Welcome to February 2023 release highlight of Mondoo.
We are thrilled to announce the launching of our Enterprise Cloud and v8, as well as other noteworthy milestones for the month:
Chapters
We are thrilled to unveil Mondoo's new cloud-based corporate solution. Data privacy is crucial in regulated industries including healthcare, government, and finance. Our SaaS platform and dedicated environment boost security, privacy, and scalability for large companies.
The release focuses on running a dedicated environment on GCP, Amazon, or Azure, enterprise-level security and compliance controls, frequent product and security upgrades, and unifying security posture management tool footprint into one platform.
Find out more in our blog post.
Problem: Earlier, Mondoo's GCP and Azure integrations had limited support for policies and resources requiring users to install the Mondoo clients to scan their cloud accounts remotely. There was also limited discoverability of all the things in your cloud accounts.
Solution: We added server-side integrations for GCP, Azure, and MS365, allowing you to scan and integrate these environments without installing agents. You can continuously scan these environments and use MQL to discover all included services and components. We also expanded on policies for these systems, including support for CIS.
You can now configure continuous scanning of GCP, Azure, and even Microsoft 365 services through the Mondoo console. No need to download an agent or deploy any code into your infrastructure. Configure read-only service credentials in the Mondoo console and let Mondoo do the rest.
In addition to these integrations, we have also updated our policies.
Mondoo now includes the latest CIS policies for GCP and Azure, version 2.0.0 and 1.5.0 respectively. These updated policies utilize the latest resources shipped with the latest versions of cnspec, and include many new queries as well as audit and remediation steps for all queries. Our certification release for the latest CIS MS365 is coming soon.
You can now configure the Mondoo AWS integration to continuously scan your AWS ECR (Elastic Container Registry) and ECS (Elastic Container Service) infrastructure, providing security insight to your critical container infrastructure.
This will now be automatically scanned with your new or existing AWS integration. The configuration can be found on the integration page:
We are excited to announce our latest release of Mondoo version 8 which includes our open source projects cnquery and cnspec.
This release focuses on improving policies and query packs, simplifying their structure, and adding major new features like configurable properties, variants, and embedded queries to enhance your experience with Mondoo.
Find out more in our release notes for v8.
Problem: The top-heavy navigation in Mondoo caused difficulties for our consumers as it was difficult to use, didn't support sub-menus, and exposed only a few menu items. Additionally, the vulnerability database and policy registry were difficult to find, even though they were highly useful.
Solution: To address these issues, we have completely revamped the navigation in the Mondoo interface. We have introduced a new navigation menu to the left side of the website to replace the top navigation tabs.This new menu includes frequently accessed sections of the UI such as Fleet, CI/CD, Integrations, and Policy Hub.
Sub-items in the menu make it easier to find what you're looking for without having to navigate through multiple pages. For example, to view Kubernetes integrations you can select Integrations ⇒ Kubernetes in the menu instead of loading the Integrations page and then selecting Kubernetes.
This new menu also includes quick access to the Mondoo Vulnerability Database, which was previously buried deep in the Policy Hub. With this new navigation, users can easily find and access the database.
Additionally, we have introduced a new integrations menu that summarizes all configured integrations. We have also added a convenient link to add new integrations at the top of the menu.
We have exciting plans to further improve this new navigation menu, so stay tuned for new releases.
Problem: When using cnspec to protect your code, it can be challenging to locate Terraform code results as they appear as uncategorized assets.
Solution: To make it easier to find all of your Terraform scans in one location, we have introduced a new Terraform section in the Fleet view.
To improve the user experience and make it easier to locate and categorize assets, we've renamed and introduced new groupings in the fleet view. Azure, Slack, and Okta assets are now azure-subscription, slack-team, and okta-org, respectively, to more accurately reflect their contents. Additionally, we have introduced new Okta, Google Workspace, and Slack groupings to enable users to filter assets by SaaS service.
We have added new functionality to show asset advisory counts in CVE views. This allows users to better understand the impact of each vulnerability and prioritize their patching efforts accordingly. Users can now see the asset score for each affected asset, as well as the total number of advisories for each asset directly on the CVE page. This new feature will help users to make more informed decisions about how to allocate their resources to improve their overall security posture.
The latest update to cnspec now detects the platform and architecture of containers built from scratch. With this update, users can more easily identify scratch containers and ensure they are secured properly to reduce security risks.
Controls that are automatically skipped are no longer shown as disabled in the Mondoo console. Depending on the policy and infrastructure scanned, there could be several dozen controls that cnspec skipped automatically. This new behavior simplifies the asset controls view and makes it more clear which controls ran and which you disabled.
Differentiating between shared spaces can be difficult if the space names are the same. Shared spaces now include the org and space name, so you can better tell spaces apart.
Small and embedded devices, like programmable logic controllers, are often-times black boxes and can pose a security risk if they are not well-secured.
Mondoo now supports Phoenix PLCnext programmable logic controllers.
Specifically, cnspec and cnquery now support Phoenix PLCnext PLCs. We have introduced a new community Phoenix PLCnext Security Policy that includes 22 security guidelines based on recommendations from the PLCnext community. Additionally, cnquery now includes a new platform output field that specifies the PLCnext platform, including the version number and build.
cnquery PLCnext platform output:
platform: {
name: "plcnext"
build: "d755854b5b21ecb8dca26b0a560e6842a0c638d7"
title: "PLCnext"
version: "23.0.0.65"
}
With this new support, you can now use Mondoo to audit and secure your PLCnext controllers, ensuring that they are protected against potential security vulnerabilities.
Problem: Keeping track of the status of your GitHub repositories', including any security and best practices violations, can be challenging.
Solution: We’ve created a new policy, "GitHub Repository Best Practices by Mondoo," which covers non-security checks from our existing "GitHub Repository Security by Mondoo" policy. This makes it easier for you to report and address security and best practices issues separately. Additionally, we’ve added a new query to the policy to ensure that repositories are set up to utilize Dependabot for package management lock files, GitHub Actions, or Docker base images.
We've improved support for detecting end of life (EOL) platforms with new and updated EOL detection support:
In response to community feedback, we have implemented updates to the CLI scanning UX. Now, viewing scan results is easier than ever before. Additionally, we have improved the user experience when scans fail. These updates aim to enhance the overall usability of our CLI scanning feature.
Problem: You want to scan multiple assets using a Mondoo inventory file but also need to securely store any required secrets.
Solution: cnspec and cnquery now provide the ability to manage secrets data in vaults directly through the command line. To securely store the secrets, a keychain vault can be defined using the command cnspec vault set mondoo-client-vault --type keyring. You can confirm the vault's configuration using the cnspec vault list command. Then, add your secret to the keychain vault with the cnspec vault add-secret command. Once you have added the secret to the keychain vault, you can reference the secret in your inventory. Re-run the scan, and you will see that the secret is now picked up along with the inventory file.
The cnquery CLI can now produce CSV output on the CLI for integration spreadsheet apps or other systems that parse CSV input.
cnquery scan docker debian:11 --output csv > report.csv
Our latest release makes it simpler to install and migrate to cnspec at scale with our new Mondoo Ansible role. This role can setup cnspec and cnquery on new systems, and update existing installations to use these tools. Just run this role on your systems, and the latest cnspec release will automatically be running as a service.
The mondoo cookbook 0.5.0 is now available on Chef Supermarket. This updated release configures systems to use the cnspec service. If you’re already using the previous release of the cookbook, this release will automatically update your systems from the mondoo service to the cnspec service.
If you don't want to pass your Okta token on the CLI with the --token flag, cnquery and cnspec now support fetching the token from the OKTA_CLIENT_TOKEN env var in your shell.
A new azure.subscription.aks.cluster resource has been added to explore your Kuberenetes clusters in Azure AKS. It allows you to inspect the settings in your Kubernetes control plane and add checks to keep them secure.
To list all AKS clusters:
cnquery> azure.subscription.aks.clusters
azure.subscription.aks.clusters: [
0: azure.subscription.aksService.cluster name="aks-dev-cluster" location="westeurope"
]
To select particular properties for each cluster:
cnquery> azure.subscription.aks.clusters{name rbacEnabled kubernetesVersion powerState}
azure.subscription.aks.clusters: [
0: {
rbacEnabled: true
powerState: "Running"
kubernetesVersion: "1.24.9"
name: "aks-dev-cluster"
}
]
A new aws.ssm resource allows you to explore and secure the settings in your AWS Systems Manager (SSM) infrastructure.
To query SSM data using cnquery:
cnquery> aws.ssm.instances { * }
aws.ssm.instances: [
0: {
arn: "arn:aws:ssm:us-east-1:185972261234:instance/i-0f58c727dc7ca1337"
platformName: "Microsoft Windows Server 2022 Datacenter"
ipAddress: "172.1.89.50"
instanceId: "i-0f58c727dc7ca1337"
region: "us-west-2"
pingStatus: "Online"
tags: {
Name: "test-win"
}
}
1: {
arn: "arn:aws:ssm:us-east-1:185972261234:instance/i-04680e19801302600"
platformName: "Amazon Linux"
ipAddress: "172.1.80.30"
instanceId: "i-04680e19801302600"
region: "us-west-2"
pingStatus: "Online"
tags: {
Name: "badssm"
}
}
...
Or write a query for a policy:
cnquery> aws.ssm.instances.all(pingStatus == "Online")
[ok] value: true
Mondoo now includes new resources for Amazon ECR and CloudFront so you can explore and secure even more of your Amazon infrastructure using MQL.
Querying ECR images:
cnquery> aws.ecr.images { * }
aws.ecr.images: [
0: {
registryId: "172746783610"
tags: [
0: "latest"
]
digest: "sha256:0c78b32ef7f3b41e3ed3115488d64a6faf7a3cdade2a5eb720092b6e8e0a88ca"
repoName: "vjtestpriv"
mediaType: "application/vnd.docker.distribution.manifest.v2+json"
}
]
cnquery> aws.ecr.publicRepositories { * }
aws.ecr.publicRepositories: []
cnquery> aws.ecr.privateRepositories { * }
aws.ecr.privateRepositories: [
0: {
uri: "172746783610.dkr.ecr.us-east-1.amazonaws.com/vjtestpriv"
public: false
region: "us-east-1"
registryId: "172746783610"
name: "vjtestpriv"
arn: "arn:aws:ecr:us-east-1:172746783610:repository/vjtestpriv"
images: [
0: aws.ecr.image id = vjtestpriv/sha256:0c78b32ef7f3b41e3ed3115488d64a6faf7a3cdade2a5eb720092b6e8e0a88ca
]
}
]
Querying CloudFront distributions and functions:
cnquery> aws.cloudfront { distributions { *} functions { * } }
aws.cloudfront: {
distributions: [
0: {
origins: [
0: aws.cloudfront.distribution.origin id = 185972265011/test-1be01d1424077260.elb.us-east-1.amazonaws.com
]
status: "Deployed"
cacheBehaviors: []
domainName: "d1w4eig1i8et92.cloudfront.net"
arn: "arn:aws:cloudfront::185972265011:distribution/E3J92HBG5Z8S6Q"
defaultCacheBehavior: {
AllowedMethods: {
CachedMethods: {
Items: [
0: "HEAD"
1: "GET"
]
Quantity: 2.000000
}
Items: [
0: "HEAD"
1: "GET"
]
Quantity: 2.000000
}
CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
Compress: true
DefaultTTL: null
FieldLevelEncryptionId: ""
ForwardedValues: null
FunctionAssociations: {
Items: null
Quantity: 0.000000
}
LambdaFunctionAssociations: {
Items: null
Quantity: 0.000000
}
MaxTTL: null
MinTTL: null
OriginRequestPolicyId: null
RealtimeLogConfigArn: null
ResponseHeadersPolicyId: null
SmoothStreaming: false
TargetOriginId: "test-1be01d1424077260.elb.us-east-1.amazonaws.com"
TrustedKeyGroups: {
Enabled: false
Items: null
Quantity: 0.000000
}
TrustedSigners: {
Enabled: false
Items: null
Quantity: 0.000000
}
ViewerProtocolPolicy: "allow-all"
}
}
]
functions: [
0: {
status: ""
arn: "arn:aws:cloudfront:global:185972265011::/functions/vjtest"
comment: ""
stage: "DEVELOPMENT"
name: "vjtest"
runtime: "cloudfront-js-1.0"
lastModifiedTime: "2023-01-29T21:07:01Z"
createdTime: "2023-01-29T21:07:01Z"
}
]
}
We've continued to expand the data you can query using MQL in your GCP projects to make asset inventory and security easier:
Added a new gcp.project.compute.addresses resource
gcp.project.compute.addresses[0]: {
ipv6EndpointType: ""
created: 2022-12-15 12:45:25.62 -0800 -0800
address: "10.10.0.2"
network: data is not a map to auto-expand
networkTier: "PREMIUM"
id: "2700460578865297802"
userUrls: [
0: "https://www.googleapis.com/compute/v1/projects/mondoo-edge/regions/us-central1/forwardingRules/gke-mondoo-gke-cluster-2-c255f8bc-73b71c8f-pe"
]
ipVersion: ""
name: "gke-mondoo-gke-cluster-2-c255f8bc-73b71c8f-pe"
status: "IN_USE"
subnetworkUrl:
"https://www.googleapis.com/compute/v1/projects/mondoo-edge/regions/us-central1/subnetworks/mondoo-gke-cluster-2-subnet"
prefixLength: 0
networkUrl: ""
regionUrl:
"https://www.googleapis.com/compute/v1/projects/mondoo-edge/regions/us-central1"
addressType: "INTERNAL"
purpose: "GCE_ENDPOINT"
description: ""
subnetwork: gcp.project.computeService.subnetwork
name="mondoo-gke-cluster-2-subnet"
}
Added new gcp.project.compute.forwardingRules resource
gcp.project.compute.forwardingRules: [
0: {
description: ""
ipProtocol: "TCP"
serviceDirectoryRegistrations: []
id: "1374403102344"
labels: {}
name: "front-lb-1-test"
serviceName: ""
network: gcp.project.computeService.network name="test-vpc-3"
networkUrl:
"https://www.googleapis.com/compute/v1/projects/manuel-development-2/global/networks/test-vpc-3"
allPorts: false
targetUrl:
"https://www.googleapis.com/compute/v1/projects/manuel-development-2/regions/us-central1/targetHttpProxies/lb-1-test-target-proxy"
ipAddress: "35.209.226.183"
allowGlobalAccess: false
networkTier: "STANDARD"
backendService: ""
isMirroringCollector: false
subnetwork: data is not a map to auto-expand
noAutomateDnsZone: false
serviceLabel: ""
ports: []
loadBalancingScheme: "EXTERNAL_MANAGED"
ipVersion: ""
created: 2023-01-19 10:56:30.873 -0800 -0800
metadataFilters: []
regionUrl:
"https://www.googleapis.com/compute/v1/projects/manuel-development-2/regions/us-central1"
portRange: "80-80"
subnetworkUrl: ""
}
]
gcp.project.dataproc.clusters data is now only gathered if the DataProc Cloud service is enabled in the project.
Improve reliability of parsing GCP alert policies conditions.
PublicAccessPrevention added to gcp.storage.buckets resource
The gcp.storage.buckets resource now includes publicAccessPrevention data. Here's an example of querying this data out for all buckets in a project:
gcp.storage.buckets { iamConfiguration['publicAccessPrevention'] }
gcp.storage.buckets: [
0: {
iamConfiguration[publicAccessPrevention]: "inherited"
}
1: {
iamConfiguration[publicAccessPrevention]: "inherited"
}
2: {
iamConfiguration[publicAccessPrevention]: "inherited"
}
3: {
iamConfiguration[publicAccessPrevention]: "inherited"
}
]