Welcome to the August 2022 recap of Mondoo releases.
We have a lot of exciting changes to share from our work this month:
Chapters:
Kubernetes Control Plane Node Scanning
Continuous Kubernetes Workload Scanning
Kubernetes Private Container Image Scanning
Kubernetes Clusters Match Integration Name
Simpler Kubernetes Manifest Scanning
Simpler Getting Started Experience
Supply Chain Security Resources and Policies
RPM Package CVE Scanning without RPM
Google Container Operating System Support Preview
Terraform State File Resource Preview
Scanning of Single Terraform Files
New AWS Backup Vaults MQL Resources
Official Hashicorp Packer Plugin
Elevate Privileges with --sudo flag in Local Mondoo Scans
Improved Linux Kernel Parameter Scanning
Expanded CIS Amazon EKS Benchmarks
Improved RunAsNonRoot Policy Queries
Improved Linux Baseline Policy
Problem: You want to secure not just your Kubernetes cluster control plane and nodes, but also the workloads you deploy to your cluster. You need visibility into the security of each of the running workloads.
Solution: Mondoo now scans each workload type as a dedicated asset, with new security and best practice policies applied to each asset. This means you'll now get not only scans of your cluster nodes and overall cluster control plane configuration, but also Pods, CronJobs, StatefulSets, DaemonSets, Jobs, and Deployments. These new assets provide more granular visibility into the workloads deployed onto your clusters and make it easy to disable or skip controls on particular workloads.
Results of Pod Scans:
In addition to these new assets, we're also shipping new Kubernetes Security and Kubernetes Best Practice policies. These new policies replace the existing Kubernetes Application Benchmark policy and apply only to the new Kubernetes resource assets.
We decided to break out our combined security and best practices policy so that it would be easier to determine security vs. best practice violations at a glance. Since these policies scan individual Kubernetes assets instead of the cluster as a whole, they also feature greatly improved scan output and new remediation steps, so you can more easily resolve findings.
Pod Asset with New Policies:
Improved Kubernetes Policy Controls:
To enable scanning of all Kubernetes resources as individual Mondoo assets, pass the --discover all flag when scanning clusters:
mondoo scan k8s --discover all
Stay tuned for resource scanning directly in the Mondoo Kubernetes Operator and even more improvements to out-of-the-box Kubernetes policies in the coming weeks!
Problem: You need to secure not just your Kubernetes workloads or cluster configuration, but the actual installation of Kubernetes on the control plane servers.
Solution This week, we added the first of many new Mondoo Kubernetes Security policy control plane checks to secure the kube-apiserver, kube-scheduler, kube-controller-manager, and etcd installations. These new controls check for secure permissions on critical configuration files and private key directories. Stay tuned for more controls to secure your control plane next week, along with kubelet controls.
Problem: You want to continuously evaluate the security of all the running workloads in your cluster.
Solution: The Mondoo Operator for Kubernetes now automatically discovers all workload resources in the cluster, including Deployments, CronJobs, and Pods. These new resources, when combined with the recently released Kubernetes Security and Best Practices Benchmarks, provide deep insight into the security of deployed workloads at a moment's glance.
Problem: You scan your container images using Mondoo in CI to ensure they are secure when you deploy them. However, you want to ensure that they stay secure as new security best practices are developed, and CVEs in container images are discovered.
Solution: Mondoo now utilizes imagePullSecrets in your Kubernetes cluster to fetch and scan container images in private registries. When you enable image scanning in the Mondoo Kubernetes Operator and use imagePullSecrets to store secrets for private container registries, you receive continuous scan results for public and private container images. This gives you quick access to the misconfigurations and CVEs running in your applications.
You can now write Mondoo policies that examine the configuration of Kubernetes Init Containers in your workloads via the k8s.initContainer
resource.
bash
mondoo> k8s.deployment(name: 'luna-frontend'
namespace:'default').podSpec{}
k8s.deployment.podSpec: {
containers: [
0: {
image: "nginx:1.14.2"
name: "nginx"
ports: [
0: {
containerPort: 80.000000
}
]
resources: {}
}
]
}
The Kubernetes clusters listed in the Mondoo CI/CD view now match the name configured in the Kubernetes Integration, making it easier to find your cluster when multiple integrations have been set up.
You can now scan Kubernetes manifests files without the need to specify the --path
flag:
bash
mondoo scan k8s my_deployment.yml
Problem: You created your first space with Mondoo, but what's next?
Solution A new Workstation setup page is available directly from your new Space page. This setup experience helps you to install Mondoo Client onto your Mac, Windows, or Linux workstation. It then guides you through remote scans you can perform to quickly evaluate the security of your infrastructure without deploying agents or installing integrations.
The Workstation Integration setup page now takes you to the instructions for your platform by default. Use Windows: See Windows steps. Use macOS: See macOS steps. Use Arch, Fedora, etc: See Linux steps.
The Mondoo GitHub Action has been entirely rewritten to better integrate within modular workflows in your projects. The action now includes individual GitHub Actions for scanning AWS accounts, Kubernetes Clusters, Kubernetes manifests, Docker images, and Terraform configuration files.
There's also a new action for uploading Mondoo Policies to PolicyHub and an action for configuring Mondoo Client, so you can run whatever scan commands you may need. Keep in mind that this new setup is entirely different than our previous releases and breaks existing workflow configurations.
Make sure to check out the project Readme and each new action's readme for more information on usage. As always, let us know if you have any questions at hello@mondoo.com or join us on our Mondoo Community Slack
Find the new action on the GitHub Actions Marketplace.
Problem: You want to apply multiple Mondoo scans within your CI projects and view each scan individually.
Solution We've made improvements to Mondoo Client, our GitHub Action, and the CI project UI to make working with complex CI projects a breeze. Mondoo Client CI integrations can now run multiple times within a single CI pipeline. This includes multiple executions within stage/workflow (GitLab/GitHub) and even multiple executions within a job. This makes it possible to use Mondoo to test different assets like Docker containers or Kubernetes manifests in a single pipeline, or to perform before-and-after scans of the same asset.
Problem: You have a particular Mondoo scan you want to see, but there are hundreds of Kubernetes deployments in your admission controller scan results or your CI job results page.
Solution: The CI/CD view now includes filtering so you can easily find the scan results of particular Kubernetes deployments or CI scans.
Problem: In the aftermath of numerous high profile software supply chain hacks, you want to secure your softare supply chain against attackers. Mondoo provided initial resources, but didn't offer a security policy out of the box.
Solution: Mondoo now includes a preview of the CIS Software Supply Chain Security Guide policy. This policy includes 18 controls to help you secure your GitHub organization and repositories. It includes important guidelines like ensuring all organization members enable MFA and limiting repository deletion to particular users. This policy is in preview as we work to implement more controls and improve the remediation guidance for failures.
As part of the development of this policy we've also greatly expanded the Mondoo git and GitHub resources. We've expanded the data returned in the github.repository, github.file, and github.branchprotection resources and added the following new resources:
Problem: You want to analyze Red Hat- or SUSE-based containers or images to find CVEs, but you can't see package information unless you run on a system with the rpm CLI.
Solution Mondoo now remotely scans for package information on Red Hat-based containers and container images without needing the rpm CLI on your workstation. Fire up your Mac, Windows, or Ubuntu system and scan any Red Hat or SUSE container or container image to find outdated packages with CVEs, all without any additional setup.
Problem: When scanning Google Kubernetes Engine (GKE) clusters, you want to ensure the security of the cluster nodes running the Google Container OS Linux distribution.
Solution: Mondoo now includes preview support for the Google Container Operating System (GCOS). With this release, you will now see GCOS hosts properly report their release version, EOL date, and package/service states. Stay tuned for improved detection and policy support in the coming weeks.
Problem: Instead of scanning the security of various Terraform configuration files, you'd rather go straight to the source and inspect the Terraform state file.
Solution: Mondoo now includes new preview resources for scanning the security of Terraform state files.
These new resources can be used as part of your Terraform development and deployment cycle:
bash
terraform init
terraform apply
terraform show -json > state.json
mondoo shell -t tfstate --path state_file.json
mondoo> tfstate { * }
tfstate: {
terraformVersion: "1.2.6"
rootModule: tfstate.module id = tfmodule
modules: [
0: tfstate.module id = tfmodule
]
formatVersion: "1.0"
outputs: []
}
# root module
mondoo> tfstate.rootModule { * }
tfstate.rootModule: {
address: ""
childModules: []
resources: [
0: tfstate.resource id = aws_instance.app_server
]
}
# recursive list of modules
mondoo> tfstate.modules { * }
tfstate.modules: [
0: {
address: ""
resources: [
0: tfstate.resource id = aws_instance.app_server
]
childModules: []
}
]
You can now scan just a single Terraform configuration file instead of a whole directory of files:
bash
mondoo scan terraform my_tf_deploy.tf
The Mondoo Fleet view now includes more detailed information on each asset's platform and where that asset is running. This information helps you trace assets scanned in Kubernetes/cloud integrations to the infrastructure code that is responsible for their creation.
We've also broken out each Kubernetes resource so you can more easily distinguish between Deployments and the resulting ReplicaSets or Pods they spawn. This new information makes it easier to tell running containers apart from container images or server instances.
Mondoo now includes a new aws.backup.vaults resource for working with backup vaults in AWS Backup.
Returning the ARN and recover points of all backup vaults:
bash
mondoo> aws.backup.vaults { arn recoveryPoints { * }}
aws.backup.vaults: [
0: {
arn: "arn:aws:backup:us-east-1:1234567891011:backup-vault:aws/
efs/automatic-backup-vault"
recoveryPoints: [
0: {
creationDate: 2022-08-17 05:00:00 +0000 UTC
isEncrypted: true
completionDate: 2022-08-17 07:14:15.311 +0000 UTC
arn: "arn:aws:backup:us-east-1:1234567891011:recovery-point:
1234b01b-da45-40a2-8a3a-d1d01234a8e7"
resourceType: "EFS"
createdBy: {
BackupPlanArn: "arn:aws:backup:us-east-1:1234567891011:
backup-plan:aws/efs/73d922fb-9312-3a70-99c3-e69123f9fdad"
BackupPlanId: "aws/efs/73d922fb-9312-3a70-99c3-e69367f9fdad"
BackupPlanVersion: "NDdhZGMxMmUtMTA5Zi00NDgzLThhNzItYmI1Mjk3ZWRlY2M4"
BackupRuleId: "2e8b7566-8ec3-4e4b-8911-3c11dfdb1123"
}
iamRoleArn: "arn:aws:iam::1234567891011:role/aws-service-role/
backup.amazonaws.com/AWSServiceRoleForBackup"
encryptionKeyArn: "arn:aws:kms:us-east-1:1234567891011:key/
9461a123-05ae-48d0-a90b-7d5123f2578f"
status: "COMPLETED"
}
]
}
]
The Mondoo Provisioner for HashiCorp Packer is now available as a HashiCorp verified provisioner on Packer.io.
You can now use the --sudo flag with mondo scan local. This gives you a consistent way to execute scans with elevated privileges, regardless of the type of Mondoo scan you run.
Problem: You want to secure the Linux kernel parameters on your systems, but you don't see results when scanning Kubernetes nodes from the Mondoo Kubernetes Operator.
Solution: Mondoo now directly scans kernel parameters by checking the contents of /proc/sys. Not only is this method faster because we don't have to run the systcl command on the system, but it also allows us to validate Linux kernel parameters when scanning without Mondoo Client installed. With this update, you should see improved scoring in the Linux Security Baseline policy on Kubernetes cluster nodes.
The simple list of resources in the MQL documentation may have worked initially, but the team is just far too fast adding new resources. We have over 350 resources now!
These resources are now broken up by resource packs, which are much easier to navigate. For example, you now have a resource pack for all Kubernetes resources.
We've been hard at work to get you the latest and greatest CIS benchmarks to secure your systems. This week we've updated the following policies to the latest releases with new and updated controls:
We've massively revamped our AWS Best Practices policies with over 8000 lines of improved queries, expanded descriptions, and remediation steps that include Terraform code to correct AWS misconfigurations.
We've greatly expandeded the CIS Amazon EKS Level 1 and 2 benchmarks with additional queries and improved the overall reliability of many of the policies. Our updated policies feature many all-new controls and improvements to the existing controls to provide the best possible results.
We've improved the Kubernetes RunAsNonRoot queries in our Kubernetes Security Benchmark and Kubernetes Application Benchmark policies. These policies now take into account settings in the PodSecurityContext, eliminating false positives when the PodSecurityContext is used to control RunAsNonRoot behavior.
We continue to improve our out-of-the-box Linux Baseline policy to provide better remediation steps and to support different Linux distros.