration page.
- Resolves failures in MQL when using if/else statements that have single-valued blocks.
- Resolves the fleet summary pages sometimes showing an incorrect summary breakdown of asset scores.
- Resolves incorrect CRI-O and containerd socket check titles in the Kubernetes Security policy.
- Updates remediation steps for some Auditd checks in the Linux Baseline to work with Debian/Ubuntu systems.
- Resolves errors querying Kubernetes rolebindings or clusterrolebindings.
- Mondoo Kubernetes Security and Kubernetes Best Practices policies now appear as recommended policies when setting up a Kubernetes integration.
- Resolves page rendering problems in the ... menu on the AWS Integrations page.
- Resolves buttons rendering too close together on Policy Hub pages.
- Resolves failures in some if/else blocks in MQL queries.
- Resolves failures delivering some Mondoo invites.
- Properly detects busybox when in containers.
- Resolves incorrect platform description values in the Fleet view.
- Adds a missing tooltip for control status in the policy results.
- Resolves failures scanning Kubernetes ReplicaSets.
- Resolves Amazon Linux EKS nodes not displaying their platform correctly.
- Updates Amazon Linux 2022 CVE data to the 2022-08-17 release
- Evaluates config files in the /etc/ssh/sshd_config.d when parsing sshd configuration.
- Resolves failures to parse some container images when scanning AKS clusters.
- Improves the reliability of SSH algorithm checks in CIS, BSI, and Linux Baseline by Mondoo policies
- Prevents sending duplicate Organization or Space invitations if you add a space chatacter to an e-mail address.
- Prevents display of duplicate informational alerts in AWS Integrations.
- Resolves failures querying EC2 instances that lacked assigned key pairs.
- Properly detects the OS of the Ubiquiti Dream Machine Pro / SE as ubios.
- Resolves a permission denied message when storing discovery results.
- Prevents unnecessary write operations in the AWS Integration Lamba.
- Detects rate limiting in the AWS Integration Lamba to avoid causing failures in other account operations.
- Properly scans and displays Jenkins jobs that have no Git commit.
- Fixes the incorrect spelling of exceptions data in the macos.alf resource.
- Includes Docker tag labels for assets when scanning container registries.
