Firewatch 1.5 (#126)
* Firewatch 1.5

* flesh out table of icons

* tas50 changes

* restructure

* imgs

* more imgs

* more more imgs

* omg letha images

* fix broken link

* a little findings progress

* add score/rank topic

* tweaks

* Update docs/platform/security/posture/advisories.md

* Update docs/platform/security/posture/advisories.md

* Update docs/platform/security/posture/findings.mdx

* Keep prettier happy

Perhaps

Signed-off-by: Tim Smith <[email protected]>

---------

Signed-off-by: Tim Smith <[email protected]>
Co-authored-by: Tim Smith <[email protected]>
misterpantz and tas50 authored Apr 27, 2024
1 parent e05131e commit 7b185a6
Showing 30 changed files with 343 additions and 158 deletions.
6 changes: 3 additions & 3 deletions docs/glossary.mdx
Expand Up @@ -7,7 +7,7 @@ image: /img/featured_img/mondoo-feature.jpg

### advisory

An [advisory](/platform/security/vuln/advisories/) is a notice released by a software vendors that provides recommendations on how to fix or mitigate a vulnerability in their product.
An [advisory](/platform/security/posture/advisories/) is a notice released by a software vendors that provides recommendations on how to fix or mitigate a vulnerability in their product.

### annotation
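Review bot: the replacement line under `### advisory` carries over the grammatical error "a notice released by a software vendors"; since the line is being rewritten for the new link anyway, make it "a notice released by a software vendor that provides recommendations on how to fix or mitigate a vulnerability in its product." The retarget from `/platform/security/vuln/advisories/` to `/platform/security/posture/advisories/` matches the new `advisories.md` page added in this commit.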

Expand Down Expand Up @@ -43,7 +43,7 @@ A [control](/platform/compliance/monitor/frameworks/#controls-and-checks) is a g

### CVE

A [CVE](/platform/security/vuln/overview/) (common vulnerability and exposure) is a weakness in a computer system that an attacker can exploit to gain access or extract information.
A [CVE](/platform/security/posture/vulnerabilities/) (common vulnerability and exposure) is a weakness in a computer system that an attacker can exploit to gain access or extract information.

### integration
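Review bot: the definition under `### CVE` conflates the identifier with the weakness, and the link-only change is a good moment to fix it. CVE (Common Vulnerabilities and Exposures, plural) is a catalog of public identifiers; a CVE ID names a publicly disclosed vulnerability rather than being one. Suggest: "A CVE ID (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly disclosed vulnerability. Mondoo reports vulnerabilities by their CVE IDs."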

Expand Down Expand Up @@ -107,6 +107,6 @@ A [team member](/platform/maintain/access/team_members/) is a person in your org

### vulnerability

A [vulnerability](/platform/security/vuln/overview/) is a weakness in a computer system that an attacker can exploit to gain access or extract information. Vulnerabilities are also known as CVEs (common vulnerabilities and exposures).
A [vulnerability](/platform/security/posture/vulnerabilities/) is a weakness in a computer system that an attacker can exploit to gain access or extract information. Vulnerabilities are also known as CVEs (common vulnerabilities and exposures).

---
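Review bot: "Vulnerabilities are also known as CVEs" in the replaced line is imprecise and contradicts how CVE is used elsewhere: a CVE ID is an identifier assigned to a publicly disclosed vulnerability, and many vulnerabilities Mondoo can report (unpublished bugs, vendor-internal issues, misconfigurations) have no CVE at all. Suggest "Publicly disclosed vulnerabilities are usually identified by a CVE ID (Common Vulnerabilities and Exposures)", which also keeps this entry consistent with the `### CVE` entry above.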
6 changes: 3 additions & 3 deletions docs/platform/infra/cloud/azure/_include-webapp.mdx
Expand Up @@ -122,16 +122,16 @@ Grant web app permissions by creating a custom RBAC role for Mondoo and assignin

13. Select the **+ Select Members** link, find and select your Mondoo app registration, and select the **Select** button.

![Azure Subscription Role Member Assignment](/img/platform/infra/cloud/azure/add-int-azure-custom-member.png)
![Azure Subscription Role Member Assignment](/img/platform/infra/cloud/azure/add-int-azure-custom-member.png)

14. Select the **Review + assign** button to check the assignment. Select the **Review + assign** button again to assign the `mondoo-role` role to your Mondoo app registration.

![Azure Subscription Role Member Assignment](/img/platform/infra/cloud/azure/add-int-azure-select-member.png)
![Azure Subscription Role Member Assignment](/img/platform/infra/cloud/azure/add-int-azure-select-member.png)

15. Make sure that you have two RBAC roles for the app you created: On the subscription's **Access control (IAM)** page toolbar, select **Check Access**.

16. Keep "User, group, or service principal" selected and type name you gave the app, such as `mondoo-security`.

17. Select the app. Verify that you see two roles: Reader and the custom role that you created.

It can take a few minutes for the roles you assigned to take effect.
It can take a few minutes for the roles you assigned to take effect.
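Review bot: whitespace-only hunk (the two image lines and the closing "It can take a few minutes" sentence are indented under their list items so prettier keeps them inside the list); no content change. While touching this block, the context line in step 16 reads "type name you gave the app" and should be "type the name you gave the app".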
99 changes: 50 additions & 49 deletions docs/platform/infra/cloud/azure/azure-integration-scan-group.mdx
Expand Up @@ -80,9 +80,9 @@ If you want Mondoo to continuously scan all the resources in a management group,

1. Run this command:

```bash
az account management-group list
```
```bash
az account management-group list
```

2. Copy the ID of the group you want and paste it somewhere handy to use in later steps.
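Review bot: step 2 says "Copy the ID of the group you want" without saying which field of the `az account management-group list` output that is. The listing shows both `displayName` and `name`; the `name` value is the management group ID that the later `--scopes /providers/Microsoft.Management/managementGroups/YOUR-GROUP-ID` path needs, so say "copy the `name` value (not `displayName`)". The re-indentation of the fence itself is fine.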

Expand All @@ -98,35 +98,35 @@ A single command in the Azure CLI performs these tasks:

1. In the Azure CLI, enter:

```bash
az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /providers/Microsoft.Management/managementGroups/YOUR-GROUP-ID --create-cert
```
```bash
az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /providers/Microsoft.Management/managementGroups/YOUR-GROUP-ID --create-cert
```

For `YOUR-GROUP-ID`, substitute the management group ID value you copied in the step above. For example, this command creates a service principal and an application named `mondoo-security` that provides access to a management group with the ID `e4e2600a-2d3d-2600-aa70-b9d8c8ec2600`:
For `YOUR-GROUP-ID`, substitute the management group ID value you copied in the step above. For example, this command creates a service principal and an application named `mondoo-security` that provides access to a management group with the ID `e4e2600a-2d3d-2600-aa70-b9d8c8ec2600`:

```bash
az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /providers/Microsoft.Management/managementGroups/e4e2600a-2d3d-2600-aa70-b9d8c8ec2600 --create-cert
```
```bash
az ad sp create-for-rbac --name mondoo-security --role Reader --scopes /providers/Microsoft.Management/managementGroups/e4e2600a-2d3d-2600-aa70-b9d8c8ec2600 --create-cert
```

When successful, the Azure CLI returns results like these:
When successful, the Azure CLI returns results like these:

```bash
"appId": "63c35483-c62f-2600-a097-a6e44d8dcdf6",
"displayName": "Mondoo",
"fileWithCertAndPrivateKey": "/Users/stella/tmpkqyme3rm.pem",
"password": null,
"tenant": "e4e2600a-2d3d-2600-aa70-b9d8c8ec2600"
```
```bash
"appId": "63c35483-c62f-2600-a097-a6e44d8dcdf6",
"displayName": "Mondoo",
"fileWithCertAndPrivateKey": "/Users/stella/tmpkqyme3rm.pem",
"password": null,
"tenant": "e4e2600a-2d3d-2600-aa70-b9d8c8ec2600"
```

2. Copy your results and paste them somewhere handy; you'll need them in later steps.

3. Copy the created PEM file (in the example above, it's named tmpkqyme3rm.pem) and save it; you'll need it in later steps.

:::tip
:::tip

In the Azure portal, you can make sure that the created application has the required READ access at the subscription level: Go to **Azure portal > [your subscription] > Access control (IAM) > Roles (choose Reader and View) > Assessments**. If you see the `mondoo-security` application, you've succeeded.
In the Azure portal, you can make sure that the created application has the required READ access at the subscription level: Go to **Azure portal > [your subscription] > Access control (IAM) > Roles (choose Reader and View) > Assessments**. If you see the `mondoo-security` application, you've succeeded.

:::
:::

### Step C: Grant web app and key vault READ permissions to the registered app
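Review bot: the example output under "When successful, the Azure CLI returns results like these" shows `"displayName": "Mondoo"`, but the command above creates the app with `--name mondoo-security`, and the tip at the end of the hunk tells the reader to look for `mondoo-security`; the sample should show `"displayName": "mondoo-security"` so all three agree. Two more things in the same hunk: the tip's portal path "Roles (choose Reader and View) > Assessments" should read "Assignments" (the tab on the role's View page), and because the Reader role was granted at management-group scope it appears on each subscription as an inherited assignment, which is worth saying so nobody tries to add a second direct assignment. Finally, step 3 ("Copy the created PEM file ... and save it") should state that this file is the service principal's private key: restrict its permissions (`chmod 600`), keep it out of source control, and delete the local copy once it has been uploaded to Mondoo.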

Expand All @@ -142,7 +142,7 @@ To assign this role across all subscriptions under a management group, follow th

1. Create the custom role definition.

Save this JSON content into a file named `mondoo-role.json`:
Save this JSON content into a file named `mondoo-role.json`:

```json
{
Expand Down Expand Up @@ -198,44 +198,45 @@ To assign this role across all subscriptions under a management group, follow th

4. Check your permissions:

Confirm that your account has the required permissions to list subscriptions within the management group:
Confirm that your account has the required permissions to list subscriptions within the management group:

```
az account management-group subscription show-sub-under-mg --name "YOUR-GROUP-ID"
```

```
az account management-group subscription show-sub-under-mg --name "YOUR-GROUP-ID"
```
If you encounter authorization issues, grant the necessary permissions:

If you encounter authorization issues, grant the necessary permissions:
```
az role assignment create --assignee "[email protected]" --role "Management Group Reader" --scope "/providers/Microsoft.Management/managementGroups/YOUR-GROUP-ID"
```
```
az role assignment create --assignee "[email protected]" --role "Management Group Reader" --scope "/providers/Microsoft.Management/managementGroups/YOUR-GROUP-ID"
```

Replace YOUR-GROUP-ID with the actual ID of your management group. Then, re-execute the command to list subscriptions and confirm access.
Replace YOUR-GROUP-ID with the actual ID of your management group. Then, re-execute the command to list subscriptions and confirm access.

5. Assign the custom role using a script:

Create a new file named `assign_role_to_subscriptions.sh` and paste this script in the file:
Create a new file named `assign_role_to_subscriptions.sh` and paste this script in the file:

```
#!/bin/bash
```
#!/bin/bash
MGMT_GROUP_ID="Mang-Group-ID"
PRINCIPAL_ID="APP-ID"
MGMT_GROUP_ID="Mang-Group-ID"
PRINCIPAL_ID="APP-ID"
# List all subscriptions under the management group and read them line by line
SUBSCRIPTIONS=$(az account management-group subscription show-sub-under-mg --name "$MGMT_GROUP_ID" --query "[].name" -o tsv)
# List all subscriptions under the management group and read them line by line
SUBSCRIPTIONS=$(az account management-group subscription show-sub-under-mg --name "$MGMT_GROUP_ID" --query "[].name" -o tsv)
for SUBSCRIPTION_ID in $SUBSCRIPTIONS; do
echo "Assigning 'mondoo-role' to subscription $SUBSCRIPTION_ID"
# Set the context to the current subscription
az account set --subscription "$SUBSCRIPTION_ID"
# Assign the role to the principal for the current subscription
az role assignment create --role "mondoo-role" --assignee $PRINCIPAL_ID --scope "/subscriptions/$SUBSCRIPTION_ID"
done
```
for SUBSCRIPTION_ID in $SUBSCRIPTIONS; do
echo "Assigning 'mondoo-role' to subscription $SUBSCRIPTION_ID"
# Set the context to the current subscription
az account set --subscription "$SUBSCRIPTION_ID"
# Assign the role to the principal for the current subscription
az role assignment create --role "mondoo-role" --assignee $PRINCIPAL_ID --scope "/subscriptions/$SUBSCRIPTION_ID"
done
```

Be sure to replace YOUR-GROUP-ID with your management group ID and APP-ID with the principal ID.
Be sure to replace YOUR-GROUP-ID with your management group ID and APP-ID with the principal ID.

Make the script executable:
Make the script executable:

```
chmod +x assign_role_to_subscriptions.sh
Expand All @@ -247,7 +248,7 @@ To assign this role across all subscriptions under a management group, follow th
./assign_role_to_subscriptions.sh
```

These steps ensure that the custom role is systematically assigned to all subscriptions within your specified management group.
These steps ensure that the custom role is systematically assigned to all subscriptions within your specified management group.

### Step D: Grant permissions to access Microsoft Graph (API permissions)
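Review bot: the placeholders in the new script and the prose below it do not match: the script sets `MGMT_GROUP_ID="Mang-Group-ID"` while the text says "Be sure to replace YOUR-GROUP-ID with your management group ID"; use `YOUR-GROUP-ID` in the script (as the rest of the page does) so a search-and-replace actually finds it. Smaller points in the same hunk: quote the variable in `az role assignment create --role "mondoo-role" --assignee "$PRINCIPAL_ID"`, for consistency with the other arguments; the `az account set --subscription` call is unnecessary because `--scope "/subscriptions/$SUBSCRIPTION_ID"` already targets the subscription, and it has the side effect of changing the operator's default subscription; the three fences added in steps 4 and 5 have no language tag, unlike the ```bash fences earlier on this page; and "re-execute the command" can simply be "rerun the command".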

2 changes: 1 addition & 1 deletion docs/platform/security/overview.mdx
Expand Up @@ -15,7 +15,7 @@ Mondoo features out-of-the-box security and best practice policies certified by

- [Assess your security posture](/platform/security/posture/overview/) with Mondoo's policy as code.

- [Find vulnerabilities and advisories](/platform/security/vuln/overview/) across your infrastructure.
- [Find vulnerabilities and advisories](/platform/security/posture/vulnerabilities/) across your infrastructure.

- [Customize your Mondoo security](/platform/security/customize/overview/) to meet the unique needs of your organization.

66 changes: 66 additions & 0 deletions docs/platform/security/posture/advisories.md
@@ -0,0 +1,66 @@
---
title: Find Advisories
sidebar_label: Find Advisories
sidebar_position: 5
description: Use Mondoo to find advisories that put your infrastructure at risk
image: /img/featured_img/mondoo-feature.jpg
---

Software vendors often release _advisories_ that provide recommendations on how to fix or mitigate vulnerabilities in their products. Advisories may or may not be released before vulnerabilities are disclosed. Sometimes advisories provide workarounds or other steps that users can take to mitigate a security weakness in the vendor’s products.

:::note

Not every known software issue has an advisory. Be sure to monitor vulnerabilities (CVEs) to find potential exploits in your infrastructure. To learn more, read [Find Vulnerabilities](/platform/security/posture/vulnerabilities).

:::

## Find advisories in your infrastructure

Find advisories for assets in a space:

1. In the [Mondoo Console](https://console.mondoo.com), [navigate to the space](/platform/start/navigate) in which you want to see vulnerabilities.

2. In the left navigation bar, under **Vulnerabilities**, select **Advisories**.

![Find Advisories](/img/platform/security/advisories.png)

The list shows CVEs found in your infrastructure. For each CVE, Mondoo shows a rank (priority compared to other CVEs), score (CRITICAL, HIGH, MEDIUM, OR LOW), blast radius (calculated based on the affected assets), any [risk factors](#risk-factors), and when the vulnerability was first found in your infrastructure.

To learn how Mondoo calculates risk and rank, read [Security Findings](/platform/security/posture/findings/).

3. To filter the list, enter text in the search bar. These are some examples:

- To show only advisories for a certain platform, enter all or part of the platform name. For example, type `windows`, `debian`, or `google`.

- To find an advisory related to a specific CVE number, enter all or part of the number. For example, type `2024-21755` or `1325`.

- To find advisories for a certain service, tool, API, or other technology, enter all or part of its name. For example, enter `winsock`, `curl`, or `cim`.

4. To see the assets in your space where the advisory is found, select the advisory.

## Risk factors

Risk factors are attributes that can elevate the risk that an advisory poses to your organization. Advisories can have their own risk factors:

| Icon | Risk factor |
| ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ![Exploitable icon](/img/platform/security/exploitable.svg) | **Exploitable** advisories have known exploits in the wild. Attackers know how to breach a system using this defect and have already shown it can be done. |
| ![Remote execution icon](/img/platform/security/remote-exec.svg) | **Remote execution** advisories are known to present remote code execution over the network. They let an attacker run malicious code on a target system. |

Mondoo also flags an advisory if the _assets_ that contain the advisory have factors that increase or decrease risk. These are _contextual_ risk factors for an advisory:

| Icon | Risk factor |
| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ![Keys icon](/img/platform/security/keys.svg) | **Accessible keys** indicates that key or credential information is exposed on at least one asset with this advisory. |
| ![EOL icon](/img/platform/security/eol.svg) | **End-of-life (EOL)** indicates that at least one asset with this advisory is running an operating system version that is approaching or has reached EOL (no longer supported). |
| ![Database icon](/img/platform/security/db.svg) | **Database** indicates that at least one asset with this advisory hosts a running database (MySQL or PostgreSQL). |
| ![In use icon](/img/platform/security/use.svg) | **In use** indicates that at least one asset with this advisory has a running service or is in active use. Examples are assets running sshd, OpenSSH, NGINX, or Apache, or assets with open or listening ports. |
| ![Defensive icon](/img/platform/security/defensive.svg) | **Defensive** indicates that at least one asset with this advisory has defensive countermeasures in place (SELinux or AppArmor). |

#### See also

- [Find Vulnerabilities (CVEs)](/platform/security/posture/vulnerabilities/)

- [Prioritize Security Findings](/platform/security/posture/findings/)

---
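Review bot: two sentences in the new page still describe the Vulnerabilities view rather than the Advisories view: step 1 says "navigate to the space in which you want to see vulnerabilities", and the paragraph after the screenshot opens "The list shows CVEs found in your infrastructure." On this page both should say advisories (and, since an advisory bundles one or more CVEs, "rank (priority compared to other advisories)"). Also in that paragraph, "MEDIUM, OR LOW" should be "MEDIUM, or LOW". In the intro, "Advisories may or may not be released before vulnerabilities are disclosed" says nothing actionable; either drop it or state the point, that a vendor advisory can precede or follow publication of the CVE, which is why the note below tells readers to monitor CVEs as well. Style: the closing `#### See also` heading skips from the page's `##` level to `####`; the other headings on this page are `##`.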