ICYMI: Mondoo Release Highlights for July 2022

Welcome to the July 2022 recap of Mondoo releases.

We have a lot of exciting changes to share from our work in July.

Azure Pipelines, Jenkins, and CircleCI support

Mondoo now supports CI integrations with Azure Pipelines, Jenkins, and CircleCI projects, increasing our out-of-the-box CI/CD integrations to six. Rely on CI/CD integrations to scan Kubernetes manifests, Terraform configuration files, and Docker images for common misconfigurations and CVEs.

Check out our docs to learn more:

• Azure Pipelines integration
• Jenkins integration
• CircleCI integration

Still don't see the CI/CD integration you need? Let us know at hello@mondoo.com.

AWS side scanning

Problem

You want Mondoo to scan your AWS instances, but you want to do it without SSH credentials or an SSM agent and without directly impacting your production workloads.

Solution

Mondoo now supports AWS side scanning, an approach which scans a snapshot of any EC2 instance. You can scan an EC2 instance, an EC2 EBS volume, or an EC2 EBS snapshot. Side scanning allows you to scan an instance without having to remotely log into the machine or install an agent. See the EC2 Snapshot Scanning docs for details.

Mondoo Operator for Kubernetes container image scanning

Problem

You want to assess the security of not just your Kubernetes workload definitions but also the containers running in the workloads.

Solution

We are now integrating public container image scanning directly into the Mondoo Operator for Kubernetes. When enabled, the Mondoo Operator for Kubernetes will now perform daily scans of all publicly available container images running in your Kubernetes cluster, exposing common OS misconfigurations and CVEs.

Here the Mondoo Operator for Kubernetes scans our prod-k8s cluster. It reveals the security of the three cluster nodes, all workloads deployed to the cluster, and the kube-apiserver pod:

We think you'll be blown away at how quickly Mondoo discovers new CVEs in the containers that make up your critical workloads. This kube-proxy container was running on a brand new Kubernetes cluster and had six different vulnerable packages:

Kubernetes Pod scanning

Problem

You have hundreds or even thousands of different workloads in your Kubernetes clusters, and you want to see the security status of individual workloads instead of just the cluster as a whole.

Solution

This week, we're shipping our first slice of Kubernetes resource scanning with Pod scanning. With this new discovery mode, each Pod in your cluster becomes an asset within Mondoo. Policies are applied at the Pod level, and you can write MQL queries against these Pods instead of the whole cluster. This gives you more granular workflow scanning and improved alerting.

To start scanning discovery Pods as assets during your Kubernetes scans, run:

mondoo scan k8s --discover pods

Stay tuned for next month’s release when we introduce more new Kubernetes resources as Mondoo assets, along with new out-of-the-box policies for scanning these assets.

Improved K8s application scanning

Problem

Your Kubernetes workloads include not just Pods, but many other kinds of Kubernetes resources. Mondoo's Kubernetes Application Benchmark policy scanned only Pods, missing the root cause of many security misconfigurations.

Solution

The Kubernetes Application Benchmark policy now scans not just Pods, but also StatefulSets, DaemonSets, Jobs, CronJobs, and Deployments, ensuring all the resources on your cluster are secured. With these additional queries and expanded audit instructions in the policy, you can more easily find the parent resource with the identified misconfiguration, saving you time securing your cluster.

Mondoo Kubernetes Operator 1.0

We started our open source Mondoo Operator for Kubernetes project in January of this year. Since then, the Mondoo team has been busy extending the functionality, ensuring stability, and squeezing every ounce of performance out of the codebase. This week, after 300 pull requests merged, we shipped the 1.0 release.

What does 1.0 mean for me?

1.0 means we're confident in the functionality and stability of the project. Additionally, since Mondoo follows Semantic Versioning, we won't intentionally break any configuration interfaces in subsequent 1.x releases. Config stability between minor releases makes upgrades easier without requiring stepped upgrades.

If you're still on an older Mondoo Operator release, we strongly encourage you to upgrade to 1.0. We've introduced significant new capabilities over the last few months, including Pod container image scanning, rootless/read-only execution, and CronJob-based scanning. See our Mondoo Operator Upgrade docs for more information on upgrading to 1.0.

Top platform vulnerabilities on overview

Problem

You want to find the critical CVEs in your environment quickly.

Solution

The Mondoo Overview page now shows your space's top five platform vulnerabilities. This new view lets you quickly determine the most impacting vendor advisories and how many assets are affected by each advisory. The individual advisories link to detailed information pages summarizing the included CVEs and impact. You can also click View All to see all security advisories in your space.

Summary scan output

Problem

Mondoo scans printed all results for every query in the CLI. However, sometimes you just want to see a quick summary of how the scan went, especially when the data is collected upstream for a deeper analysis.

Solution

Mondoo now includes a new summary output mode. This mode contains just the summary portion of the Mondoo scan so you can quickly determine the security posture of systems. To activate it, run:

mondoo scan … -o summary

Multiline support in Mondoo Shell

Problem

Writing complex MQL queries on one line could be frustrating. This limitation caused many queries to look far more complicated than they really are.

Solution

Mondoo Shell now supports multiline input! It will automatically recognize queries that are incomplete when hitting the enter key.

Show disabled and ignored controls

Problem

With the old reporting, it WAS difficult to recognize disabled and ignored controls in the scan results. In fact, it was possible to confuse them with regular results, instead of the intended states.

Solution

Disabled and Ignored controls in policies are now visually indicated in assets' policies, making it clear which policies impact scoring. It is now easier to see how changes in the policy configuration are affecting the results that are reported after scans.

Total scans on the vulnerability page

Problem

Mondoo didn't provide enough context about vulnerability scans. It provided the number of findings, but didn't show the total number of objects scanned. If you had a system with no vulnerabilities, it could appear that Mondoo wasn't doing anything!

Solution

Mondoo now also shows the total number of objects scanned in a vulnerability scan. This reveals more about the execution and communicates how many objects were tested.

macOS Ventura (13) support

Problem

Apple is currently working on the next major version of its Mac operating system: macOS Ventura (release 13). It is slated for a release towards the end of this year. An early version of this new release is now available in beta and can be used today. However, the Mondoo baseline policy did not support it yet.

Solution

Mondoo Client has been tested on macOS Ventura beta and the macOS Security Baseline by Mondoo policy has been updated for this upcoming release.

Simpler asset deletion

You can now delete assets directly on the asset page by clicking the delete icon.

If you're one to live dangerously, you can even opt out of warnings and delete assets with just a single click. However, be careful to avoid accidentally deleting assets.

Improved Linux EOL detection

We've improved the EOL operating system detection in Mondoo Client to support the following new Linux releases:

• Alpine 3.16
• openSUSE 15.4
• Oracle Linux 9
• Rocky Linux 9
• SUSE Linux Enterprise 15.4

MQL improvements

We've updated MQL's platform resource to improve gathering information on assets. A new platform.title value exposes a human-friendly version of the platform's name, and the platform.version value has been deprecated in favor of platform.release.

Policy updates

We have added 3 major new policies:

1. NSA PowerShell: Security Measures to Use and Embrace
   This policy implements the recommendations of the United States, New Zealand, and the United Kingdom cybersecurity agency's whitepaper Keeping PowerShell: Security Measures to Use and Embrace.
2. Operational Best Practices for Time Synchronization by Mondoo
   This policy supports macOS, Linux, and Windows hosts to ensure that systems are correctly syncing their time. If you have ever run into buggy services that were caused by simple time issues (after hours of debugging), you'll appreciate these checks.

3. Bundesamt für Sicherheit in der Informationstechnik (BSI) Policy
   Mondoo now includes a new BSI SYS.1.3 Linux and Unix Servers by Mondoo policy. BSI is a German standard for IT security, similar to SOC 2 in the US. We are releasing this first policy with support for Debian- and RedHat-based Linux to ensure that systems are correctly hardened according to the BSI requirements. This is especially helpful for users in the DACH region overall and Germany in particular.

Mondoo's Linux Baseline policy and various CIS Linux policies have been updated for improved reliability and to better secure your systems:

• New: Ensure sudo logging is enabled control added to Mondoo Linux Security Baseline
• Bugfix: Ensure SSH access is limited now passes if SSH access is limited using only AllowUsers/AllowGroups
• Bugfix: Failures running Ensure all GIDs in /etc/passwd exist in /etc/group have been resolved
• Bugfix: Improved reliability in Ensure that strong Key Exchange algorithms are used and Ensure only strong MAC algorithms are used control
• Improved: Impact scores added to many controls
• Improved: Ensure permissions on bootloader config are configured control now checks that the file is owned by root/root
• Improved: Ensure permissions on /etc/motd are configured control now checks that the file is owned by root/root
• Improved: Ensure permissions on /etc/issue are configured control now checks that the file is owned by root/root
• Improved: Ensure permissions on /etc/issue.net are configured control now checks that the file is owned by root/root
• Improved: Ensure permissions on all logfiles are configured now shows which log files do not have the proper permission in the output
• Bugfix: Fix errors running Ensure automatic mounting of removable media is disabled
• Bugfix: Improved compatibility with Debian in Ensure access to the su command is restricted
• Improved: Define the hardened ciphers for all SSH configurations control now better runs on RHEL-derivitive distros
• Bugfix: Improved compatibility with Debian/Ubuntu in Define the hardened ciphers for all SSH configurations
• Improved: Ensure permissions on all logfiles are configured now includes remediation steps to ensure future log files have the correct permissions
• Improved: Ensure SSH root login is disabled control now allows prohibit-password value
• Improved: Improved compatibility with Arch Linux derivatives
• Bugfix: Fix false positives in Ensure journald is configured to compress large log files control

You can find all of these policies in your Policy Hub: select Add Policies.

Other improvements

• Improved Mondoo Operator for Kubernetes to increase the security and performance of scanning. The operator now runs all Mondoo Client containers without root privileges for increased security. The operator's admission controller also now runs scans ~30% faster, while reducing memory consumption in the cluster.
• Mondoo now includes new StatefulSet and ReplicaSet resources so you can write policies for these resource types.
• Resolved improperly failing queries in the macOS policy.
• The Linux Security Baseline policy now correctly detects Apache 2 on Debian-based Linux distributions.
• Improved Kubernetes admission controller reliability on small Kubernetes clusters.
• Resolved inconsistent results when scanning Kubernetes manifests using mondoo scan vs. Mondoo Operator admission controller scans.
• Resolved failures running scans on Windows systems with the system language set to German.
• Resolved failures scanning Azure when the current stack is not set.
• Resolved two failures in MQL that could result in inconsistent or incorrect results.
• Provided user friendly error messages when scanning container images in private registries.
• Improved readability within policy results.
• We now wrap long asset names in the fleet view and the asset pages.
• Replaced platform.runtimeEnv with the simpler platform.runtime. platform.runtimeEnv is now deprecated and will be removed in Mondoo Client 7.0.
• Deprecated platform.virtualization.isContainer in favor of either platform.kind or platform.runtime. platform.virtualization.isContainer will be removed in Mondoo Client 7.0.
• Added the ability to determine if a branch is the default branch with isDefault in the github.branch resource.
• Resolved failures in the github.branch resource when branch protection is not configured.
• Resolved failures that could occur in some valid MQL blocks, which caused failures in the Kubernetes Application Benchmark policy.
• Resolved incorrect policy scores when all controls in a policy fail.
• Added severity scores to the Kubernetes Application Benchmark policy to make prioritizing fixes easier.
• Expanded the Ensure HTTP Proxy Server Is Stopped and Not Enabled control in the Linux Security Baseline policy to check for the Tinyproxy proxy service.
• Resolved Mondoo Operator for Kubernetes node scans of Minikube not scanning all nodes.
• Fully cleaned up all Mondoo Operator resources when uninstalling.
• We now use a Red Hat UBI-based Mondoo image when scanning in Red Hat OpenShift.
• Fixed handling of the Mondoo Operator's running UID when running in OpenShift.
• Added a liveness probe to the Mondoo Operator pods to improve Mondoo scan scores.
• Resolved potential panics when the first Kubernetes Operator check-in occurs.
• Resolved failures to properly exit in the Kubernetes Operator when a scan request failed.
• Reduced resource utilization by lowering the initial requested CPU and memory limits for the Kubernetes Operator's node scanning pods.
• Resolved incorrect EOL dates for Rocky Linux 9 and SLES 15.3.
• Added a timeout for long running Kubernetes Operator scans.
• Updated the VMware Appliance from Debian 11.2 to 11.4 to resolve CVEs in the underlying Debian installation.
• Resolved failures during container image scanning.
• Resolved failures during Terraform config file scans.
• Resolved failures during EBS volume scans.
• Removed references to "asset" in CI/CD run scan pages.
• Client Linux Security Baseline's control 'Ensure / and /home are encrypted' now executes correctly on btrfs formatted partitions.
• Users with the Mondoo viewer role can now list ChatOps integrations