Commit

🧹 change all platform.name/family/release uses to asset.platform/family/version (#255)
vjeffrey authored Sep 12, 2023
1 parent 17a66f9 commit 035717a
Showing 15 changed files with 50 additions and 50 deletions.
6 changes: 3 additions & 3 deletions community/chef-infra-client.mql.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ policies:
groups:
- title: Insecure permissions
filters: |
platform.family.contains(_ == 'unix')
asset.family.contains(_ == 'unix')
file("/opt/chef").exists
checks:
- uid: client-pem-permissions
Expand All @@ -24,15 +24,15 @@ policies:
- uid: var-log-chef-directory-permissions
- title: Insecure configurations
filters: |
platform.family.contains(_ == 'unix')
asset.family.contains(_ == 'unix')
file("/opt/chef").exists
checks:
- uid: avoid-reporting-tokens-in-config
- uid: disable-legacy-encrypted-data-bags
- uid: validation-pem-not-present
- title: EOL software
filters: |
platform.family.contains(_ == 'unix')
asset.family.contains(_ == 'unix')
file("/opt/chef").exists
checks:
- uid: non-eol-infra-client
6 changes: 3 additions & 3 deletions community/chef-infra-server.mql.yaml
Expand Up @@ -14,7 +14,7 @@ policies:
groups:
- title: EOL components
filters: |
platform.family.contains(_ == 'linux')
asset.family.contains(_ == 'linux')
file("/opt/opscode").exists
checks:
- uid: eol-analytics-addon
Expand All @@ -24,14 +24,14 @@ policies:
- uid: non-eol-infra-server
- title: Insecure configurations
filters: |
platform.family.contains(_ == 'linux')
asset.family.contains(_ == 'linux')
file("/opt/opscode").exists
checks:
- uid: disable-insecure-addon-compat
- uid: secure-tls-only
- title: Insecure permissions
filters: |
platform.family.contains(_ == 'linux')
asset.family.contains(_ == 'linux')
file("/opt/opscode").exists
checks:
- uid: chef-server-rb-permissions
2 changes: 1 addition & 1 deletion core/mondoo-azure-security.mql.yaml
Expand Up @@ -14,7 +14,7 @@ policies:
groups:
- title: Azure Core
filters: |
platform.name == "azure"
asset.platform == "azure"
platform.kind == "api"
checks:
- uid: mondoo-azure-security-default-network-access-rule-storage-accounts-deny
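Review bot: `platform.kind == "api"` on the line right after the changed filter is left on the old `platform` resource while `platform.name` on the line above moves to `asset.platform`, so this group still depends on the resource the commit is migrating away from. Either confirm that `platform.kind` stays supported alongside `asset.platform`, or move it to the matching `asset` field (`asset.kind`, if the asset resource exposes it) in the same change, so the Azure Core group does not silently stop matching once `platform` is deprecated.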
2 changes: 1 addition & 1 deletion core/mondoo-dns-security.mql.yaml
Expand Up @@ -13,7 +13,7 @@ policies:
desc: "## Overview\n\nThe DNS Security by Mondoo provides baseline checks for assessing the configuration of DNS servers.\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Scan a host \n\n```bash\ncnspec scan host <hostname>\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n"
groups:
- title: Networking
filters: platform.family.contains('network')
filters: asset.family.contains('network')
checks:
- uid: mondoo-dns-security-google-workspaces-mx-records
- uid: mondoo-dns-security-no-cname-for-root-domain
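Review bot: the filter form `asset.family.contains('network')` differs from the `asset.family.contains(_ == 'unix')` form used in the other bundles touched by this commit (for example chef-infra-client). The rename itself preserves the existing behaviour, but if both spellings are valid MQL, pick one and use it consistently across the bundles so that future migrations of these filters can be done with a single search-and-replace and a lint pass.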
2 changes: 1 addition & 1 deletion core/mondoo-gitlab-security.mql.yaml
Expand Up @@ -13,7 +13,7 @@ policies:
desc: "## Overview\n\nThe GitLab Security by Mondoo policy bundle provides guidance for establishing minimum recommended security and operational best practices for GitLab. This policy is early access.\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n``` \n\n### Prerequisites\n\nRemote scans of GitLab requires a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with access to the group.\n\n### Run a scan of a GitLab group\n\nOpen a terminal and configure an environment variable with your GitLab personal access token:\n\n```bash\nexport GITLAB_TOKEN=<your personal access token> \n```\n\nRun a remote scan of your GitLab group: \n\n```bash\ncnspec scan gitlab --group <group_name>\n``` \n \n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions."
groups:
- title: GitLab
filters: platform.name == "gitlab"
filters: asset.platform == "gitlab"
checks:
- uid: mondoo-gitlab-security-private-group
- uid: mondoo-gitlab-security-private-projects
16 changes: 8 additions & 8 deletions core/mondoo-kubernetes-best-practices.mql.yaml
Expand Up @@ -13,15 +13,15 @@ policies:
desc: "## Overview\n\nThe Kubernetes Best Practices by Mondoo policy bundle provides guidance for establishing reliable Kubernetes clusters by encouraging the adoption of best practices.\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Kubernetes clusters requires a `KUBECONFIG` with access to the cluster you want to scan.\n\n### Scan a Kubernetes cluster\n\nOpen a terminal and configure an environment variable with the path to your `KUBECONFIG`:\n\n```bash\nexport KUBECONFIG=/path/to/kubeconfig\n```\n\nRun a scan of the Kubernetes cluster:\n\n```bash\ncnspec scan k8s\n``` \n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions."
groups:
- title: CronJobs
filters: platform.name == "k8s-cronjob"
filters: asset.platform == "k8s-cronjob"
checks:
- uid: mondoo-kubernetes-best-practices-cronjob-default-namespace
- uid: mondoo-kubernetes-best-practices-cronjob-hostalias
- uid: mondoo-kubernetes-best-practices-cronjob-ports-hostport
- uid: mondoo-kubernetes-best-practices-cronjob-requestcpu
- uid: mondoo-kubernetes-best-practices-cronjob-requestmemory
- title: StatefulSets
filters: platform.name == "k8s-statefulset"
filters: asset.platform == "k8s-statefulset"
checks:
- uid: mondoo-kubernetes-best-practices-statefulset-default-namespace
- uid: mondoo-kubernetes-best-practices-statefulset-hostalias
Expand All @@ -31,7 +31,7 @@ policies:
- uid: mondoo-kubernetes-best-practices-statefulset-requestcpu
- uid: mondoo-kubernetes-best-practices-statefulset-requestmemory
- title: Deployments
filters: platform.name == "k8s-deployment"
filters: asset.platform == "k8s-deployment"
checks:
- uid: mondoo-kubernetes-best-practices-deployment-default-namespace
- uid: mondoo-kubernetes-best-practices-deployment-hostalias
Expand All @@ -41,15 +41,15 @@ policies:
- uid: mondoo-kubernetes-best-practices-deployment-requestcpu
- uid: mondoo-kubernetes-best-practices-deployment-requestmemory
- title: Jobs
filters: platform.name == "k8s-job"
filters: asset.platform == "k8s-job"
checks:
- uid: mondoo-kubernetes-best-practices-job-default-namespace
- uid: mondoo-kubernetes-best-practices-job-hostalias
- uid: mondoo-kubernetes-best-practices-job-ports-hostport
- uid: mondoo-kubernetes-best-practices-job-requestcpu
- uid: mondoo-kubernetes-best-practices-job-requestmemory
- title: Replicasets
filters: platform.name == "k8s-replicaset"
filters: asset.platform == "k8s-replicaset"
checks:
- uid: mondoo-kubernetes-best-practices-replicaset-default-namespace
- uid: mondoo-kubernetes-best-practices-replicaset-hostalias
Expand All @@ -59,7 +59,7 @@ policies:
- uid: mondoo-kubernetes-best-practices-replicaset-requestcpu
- uid: mondoo-kubernetes-best-practices-replicaset-requestmemory
- title: Daemonsets
filters: platform.name == "k8s-daemonset"
filters: asset.platform == "k8s-daemonset"
checks:
- uid: mondoo-kubernetes-best-practices-daemonset-default-namespace
- uid: mondoo-kubernetes-best-practices-daemonset-hostalias
Expand All @@ -69,7 +69,7 @@ policies:
- uid: mondoo-kubernetes-best-practices-daemonset-requestcpu
- uid: mondoo-kubernetes-best-practices-daemonset-requestmemory
- title: Pods
filters: platform.name == "k8s-pod"
filters: asset.platform == "k8s-pod"
checks:
- uid: mondoo-kubernetes-best-practices-pod-default-namespace
- uid: mondoo-kubernetes-best-practices-pod-hostalias
Expand All @@ -80,7 +80,7 @@ policies:
- uid: mondoo-kubernetes-best-practices-pod-requestcpu
- uid: mondoo-kubernetes-best-practices-pod-requestmemory
- title: Ingress Configuration
filters: platform.name == "k8s-ingress"
filters: asset.platform == "k8s-ingress"
checks:
- uid: mondoo-kubernetes-best-practices-ingress-cert-expiration
scoring_system: 2
18 changes: 9 additions & 9 deletions core/mondoo-kubernetes-security.mql.yaml
Expand Up @@ -14,7 +14,7 @@ policies:
groups:
- title: Kubernetes API Server
filters: |
platform.family.contains(_ == 'linux')
asset.family.contains(_ == 'linux')
processes.where( executable == /kube-apiserver/ ).list != []
checks:
- uid: mondoo-kubernetes-security-api-server-no-anonymous-auth
Expand All @@ -27,7 +27,7 @@ policies:
- uid: mondoo-kubernetes-security-secure-scheduler_conf
- title: Kubernetes kubelet
filters: |
platform.family.contains(_ == 'linux')
asset.family.contains(_ == 'linux')
processes.where( executable == /kubelet/ ).list != []
checks:
- uid: mondoo-kubernetes-security-kubelet-anonymous-authentication
Expand All @@ -42,7 +42,7 @@ policies:
- uid: mondoo-kubernetes-security-secure-kubelet-cert-authorities
- uid: mondoo-kubernetes-security-secure-kubelet-config
- title: Kubernetes CronJobs Security
filters: platform.name == "k8s-cronjob"
filters: asset.platform == "k8s-cronjob"
checks:
- uid: mondoo-kubernetes-security-cronjob-allowprivilegeescalation
- uid: mondoo-kubernetes-security-cronjob-capability-net-raw
Expand All @@ -63,7 +63,7 @@ policies:
- uid: mondoo-kubernetes-security-cronjob-runasnonroot
- uid: mondoo-kubernetes-security-cronjob-serviceaccount
- title: Kubernetes StatefulSets Security
filters: platform.name == "k8s-statefulset"
filters: asset.platform == "k8s-statefulset"
checks:
- uid: mondoo-kubernetes-security-statefulset-allowprivilegeescalation
- uid: mondoo-kubernetes-security-statefulset-capability-net-raw
Expand All @@ -84,7 +84,7 @@ policies:
- uid: mondoo-kubernetes-security-statefulset-runasnonroot
- uid: mondoo-kubernetes-security-statefulset-serviceaccount
- title: Kubernetes Deployments Security
filters: platform.name == "k8s-deployment"
filters: asset.platform == "k8s-deployment"
checks:
- uid: mondoo-kubernetes-security-deployment-allowprivilegeescalation
- uid: mondoo-kubernetes-security-deployment-capability-net-raw
Expand All @@ -107,7 +107,7 @@ policies:
- uid: mondoo-kubernetes-security-deployment-serviceaccount
- uid: mondoo-kubernetes-security-deployment-tiller
- title: Kubernetes Jobs Security
filters: platform.name == "k8s-job"
filters: asset.platform == "k8s-job"
checks:
- uid: mondoo-kubernetes-security-job-allowprivilegeescalation
- uid: mondoo-kubernetes-security-job-capability-net-raw
Expand All @@ -128,7 +128,7 @@ policies:
- uid: mondoo-kubernetes-security-job-runasnonroot
- uid: mondoo-kubernetes-security-job-serviceaccount
- title: Kubernetes ReplicaSets Security
filters: platform.name == "k8s-replicaset"
filters: asset.platform == "k8s-replicaset"
checks:
- uid: mondoo-kubernetes-security-replicaset-allowprivilegeescalation
- uid: mondoo-kubernetes-security-replicaset-capability-net-raw
Expand All @@ -149,7 +149,7 @@ policies:
- uid: mondoo-kubernetes-security-replicaset-runasnonroot
- uid: mondoo-kubernetes-security-replicaset-serviceaccount
- title: Kubernetes DaemonSets Security
filters: platform.name == "k8s-daemonset"
filters: asset.platform == "k8s-daemonset"
checks:
- uid: mondoo-kubernetes-security-daemonset-allowprivilegeescalation
- uid: mondoo-kubernetes-security-daemonset-capability-net-raw
Expand All @@ -170,7 +170,7 @@ policies:
- uid: mondoo-kubernetes-security-daemonset-runasnonroot
- uid: mondoo-kubernetes-security-daemonset-serviceaccount
- title: Kubernetes Pods Security
filters: platform.name == "k8s-pod"
filters: asset.platform == "k8s-pod"
checks:
- uid: mondoo-kubernetes-security-pod-allowprivilegeescalation
- uid: mondoo-kubernetes-security-pod-capability-net-raw
6 changes: 3 additions & 3 deletions core/mondoo-linux-workstation-security.mql.yaml
Expand Up @@ -60,7 +60,7 @@ policies:
groups:
- title: Secure Boot
filters: |
platform.family.contains(_ == 'linux')
asset.family.contains(_ == 'linux')
checks:
- uid: mondoo-linux-workstation-security-permissions-on-bootloader-config-are-configured
- uid: mondoo-linux-workstation-security-secure-boot-is-enabled
Expand All @@ -69,7 +69,7 @@ policies:
- uid: mondoo-linux-workstation-security-secure-boot-is-enabled-metadata
- title: Disk encryption
filters: |
platform.family.contains(_ == 'linux')
asset.family.contains(_ == 'linux')
checks:
- uid: mondoo-linux-workstation-security-aes-encryption-algorithm
- uid: mondoo-linux-workstation-security-root-and-home-are-encrypted
Expand All @@ -78,7 +78,7 @@ policies:
- uid: mondoo-linux-workstation-security-disk-encryption-metadata
- title: BIOS Firmware up-to-date
filters: |
platform.family.contains(_ == 'linux')
asset.family.contains(_ == 'linux')
package('fwupd').installed
checks:
- uid: mondoo-linux-workstation-security-bios-uptodate
6 changes: 3 additions & 3 deletions core/mondoo-macos-security.mql.yaml
Expand Up @@ -13,7 +13,7 @@ policies:
desc: "## Overview\n\nThis policy provides prescriptive guidance for establishing a secure configuration posture for Apple macOS. This guide was tested against Apple macOS 10, 11, 12, and 13.\n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where `cnspec` is installed.\n\nTo scan the `localhost` against this policy: \n\n```bash\ncnspec scan local \n```\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of macOS hosts requires **Remote login** to be enabled in the System Preferences, along with a suitable authentication method such as SSH keys.\n\n### Scan a remote macOS (SSH authentication)\n\n```bash\ncnspec scan ssh <user>@<IP_ADDRESS> -i /path/to/ssh_key \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. "
groups:
- title: Core
filters: "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n"
filters: "asset.platform == \"macos\" \nasset.version == /^10\\./ || asset.version == /^11\\./ || asset.version == /^12\\./ || asset.version == /^13\\./\n"
checks:
- uid: mondoo-macos-security-disable-bluetooth-sharing
- uid: mondoo-macos-security-disable-bonjour-advertising-service
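Review bot: the second line of the filter switches `platform.release` to `asset.version` but keeps the anchored regexes `/^10\./` through `/^13\./`, which only match if `asset.version` is formatted the same way (`major.minor...`) as `platform.release` was for macOS. Worth verifying against a real macOS host that the Core group still applies after this change: a group filter that no longer matches produces no error, it just drops every check in the group from the scan.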
Expand All @@ -38,15 +38,15 @@ policies:
- uid: mondoo-macos-security-software-updates-automatic-download
- uid: mondoo-macos-security-software-updates-install-critical-updates
- title: Account Security
filters: "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n"
filters: "asset.platform == \"macos\" \nasset.version == /^10\\./ || asset.version == /^11\\./ || asset.version == /^12\\./ || asset.version == /^13\\./\n"
checks:
- uid: mondoo-macos-security-do-not-enable-the-root-account
- uid: mondoo-macos-security-password-age
- uid: mondoo-macos-security-password-history
- uid: mondoo-macos-security-reduce-the-sudo-timeout-period
- uid: mondoo-macos-security-set-a-minimum-password-length
- title: Logging
filters: "platform.name == \"macos\" \nplatform.release == /^10\\./ || platform.release == /^11\\./ || platform.release == /^12\\./ || platform.release == /^13\\./\n"
filters: "asset.platform == \"macos\" \nasset.version == /^10\\./ || asset.version == /^11\\./ || asset.version == /^12\\./ || asset.version == /^13\\./\n"
checks:
- uid: mondoo-macos-security-control-access-to-audit-records
- uid: mondoo-macos-security-enable-security-auditing
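Review bot: the same filter literal is repeated verbatim in the Account Security and Logging groups here and in the Core group above, so a rename like this one has to be applied in three places and a partial edit would leave the groups disagreeing about which macOS versions they cover. Consider keeping a single shared definition of the macOS version filter, or at least adding a note in the bundle that the three strings must stay identical.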
2 changes: 1 addition & 1 deletion core/mondoo-ms365-security.mql.yaml
Expand Up @@ -14,7 +14,7 @@ policies:
groups:
- title: Microsoft365
filters: |
platform.name == "microsoft365"
asset.platform == "microsoft365"
platform.kind == "api"
checks:
- uid: mondoo-m365-security-enable-azure-ad-identity-protection-sign-in-risk-policies
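Review bot: same issue as in mondoo-azure-security: `platform.kind == "api"` stays on the `platform` resource while `platform.name` directly above it becomes `asset.platform`. Confirm that `platform.kind` remains supported, or migrate it to the `asset` equivalent in this commit, so the Microsoft365 group keeps matching when `platform` is retired.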
2 changes: 1 addition & 1 deletion core/mondoo-openssl-vulnerability.mql.yaml
Expand Up @@ -46,7 +46,7 @@ policies:
If you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Unix OpenSSL
filters: platform.family.contains(_ == 'unix')
filters: asset.family.contains(_ == 'unix')
checks:
- uid: mondoo-openssl-vulnerability
queries:
2 changes: 1 addition & 1 deletion core/mondoo-slack-security.mql.yaml
Expand Up @@ -79,7 +79,7 @@ policies:
If you have any suggestions for improving this policy or if you need support, join [the Mondoo community in GitHub Discussions](https://github.com/orgs/mondoohq/discussions).
groups:
- title: Slack
filters: platform.family.contains(_ == 'slack')
filters: asset.family.contains(_ == 'slack')
checks:
- uid: mondoo-slack-security-limit-admin-accounts
- uid: mondoo-slack-security-admins-secure-2fa-methods
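Review bot: as in mondoo-dns-security, this filter uses the `asset.family.contains('slack')` form while the OS bundles in the same commit use `asset.family.contains(_ == '...')`. Unify on one form across the repository so the filters can be linted and migrated mechanically next time.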
0 comments on commit 035717a