Mondoo 7.4 is out!

Back to releases

🥳 Mondoo 7.4 is out! This release includes Google Workspaces, Slack, and Okta security scanning!

Get this release: Installation Docs | Package Downloads | Docker Container

---

🎉 NEW FEATURES

Builds for Linux on IBM Z

Problem: You need to ensure the security of Linux distributions running on IBM Z mainframes.

Solution: Mondoo now includes packages for Ubuntu, SLES, and Red Hat running on IBM Z mainframes. You can find these packages in our releases repository at releases.mondoo.com.

New SaaS scanning capabilities

Problem: Securing your business isn't just about the servers that your operations run on. It's also critical to safeguard the many SaaS services your teams rely on. How can you extend policies and security practices to protect this critical infrastructure?

Solution: We've expanded our SaaS Security Posture Management (SSPM) capabilities by introducing resources, security policies, and incident response packs for Google Workspace, Okta, and Slack. These new policies let you codify and continuously apply security policies to these critical SaaS services.

Google Workspace

The new googleworkspace MQL resource pack allows you to query the state of your Google Workspace:

ShellCopy
cnquery scan googleworkspace --customer-id <CUSTOMER_ID> --impersonated-user-email <EMAIL>

MqlscriptCopy
# list all domains
googleworkspace.domains { * }

# list all groups for your Google Workspace customer
googleworkspace.groups { * }

# find the group for a specific email
googleworkspace.groups.where( email == "myemail@example.com")  { * }

# list all users for your Google Workspace customer
googleworkspace.users { * }

# search a specific user
googleworkspace.users.where ( primaryEmail == "myuser@example.com") { * }

# find all users that have Slack authorized
googleworkspace.users.where(tokens.one( displayText == "Slack") ) {
  fullName
  primaryEmail
}

# list all super admins
 googleworkspace.report.users.where(security["isSuperAdmin"] == true) { userEmail }

# check that all users are enrolled with MFA
googleworkspace.report.users.all( security["isS2SvEnrolled"] == true )

Okta

The new okta MQL resource pack allows you to query the state of your Okta organization:

ShellCopy
cnquery shell okta --organization <ORG_URL> --token <OKTA_TOKEN>

MqlscriptCopy
# display information about the org
okta.organization { * }

# display registered applications
okta.applications { * }

# display all users
okta.users { * }

# display policies
okta.policies.password { id name  rules { * } }

Slack

The new slack MQL resources will allow you to query the state of your Slack workspace.

ShellCopy
cnquery shell slack --token <SLACK_TOKEN>

MqlscriptCopy
# display team info
slack.team { * }

# display members
slack.users.members { * }

# display bots
slack.users.bots { * }

# display all users
slack.users { * }

# list all users that have no MFA (members + bots)
slack.users.where( has2FA == false) { * }

# list all members that have no MFA
slack.users.members.where( has2FA == false) { * }

# list all conversation and their creator
slack.conversations { name id creator  { id name }  }

# display user groups (only on Slack paid plan)
slack.userGroups { * }

# display access logs (only on Slack paid plan)
slack.accessLogs { * }

🧹 IMPROVEMENTS

Package CVE support for Fedora 37

The Fedora Project team released Fedora 37 this week. Mondoo is ready for upgrades, with CVE scanning support for this new release.

terraform.module now includes the full block for modules

The terraform.module now returns the full block for the module if it is included in the hcl files:

MqlscriptCopy
cnquery> terraform.modules { block key }
terraform.modules: [
  0: {
    key: "consul.consul_servers.security_group_rules"
    block: null
  }
  1: {
    key: "consul.consul_servers.security_group_rules.client_security_group_rules"
    block: null
  }
  2: {
    key: ""
    block: null
  }
  3: {
    key: "consul"
    block: terraform.block id = terraform.block/modules.tf/1/1
  }
  4: {
    key: "consul.consul_clients.iam_policies"
    block: null
  }
  5: {
    key: "consul.consul_servers"
    block: null
  }
  6: {
    key: "gke"
    block: terraform.block id = terraform.block/gke.tf/10/1
  }
  7: {
    key: "consul.consul_clients"
    block: null
  }
  8: {
    key: "consul.consul_clients.security_group_rules"
    block: null
  }
  9: {
    key: "consul.consul_clients.security_group_rules.client_security_group_rules"
    block: null
  }
  10: {
    key: "consul.consul_servers.iam_policies"
    block: null
  }
]

Array deletion in MQL

You can now perform array subtraction within MQL. For example:

MqlscriptCopy
> [1,2,3,3,4] - [3,4,5]
[1,2]

TLS configuration within the port resource

The ports resource now includes information on any TLS certificates on the port:

MqlscriptCopy
cnquery> ports.listening[1] { port tls{ * } }
ports.listening[1]: {
  port: 8080
  tls: {
    socket: socket protocol="tcp" port=8080 address="127.0.0.1"
    nonSniCertificates: [
  certificate serial="3e:44:c8:e3:2c:bc:2a:6e:0a:1f:f8:9e:53:57:69:91:eb:3f:c4:dd" subject.commonName="mondoo.dev" subject.dn="CN=mondoo.dev,OU=n/a,O=Mondoo,L=LA,ST=California,C=US,1.2.840.113549.1.9.1=#0c0e646f6d406d6f6e646f6f2e636f6d"
    ]
    ciphers: [
      0: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
      1: "TLS_RSA_WITH_AES_256_CCM_8"
      2: "TLS_RSA_WITH_AES_128_GCM_SHA256"
      3: "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256"
      4: "TLS_CHACHA20_POLY1305_SHA256"
      5: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      6: "TLS_AES_256_GCM_SHA384"
      7: "TLS_RSA_WITH_AES_256_CBC_SHA256"
      8: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
      9: "TLS_RSA_WITH_AES_128_CBC_SHA"
      10: "TLS_RSA_WITH_AES_128_CCM"
      11: "TLS_RSA_WITH_AES_128_CCM_8"
      12: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      13: "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384"
      14: "TLS_AES_128_GCM_SHA256"
      15: "TLS_RSA_WITH_ARIA_256_GCM_SHA384"
      16: "TLS_RSA_WITH_AES_256_CCM"
      17: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      18: "TLS_RSA_WITH_AES_128_CBC_SHA256"
      19: "TLS_RSA_WITH_ARIA_128_GCM_SHA256"
      20: "TLS_RSA_WITH_AES_256_GCM_SHA384"
      21: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
      22: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
      23: "TLS_RSA_WITH_AES_256_CBC_SHA"
    ]
    versions: [
      0: "tls1.3"
      1: "tls1.2"
    ]
    params: {
      certificates: [
        0: id:"certificate:f157279e8a7f6b819e8fbcaaa980f069a318bb9ea90ef9ea0c89204cffae4e94" name:"certificate"
      ]
      ciphers: {
        OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: false
        OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: false
        OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: false
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA: false
        SSL_DHE_DSS_WITH_DES_CBC_SHA: false
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA: false
        SSL_DHE_RSA_WITH_DES_CBC_SHA: false
        SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA: false
        SSL_DH_DSS_WITH_DES_CBC_SHA: false
        SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA: false
        SSL_DH_RSA_WITH_DES_CBC_SHA: false
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5: false
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA: false
        SSL_DH_anon_WITH_DES_CBC_SHA: false
        SSL_DH_anon_WITH_RC4_128_MD5: false
        SSL_NULL_WITH_NULL_NULL: false
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: false
        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: false
        SSL_RSA_EXPORT_WITH_RC4_40_MD5: false
        SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: false
        SSL_RSA_FIPS_WITH_DES_CBC_SHA: false
        SSL_RSA_WITH_3DES_EDE_CBC_SHA: false
        SSL_RSA_WITH_DES_CBC_SHA: false
        SSL_RSA_WITH_IDEA_CBC_SHA: false
        SSL_RSA_WITH_NULL_MD5: false
        SSL_RSA_WITH_NULL_SHA: false
        SSL_RSA_WITH_RC4_128_MD5: false
        SSL_RSA_WITH_RC4_128_SHA: false
        TLS_AES_128_CCM_8_SHA256: false
        TLS_AES_128_CCM_SHA256: false
        TLS_AES_128_GCM_SHA256: true
        TLS_AES_256_GCM_SHA384: true
        TLS_CHACHA20_POLY1305_SHA256: true
        TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: false
        TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: false
        TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: false
        TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: false
        TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: false
        TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: false
        TLS_DHE_PSK_WITH_AES_128_CCM: false
        TLS_DHE_PSK_WITH_AES_256_CCM: false
        TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: false
        TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: false
        TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: false
        TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: false
        TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: false
        TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: false
        TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: false
        TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: false
        TLS_DHE_PSK_WITH_CHACHA20_POLY1305: false
        TLS_DHE_RSA_WITH_AES_128_CCM: false
        TLS_DHE_RSA_WITH_AES_128_CCM_8: false
... (197 lines left)

Extend Kubernetes queries for ephemeralContainers

We've updated our Kubernetes policies to scan the security of ephemeralContainers defined in Kubernetes workloads. This ensures the security of any containers attached to workloads for debugging.

🐛 BUG FIXES AND UPDATES

• Significantly reduce memory usage when syncing data to Mondoo Platform.
• Tag cnspec/cnquery container images on Docker Hub for the major version (7, 8, etc) to match mondoo image tagging.
• Publish cnspec/cnquery rootless container images to Docker Hub to match mondoo rootless container builds.
• cnspec -o json now produces properly formatted JSON and includes the policy scores.
• Resolve errors in some MQL queries using { * } such as docker.containers { * }.
• Automatically discover Google organizations when --discover is set to auto or the --discover flag is not specified.
• Resolve authentication failures against Microsoft 365.
• Update the chevrons in the Fleet view so it's clear when there are hidden lists of assets.
• Improve CVE pages to show data more reliably.
• Improve mondoo update reliability on Windows.
• Update the example setup commands for Debian/Ubuntu on the Integrations page to overwrite repository GPG keys.
• Improve GitHub Actions examples in the Integrations page.