From 45caf450a4e125c896755c5de06324f885f969ca Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 26 Jul 2024 10:47:44 -0700 Subject: [PATCH] Add 11.15 release notes New week. New release Signed-off-by: Tim Smith --- .../mql/resources/aws-pack/aws.eks.cluster.md | 38 ++++++----- .../resources/aws-pack/aws.rds.dbcluster.md | 61 ++++++++--------- .../resources/aws-pack/aws.rds.dbinstance.md | 67 ++++++++++--------- docs/mql/resources/gitlab-pack/README.md | 20 +++--- ...s.md => gitlab.project.approvalsetting.md} | 8 +-- .../resources/gitlab-pack/gitlab.project.md | 2 +- releases/2024-07-30-mondoo-11.15-is-out.md | 67 +++++++++++++++++++ 7 files changed, 167 insertions(+), 96 deletions(-) rename docs/mql/resources/gitlab-pack/{gitlab.project.approvalsettings.md => gitlab.project.approvalsetting.md} (88%) create mode 100644 releases/2024-07-30-mondoo-11.15-is-out.md diff --git a/docs/mql/resources/aws-pack/aws.eks.cluster.md b/docs/mql/resources/aws-pack/aws.eks.cluster.md index e691501ad..f752c9f69 100644 --- a/docs/mql/resources/aws-pack/aws.eks.cluster.md +++ b/docs/mql/resources/aws-pack/aws.eks.cluster.md 
@@ -18,21 +18,23 @@ Amazon EKS cluster **Fields** -| ID | TYPE | DESCRIPTION | -| ------------------ | --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -| name | string | Name of the cluster | -| arn | string | ARN of the cluster | -| region | string | Region for the cluster | -| tags | map[string]string | A map of tags associated with the cluster | -| endpoint | string | The endpoint of Kubernetes API server | -| version | string | Kubernetes server version | -| platformVersion | string | Amazon EKS cluster version | -| status | string | Cluster status | -| encryptionConfig | []dict | Encryption configuration for the cluster | -| logging | dict | Cluster logging configuration | -| networkConfig | dict | Kubernetes network configuration | -| resourcesVpcConfig | dict | VPC configuration | -| createdAt | time | Cluster creation timestamp | -| nodeGroups | [][aws.eks.nodegroup](aws.eks.nodegroup.md) | List of EKS node groups | -| addons | [][aws.eks.addon](aws.eks.addon.md) | List of EKS add-ons | -| iamRole | [aws.iam.role](aws.iam.role.md) | The IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf | +| ID | TYPE | DESCRIPTION | +| ------------------ | --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| name | string | Name of the cluster | +| arn | string | ARN of the cluster | +| region | string | Region for the cluster | +| tags | map[string]string | A map of tags associated with the cluster | +| endpoint | string | The endpoint of Kubernetes API server | +| version | string | Kubernetes server version | +| platformVersion | string | 
Amazon EKS cluster version | +| status | string | Cluster status | +| encryptionConfig | []dict | Encryption configuration for the cluster | +| logging | dict | Cluster logging configuration | +| networkConfig | dict | Kubernetes network configuration | +| resourcesVpcConfig | dict | VPC configuration | +| createdAt | time | Cluster creation timestamp | +| nodeGroups | [][aws.eks.nodegroup](aws.eks.nodegroup.md) | List of EKS node groups | +| addons | [][aws.eks.addon](aws.eks.addon.md) | List of EKS add-ons | +| iamRole | [aws.iam.role](aws.iam.role.md) | The IAM role that provides permissions for the Kubernetes control plane to make calls to Amazon Web Services API operations on your behalf | +| supportType | string | The Kubernetes support policy of the cluster. (`STANDARD` support automatically upgrades at the end of standard support. `EXTENDED` automatically enters extended support at the end of standard support) | +| authenticationMode | string | The authentication mode for the cluster | diff --git a/docs/mql/resources/aws-pack/aws.rds.dbcluster.md b/docs/mql/resources/aws-pack/aws.rds.dbcluster.md index 5a5f16606..7ba6b4664 100644 --- a/docs/mql/resources/aws-pack/aws.rds.dbcluster.md +++ b/docs/mql/resources/aws-pack/aws.rds.dbcluster.md 
@@ -20,33 +20,34 @@ The `aws.rds.dbcluster` resource provides fields for assessing the configuration **Fields** -| ID | TYPE | DESCRIPTION | -| ----------------------- | ----------------------------------------------------------- | --------------------------------------------------------------------------------------- | -| arn | string | ARN for the database cluster | -| region | string | Region where the database cluster exists | -| id | string | Identifier for the database cluster | -| members | [][aws.rds.dbinstance](aws.rds.dbinstance.md) | List of database instances that belong to the cluster | -| snapshots | [][aws.rds.snapshot](aws.rds.snapshot.md) | List of snapshots for the cluster | -| tags | map[string]string | Tags for the database cluster | -| storageEncrypted | bool | Whether the cluster is encrypted | -| storageAllocated | int | The amount of storage, in GiB, provisioned on the cluster | -| storageIops | int | The storage IOPS provisioned on the cluster | -| storageType | string | The type of storage provisioned on the cluster | -| status | string | Current state of the cluster | -| createdTime | time | The creation date of the RDS cluster | -| backupRetentionPeriod | int | Number of days for which automated snapshots are retained | -| autoMinorVersionUpgrade | bool | Whether minor version patches are applied automatically | -| clusterDbInstanceClass | string | Name of the compute and memory capacity class of the cluster database instances | -| engine | string | Name of the database engine for this database cluster | -| engineVersion | string | The version of the database engine for this DB cluster | -| publiclyAccessible | bool | Whether the cluster is publicly accessible | -| multiAZ | bool | Whether the cluster is a Multi-AZ deployment | -| deletionProtection | bool | Whether deletion protection is enabled | -| securityGroups | [][aws.ec2.securitygroup](aws.ec2.securitygroup.md) | List of VPC security group elements that the database cluster 
belongs to | -| availabilityZones | []string | List of Availability Zones (AZs) where instances in the database cluster can be created | -| port | int | The port that the database engine is listening on | -| endpoint | string | The connection endpoint for the primary instance of the database cluster | -| hostedZoneId | string | The cluster hosted zone ID | -| masterUsername | string | The master username for the database | -| latestRestorableTime | time | The latest time to which a database can be restored with point-in-time restore | -| backupSettings | [][aws.rds.backupsetting](aws.rds.backupsetting.md) | Backup setting for the database cluster | +| ID | TYPE | DESCRIPTION | +| ----------------------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| arn | string | ARN for the database cluster | +| region | string | Region where the database cluster exists | +| id | string | Identifier for the database cluster | +| members | [][aws.rds.dbinstance](aws.rds.dbinstance.md) | List of database instances that belong to the cluster | +| snapshots | [][aws.rds.snapshot](aws.rds.snapshot.md) | List of snapshots for the cluster | +| tags | map[string]string | Tags for the database cluster | +| storageEncrypted | bool | Whether the cluster is encrypted | +| storageAllocated | int | The amount of storage, in GiB, provisioned on the cluster | +| storageIops | int | The storage IOPS provisioned on the cluster | +| storageType | string | The type of storage provisioned on the cluster | +| status | string | Current state of the 
cluster | +| createdTime | time | The creation date of the RDS cluster | +| backupRetentionPeriod | int | Number of days for which automated snapshots are retained | +| autoMinorVersionUpgrade | bool | Whether minor version patches are applied automatically | +| clusterDbInstanceClass | string | Name of the compute and memory capacity class of the cluster database instances | +| engine | string | Name of the database engine for this database cluster | +| engineVersion | string | The version of the database engine for this DB cluster | +| publiclyAccessible | bool | Whether the cluster is publicly accessible | +| multiAZ | bool | Whether the cluster is a Multi-AZ deployment | +| deletionProtection | bool | Whether deletion protection is enabled | +| securityGroups | [][aws.ec2.securitygroup](aws.ec2.securitygroup.md) | List of VPC security group elements that the database cluster belongs to | +| availabilityZones | []string | List of Availability Zones (AZs) where instances in the database cluster can be created | +| port | int | The port that the database engine is listening on | +| endpoint | string | The connection endpoint for the primary instance of the database cluster | +| hostedZoneId | string | The cluster hosted zone ID | +| masterUsername | string | The master username for the database | +| latestRestorableTime | time | The latest time to which a database can be restored with point-in-time restore | +| backupSettings | [][aws.rds.backupsetting](aws.rds.backupsetting.md) | Backup setting for the database cluster | +| engineLifecycleSupport | string | The life cycle type for the database engine. By default, this value is set to `open-source-rds-extended-support`, which enrolls your DB engine into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled`. 
In this case, creating the DB engine will fail if the DB major version is past its end of standard support date. | diff --git a/docs/mql/resources/aws-pack/aws.rds.dbinstance.md b/docs/mql/resources/aws-pack/aws.rds.dbinstance.md index 2dff71358..e3ae03cf3 100644 --- a/docs/mql/resources/aws-pack/aws.rds.dbinstance.md +++ b/docs/mql/resources/aws-pack/aws.rds.dbinstance.md 
@@ -20,36 +20,37 @@ The `aws.rds.dbinstance` resource provides fields for assessing the configuratio **Fields** -| ID | TYPE | DESCRIPTION | -| ----------------------------- | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | -| arn | string | ARN for the database instance | -| name | string | Name of the database instance | -| backupRetentionPeriod | int | Number of days for which automated snapshots are retained | -| snapshots | [][aws.rds.snapshot](aws.rds.snapshot.md) | List of snapshots for the database instance | -| storageEncrypted | bool | Whether the instance is encrypted | -| storageAllocated | int | The amount of storage, in GiB, provisioned on the instance | -| storageIops | int | The storage IOPS provisioned on the instance | -| storageType | string | The type of storage provisioned on the instance | -| region | string | Region where the instance exists | -| availabilityZone | string | Availability zone where the instance exists | -| publiclyAccessible | bool | Whether the instance is publicly accessible | -| enabledCloudwatchLogsExports | []string | List of log types the instance is configured to export to CloudWatch logs | -| deletionProtection | bool | Whether deletion protection is enabled | -| multiAZ | bool | Whether the instance is a Multi-AZ deployment | -| id | string | Identifier for the database instance | -| enhancedMonitoringResourceArn | string | ARN of the CloudWatch log stream that receives the enhanced monitoring metrics data | -| tags | map[string]string | Tags for the database instance | -| dbInstanceClass | string | Name of the compute and memory capacity class of the database instance | -| dbInstanceIdentifier | string | User-supplied unique key that identifies a database instance | -| engine | string | Name of the database engine for this database instance | -| 
engineVersion | string | The version of the database engine for this database instance | -| securityGroups | [][aws.ec2.securitygroup](aws.ec2.securitygroup.md) | List of VPC security group elements that the database instance belongs to | -| status | string | Current state of this database | -| autoMinorVersionUpgrade | bool | Whether minor version patches are applied automatically | -| createdTime | time | The creation date of the RDS instance | -| port | int | The port that the database instance listens on. If the database instance is part of a DB cluster, this can be a different port than the DB cluster port. | -| endpoint | string | The connection endpoint for the database instance | -| masterUsername | string | The master username for the database instance | -| latestRestorableTime | time | The latest time to which a database can be restored with point-in-time restore | -| backupSettings | [][aws.rds.backupsetting](aws.rds.backupsetting.md) | Backup setting for the database instance | -| subnets | [][aws.vpc.subnet](aws.vpc.subnet.md) | Subnet for the RDS instance | +| ID | TYPE | DESCRIPTION | +| ----------------------------- | ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| arn | string | ARN for the database instance | +| name | string | Name of the database instance | +| backupRetentionPeriod | int | Number of days for which automated snapshots are retained | +| snapshots | [][aws.rds.snapshot](aws.rds.snapshot.md) | List of snapshots for the database instance | +| storageEncrypted | bool | Whether the instance 
is encrypted | +| storageAllocated | int | The amount of storage, in GiB, provisioned on the instance | +| storageIops | int | The storage IOPS provisioned on the instance | +| storageType | string | The type of storage provisioned on the instance | +| region | string | Region where the instance exists | +| availabilityZone | string | Availability zone where the instance exists | +| publiclyAccessible | bool | Whether the instance is publicly accessible | +| enabledCloudwatchLogsExports | []string | List of log types the instance is configured to export to CloudWatch logs | +| deletionProtection | bool | Whether deletion protection is enabled | +| multiAZ | bool | Whether the instance is a Multi-AZ deployment | +| id | string | Identifier for the database instance | +| enhancedMonitoringResourceArn | string | ARN of the CloudWatch log stream that receives the enhanced monitoring metrics data | +| tags | map[string]string | Tags for the database instance | +| dbInstanceClass | string | Name of the compute and memory capacity class of the database instance | +| dbInstanceIdentifier | string | User-supplied unique key that identifies a database instance | +| engine | string | Name of the database engine for this database instance | +| engineVersion | string | The version of the database engine for this database instance | +| securityGroups | [][aws.ec2.securitygroup](aws.ec2.securitygroup.md) | List of VPC security group elements that the database instance belongs to | +| status | string | Current state of this database | +| autoMinorVersionUpgrade | bool | Whether minor version patches are applied automatically | +| createdTime | time | The creation date of the RDS instance | +| port | int | The port that the database instance listens on. If the database instance is part of a DB cluster, this can be a different port than the DB cluster port. 
| +| endpoint | string | The connection endpoint for the database instance | +| masterUsername | string | The master username for the database instance | +| latestRestorableTime | time | The latest time to which a database can be restored with point-in-time restore | +| backupSettings | [][aws.rds.backupsetting](aws.rds.backupsetting.md) | Backup setting for the database instance | +| subnets | [][aws.vpc.subnet](aws.vpc.subnet.md) | Subnet for the RDS instance | +| engineLifecycleSupport | string | The life cycle type for the database engine. By default, this value is set to `open-source-rds-extended-support`, which enrolls your DB engine into Amazon RDS Extended Support. At the end of standard support, you can avoid charges for Extended Support by setting the value to `open-source-rds-extended-support-disabled`. In this case, creating the DB engine will fail if the DB major version is past its end of standard support date. | diff --git a/docs/mql/resources/gitlab-pack/README.md b/docs/mql/resources/gitlab-pack/README.md index b7f833ef3..21fc3a221 100644 --- a/docs/mql/resources/gitlab-pack/README.md +++ b/docs/mql/resources/gitlab-pack/README.md 
@@ -12,13 +12,13 @@ The GitLab resource pack lets you use MQL to query and assess the security of yo Resources included in this pack: -| ID | DESCRIPTION | -| --------------------------------------------------------------------- | -------------------------------- | -| [gitlab.group](gitlab.group.md) | GitLab group | -| [gitlab.project](gitlab.project.md) | GitLab project | -| [gitlab.project.approvalRule](gitlab.project.approvalrule.md) | GitLab project approval rule | -| [gitlab.project.approvalSettings](gitlab.project.approvalsettings.md) | GitLab project approval settings | -| [gitlab.project.file](gitlab.project.file.md) | GitLab project file | -| [gitlab.project.member](gitlab.project.member.md) | GitLab project member | -| [gitlab.project.protectedBranch](gitlab.project.protectedbranch.md) | GitLab protected branch | -| [gitlab.project.webhook](gitlab.project.webhook.md) | GitLab project webhook | +| ID | DESCRIPTION | +| ------------------------------------------------------------------- | -------------------------------- | +| [gitlab.group](gitlab.group.md) | GitLab group | +| [gitlab.project](gitlab.project.md) | GitLab project | +| [gitlab.project.approvalRule](gitlab.project.approvalrule.md) | GitLab project approval rule | +| [gitlab.project.approvalSetting](gitlab.project.approvalsetting.md) | GitLab project approval settings | +| [gitlab.project.file](gitlab.project.file.md) | GitLab project file | +| [gitlab.project.member](gitlab.project.member.md) | GitLab project member | +| [gitlab.project.protectedBranch](gitlab.project.protectedbranch.md) | GitLab protected branch | +| [gitlab.project.webhook](gitlab.project.webhook.md) | GitLab project webhook | 
diff --git a/docs/mql/resources/gitlab-pack/gitlab.project.approvalsettings.md b/docs/mql/resources/gitlab-pack/gitlab.project.approvalsetting.md similarity index 88% rename from docs/mql/resources/gitlab-pack/gitlab.project.approvalsettings.md rename to docs/mql/resources/gitlab-pack/gitlab.project.approvalsetting.md index d85cdcaff..f12cde127 100644 --- a/docs/mql/resources/gitlab-pack/gitlab.project.approvalsettings.md +++ b/docs/mql/resources/gitlab-pack/gitlab.project.approvalsetting.md @@ -1,12 +1,12 @@ --- -title: gitlab.project.approvalSettings -id: gitlab.project.approvalSettings -sidebar_label: gitlab.project.approvalSettings +title: gitlab.project.approvalSetting +id: gitlab.project.approvalSetting +sidebar_label: gitlab.project.approvalSetting displayed_sidebar: MQL description: GitLab project approval settings --- -# gitlab.project.approvalSettings +# gitlab.project.approvalSetting **Description** diff --git a/docs/mql/resources/gitlab-pack/gitlab.project.md b/docs/mql/resources/gitlab-pack/gitlab.project.md index dd52c6ad6..9cdf4a073 100644 --- a/docs/mql/resources/gitlab-pack/gitlab.project.md +++ b/docs/mql/resources/gitlab-pack/gitlab.project.md 
@@ -46,7 +46,7 @@ GitLab project | requirementsEnabled | bool | Whether the requirements feature is enabled | | approvalRules | [][gitlab.project.approvalRule](gitlab.project.approvalrule.md) | Approval rules for the project | | mergeMethod | string | Merge methods for the project | -| approvalSettings | [gitlab.project.approvalSettings](gitlab.project.approvalsettings.md) | Approval settings for the project | +| approvalSettings | [gitlab.project.approvalSetting](gitlab.project.approvalsetting.md) | Approval settings for the project | | protectedBranches | [][gitlab.project.protectedBranch](gitlab.project.protectedbranch.md) | Protected branches settings for the project | | projectMembers | [][gitlab.project.member](gitlab.project.member.md) | List of members in the project with their roles | | projectFiles | [][gitlab.project.file](gitlab.project.file.md) | List of files in the project repository | diff --git a/releases/2024-07-30-mondoo-11.15-is-out.md b/releases/2024-07-30-mondoo-11.15-is-out.md new file mode 100644 index 000000000..13e1bc437 --- /dev/null +++ b/releases/2024-07-30-mondoo-11.15-is-out.md 
@@ -0,0 +1,67 @@ +--- +slug: mondoo-11.15-is-out/ +title: Mondoo 11.15 is out! +description: Announcing the 11.15 release of Mondoo, with FOO, BAR, BAZ, and more! +author: Tim Smith +author_title: Mondoo Core Team +author_url: https://github.com/tas50 +image: /img/featured_img/release-feature.jpg +tags: [release, mondoo] +--- + +## ๐Ÿฅณ Mondoo 11.15 is out! This release includes FOO, BAR, BAZ, and more! + +Get this release: [Installation Docs](https://mondoo.com/docs/cnspec/) | [Package Downloads](https://releases.mondoo.com/cnspec/) | [Docker Container](https://hub.docker.com/r/mondoo/cnspec) + +--- + +## ๐ŸŽ‰ NEW FEATURES + +### CIS benchmarks for GitLab security + +DEETS + +### New compliance framework experience + +DEETS + +## ๐Ÿงน IMPROVEMENTS + +### CIS RHEL 9 benchmark policies 2.0 + +DEETS + +### Linux Mint 22 CVE detection + +- AlmaLinux +- Oracle Linux +- Red Hat Enterprise Linux +- Rocky Linux + +DEETS + +### Resource updates + +#### aws.eks.cluster + +- Add new `supportType` field +- Add new `authenticationMode` field + +#### aws.rds.dbcluster + +- Add new `engineLifecycleSupport` field + +#### aws.rds.dbinstance + +- Add new `engineLifecycleSupport` field + +## ๐Ÿ› BUG FIXES AND UPDATES + +- Fix incorrect scoring when policy banded scoring is selected. +- Fix passing the `--token` failure with the Shodan provider. +- Fix display of organizations with zero spaces on the organizations dashboard. +- Don't apply CIS Windows desktop benchmark policies to Windows Server assets. +- Fix `Ensure password hashing algorithm is SHA-512` check in the CIS Distribution Independant Linux benchmark policy. +- Improve application of CIS Linux policies on container assets. +- Fix failures scanning Atlassian Confluence assets. +- Fix error when fetching `createdAt` in the `aws.ec2.keypair` resource.
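Review bot: in the `aws.eks.cluster.md` hunk, the new `authenticationMode` row only says "The authentication mode for the cluster", while the `supportType` row added beside it spells out its possible values. Since this field is what a policy would test to decide whether the cluster still trusts the legacy ConfigMap-based authentication, list the values the AWS API returns in the same parenthetical style as `supportType` so the field is usable in a check without consulting external docs.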
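Review bot: the `engineLifecycleSupport` description added in both `aws.rds.dbcluster.md` and `aws.rds.dbinstance.md` is creation-time guidance ("At the end of standard support, you can avoid charges ... creating the DB engine will fail") rather than a description of what the field reports. For a read-only resource reference, trim it to what a scan sees: the lifecycle type, its two values `open-source-rds-extended-support` and `open-source-rds-extended-support-disabled`, and that the first means the engine is enrolled in Amazon RDS Extended Support once standard support ends. Keep the two files' wording identical, as they are now, so they do not drift.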
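Review bot: the rename of `gitlab.project.approvalsettings.md` to `gitlab.project.approvalsetting.md` changes a published docs path, so add a redirect from the old URL (or confirm the site config handles it) rather than leaving inbound links broken. The README and `gitlab.project.md` rows are updated consistently, but note that the `approvalSettings` field in `gitlab.project.md` keeps its plural name while its type is now `gitlab.project.approvalSetting`; confirm that matches the provider, and mention the resource rename under "Resource updates" in the release notes, which currently list only the AWS changes.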
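Review bot: the new `releases/2024-07-30-mondoo-11.15-is-out.md` still contains unfilled placeholders that would publish as-is: `FOO, BAR, BAZ` in the `description:` front matter and the top heading, and `DEETS` under "CIS benchmarks for GitLab security", "New compliance framework experience", "CIS RHEL 9 benchmark policies 2.0" and "Linux Mint 22 CVE detection". Fill these in or drop the empty sections before merging. In the same hunk, the "Linux Mint 22 CVE detection" section lists AlmaLinux, Oracle Linux, Red Hat Enterprise Linux and Rocky Linux, which does not match its heading, so either the heading or the list is left over from another section. Under "BUG FIXES AND UPDATES", "CIS Distribution Independant Linux" should read "Independent".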