· One min read

🥳 mondoo 5.22.0 is out!

🎉 FEATURES

Add the where method to map types

Maps now have a where method that allows filtering by keys and values:

mondoo> {a: 1, b: 2, c: 3}.where(key == 'c')
where: {
c: 3;
}
mondoo> {a: 1, b: 2, c: 3}.where(value < 3)
where: {
a: 1;
b: 2;
}

Currently, this only works with map types whose key is a string.

🧹 IMPROVEMENTS:

  • Allow using the --insecure flag with --inventory when using the Mondoo CLI
  • Automatically delete the CloudFormation stack when the AWS integration is deleted
  • Add ownerAlias field to the aws.ec2.image resource

πŸ› BUG FIXES:

  • Fix potential panic when using mondoo scan with the --inventory flag
  • Fix Ansible inventory loading for tags and multiple groups
  • Fix echo warning when using PowerShell over SSH
  • Fix bug where AWS EBS volume scan did not work for SUSE

· One min read

🥳 mondoo 5.21.0 is out!

🧹 IMPROVEMENTS:

  • Assets can be filtered by state
  • The AWS integration uses the AWS account alias for the name
  • Adds additional GCP Compute, DNS, BigQuery, and GKE checks
  • Updates AWS policy with messages and new docs and metadata
  • Allow mondoo scan -t docker instead of requiring mondoo scan -t docker:// ...

πŸ› BUG FIXES:

  • Fix issue where aws.ec2.instances { vpc {*} } would print errors about fields not being found
  • Fix aws.iam.credentialReport.accessKey2Active field incorrectly mapping to access key 1

· 4 min read

🥳 mondoo 5.20.0 is out!

🎉 FEATURES

Support for Terraform Objects

Given a Terraform definition for:

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  metadata = {
    enable-oslogin = false
  }
}

metadata is a defined object and not a block. The following query requests the arguments:

terraform.resources.where( nameLabel == "google_compute_instance" ) {
  arguments
}

Before this release, metadata came back as null because the object's key/value pairs were not parsed:

terraform.resources.where: [
0: {
arguments: {
machine_type: "e2-medium"
metadata: null
name: "test"
zone: "us-central1-a"
}
}
]

With this latest release:

terraform.resources.where[0].arguments: {
machine_type: "e2-medium"
metadata: {
enable-oslogin: false
}
name: "test"
zone: "us-central1-a"
}

Support Linux kernel vault

Storing credentials on disk is not recommended, and Mondoo strongly advises against doing so in production environments. Therefore we support various vault backends that let you store credentials securely.

Given a simple inventory file that scans a Linux machine via SSH and password authentication:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-ssh-inventory
  labels:
    environment: production
spec:
  assets:
    # linux with password authentication
    - id: linux-with-password
      connections:
        - host: 192.168.178.28
          backend: ssh
          credentials:
            - user: chris
              password: password1! # implicit type password

With this inventory, you can scan the machine:

mondoo scan --inventory inventory.yml
→ load inventory inventory=inventory.yml

Of course, we do not want to store credentials in plain-text files. In the past we assumed we could rely on the freedesktop Secret Service D-Bus API for this. The problem is that this interface only works well with GNOME and KDE and is mostly bundled with desktop environments, which makes it unsuitable for headless servers.

To solve this, we now support the Linux kernel key management facility (kernel keyrings):

NOTE: LWN.net has an introduction to kernel key management that explains how it works; see the keyctl(1) man page from keyutils for more details.

On Debian, the keyutils package must be installed to manage kernel keys from the command line:

apt-get install keyutils

Configure Mondoo’s vault to use the keyring mondoo-client-vault for secrets:

mondoo vault set mondoo-client-vault --type linux-kernel-keyring
→ set new vault configuration name=mondoo-client-vault
→ stored vault configuration successfully

Mondoo itself also stores its vault configuration via kernel key management: it lives in the mondoo-cli-keyring keyring, under the user-vaults key.

keyctl list @u
1 key in keyring:
599473326: --alswrv 1000 1000 keyring: mondoo-cli-keyring

keyctl show 599473326
Keyring
599473326 --alswrv 1000 1000 keyring: mondoo-cli-keyring
988442797 --alswrv 1000 1000 \_ user: user-vaults

Now we need to add a secret for the remote SSH connection. We use mondoo-client-vault as the keyring that Mondoo Client will look up secrets in.

# The format to add a key is as follows:
# keyctl add user {desc} {data} @u
keyctl add user 'secret for 192.168.178.28' '{ "user": "chris", "password": "password1!", "type": "password" }' @u
52720293

# Next, let's list the keys in the user keyring
keyctl list @u
1 key in keyring:
52720293: --alswrv 1000 1000 user: secret for 192.168.178.28

# Let's display the created key
keyctl print 52720293
{ "user": "chris", "password": "password1!", "type": "password" }

# Later, we can delete the key from the user scope via:
# keyctl purge -p user "secret for 192.168.178.28"
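One caveat with `keyctl add` as used above: the JSON payload, password included, is passed as a command-line argument, so it is visible to every local user in the process list (`ps`, /proc/<pid>/cmdline) and lands in the shell history. The snippet below is an added example, not part of Mondoo's tooling: it builds the same payload and stores it with `keyctl padd`, which reads the payload from stdin. The function names are ours, and it assumes keyutils is installed on a Linux host with a POSIX shell.

```shell
#!/bin/sh
# Added example (not Mondoo's code): store an SSH password secret for Mondoo
# in the Linux kernel keyring without putting the password on a command line.
# Assumes keyutils (keyctl) is installed; function names are hypothetical.

# Escape a value for use inside a JSON string literal. Backslash and double
# quote are the characters that break the payload; multi-line passwords are
# not handled (assumption: passwords are single-line).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the payload in the shape Mondoo expects for an SSH password credential
# (the same shape as the keyctl add example above). No trailing newline.
mondoo_password_secret() {
  printf '{ "user": "%s", "password": "%s", "type": "password" }' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Store the secret under the description the inventory references as
# secret_id. The password is read from stdin so it never appears in argv.
# Prints the new key serial. Usage: store_mondoo_secret <host> <user>
store_mondoo_secret() {
  host=$1
  user=$2
  IFS= read -r pass || return 1
  serial=$(mondoo_password_secret "$user" "$pass" \
    | keyctl padd user "secret for $host" @u) || return 1
  # Optional: let the kernel drop the key after an hour instead of keeping it
  # around for the whole login session (re-add it before the next scan).
  # keyctl timeout "$serial" 3600
  printf '%s\n' "$serial"
}

# Confirm the key Mondoo will look up exists and carries a password payload.
verify_mondoo_secret() {
  serial=$(keyctl search @u user "secret for $1") || return 1
  keyctl print "$serial" | grep -q '"type": "password"'
}

# Interactive use (not run here): prompt without echo, then pipe the password
# into the function so it stays out of argv and history.
#   printf 'Password: '; stty -echo; IFS= read -r pw; stty echo; echo
#   printf '%s\n' "$pw" | store_mondoo_secret 192.168.178.28 chris
#   verify_mondoo_secret 192.168.178.28
```

Note that the key still sits in the user keyring (@u), readable by any process running as that user; the keyring protects against on-disk exposure, not against code running under your own UID.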

Now we can adapt the inventory:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-ssh-inventory
  labels:
    environment: production
spec:
  assets:
    # linux with password authentication
    - id: linux-with-password
      connections:
        - host: 192.168.178.28
          backend: ssh
          credentials:
            - secret_id: secret for 192.168.178.28
              vault:
                name: mondoo-client-vault

🧹 IMPROVEMENTS:

  • Add end-of-life information for vSphere 7.0.0
  • Improved handling for misconfigured sudo where SSH connections do not return the platform name properly
  • Asset search is now case insensitive
  • The AWS CloudFormation stack can be customized when it is created

πŸ› BUG FIXES:

  • Fix Linux policies to check correct cron package name based on distribution
  • Fix not found handling in AWS S3 resource. This would cause fields to error out instead of returning null when they were not set
  • Fix awsec2ebs transport to not error out when there are multiple volumes

· 2 min read

🥳 mondoo 5.19.0 is out!

🧹 IMPROVEMENTS:

  • Make asset name consistent for AWS instances regardless of the transport or discovery mechanism used
  • Add additional fields to the aws.rds.dbinstance resource
    • dbInstanceClass: name of the compute and memory capacity class of the DB instance
    • dbInstanceIdentifier: user-supplied unique key that identifies a DB instance
    • engine: name of the database engine for this DB instance
    • securityGroups: list of VPC security group elements that the DB instance belongs to
    • status: current state of this database
  • Detect services managed by systemd for FS based transports
  • Handle Terraform template wrap expressions
  • Add advisory support for Ubuntu 21.10
  • Improve printing of assessments for blocks

πŸ› BUG FIXES:

  • mondoo scan -o now accepts json and yml as report output formats. Before, json support was claimed but did not work, and yaml worked but yml was not accepted
  • Fix panic when using the AWS S3 resource
  • Fix potential panic if scan results fail to store
  • Fix issue where the assessment for package("foo").installed would be missing, but package("foo").installed == true would work
  • Fix bug where AWS S3 buckets without tags return an error when no tags are present
  • Update asset filter for CIS Distribution Independent Linux Benchmark Level 1 for Container so that it only runs for containers
  • Use public IP instead of public DNS for EC2 Instance Connect since not all instances have a public DNS entry

· 3 min read

🥳 mondoo 5.18.0 is out!

🎉 FEATURES

Use Mondoo to verify certificate chains

You can now use the isVerified field on the certificate resource to check whether or not a certificate chain is valid:

tls("mondoo.io").certificates {
subject.commonName
isVerified
}
tls.certificates: [
0: {
isVerified: true
subject.commonName: "mondoo.io"
}
1: {
isVerified: true
subject.commonName: "R3"
}
2: {
isVerified: true
subject.commonName: "ISRG Root X1"
}
]

Use Mondoo to query CloudWatch metrics on AWS resources

Mondoo can now pull CloudWatch statistics for AWS resources. For instance, you can use Mondoo to query the number of invocations and errors for a Lambda function. This can be used to assess error rates, or to detect unused resources.

Note: Mondoo queries CloudWatch statistics for the last 24h of data, in 1h intervals.

aws.cloudwatch.metricstatistics(namespace: "AWS/EBS", region: "us-east-1", name: "VolumeTotalReadTime") {
label
datapoints {
maximum
average
sum
}
}
aws.cloudwatch.metricstatistics: {
datapoints: [
0: {
average: 0.0004509803921568627
maximum: 0
sum: 0.22999999999999998
}
]
label: "VolumeTotalReadTime"
}

or

aws.cloudwatch.metrics {
name
namespace
statistics {
label
datapoints
}
}
1512: {
statistics: {
datapoints: []
label: "CallCount"
}
namespace: "AWS/Logs"
name: "CallCount"
}
1513: {
statistics: {
datapoints: []
label: "CallCount"
}
namespace: "AWS/Usage"
name: "CallCount"
}
1514: {
statistics: {
datapoints: []
label: "ThrottleCount"
}
namespace: "AWS/Usage"
name: "ThrottleCount"
}
1515: {
statistics: {
datapoints: []
label: "CallCount"
}
namespace: "AWS/Usage"
name: "CallCount"
}

Enhanced assessment of yum repo file contents through file field

Prior to this release, Mondoo could only list the configured yum repos. With this improvement, Mondoo can also inspect the file behind each yum repo definition in /etc/yum.repos.d.

With the new file field, the contents are also now available to Mondoo:

yum.repos {
name
file {
path
content
}
}
yum.repos: [
0: {
name: "AlmaLinux 8 - AppStream"
file: {
path: "/etc/yum.repos.d/almalinux.repo"
content: "# almalinux.repo

[baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[appstream]
name=AlmaLinux $releasever - AppStream
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[extras]
name=AlmaLinux $releasever - Extras
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

## Sources
[baseos-source]
name=AlmaLinux $releasever - BaseOS Source
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos-source
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/Source/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[appstream-source]
name=AlmaLinux $releasever - AppStream Source
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream-source
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/Source/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[extras-source]
name=AlmaLinux $releasever - Extras Source
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras-source
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/Source/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

## Debuginfo
[baseos-debuginfo]
name=AlmaLinux $releasever - BaseOS debuginfo
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos-debuginfo
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/debug/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[appstream-debuginfo]
name=AlmaLinux $releasever - AppStream debuginfo
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream-debuginfo
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/debug/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux

[extras-debuginfo]
name=AlmaLinux $releasever - Extras debuginfo
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras-debuginfo
# baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/debug/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
"
}
}
...
]

Use Mondoo to test that files exist, but have no content

Mondoo can now detect that an empty file exists at an expected location. One common use case for this test is to detect files written in error to a location that would otherwise be a filesystem or chroot mount point.

We've added a new field to the file resource to query if the file or directory is empty:

file("/my/empty/file").empty;
file.empty: true

🧹 IMPROVEMENTS:

  • The AWS integration reports long-failing CloudFormation updates
  • Save more information to improve assessments
  • Add support for Rocky Linux
  • Add support for AlmaLinux

πŸ› BUG FIXES:

  • Fix bug where AWS Lambda environment would get too big and fail to update
  • Fix queries that were not working in the Mondoo AWS Baseline policy

· 4 min read

🥳 mondoo 5.17.1 is out!

🎉 FEATURES

Terraform Policy

  • Added Terraform Static Analysis Policy for AWS (Early Access)

[Screenshot: Terraform Static Analysis Policy for AWS]

Network targets

We first released the tls resource back in 5.12.2, and the dns resource in 5.11.0. That was a month ago; today we take the next step toward making them practical by adding new ways to target assets.

First, we added the host:// target:

> mondoo shell -t host://mondoo.io

Once connected, you can run queries like this:

[Screenshot: tls query on host://]

Additionally, we expose this information via the platform resource:

[Screenshot: platform resource on host://]

Alternatively, you can use the tls:// target for this use case as well. We plan to expand these targets to provide contextual information to the MQL engine.

DNS policy

We added a baseline policy to check your DNS security called: Mondoo DNS Baseline (Early Access). As you can see, it's still in early access and we'd love to hear what else you might want to see!

[Screenshot: Mondoo DNS Baseline policy]

To scan mondoo.io for DNS, run the following:

mondoo scan -t host://mondoo.io --incognito --policy '//policy.api.mondoo.app/policies/mondoo-dns-baseline'

TLS policy

We also added a policy for TLS security called: Mondoo TLS/SSL Baseline. This policy will be expanded over the course of time with more tests. Check out our community channel and let us know if you want to test more features!

[Screenshot: Mondoo TLS/SSL Baseline policy]

To scan mondoo.io for TLS, run the following:

mondoo scan -t host://mondoo.io --incognito --policy '//policy.api.mondoo.app/policies/mondoo-tls-baseline'

Scanning multiple Hosts

To scan multiple hosts, create a new domainlist.txt file that includes domains separated by newlines:

mondoo.io
google.com

Then you can pipe that domain inventory to mondoo:

cat domainlist.txt | mondoo scan --domainlist-inventory

Certificate resource

The certificate resource can now report whether a certificate has been revoked. Mondoo sends an OCSP request for the certificate to find out. Where the certificate carries no OCSP responder information, the value of this field is null rather than false.

When a certificate is revoked, you can additionally access the revocation time via the field revokedAt.

[Screenshot: TLS certificate revocation check]

Note: This feature is currently limited to TLS checks. Please ping us in our community channel if you need it for standalone certificates as well!

TLS extensions

Additionally, we added tests for a few TLS extensions. We now report on these three:

  • server_name Indicates that the server supports Server Name Indication (SNI). You can access the certificates returned for the SNI name via the certificates field and those returned without SNI via nonSniCertificates
  • fake_server_name When a bogus SNI name is sent to the server, this indicates that we get a response without any alerts from the server, i.e. the server does not reveal whether the name is one it serves
  • renegotiation_info Shows that the server supports secure TLS renegotiation (RFC 5746). Renegotiation only exists in TLS 1.2 and earlier; TLS 1.3 removed it, so a TLS 1.3-only server will not advertise this extension

[Screenshot: TLS extensions]

🧹 IMPROVEMENTS:

  • Map fields via the map( .. ) function to flatten lists. For example, users.map(name) returns a flat list of user names.
  • Include tags on more AWS resources for discoverability
  • Allow machineid as a platform identifier
  • More AWS resource MQL documentation

πŸ› BUG FIXES:

  • Use numbers for the entry.shadow resource (was string)
  • Properly detect AWS arm instances
  • Ensure asset state and asset name are always updated
  • Only update platform name when valid
  • Fix ec2-managedinstance-association-compliance-status-check query
  • Ensure incognito runs do not try to report to Mondoo Platform
  • Resolve refs in arrays
  • Fix recursive operator with arrays and maps
  • Fix array to nil comparison
  • Fix url parsing on domain list inventory
  • Fix displayed errors for missing upstream policies

· 2 min read

🥳 mondoo 5.16.1 is out!

🎉 FEATURES

Terraform Static Analysis Policy for AWS

With this release, users can activate the "Terraform Static Analysis Policy for AWS" in their space.

Once the policy is active, you can check your Terraform configuration like this:

mondoo scan -t terraform --path . --incognito

[Screenshot: Terraform scan output]

Native Assessments for all/none/any/one

The 4 list assessment methods (all, none, any, and one) had only limited output in Mondoo so far. This made it very difficult to understand what items failed any given check and what needed to be fixed.

This patch introduces a descriptive output which shows the entries that failed for these list assessment methods. See the following example:

[Screenshot: native list assessments]

AWS EC2 Instance Connect Transport

We've added a new transport that connects to EC2 instances directly using AWS EC2 Instance Connect.

mondoo shell -t aws-ec2-connect://ec2-user@i-ec2ec2ec2ec2ec2f2 --insecure

🧹 IMPROVEMENTS:

  • The mount resource can now be initialized with a path:
    mount.point("/dev/shm") { * }
  • The TLS resource now supports SNI. This means it returns the correct certificates for a given domain name on servers that support this feature. For example, tls("mondoo.io").certificates now returns the expected certificate for the domain.
  • The terraform.block resource provides 2 new fields
    1. attributes: Access the raw block attributes
    2. snippet: The source code snippet for the block
  • You can now run multiple policy bundles at once in incognito mode.
  • Support Amazon Linux 2022, including vulnerabilities, repos, and EOL information

· One min read

🥳 mondoo 5.15.0 is out!

🎉 FEATURES

Support --path for the exec command. This brings shell auto-completion for transports that require a path.

Before:

$ mondoo exec -t terraform --option path=policy/bundles/testdata/terraform/fail "$(cat test.mql)"

After:

$ mondoo exec -t terraform --path policy/bundles/testdata/terraform/fail "$(cat test.mql)"

🧹 IMPROVEMENTS:

  • Add azure vm platform id autodetection
  • Add tags to aws acm certificate resource

· One min read

🥳 mondoo 5.14.1 is out!

🧹 IMPROVEMENTS:

  • Support trailing comments in MQL expressions
  • Add optional, customizable tags to the AWS CloudFormation stack
  • Make files.find follow symlinks
  • Include default Mondoo AWS Policy

πŸ› BUG FIXES:

  • Add an explicit health check for scan and serve

· 2 min read

🥳 mondoo 5.14.0 is out!

🎉 FEATURES

Terraform Transport

This release adds support to scan Terraform HCL files.

mondoo shell -t terraform:// --option path=path/to/tf
mondoo > terraform.blocks { nameLabel type arguments }
terraform.blocks: [
0: {
arguments: {
most_recent: {
type: "bool"
value: true
}
owners: {
type: "tuple([string])"
value: [
0: "self"
]
}
tags: {
type: "object({Name=string,Tested=string})"
value: null
}
}
type: "data"
nameLabel: "aws_ami"
}
1: {
arguments: {
source: {
type: "string"
value: "hashicorp/consul/aws"
}
version: {
type: "string"
value: "0.11.0"
}
}
type: "module"
nameLabel: "consul"
}
...
}

MQL glob fields

You can now ask the shell to print all the fields using *.

mondoo > sshd.config { * }
sshd.config: {
macs: []
file: file id = /etc/ssh/sshd_config
ciphers: []
params: {
AuthorizedKeysFile: ".ssh/authorized_keys"
ChallengeResponseAuthentication: "no"
Port: "22"
PrintMotd: "no"
Subsystem: "sftp /usr/lib/ssh/sftp-server"
UsePAM: "yes"
}
kexs: []
content: "# $OpenBSD: sshd_config..."
}

DNS DKIM Record Parsing

This release improves the previously released dns resource with the ability to parse DKIM TXT records.

dns("google._domainkey.mondoo.io").records { type rdata }
dns.records: [
0: {
type: "TXT"
rdata: [
0: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3E9IavfvGHiENM/bFBTJfRLBUE1PV9f2q2mbYOHu2d1zZ3VB22sXnpGN6TV1m8Tq8zUWlXPgkApOaSF/+zRqBuyF6ci1rmcfvFCAHdERXy37bFgi0/EkoslaqEZel4eddqqWt93KuwydPL2jEhd01M+PGbfFfCu65iZFW107u0PhlXWZG0iJbFsBNdp4mKXI4CxWNlVb0xPr0kcYaE0eAi+EcnG5QHONv5cQrQJ6ncUNehV0caUKWibIKTKPmwttPTyTYbF6sWY7olT9FAgbGz5flHHqBVWPXsf5Jivv5HbsJLTdejAvQwm7e+w0S//OFafffZUXgF/yNB4HczZiQIDAQAB"
]
}
]

Now dns("google._domainkey.mondoo.io").dkim returns the parsed record and offers a valid field that reports whether the public key is parsable:

dns("google._domainkey.mondoo.io").dkim {
keyType
version
notes
serviceTypes
flags
publicKeyData
valid
}
dns.dkim: [
0: {
notes: ""
publicKeyData: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3E9IavfvGHiENM/bFBTJfRLBUE1PV9f2q2mbYOHu2d1zZ3VB22sXnpGN6TV1m8Tq8zUWlXPgkApOaSF/+zRqBuyF6ci1rmcfvFCAHdERXy37bFgi0/EkoslaqEZel4eddqqWt93KuwydPL2jEhd01M+PGbfFfCu65iZFW107u0PhlXWZG0iJbFsBNdp4mKXI4CxWNlVb0xPr0kcYaE0eAi+EcnG5QHONv5cQrQJ6ncUNehV0caUKWibIKTKPmwttPTyTYbF6sWY7olT9FAgbGz5flHHqBVWPXsf5Jivv5HbsJLTdejAvQwm7e+w0S//OFafffZUXgF/yNB4HczZiQIDAQAB"
version: "DKIM1"
flags: []
valid: true
serviceTypes: []
keyType: "rsa"
}
]
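To show what the dkim resource is doing under the hood, here is the same tag=value parsing and a minimal validity check in POSIX shell. This is an added example, not Mondoo's code or the dns resource's implementation, and it goes a little beyond the record above: it also flags the two conditions a receiver must treat specially that the page's record does not exercise, an empty p= (which is how RFC 6376 revokes a key) and the t=y testing flag. The sample records and function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not Mondoo's code): parse a DKIM TXT record (RFC 6376
# tag=value list) and apply the checks a receiver applies before trusting
# the key. Function names are hypothetical; sample records are constructed.

# dkim_tag RECORD TAG -> prints the first value of TAG (empty if absent).
# Tags are ';'-separated; whitespace around '=' and the value is ignored.
dkim_tag() {
  printf '%s' "$1" | tr ';' '\n' \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# dkim_has_flag RECORD LETTER -> true if the ':'-separated t= list contains
# LETTER. 'y' means the domain is only testing DKIM (a failed signature must
# be treated as unsigned, not rejected); 's' requires i= to match d= exactly.
dkim_has_flag() {
  dkim_tag "$1" t | tr ':' '\n' | grep -qx "$2"
}

# dkim_check RECORD -> returns 0 for a usable key, 1 (with a reason on
# stdout) otherwise. Mirrors what a "valid" field should cover: version,
# key type, a non-empty p= (an empty p= revokes the key), and a well-formed
# base64 blob. Parsing the decoded SubjectPublicKeyInfo itself is left to
# the caller (e.g. openssl pkey -pubin -inform DER on the decoded bytes).
dkim_check() {
  rec=$1
  v=$(dkim_tag "$rec" v)
  k=$(dkim_tag "$rec" k)
  p=$(dkim_tag "$rec" p)
  if [ -n "$v" ] && [ "$v" != "DKIM1" ]; then
    echo "unsupported version: $v"; return 1
  fi
  case "${k:-rsa}" in          # k= defaults to rsa when absent
    rsa|ed25519) ;;
    *) echo "unknown key type: $k"; return 1 ;;
  esac
  if [ -z "$p" ]; then
    echo "empty p=: key has been revoked"; return 1
  fi
  if ! printf '%s' "$p" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
     || [ $(( ${#p} % 4 )) -ne 0 ]; then
    echo "p= is not valid base64"; return 1
  fi
  if dkim_has_flag "$rec" y; then
    echo "note: t=y, domain is in DKIM testing mode"
  fi
  return 0
}

# Example use (constructed record, not a real key):
#   dkim_check 'v=DKIM1; k=rsa; t=y; p=AAAA' && echo usable
```

The p= value in a real record is the base64 DER encoding of the public key; a practitioner who wants the equivalent of the resource's valid field for a key they do not trust the shape of should decode it and hand it to a real ASN.1 parser rather than rely on the character-set check alone.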

🧹 IMPROVEMENTS:

  • Support mondoo scan -t scheme without the trailing ://. You can now just run mondoo scan -t scheme
  • Add ability to load default SSH elliptic curve keys
  • Try to detect a platform identifier consistent across transports when scanning EC2 instances

πŸ› BUG FIXES:

  • Fix bug where the tls resource would panic with concurrent map access
  • Fix bug with machine resource on linux where it would error out with could not retrieve smbios info for platform: read /sys/class/dmi/id: is a directory
  • Fix aws.accessAnalyzer resource