Welcome to the July 2022 recap of Mondoo releases.
We have a lot of exciting changes to share from our work in July.
Mondoo now supports CI integrations with Azure Pipelines, Jenkins, and CircleCI projects, increasing our out-of-the-box CI/CD integrations to six. Rely on CI/CD integrations to scan Kubernetes manifests, Terraform configuration files, and Docker images for common misconfigurations and CVEs.
Check out our docs to learn more:
Still don't see the CI/CD integration you need? Let us know at hello@mondoo.com.
You want Mondoo to scan your AWS instances, but you want to do it without SSH credentials or an SSM agent and without directly impacting your production workloads.
Mondoo now supports AWS side scanning, an approach that scans a snapshot of any EC2 instance. You can scan an EC2 instance, an EC2 EBS volume, or an EC2 EBS snapshot. Side scanning allows you to scan an instance without having to remotely log into the machine or install an agent. See the EC2 Snapshot Scanning docs for details.
You want to assess the security of not just your Kubernetes workload definitions but also the containers running in the workloads.
We are now integrating public container image scanning directly into the Mondoo Operator for Kubernetes. When enabled, the Mondoo Operator for Kubernetes will now perform daily scans of all publicly available container images running in your Kubernetes cluster, exposing common OS misconfigurations and CVEs.
Here the Mondoo Operator for Kubernetes scans our prod-k8s cluster. It reveals the security of the three cluster nodes, all workloads deployed to the cluster, and the kube-apiserver pod:
We think you'll be blown away at how quickly Mondoo discovers new CVEs in the containers that make up your critical workloads. This kube-proxy container was running on a brand new Kubernetes cluster and had six different vulnerable packages:
You have hundreds or even thousands of different workloads in your Kubernetes clusters, and you want to see the security status of individual workloads instead of just the cluster as a whole.
This week, we're shipping our first slice of Kubernetes resource scanning with Pod scanning. With this new discovery mode, each Pod in your cluster becomes an asset within Mondoo. Policies are applied at the Pod level, and you can write MQL queries against these Pods instead of the whole cluster. This gives you more granular workflow scanning and improved alerting.
To start discovering Pods as assets during your Kubernetes scans, run:
mondoo scan k8s --discover pods
Stay tuned for next month’s release when we introduce more new Kubernetes resources as Mondoo assets, along with new out-of-the-box policies for scanning these assets.
Your Kubernetes workloads include not just Pods, but many other kinds of Kubernetes resources. Mondoo's Kubernetes Application Benchmark policy scanned only Pods, missing the root cause of many security misconfigurations.
The Kubernetes Application Benchmark policy now scans not just Pods, but also StatefulSets, DaemonSets, Jobs, CronJobs, and Deployments, ensuring all the resources on your cluster are secured. With these additional queries and expanded audit instructions in the policy, you can more easily find the parent resource with the identified misconfiguration, saving you time securing your cluster.
We started our open source Mondoo Operator for Kubernetes project in January of this year. Since then, the Mondoo team has been busy extending the functionality, ensuring stability, and squeezing every ounce of performance out of the codebase. This week, after 300 pull requests merged, we shipped the 1.0 release.
What does 1.0 mean for me?
1.0 means we're confident in the functionality and stability of the project. Additionally, since Mondoo follows Semantic Versioning, we won't intentionally break any configuration interfaces in subsequent 1.x releases. Config stability between minor releases makes upgrades easier without requiring stepped upgrades.
If you're still on an older Mondoo Operator release, we strongly encourage you to upgrade to 1.0. We've introduced significant new capabilities over the last few months, including Pod container image scanning, rootless/read-only execution, and CronJob-based scanning. See our Mondoo Operator Upgrade docs for more information on upgrading to 1.0.
You want to find the critical CVEs in your environment quickly.
The Mondoo Overview page now shows your space's top five platform vulnerabilities. This new view lets you quickly determine the most impacting vendor advisories and how many assets are affected by each advisory. The individual advisories link to detailed information pages summarizing the included CVEs and impact. You can also click View All to see all security advisories in your space.
Mondoo scans printed all results for every query in the CLI. However, sometimes you just want to see a quick summary of how the scan went, especially when the data is collected upstream for a deeper analysis.
Mondoo now includes a new summary output mode. This mode contains just the summary portion of the Mondoo scan so you can quickly determine the security posture of systems. To activate it, run:
mondoo scan … -o summary
Writing complex MQL queries on a single line could be frustrating. This limitation made many queries look far more complicated than they really are.
Mondoo Shell now supports multiline input! It automatically recognizes that a query is incomplete when you press Enter and waits for the rest of it.
With the old reporting, it was difficult to recognize disabled and ignored controls in the scan results. In fact, it was possible to confuse them with regular results, instead of the intended states.
Disabled and Ignored controls in policies are now visually indicated in assets' policies, making it clear which policies impact scoring. It is now easier to see how changes in the policy configuration are affecting the results that are reported after scans.
Mondoo didn't provide enough context about vulnerability scans. It provided the number of findings, but didn't show the total number of objects scanned. If you had a system with no vulnerabilities, it could appear that Mondoo wasn't doing anything!
Mondoo now also shows the total number of objects scanned in a vulnerability scan. This reveals more about the execution and communicates how many objects were tested.
Apple is currently working on the next major version of its Mac operating system: macOS Ventura (release 13). It is slated for a release towards the end of this year. An early version of this new release is now available in beta and can be used today. However, the Mondoo baseline policy did not support it yet.
Mondoo Client has been tested on macOS Ventura beta and the macOS Security Baseline by Mondoo policy has been updated for this upcoming release.
You can now delete assets directly on the asset page by clicking the delete icon.
If you're one to live dangerously, you can even opt out of warnings and delete assets with just a single click. However, be careful to avoid accidentally deleting assets.
We've improved the EOL operating system detection in Mondoo Client to support the following new Linux releases:
We've updated MQL's platform resource to improve gathering information on assets. A new platform.title value exposes a human-friendly version of the platform's name, and the platform.version value has been deprecated in favor of platform.release.
We have added three major new policies:
Mondoo's Linux Baseline policy and various CIS Linux policies have been updated for improved reliability and to better secure your systems:
You can find all of these policies in your Policy Hub: select Add Policies.