Prioritization with context: Mondoo Firewatch
Ever feel like you're drowning in a rushing firehose of security findings? What about so-called critical vulnerabilities that, it turns out, aren't really much of a threat to your infrastructure?
This month we released the first phase of our all-new Firewatch feature, a solution to overwhelming and often misrepresented findings. Firewatch surfaces genuinely critical risks and prioritizes the most important findings in your infrastructure.
Firewatch evaluates and prioritizes findings and vulnerabilities based on contextual risks on affected assets and downstream system exposure. Our unique algorithm considers multiple angles and factors to highlight the issues most likely to expose your business to attack.
We redesigned our UI to focus on the most critical issues first. The all-new space dashboard includes an interactive sunburst chart for navigating critical findings in your entire space, as well as ranked lists of both vulnerabilities and security findings.
New views for advisories, CVEs, and assets show risk scores and contextual risk factors to expose the importance of fixes needed in your infrastructure.
When you explore the details of an individual risk from anywhere in the Mondoo Console, you now see exposure and downstream impact that help you compare and plan.
New policy check pages allow you to better understand critical impacts to your business. Score tiles bring risk front and center so you can understand the priority of findings. With refactored query descriptions, it's easier to understand why a check is important, how Mondoo evaluates your assets, and what risk factors mean to the safety of your organization.
The new blast radius value for every finding tells you the potential impact of a problem… and of fixing it. Blast radius isn't just the number of assets that have the issue; it also considers risk factors of all of the assets that have the issue.
A new Affected Assets page lets you better prioritize assets in your environment with critical vulnerabilities. Top-of-page filters allow you to drill into individual risk factors that increase or decrease the threat that vulnerabilities present.
Improved EPSS graphs expose the risk percentile and are easier to read.
For a deeper look at the game-changing features of Mondoo Firewatch and an idea of what's coming next, read our Firewatch blog post.
Console performance improvements
No one wants to wait for slow-loading web pages. That's why we unleashed some masterful jiu jitsu on how the console fetches space and asset data. Now our pages are always speedy to load.
Compliance as code
Every audit is different. Now you can customize the Mondoo Compliance Hub experience to match the exact evidence required by your auditor.
Download one of our top industry compliance frameworks to your local system directly from Mondoo Compliance Hub.
The framework file you download is pre-customized for your space with compliance evidence mappings from policies you've enabled, as well as any exceptions you've defined. You can customize the file with any additional controls or specific evidence items your auditor requests.
With your compliance framework fully customized for your auditor's requirements, upload it to Mondoo Compliance Hub and track your progress just as you would using an out-of-the box framework. Need to make a change? Don't worry: You can replace the framework with an updated version at any time or remove it altogether.
Scan more
Scan Azure Container Registry
Mondoo now supports scanning Azure Container Registries (ACR) that require authentication using credentials stored after running the az login command.
To log in and scan a complete registry, run:
az login
cnspec scan container registry my_registry.azurecr.ioDockerfile scanning
Expose security concerns before they reach production with new Mondoo Dockerfile scanning. Run cnquery shell docker file DIRECTORY_OR_PATH to inspect a single Dockerfile or find nested Dockerfiles within directories. Using the new docker.file resource, you can explore the file itself or dive into Dockerfile stages and instructions.
cnquery shell docker file Dockerfile
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ connected to Dockerfile
___ _ __ __ _ _ _ ___ _ __ _ _
/ __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| | __/ | | |_| |
\___|_| |_|\__, |\__,_|\___|_| \__, |
mondoo™ |_| |___/ interactive shell
cnquery> docker.file.stages{*}
docker.file.stages: [
0: {
entrypoint: null
add: []
run: [
0: docker.file.run script="mkdir -p /opt/app"
1: docker.file.run script="npm install"
]
file: docker.file file.path="Dockerfile" instructions.length=8 stages.length=1
copy: [
0: docker.file.copy src=[
0: "src/package.json"
1: "src/package-lock.json"
] dst="."
]
from: docker.file.from name="" image="node" tag="18.16.0-alpine3.17"
env: {}
cmd: docker.file.run script="npm
start"
}
]Stay tuned for upcoming Dockerfile policies and Dockerfile security monitoring in the Mondoo Console!
Kubernetes DaemonSet-based node scanning
With the new DaemonSet Kubernetes node scanning option you can scan Kubernetes cluster nodes with the Mondoo Kubernetes Operator even if the node utilization is too high for CronJob scheduling. If your clusters run high utilization, you can either edit an existing integration to use DaemonSets or configure a new integration with DaemonSet node scanning.
New and updated policies
XZ Utils Vulnerability policy
Although the recent XZ supply chain attack in XZ 5.6.0 and 5.6.1 (CVE-2024–3094) thankfully didn't make it into any mainstream enterprise Linux distributions, there's still a significant risk if employees are running rolling distributions or pre-releases of upcoming Linux distros. To quickly evaluate your CVE-2024–3094 exposure, we've created a new XZ Vulnerability (CVE-2024–3094) policy that looks for XZ 5.6.0/5.6.1 on impacted Linux releases:
- Alpine
- Arch
- Debian trixie/sid
- Fedora 40
- Kali 2024.1
- openSUSE Tumbleweed
Expanded Endpoint Detection and Response (EDR) policy support
Mondoo now detects the ESET EDR with our new Endpoint Detection and Response (EDR) policy.
Rewritten cloud policies
We rewrote the Mondoo AWS Security policy and the Mondoo Microsoft Azure Security policy from the ground up with new and expanded queries that match the latest capabilities and risks, including Microsoft Entra ID.
Windows 11 compatibility policy
Enable the new Windows 11 Compatibility policy to see if existing Windows workstations meet the hardware requirements for Windows 11. This policy includes several different checks for CPU, RAM, TPM, and hard drive space requirements. To learn more about these hardware requirements, read Microsoft's Windows 11 Specs & System Requirements.
New Terraform checks in the CIS GCP Foundation policy
Now you can flag critical security misconfigurations before they ever run in your infrastructure. New and expanded Terraform config checks in the CIS Google Cloud Platform Foundation policy evaluate Terraform configs for proper GCP uniform bucket level access setup.
Support for the latest platforms
Fedora 40 EOL/CVE detection
Mondoo already offers CVE and EOL detection for the Fedora 40 beta, which is now available for testing. Protect your test systems from critical vulnerabilities such as the compromised XZ release (CVE-2024–3094) that originally shipped in this beta.
Google Container-Optimized OS 113
Mondoo now includes security scanning and EOL detection support for Google's latest COS 113 release.
Ubuntu 24.10 CVE detection
Canonical recently announced the start of development for Ubuntu 24.10, code named Oracular Oriole. If you're a risk taker and want to run this pre-alpha release of Ubuntu, Mondoo has your back with CVE support for this upcoming release.
Automate deployments with Terraform
Mondoo's latest Terraform provider allows you to automate the setup of Azure, Slack, and domain integrations. You can even tie in the Azure setup with the Mondoo setup to make managing Azure applications easier than ever. Thank you @mati007thm and @Pauti for all your fantastic work making this provider possible!
Expanded resource support
aws.autoscaling.groups
- Improve resource default values
- New
availabilityZonesfield - New
capacityRebalancefield - New
defaultInstanceWarmupfield - New
desiredCapacityfield - New
instancesfield - New
maxInstanceLifetimefield
aws.cloudfront.distributions
- New
cnamesfield
aws.ec2.instances
- Improve the performance of instance scanning
aws.ec2.networkacl
- New
associationsfield
aws.inspector
- New resource for Amazon Inspector
aws.s3.bucket
- Fix failures fetching ACL grants
gcp.project.bigqueryService
- Fix failures querying BigQuery resources
aws.ec2.images
- New
createdAtfield
aws.elb.loadbalancer
- New
availabilityZonesfield - New
elbTypefield - New
hostedZoneIdfield - New
regionfield - New
securityGroupsfield - New
vpcfield - Deprecate
vpcIdin favor ofvpcfield, which exposes theaws.vpcresource
aws.vpc.subnet
- New
regionfield
docker.file
- New
exposefield - New
labelfield
gcp.project.gkeService.cluster
- Expand default fields to improve cnquery shell use
- New
shieldedNodesConfigfield - New
costManagementConfigfield - New
confidentialNodesConfigfield - New
identityServiceConfigfield - New
networkPolicyConfigfield
gcp.project.gkeService.cluster.addonsConfig
- New
gcsFuseCsiDriverConfigfield - New
statefulHaConfigfield
gcp.project.gkeService.cluster.networkConfig
- New
enableMultiNetworkingfield - New
enableFqdnNetworkPolicyfield - New
enableCiliumClusterwideNetworkPolicyfield
sshd.config
An all-new sshd.config resource includes support for parsing the combined sshd_config and sshd_config.d/* configs. Now Mondoo can track the running state of your SSH daemon no matter where you define configuration options.
What's next?
Mondoo Firewatch already eliminates so much frustration and uncertainty from your prioritization and planning efforts. But there's more to come: Watch for the upcoming ability to customize how Mondoo prioritizes vulnerabilities and security findings.
In the meantime, explore Mondoo and see for yourself how much smarter your team can work when your decisions are well-informed.
