Mondoo 11.7 is out!

🥳 Mondoo 11.7 is out! This release includes Ansible playbook scanning, Shodan host security querying, updated policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container

🎉 NEW FEATURES

Ansible playbook scanning

Query and secure your Ansible playbooks with cnquery and cnspec using our new ansible provider.

Plain Text
cnquery shell ansible my_playbook.yml
→ connected to Ansible Playbook
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondoo™      |_|                |___/  interactive shell

cnquery> ansible.plays { tasks }
ansible.plays: [
  0: {
    tasks: [
      0: ansible.task name="ensure apache is at the latest version"
      1: ansible.task name="write the apache config file"
      2: ansible.task name="ensure apache is running"
    ]
  }
]

With this provider, you can create custom security policies to enforce your organizational standards in CI jobs:

YAML
policies:
  - uid: ansible-best-practices
    name: Ansible Best Practices
    version: 1.0.0
    authors:
      - name: Mondoo, Inc
        email: hello@mondoo.com
    groups:
      - filters:
          - mql: asset.platform == "ansible"
        checks:
          - uid: mondoo-ansible-block-error-handling
queries:
  - uid: mondoo-ansible-block-error-handling
    title: Ensure Tasks are wrapped in block error handling
    mql: ansible.plays.all(tasks.none(block == empty))

Shodan search engine querying

Query domain and IP security information in the Shodan search engine with the new shodan provider in cnquery and cnspec.

Shell
cnquery shell shodan

For authentication, use the SHODAN_TOKEN environment variable.

Shell
export SHODAN_TOKEN="<token>"

Example queries

Query the base information for a host by IP address:

Shell
cnquery> shodan.host("8.8.8.8") { * }
shodan.host: {
  tags: []
  hostnames: [
    0: "dns.google"
  ]
  org: "Google LLC"
  asn: "AS15169"
  ip: "8.8.8.8"
  isp: "Google LLC"
  vulnerabilities: null
  os: null
  ports: [
    0: 443
    1: 53
  ]
}

Query the hostname for an IP address:

Shell
cnquery> shodan.host("8.8.8.8").hostnames
shodan.host.hostnames: [
  0: "dns.google"
]

Display all open ports for a host:

Shell
cnquery> shodan.host("8.8.8.8").ports
shodan.host.ports: [
  0: 443
  1: 53
]

Query the DNS information for a domain:

Shell
cnquery> shodan.domain("example.com") { * }
shodan.domain: {
  name: "example.com"
  nsrecords: [
    0: shodan.nsrecord domain="example.com" subdomain="" type="A"
    1: shodan.nsrecord domain="example.com" subdomain="" type="AAAA"
    2: shodan.nsrecord domain="example.com" subdomain="" type="MX"
    3: shodan.nsrecord domain="example.com" subdomain="" type="NS"
    4: shodan.nsrecord domain="example.com" subdomain="" type="NS"
    5: shodan.nsrecord domain="example.com" subdomain="" type="SOA"
    6: shodan.nsrecord domain="example.com" subdomain="" type="TXT"
    7: shodan.nsrecord domain="example.com" subdomain="" type="TXT"
    8: shodan.nsrecord domain="example.com" subdomain="www" type="A"
    9: shodan.nsrecord domain="example.com" subdomain="www" type="AAAA"
    10: shodan.nsrecord domain="example.com" subdomain="www" type="TXT"
    11: shodan.nsrecord domain="example.com" subdomain="www" type="TXT"
  ]
  tags: [
    0: "ipv6"
    1: "spf"
  ]
  subdomains: [
    0: "www"
  ]
}

Query the DNS NS records for a domain:

Shell
cnquery> shodan.domain("example.com").nsrecords.where(type == "NS") { subdomain  type value }
shodan.domain.nsrecords.where: [
  0: {
    type: "NS"
    subdomain: ""
    value: "a.iana-servers.net"
  }
  1: {
    type: "NS"
    subdomain: ""
    value: "b.iana-servers.net"
  }
]

Query the DNS AAAA records for the "www" subdomain:

Shell
cnquery> shodan.domain("example.com").nsrecords.where(type == "AAAA").where(subdomain == "www") { subdomain  type value }
shodan.domain.nsrecords.where.where: [
  0: {
    subdomain: "www"
    value: "2606:2800:21f:cb07:6820:80da:af6b:8b2c"
    type: "AAAA"
  }
]

Discovery and querying options

Discover all exposed hosts on a network:

Shell
cnquery shell shodan --networks "192.168.0.0/20" --discover hosts

Connect to a specific IP address and display all open ports:

Shell
cnquery shell shodan host 8.8.8.8

Connect to a domain and display subdomains:

Shell
cnquery shell shodan domain example.com

Discover Kubernetes manifests in GitHub and GitLab

Extend your discovery of IaC assets in your GitHub and GitLab repositories or projects to include Kubernetes manifests: With one command, Mondoo tracks down all your manifest files, no matter where they're hiding.

Shell
cnquery scan gitlab --group mondoolabs --discover k8s-manifests
cnspec scan github organization MY_ORG --discover k8s-manifests

Directly scan and query SBOM files

cnquery now lets you directly query SBOM file content as if the files were real running assets:

Shell
cnquery shell sbom cyclonedx_file.json

To inspect SBOM content from Docker Hub:

Shell
docker buildx imagetools inspect mondoo/client --format "{{json .SBOM }}"  |  jq '."linux/amd64"."SPDX"' |  cnquery shell sbom -

🧹 IMPROVEMENTS

CIS Google Cloud Foundations 3.0

Secure your Google Cloud infrastructure with the latest recommendations from the Center for Internet Security (CIS). This updated policy includes new checks as well as updated audit and remediation steps to match the latest Google Cloud console experience.

Expanded FreeBSD end of life information

Plan your FreeBSD upgrades with expanded EOL detection for FreeBSD 13.2 and 14.0.

Resource updates

aws.eks.cluster

New nodeGroups field exposing a new aws.eks.nodegroup resource

aws.elb.loadbalancer

New targetGroups field exposing a new aws.elb.targetgroup resource

aws.ec2.instance

New networkInterfaces field exposing a new aws.ec2.networkinterface field

aws.vpc.natgateway

New subnet field

gcp.project.binaryAuthorization

New resource for inspecting GKE Binary Authorization configuration

gcp.project.sqlservice.instance.settings.ipconfiguration

New sslMode field
New enablePrivatePathForGoogleCloudServices field

microsoft.policies.authorizationPolicy

New permissionGrantPoliciesAssigned field under defaultUserRolePermissions

windows.feature

Deprecated in favor of windows.serverFeature, which better describes this as a server-only resource

windows.optionalFeatures

New resource to check for optional Windows features on desktop Windows releases

🐛 BUG FIXES AND UPDATES

Improve the output of many complex MQL queries in console check results.
Discover all resources when scanning Kubernetes manifests
Fix incorrect asset names when scanning Kubernetes manifests without namespaces
Improve wording in the weekly space summary emails.
Improve wording and fix a documentation link in the Jira integration setup page.
Fix an error querying the gcp.project.gke.cluster.networkPolicy resource.
Fix connection not found errors when scanning some asset types.
Improve wording in cnquery and cnspec help.
Prevent some operating system scans from showing up as "other" operating systems in the console.
Don't fail discovery when a single VMware ESXi host cannot be reached.
Remove non-functional sorting by risk factors in tables.
Add a "Type" column in search results when filtering by "All" so it's more clear if entries are assets, checks, or CVEs.
Fix missing "Space" column information in search when searching at the organization level.
Add Ensure user consent to apps accessing company data on their behalf is not allowed check to the CIS Microsoft 365 Foundations Benchmark policy.