Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add 11.17 release notes #309

Merged
merged 4 commits into from
Aug 14, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
170 changes: 170 additions & 0 deletions releases/2024-08-13-mondoo-11.17-is-out.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,170 @@
---
slug: mondoo-11.17-is-out/
title: Mondoo 11.17 is out!
description: Announcing the 11.17 release of Mondoo, with Dockerfile security, all-new AWS security policies, and piles of new resources!
authors: [tim]
image: /img/releases/2024-08-07-mondoo-11.17-is-out/empty_state.png
tags: [release, mondoo]
---

## 🥳 Mondoo 11.17 is out! This release includes Dockerfile security, all-new AWS security policies, and piles of new resources!

Get this release: [Installation Docs](https://mondoo.com/docs/cnspec/) | [Package Downloads](https://releases.mondoo.com/cnspec/) | [Docker Container](https://hub.docker.com/r/mondoo/cnspec)

---

## 🎉 NEW FEATURES

### New Dockerfile Security policy

Secure your container workloads before they run in production with our new Dockerfile Security policy. With automatic Dockerfile discovery in GitHub and GitLab and this new policy, you can evaluate the security of Dockerfiles no matter where they're hiding. Once you've secured your existing files, keep them secure with Dockerfile scanning in CI pipelines.

![Dockerfile policy](/img/releases/2024-08-13-mondoo-11.17-is-out/dockerfile.png)

### New CIS AWS Database Services Benchmark policy

Keep your most valuable business data secure with the new CIS AWS Database Services benchmark policy. This policy includes security recommendations for Amazon's most popular database services:

- Amazon Aurora
- Amazon DynamoDB
- Amazon ElastiCache
- Amazon Neptune
- Amazon RDS
- Amazon Timestream

### Mew Mondoo Amazon Web Services (AWS) GuardDuty policy

Make the most of AWS GuardDuty with our new Mondoo Amazon Web Services (AWS) GuardDuty policy. This policy includes checks to ensure that GuardDuty is properly enabled and configured for EC2, EKS, IAM, Lambda, and S3 security.

### Mondoo Amazon Web Services (AWS) IAM Access Analyzer policy

Cloud security starts with securing access to critical resources. With the new Mondoo Amazon Web Services (AWS) IAM Access Analyzer policy you can now ensure that IAM Access Analyzer is enabled and properly configured.

## 🧹 IMPROVEMENTS

### Newly certified CIS benchmark policies

Our CIS Red Hat Enterprise Linux, Oracle Linux, AlmaLinux, and Rocky Linux 9 policies are better than ever with updates to improve reliability and query output. Even better, these policies are now certified to pass the rigorous CIS benchmark validation process, so you can be confident they'll secure even the most complex enterprise Linux installations.

### Jump right to the point

Now you find what you're looking for with fewer clicks thanks to improved linking behavior on affected assets pages. Links to assets now go directly to the asset result instead of the main asset page, so you can spend your time remediating findings instead of searching for them.

### Resource updates

#### aws.dynamodb.table

- New `items` field
- New `latestStreamArn` field

#### aws.elasticache

- New `serverlessCaches` field using the new `aws.elasticache.serverlessCache` resource

#### aws.guardduty.detector

- New `features` field
- New `findings` field using the new `aws.guardduty.finding` resource
- New `tags` field
- Improve performance fetching detector details

#### aws.iam.accessAnalyzer

- Renamed from `aws.accessAnalyzer` with backward compatibility for existing policies
- New `findings` field using the new `aws.iam.accessanalyzer.finding` resource

#### aws.iam.accessanalyzer.analyzer

- New `region` field
- Include organization-level analyzers as well as activated but unused analyzers

#### aws.neptune

- New resource for the AWS Neptune graph database
- `clusters` field using the new `aws.neptune.cluster` resource
- `instances` field using the new `aws.neptune.instance` resource

#### aws.rds

- New `allPendingMaintenanceActions` field using the new `aws.rds.pendingMaintenanceAction` resource
- Deprecate the `dbInstances` field in favor of a new `instances` field
- Deprecate the `dbClusters` field in favor of a new `clusters` field

#### aws.rds.dbcluster and aws.rds.dbinstance

- New `activityStreamMode` field
- New `activityStreamStatus` field
- New `certificateAuthority` field
- New `certificateExpiresAt` field
- New `enabledCloudwatchLogsExports` field
- New `iamDatabaseAuthentication` field
- New `monitoringInterval` field
- New `networkType` field
- New `preferredBackupWindow` field
- New `preferredMaintenanceWindow` field
- Improve performance fetching security groups details
- Don't include non-RDS engine results

#### aws.timestream.liveanalytics

- New resource with `databases` and `tables` fields

#### aws.vpc

- New `name` field

#### azure.subscription.cloudDefender

- Check the pricing tier for the Servers plan when verifying that Azure's Defender for Servers is enabled

#### microsoft.application

- New `certificates` field using the new `microsoft.keyCredential` resource
- New `createdAt` field
- New `description` field
- New `hasExpiredCredentials` field
- New `info` field
- New `name` field
- New `notes` field
- New `secrets` field using the new `microsoft.passwordCredential` resource
- New `tags` field

#### microsoft.group

- New `members` field

#### microsoft.user

- New `owners` field

#### product.eol

Use this new resource to look up end-of-life status for common products. Example:

```coffee
cnquery> product(name: "php", version: "8.1").releaseCycle { * }
product.releaseCycle: {
endOfLife: 2025-12-31 01:00:00 +0100 CET
endOfExtendedSupport: 719528 days
cycle: "8.1"
lastReleaseDate: 2024-06-06 02:00:00 +0200 CEST
name: ""
link: "https://www.php.net/supported-versions.php"
latestVersion: "8.1.29"
endOfActiveSupport: 2023-11-25 01:00:00 +0100 CET
firstReleaseDate: 2021-11-25 01:00:00 +0100 CET
}
```

## 🐛 BUG FIXES AND UPDATES

- Fix a false negative result in the CIS Microsoft 365 policy's "Ensure a dynamic group for guest users is created" check.
- Add VPC name to asset overview information.
- Don't execute CIS Windows workstation benchmarks on server releases.
- Improve the default data returned by the `k8s.node` resource.
- On the Available Frameworks page, make compliance framework descriptions more concise.
- Add an AWS CloudFormation policy variant icon on policy pages.
- Fix missing risk factors in the affected assets views.
- Show the risk score instead of CVSS scores in asset CVE tables.
- Allow sorting by risk score in tables.
- Fix Windows asset information not returning on some Windows releases if WinRM is disabled.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
22 changes: 11 additions & 11 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -2182,11 +2182,11 @@
"@types/node" "*"

"@types/node@*":
version "22.2.0"
resolved "https://registry.yarnpkg.com/@types/node/-/node-22.2.0.tgz#7cf046a99f0ba4d628ad3088cb21f790df9b0c5b"
integrity sha512-bm6EG6/pCpkxDf/0gDNDdtDILMOHgaQBVOJGdwsqClnxA3xL6jtMv76rLBc006RVMWbmaf0xbmom4Z/5o2nRkQ==
version "22.3.0"
resolved "https://registry.yarnpkg.com/@types/node/-/node-22.3.0.tgz#7f8da0e2b72c27c4f9bd3cb5ef805209d04d4f9e"
integrity sha512-nrWpWVaDZuaVc5X84xJ0vNrLvomM205oQyLsRt7OHNZbSHslcWsvgFR7O7hire2ZonjLrWBbedmotmIlJDVd6g==
dependencies:
undici-types "~6.13.0"
undici-types "~6.18.2"

"@types/node@^17.0.5":
version "17.0.45"
Expand Down Expand Up @@ -3718,9 +3718,9 @@ [email protected]:
integrity sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==

electron-to-chromium@^1.5.4:
version "1.5.6"
resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.5.6.tgz#c81d9938b5a877314ad370feb73b4e5409b36abd"
integrity sha512-jwXWsM5RPf6j9dPYzaorcBSUg6AiqocPEyMpkchkvntaH9HGfOOMZwxMJjDY/XEs3T5dM7uyH1VhRMkqUU9qVw==
version "1.5.7"
resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.5.7.tgz#425d2a7f76ecfa564fdca1040d11fb1979851f3c"
integrity sha512-6FTNWIWMxMy/ZY6799nBlPtF1DFDQ6VQJ7yyDP27SJNt5lwtQ5ufqVvHylb3fdQefvRcgA3fKcFMJi9OLwBRNw==

emoji-regex@^8.0.0:
version "8.0.0"
Expand Down Expand Up @@ -8065,10 +8065,10 @@ typescript@^5.5.3:
resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.5.4.tgz#d9852d6c82bad2d2eda4fd74a5762a8f5909e9ba"
integrity sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q==

undici-types@~6.13.0:
version "6.13.0"
resolved "https://registry.yarnpkg.com/undici-types/-/undici-types-6.13.0.tgz#e3e79220ab8c81ed1496b5812471afd7cf075ea5"
integrity sha512-xtFJHudx8S2DSoujjMd1WeWvn7KKWFRESZTMeL1RptAYERu29D6jphMjjY+vn96jvN3kVPDNxU/E13VTaXj6jg==
undici-types@~6.18.2:
version "6.18.2"
resolved "https://registry.yarnpkg.com/undici-types/-/undici-types-6.18.2.tgz#8b678cf939d4fc9ec56be3c68ed69c619dee28b0"
integrity sha512-5ruQbENj95yDYJNS3TvcaxPMshV7aizdv/hWYjGIKoANWKjhWNBsr2YEuYZKodQulB1b8l7ILOuDQep3afowQQ==

unicode-canonical-property-names-ecmascript@^2.0.0:
version "2.0.0"
Expand Down
Loading