Welcome to the June 2022 recap of Mondoo releases.
We have a lot of exciting changes to share from our work in June:
Automatic Container Discovery for Kubernetes
Agentless AWS EBS Volume Scanning
AWS Cross-Organization Queries
Kubernetes Scanning Enhancements
It is difficult to secure all the parts that make up a Kubernetes cluster. Particularly containers have to be manually added and scanned by users.
Mondoo now automatically discovers and scans all public containers in Kubernetes clusters. The scan will now test both the overall Kubernetes cluster and pod security, as well as evey running container in that cluster. These new containers are each added as a new asset.
This can be enabled in command line scans via:
mondoo scan k8s --discover=all
When logging into the Mondoo console, users didn't have immediate access to the essential information about their infrastructure.
The Overview page has been refreshed to focus only on the most helpful information. If you use technologies like AWS and Kubernetes, you can see an overview for these integrations directly on the page. We remove cards if the integration is not used.
Information about managed clients is no longer part of the Overview page. Instead, you can now access the list of managed clients via the Integrations page.
We also updated how Mondoo integrations report their status to include a new Pending status. This better describes the status of integrations that haven't failed but instead just haven't reported to the Mondoo Platform yet.
It is difficult to get started with Mondoo and add the first systems of your infrastructure. This affects anything from local machines to cloud accounts and deeper integrations.
We have completely re-designed the Integrations page. With this new Marketplace, it is much easier to find, install, and manage your Mondoo integrations and clients from a single location.
Many users want to secure the machine images that they create with HashiCorp Packer. However, using Mondoo with Packer forced people to jump through more hoops than contestants in a Japanese game show, facing manual downloads, manual configuration, and an overall complicated setup.
Mondoo is now available as a native, open source Packer plugin. You can include Mondoo directly in any Packer 1.7 or higher installation by adding the following blocks to your template:
packer {
required_plugins {
mondoo = {
version = ">= 0.2.1"
source = "github.com/mondoohq/mondoo"
}
}
}
build {
...
provisioner "mondoo" {
score_threshold = 80
on_failure = "continue"
asset_name = "${var.image_prefix}-${local.timestamp}"
}
}
Check out our getting started guide on Building Secure AMI Images with Mondoo and Packer for more details, and add Mondoo to your Packer builds today!
Some users want to scan EC2 instances for security and vulnerabilities without having any direct access to these nodes. They want to inspect EC2 instances externally without compromising on the security checks they can run.
Mondoo now provides fully agentless AWS EBS Volume Scanning. This allows us to perform a read-only evaluation of EC2 instances without accessing the instances and without installing any agents. Mondoo can quickly scan any instance, snapshot, or volume without impacting production workloads.
Requires the ability to run mondoo client in the same AWS account as the infrastructure you wish to scan. AWS CloudShell is excellent for this! The scanner needs permission to list instances, copy snapshots, create volumes, and attach volumes to instances.
====================================================
Here is an example AWS security policy to enable Agentless AWS EBS Volume Scanning. You can see the details below:
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/Created By": "Mondoo"
}
},
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"ec2:CopySnapshot",
"ec2:CreateTags",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
},
"Action": "kms:CreateGrant",
"Resource": "*",
"Effect": "Allow"
}
]
}
====================================================
Example usage:
mondoo scan aws ec2 ebs <INSTANCEID>
mondoo scan aws ec2 ebs volume <VOLUMEID>
mondoo scan aws ec2 ebs snapshot <SNAPSHOTID>
Users with many AWS accounts in an AWS Organization find it challenging to discover resources across these accounts. This often requires users to know about all of their infrastructure, regardless of the associated AWS account.
Using the Mondoo AWS integration, users can now search across every AWS account associated with an AWS Organization. It is easier to find abandoned or untagged resources, as well as locate resources tagged to a particular project or cost center.
I need to find a particular S3 bucket, but I don't know in which AWS account it may be located. I only know part of the bucket name.
mondoo exec \
--integration-mrn //integration.api.mondoo.app/spaces/<SPACE_ID>/aws/<INTEGRATION_ID> \
'aws.s3.buckets.where(name.contains("lostbucket"))'
Users want to keep their GitHub repositories and organizations secure. However, doing this manually via APIs is so much work. Can’t we do better?
Mondoo adds flashy new Github resources! These allow you to gather critical information about the security of your GitHub organization and any public repositories you wish to examine.
To get started you need your GitHub token to talk to the API. Here are two examples of connecting a Mondoo shell to a GitHub user and organization respectively:
mondoo shell -t github --option token=${GH_TOKEN} --option login=USERNAME
mondoo shell -t github --option token=${GH_TOKEN} --option organization=ORGANIZATIONNAME
Once connected to GitHub, you can easily query resources or write assertions:
github.organization { repositories }
github.repository("mondoohq/client") { files }
Keep an eye out for our Github Security Policy that will ship next month 🎉.
The Kubernetes admission controller scanning in the CI/CD tab could be quite busy, and it was often difficult to find new deployment scans in this UI, because of a flood of scan reports coming in.
We revamped how scanning occurs in the Mondoo Kubernetes Operator 0.5.0, with scans now only occurring on Kubernetes resources. This means you'll no longer see scans for each new pod generated during auto scaling, cron jobs, or otherwise. This makes it much easier to see the security status of new workloads entering the cluster.
REGISTRATIONTOKEN
, which it uses to automatically register the system with Mondoo and start the service.processes.list
MQL resource on a Docker container will no longer run the container out of file handlesMondoo has added support for Amazon Linux 2022, which is currently in preview mode.
We updated the following policies: Linux Security Baseline (see 6.4 release notes and 6.5 release notes) Kubernetes Application Benchmark by Mondoo (see 6.4 release notes and 6.5 release notes)
You can find all of these policies in your Policy Hub: select Add Policies