From 6b94bdce0a14a96489886264d56c55292949e0e2 Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Mon, 16 Oct 2023 15:28:55 +0200 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=A7=B9=20format=20bundles?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- community/chef-infra-client.mql.yaml | 5 +- community/chef-infra-server.mql.yaml | 8 +- .../mondoo-linux-operational-policy.mql.yaml | 41 +++++- core/mondoo-aws-security.mql.yaml | 10 +- core/mondoo-azure-security.mql.yaml | 39 ++++- core/mondoo-dns-security.mql.yaml | 27 +++- core/mondoo-gcp-security.mql.yaml | 49 ++++++- core/mondoo-github-best-practices.mql.yaml | 64 ++++++++- core/mondoo-github-security.mql.yaml | 135 +++++++++++++++++- core/mondoo-gitlab-security.mql.yaml | 47 +++++- .../mondoo-kubernetes-best-practices.mql.yaml | 39 ++++- core/mondoo-kubernetes-security.mql.yaml | 41 +++++- ...mondoo-linux-workstation-security.mql.yaml | 1 + core/mondoo-macos-security.mql.yaml | 53 ++++++- core/mondoo-microsoft-vulnerability.mql.yaml | 19 ++- core/mondoo-ms365-security.mql.yaml | 80 ++++++++++- core/mondoo-okta-security.mql.yaml | 2 +- core/mondoo-slack-security.mql.yaml | 3 +- core/mondoo-terraform-aws-security.mql.yaml | 27 +++- core/mondoo-terraform-gcp-security.mql.yaml | 23 ++- core/mondoo-tls-security.mql.yaml | 29 +++- core/mondoo-vmware-vulnerability.mql.yaml | 19 ++- core/mondoo-windows-security.mql.yaml | 41 +++++- ...ndoo-windows-workstation-security.mql.yaml | 1 + 24 files changed, 769 insertions(+), 34 deletions(-) diff --git a/community/chef-infra-client.mql.yaml b/community/chef-infra-client.mql.yaml index 1dc8b619..bf0e110c 100644 --- a/community/chef-infra-client.mql.yaml +++ b/community/chef-infra-client.mql.yaml 
@@ -13,7 +13,10 @@ policies: - name: Tim Smith email: tim@mondoo.com docs: - desc: "Chef Infra Client Policy identifies insecure Chef Infra Client installations that could expose node credentials, as well as end of life client releases that no longer receive security updates per the [Chef Supported Versions documentation](https://docs.chef.io/versions/).\n \nIf you have questions, comments, or have identified ways to improve this policy, please write me at tim@mondoo.com, or reach out in the [Mondoo Slack Community](https://mondoo.link/slack)." + desc: |- + Chef Infra Client Policy identifies insecure Chef Infra Client installations that could expose node credentials, as well as end of life client releases that no longer receive security updates per the [Chef Supported Versions documentation](https://docs.chef.io/versions/). + + If you have questions, comments, or have identified ways to improve this policy, please write me at tim@mondoo.com, or reach out in the [Mondoo Slack Community](https://mondoo.link/slack). groups: - title: Insecure permissions filters: | diff --git a/community/chef-infra-server.mql.yaml b/community/chef-infra-server.mql.yaml index ba21fc8e..1f0cad58 100644 --- a/community/chef-infra-server.mql.yaml +++ b/community/chef-infra-server.mql.yaml 
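Review bot: The `desc` block scalar introduced here uses `|-` while the same conversion in the dns-security, github-best-practices, github-security and gitlab-security hunks of this patch uses `|`. Each choice mirrors whether the old quoted string ended in `\n`, so every file is behaviour-preserving on its own, but the mix reads as accidental rather than deliberate. If the consumer of `desc` does not depend on a trailing newline, `desc: |-` everywhere would make the bundles uniform and save the next editor from guessing which form to copy.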
@@ -13,7 +13,13 @@ policies: - name: Tim Smith email: tim@mondoo.com docs: - desc: "Chef Infra Server Policy identifies several misconfigurations and end of life components that allow attackers to expose node information:\n - Insecure disk permissions on critical directories and configuration files.\n - End of life components installed on the Chef Infra Server such as Push Jobs, Analytics, or Reporting, which no longer receive security updates.\n - Insecure servers settings such non-secure TLS support or legacy add-on compatibility.\n \nIf you have questions, comments, or have identified ways to improve this policy, please write me at tim@mondoo.com, or reach out in the [Mondoo Slack Community](https://mondoo.link/slack)." + desc: |- + Chef Infra Server Policy identifies several misconfigurations and end of life components that allow attackers to expose node information: + - Insecure disk permissions on critical directories and configuration files. + - End of life components installed on the Chef Infra Server such as Push Jobs, Analytics, or Reporting, which no longer receive security updates. + - Insecure servers settings such non-secure TLS support or legacy add-on compatibility. + + If you have questions, comments, or have identified ways to improve this policy, please write me at tim@mondoo.com, or reach out in the [Mondoo Slack Community](https://mondoo.link/slack). groups: - title: EOL components filters: | diff --git a/community/mondoo-linux-operational-policy.mql.yaml b/community/mondoo-linux-operational-policy.mql.yaml index 6ea78a42..740f53e8 100644 --- a/community/mondoo-linux-operational-policy.mql.yaml +++ b/community/mondoo-linux-operational-policy.mql.yaml 
@@ -13,7 +13,46 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nLinux Server Operational Policy by Mondoo provides guidance for operational best practices on Linux hosts.\n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where cnspec is installed.\n\nTo scan the `localhost` against this policy:\n\n```bash\ncnspec scan local\n```\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration.\n\nFor a complete list of native transports run:\n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Linux hosts requires authentication such as SSH keys.\n\n### Scan a remote Linux host (SSH authentication)\n\n```bash\ncnspec scan ssh @ -i /path/to/ssh_key\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. " + desc: |- + ## Overview + + Linux Server Operational Policy by Mondoo provides guidance for operational best practices on Linux hosts. + + ## Local scan + + Local scan refer to scans of files and operating systems where cnspec is installed. + + To scan the `localhost` against this policy: + + ```bash + cnspec scan local + ``` + + ## Remote scan + + Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. + + For a complete list of native transports run: + + ```bash + cnspec scan --help + ``` + + ### Prerequisites + + Remote scans of Linux hosts requires authentication such as SSH keys. + + ### Scan a remote Linux host (SSH authentication) + + ```bash + cnspec scan ssh @ -i /path/to/ssh_key + ``` + + ## Join the community! 
+ + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - filters: asset.family.contains("linux") checks: diff --git a/core/mondoo-aws-security.mql.yaml b/core/mondoo-aws-security.mql.yaml index f281a133..d15d1c07 100644 --- a/core/mondoo-aws-security.mql.yaml +++ b/core/mondoo-aws-security.mql.yaml @@ -217,8 +217,8 @@ queries: __AWS Console__ MFA devices in AWS can be either hardware-based or virtual. To enable an MFA device for the root user, either: - - [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root) - or: + - [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root) + or: - [Enable a hardware MFA device for the AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root) __AWS CLI__ 
@@ -664,7 +664,7 @@ queries: 8. If the virtual MFA app supports multiple virtual MFA devices or accounts, select the option to create a new virtual MFA device or account. 9. Determine whether the MFA app supports QR codes, and then either: - From the wizard, select **Show QR code**, and then use the app to scan the QR code. For example, you might select the camera icon or select an option similar to Scan code, and then use the device's camera to scan the code. - or: + or: - In the Manage MFA Device wizard, select **Show secret key** and type the secret key into your MFA app. 10. When you finish, the virtual MFA device generates one-time passwords. 11. In the Manage MFA Device wizard, in the **MFA code 1** box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password, then type the second one-time password into the **MFA code 2 box**. @@ -2134,7 +2134,7 @@ queries: __Terraform__ You can use this code snippet to create a KMS encrypted EFS. - + Note: `kms_key_id` attribute is optional, and a key will be created if you don't pass a KMS key ID. ```hcl @@ -2242,7 +2242,7 @@ queries: - To create a key, select **New**. Then in **AWS KMS alias**, enter an alias for the key. The key is created in the same Region as the S3 bucket. or: * To use an existing key, select **Existing** and from **AWS KMS alias**, select the key. - + Note: The AWS KMS key and S3 bucket must be in the same Region. 7. Select **Save**. - uid: mondoo-aws-security-secgroup-restricted-ssh diff --git a/core/mondoo-azure-security.mql.yaml b/core/mondoo-azure-security.mql.yaml index ff1ab5a5..74f8f4ba 100644 --- a/core/mondoo-azure-security.mql.yaml +++ b/core/mondoo-azure-security.mql.yaml 
@@ -13,7 +13,44 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nMicrosoft Azure Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Microsoft Azure.\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on-demand scan results without installing agents or integrations. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Azure require API credentials with access to the subscription.\n\nNote: Some of the checks in this policy query data using Microsoft's Graph API. To successfully run these checks, you must create an Azure AD app registration for cnspec with proper permissions. Follow the instructions on https://mondoo.com/docs/platform/cloud/azure/azure-integration-scan/ to set up this app.\n\nTo run all checks at the same time, ensure your app registration has the necessary permissions as described above and then run:\n\n```bash\ncnspec scan azure --certificate-path <*.pem> --tenant-id --client-id --policy-bundle mondoo-azure-security.mql.yaml\n```\n\n### Scan an Azure subscription\n\n```bash\ncnspec scan azure --subscription \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy or need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." + desc: |- + ## Overview + + Microsoft Azure Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Microsoft Azure. + + ## Remote scan + + Remote scans use native transports in cnspec to provide on-demand scan results without installing agents or integrations. 
+ + For a complete list of native transports run: + + ```bash + cnspec scan --help + ``` + + ### Prerequisites + + Remote scans of Azure require API credentials with access to the subscription. + + Note: Some of the checks in this policy query data using Microsoft's Graph API. To successfully run these checks, you must create an Azure AD app registration for cnspec with proper permissions. Follow the instructions on https://mondoo.com/docs/platform/cloud/azure/azure-integration-scan/ to set up this app. + + To run all checks at the same time, ensure your app registration has the necessary permissions as described above and then run: + + ```bash + cnspec scan azure --certificate-path <*.pem> --tenant-id --client-id --policy-bundle mondoo-azure-security.mql.yaml + ``` + + ### Scan an Azure subscription + + ```bash + cnspec scan azure --subscription + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy or need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: Azure Core filters: | diff --git a/core/mondoo-dns-security.mql.yaml b/core/mondoo-dns-security.mql.yaml index ed02c381..675094f7 100644 --- a/core/mondoo-dns-security.mql.yaml +++ b/core/mondoo-dns-security.mql.yaml 
@@ -13,7 +13,32 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nThe DNS Security by Mondoo provides baseline checks for assessing the configuration of DNS servers.\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Scan a host \n\n```bash\ncnspec scan host \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n" + desc: | + ## Overview + + The DNS Security by Mondoo provides baseline checks for assessing the configuration of DNS servers. + + ## Remote scan + + Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. + + For a complete list of native transports run: + + ```bash + cnspec scan --help + ``` + + ### Scan a host + + ```bash + cnspec scan host + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: Networking filters: asset.family.contains('network') diff --git a/core/mondoo-gcp-security.mql.yaml b/core/mondoo-gcp-security.mql.yaml index 6f48c4d0..f6ab28b0 100644 --- a/core/mondoo-gcp-security.mql.yaml +++ b/core/mondoo-gcp-security.mql.yaml 
@@ -13,7 +13,54 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nGoogle Cloud Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Google Cloud.\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Google Cloud Projects requires API credentials with access to the project.\n\n### Scan a GCP project\n\nOpen a terminal and authenticate with Google Cloud: \n\n```bash\ngcloud auth login\n```\n\nRun a scan of a GCP project: \n\n```bash\ncnspec scan gcp\n```\n\nTo target a specific project: \n\n```bash\ngcloud config set project \n```\n\n```bash\ncnspec scan gcp\n``` \n \n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. " + desc: |- + ## Overview + + Google Cloud Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Google Cloud. + + ## Remote scan + + Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. + + For a complete list of native transports run: + + ```bash + cnspec scan --help + ``` + + ### Prerequisites + + Remote scans of Google Cloud Projects requires API credentials with access to the project. 
+ + ### Scan a GCP project + + Open a terminal and authenticate with Google Cloud: + + ```bash + gcloud auth login + ``` + + Run a scan of a GCP project: + + ```bash + cnspec scan gcp + ``` + + To target a specific project: + + ```bash + gcloud config set project + ``` + + ```bash + cnspec scan gcp + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: GCP Project filters: | diff --git a/core/mondoo-github-best-practices.mql.yaml b/core/mondoo-github-best-practices.mql.yaml index 4acc260a..eac12941 100644 --- a/core/mondoo-github-best-practices.mql.yaml +++ b/core/mondoo-github-best-practices.mql.yaml 
@@ -10,10 +10,70 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "# Overview\n\nGitHub Repository Best Practices by Mondoo provides assessments of public and private GitHub repositories to ensure a minimum recommended operational best practices. \n\n## About remote scanning\n\nRemote scans with cnspec provide on demand security assessments of infrastructure and services without the need to install any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. \n\nA complete list of providers can be found by running this command: \n\n```bash\ncnspec scan --help\n``` \n\n### cnspec GitHub provider\n\nThis policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running this command: \n\n```bash\ncnspec scan github --help\n```\n\n## Configuring the GitHub provider\n\nThe `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. The personal access token is required regardless of whether you are scanning a public or a private repository. Access to private repositories is determined by the level of access the token cnspec is configured with when it runs. \n\n### Create a personal access token\n\nTo create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site.\n\n### Configure a GITHUB_TOKEN environment variable\n\nYou supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable. 
\n\n#### Linux / macOS\n\n```bash\nexport GITHUB_TOKEN=\n```\n\n#### Windows \n\n```powershell\n$Env:GITHUB_TOKEN = \"\"\n``` \n\n## Scanning GitHub repositories\n\nTo scan the configuration of a GitHub repository: \n\n```bash\ncnspec scan github repo \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n" + desc: | + # Overview + + GitHub Repository Best Practices by Mondoo provides assessments of public and private GitHub repositories to ensure a minimum recommended operational best practices. + + ## About remote scanning + + Remote scans with cnspec provide on demand security assessments of infrastructure and services without the need to install any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. + + A complete list of providers can be found by running this command: + + ```bash + cnspec scan --help + ``` + + ### cnspec GitHub provider + + This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running this command: + + ```bash + cnspec scan github --help + ``` + + ## Configuring the GitHub provider + + The `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. The personal access token is required regardless of whether you are scanning a public or a private repository. Access to private repositories is determined by the level of access the token cnspec is configured with when it runs. 
+ + ### Create a personal access token + + To create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site. + + ### Configure a GITHUB_TOKEN environment variable + + You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable. + + #### Linux / macOS + + ```bash + export GITHUB_TOKEN= + ``` + + #### Windows + + ```powershell + $Env:GITHUB_TOKEN = "" + ``` + + ## Scanning GitHub repositories + + To scan the configuration of a GitHub repository: + + ```bash + cnspec scan github repo + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: GitHub Repo - filters: "asset.platform == \"github-repo\" \n" + filters: | + asset.platform == "github-repo" checks: - uid: mondoo-github-repository-best-practices-code-of-conduct - uid: mondoo-github-repository-best-practices-include-authors diff --git a/core/mondoo-github-security.mql.yaml b/core/mondoo-github-security.mql.yaml index e155484a..7ded6ffd 100644 --- a/core/mondoo-github-security.mql.yaml +++ b/core/mondoo-github-security.mql.yaml 
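Review bot: The one-line `filters` value at the end of this hunk is rewritten as a block scalar (`filters: |` followed by `asset.platform == "github-repo"`), which preserves the trailing newline of the old quoted string but differs in style from the plain-scalar filters elsewhere in this patch (`filters: asset.platform == "github-org"` in the first github-security hunk, `filters: asset.platform == "gitlab" || asset.platform == "gitlab-group"` in gitlab-security). Unless the trailing newline is significant to filter evaluation, `filters: asset.platform == "github-repo"` is the simpler and consistent form. The second github-security hunk (`- filters: |` over `asset.platform == "github-repo"`) has the same pattern.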
@@ -13,7 +13,76 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nGitHub Organization Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for GitHub organizations.\n\n## About remote scanning\n\nRemote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. \n\nA complete list of providers can be found by running this command: \n\n```bash\ncnspec scan --help\n``` \n\n### cnspec GitHub provider\n\nThis policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub organizations. Additional information on the `github` provider can be found by running this command: \n\n```bash\ncnspec scan github --help\n```\n\n## Configuring the GitHub provider\n\nThe `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. Access to an organization is determined by the level of access the token cnspec is configured with when it runs. \n\n### Create a personal access token\n\nTo create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site.\n\n### Configure a GITHUB_TOKEN environment variable\n\nYou supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable. 
\n\n#### Linux / macOS\n\n```bash\nexport GITHUB_TOKEN=\n```\n\n#### Windows \n\n```powershell\n$Env:GITHUB_TOKEN = \"\"\n```\n\n## Scan a GitHub organization\n \nTo scan the configuration of your GitHub organization, run this command: \n\n```bash\ncnspec scan github org \n```\n\n## Scan a GitHub organization and all repositories\n\ncnspec can also scan a GitHub organization and all of its repositories using the `--discover all` flag. To scan your GitHub organization and discover and scan all of the repositories within your organization, run this command: \n\n```bash\ncnspec scan github org --discover all\n```\n\n> Note: Scanning large GitHub organizations may exceed GitHub API rate limits. For more information see [About rate limits](https://docs.github.com/en/rest/rate-limit?apiVersion=2022-11-28#about-rate-limits) in the GitHub documentation.\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n" + desc: | + ## Overview + + GitHub Organization Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for GitHub organizations. + + ## About remote scanning + + Remote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. + + A complete list of providers can be found by running this command: + + ```bash + cnspec scan --help + ``` + + ### cnspec GitHub provider + + This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub organizations. 
Additional information on the `github` provider can be found by running this command: + + ```bash + cnspec scan github --help + ``` + + ## Configuring the GitHub provider + + The `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. Access to an organization is determined by the level of access the token cnspec is configured with when it runs. + + ### Create a personal access token + + To create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site. + + ### Configure a GITHUB_TOKEN environment variable + + You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable. + + #### Linux / macOS + + ```bash + export GITHUB_TOKEN= + ``` + + #### Windows + + ```powershell + $Env:GITHUB_TOKEN = "" + ``` + + ## Scan a GitHub organization + + To scan the configuration of your GitHub organization, run this command: + + ```bash + cnspec scan github org + ``` + + ## Scan a GitHub organization and all repositories + + cnspec can also scan a GitHub organization and all of its repositories using the `--discover all` flag. To scan your GitHub organization and discover and scan all of the repositories within your organization, run this command: + + ```bash + cnspec scan github org --discover all + ``` + + > Note: Scanning large GitHub organizations may exceed GitHub API rate limits. For more information see [About rate limits](https://docs.github.com/en/rest/rate-limit?apiVersion=2022-11-28#about-rate-limits) in the GitHub documentation. + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. 
groups: - title: GitHub Org filters: asset.platform == "github-org" 
@@ -31,9 +100,69 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "# Overview\n\nGitHub Repository Security by Mondoo provides security assessments of public and private GitHub repositories to ensure minimum recommended security and operational best practices. This policy is also designed to assess public repositories and open source projects your team depends on to evaluate the risk a project poses to your business. Open source projects that do not adhere to GitHub's recommended security best practices pose a higher risk of malicious code making its way into your environments.\n\n## About remote scanning\n\nRemote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. \n\nA complete list of providers can be found by running this command: \n\n```bash\ncnspec scan --help\n``` \n\n### cnspec GitHub Provider\n\nThis policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running this command: \n\n```bash\ncnspec scan github --help\n```\n\n## Configuring the GitHub provider\n\nThe `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. The personal access token is required regardless of whether you are scanning a public or a private repository. Access to private repositories is determined by the level of access the token cnspec is configured with when it runs. 
\n\n### Create a personal access token\n\nTo create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site.\n\n### Configure a GITHUB_TOKEN environment variable\n\nYou supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable. \n\n#### Linux / macOS\n\n```bash\nexport GITHUB_TOKEN=\n```\n\n#### Windows \n\n```powershell\n$Env:GITHUB_TOKEN = \"\"\n``` \n\n## Scanning GitHub repositories\n\nTo scan the configuration of a GitHub repository: \n\n```bash\ncnspec scan github repo \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n" + desc: | + # Overview + + GitHub Repository Security by Mondoo provides security assessments of public and private GitHub repositories to ensure minimum recommended security and operational best practices. This policy is also designed to assess public repositories and open source projects your team depends on to evaluate the risk a project poses to your business. Open source projects that do not adhere to GitHub's recommended security best practices pose a higher risk of malicious code making its way into your environments. + + ## About remote scanning + + Remote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. 
+ + A complete list of providers can be found by running this command: + + ```bash + cnspec scan --help + ``` + + ### cnspec GitHub Provider + + This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running this command: + + ```bash + cnspec scan github --help + ``` + + ## Configuring the GitHub provider + + The `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. The personal access token is required regardless of whether you are scanning a public or a private repository. Access to private repositories is determined by the level of access the token cnspec is configured with when it runs. + + ### Create a personal access token + + To create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site. + + ### Configure a GITHUB_TOKEN environment variable + + You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable. + + #### Linux / macOS + + ```bash + export GITHUB_TOKEN= + ``` + + #### Windows + + ```powershell + $Env:GITHUB_TOKEN = "" + ``` + + ## Scanning GitHub repositories + + To scan the configuration of a GitHub repository: + + ```bash + cnspec scan github repo + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - - filters: "asset.platform == \"github-repo\" \n" + - filters: | + asset.platform == "github-repo" checks: - uid: mondoo-github-repository-security-binary-artifacts - uid: mondoo-github-repository-security-enforce-branch-protection 
diff --git a/core/mondoo-gitlab-security.mql.yaml b/core/mondoo-gitlab-security.mql.yaml index 25f0378f..142b2859 100644 --- a/core/mondoo-gitlab-security.mql.yaml +++ b/core/mondoo-gitlab-security.mql.yaml 
@@ -13,7 +13,52 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nThe GitLab Security policy by Mondoo offers guidance on establishing minimum recommended security best practices for GitLab groups and projects. \n\n## Remote scan\n\nRemote scans of GitLab groups and projects use native transports in cnspec to provide on-demand scan results without the need to install agents or configure integrations.\n\n### Prerequisites\n\nRemote scans of GitLab require a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with access to the group and projects you plan to scan.\n\n### Scan a GitLab group and projects\n\nOpen a terminal and configure an environment variable with your GitLab personal access token:\n\n```bash\nexport GITLAB_TOKEN=\n```\n\nRun a remote scan of your GitLab group:\n\n```bash\ncnspec scan gitlab --group \n```\n\n### Scan a single GitLab project\n\nOpen a terminal and configure an environment variable with your GitLab personal access token:\n\n```bash\nexport GITLAB_TOKEN=\n```\n\nScan a GitLab group:\n\n```bash\ncnspec scan gitlab --group --project \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable.\n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.\"\n" + desc: | + ## Overview + + The GitLab Security policy by Mondoo offers guidance on establishing minimum recommended security best practices for GitLab groups and projects. + + ## Remote scan + + Remote scans of GitLab groups and projects use native transports in cnspec to provide on-demand scan results without the need to install agents or configure integrations. 
+ + ### Prerequisites + + Remote scans of GitLab require a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with access to the group and projects you plan to scan. + + ### Scan a GitLab group and projects + + Open a terminal and configure an environment variable with your GitLab personal access token: + + ```bash + export GITLAB_TOKEN= + ``` + + Run a remote scan of your GitLab group: + + ```bash + cnspec scan gitlab --group + ``` + + ### Scan a single GitLab project + + Open a terminal and configure an environment variable with your GitLab personal access token: + + ```bash + export GITLAB_TOKEN= + ``` + + Scan a GitLab group: + + ```bash + cnspec scan gitlab --group --project + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." groups: - title: GitLab Group filters: asset.platform == "gitlab" || asset.platform == "gitlab-group" diff --git a/core/mondoo-kubernetes-best-practices.mql.yaml b/core/mondoo-kubernetes-best-practices.mql.yaml index b4fc67e5..cd640ec8 100644 --- a/core/mondoo-kubernetes-best-practices.mql.yaml +++ b/core/mondoo-kubernetes-best-practices.mql.yaml 
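Review bot: The new block scalar still ends with a stray `"` after `in GitHub Discussions.` — a leftover of the old escaped string's closing `\"` — so the rendered description now carries a literal quote character; drop it so the last line reads `in GitHub Discussions.` as in the other bundles in this commit. The step under `### Scan a single GitLab project` is captioned `Scan a GitLab group:` although the command passes `--project`; it should read `Scan a GitLab project:`. The `export GITLAB_TOKEN=` and `--group --project` examples appear to have lost their placeholders, which may be an artifact of this rendering rather than of the commit. Because the token gives cnspec the caller's access to every group and project it can reach, the prerequisites sentence would benefit from stating the minimum scope needed — presumably a read-only token, if the gitlab provider only reads, which the doc does not say.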
@@ -13,7 +13,44 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nThe Kubernetes Best Practices by Mondoo policy bundle provides guidance for establishing reliable Kubernetes clusters by encouraging the adoption of best practices.\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Kubernetes clusters requires a `KUBECONFIG` with access to the cluster you want to scan.\n\n### Scan a Kubernetes cluster\n\nOpen a terminal and configure an environment variable with the path to your `KUBECONFIG`:\n\n```bash\nexport KUBECONFIG=/path/to/kubeconfig\n```\n\nRun a scan of the Kubernetes cluster:\n\n```bash\ncnspec scan k8s\n``` \n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." + desc: |- + ## Overview + + The Kubernetes Best Practices by Mondoo policy bundle provides guidance for establishing reliable Kubernetes clusters by encouraging the adoption of best practices. + + ## Remote scan + + Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. + + For a complete list of native transports run: + + ```bash + cnspec scan --help + ``` + + ### Prerequisites + + Remote scans of Kubernetes clusters requires a `KUBECONFIG` with access to the cluster you want to scan. 
+ + ### Scan a Kubernetes cluster + + Open a terminal and configure an environment variable with the path to your `KUBECONFIG`: + + ```bash + export KUBECONFIG=/path/to/kubeconfig + ``` + + Run a scan of the Kubernetes cluster: + + ```bash + cnspec scan k8s + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: CronJobs filters: asset.platform == "k8s-cronjob" diff --git a/core/mondoo-kubernetes-security.mql.yaml b/core/mondoo-kubernetes-security.mql.yaml index 44b93b7c..290ab72f 100644 --- a/core/mondoo-kubernetes-security.mql.yaml +++ b/core/mondoo-kubernetes-security.mql.yaml 
@@ -13,7 +13,46 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "# Overview\n\nThe Kubernetes Cluster and Workload Security by Mondoo provides guidance for establishing secure Kubernetes cluster configurations and workload deployments.\n\nIf you have questions, comments, or have identified ways to improve this policy, please write us at hello@mondoo.com, or reach out in [GitHub Discussions](https://github.com/orgs/mondoohq/discussions).\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Kubernetes clusters requires a `KUBECONFIG` with access to the cluster you want to scan.\n\n### Scan a Kubernetes cluster\n\nOpen a terminal and configure an environment variable with the path to your `KUBECONFIG`:\n\n```bash\nexport KUBECONFIG=/path/to/kubeconfig\n```\n\nRun a scan of the Kubernetes cluster:\n\n```bash\ncnspec scan k8s\n``` \n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." + desc: |- + # Overview + + The Kubernetes Cluster and Workload Security by Mondoo provides guidance for establishing secure Kubernetes cluster configurations and workload deployments. + + If you have questions, comments, or have identified ways to improve this policy, please write us at hello@mondoo.com, or reach out in [GitHub Discussions](https://github.com/orgs/mondoohq/discussions). + + ## Remote scan + + Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. 
+ + For a complete list of native transports run: + + ```bash + cnspec scan --help + ``` + + ### Prerequisites + + Remote scans of Kubernetes clusters requires a `KUBECONFIG` with access to the cluster you want to scan. + + ### Scan a Kubernetes cluster + + Open a terminal and configure an environment variable with the path to your `KUBECONFIG`: + + ```bash + export KUBECONFIG=/path/to/kubeconfig + ``` + + Run a scan of the Kubernetes cluster: + + ```bash + cnspec scan k8s + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: Kubernetes API Server filters: | diff --git a/core/mondoo-linux-workstation-security.mql.yaml b/core/mondoo-linux-workstation-security.mql.yaml index 9ac60862..36fb48c4 100644 --- a/core/mondoo-linux-workstation-security.mql.yaml +++ b/core/mondoo-linux-workstation-security.mql.yaml @@ -15,6 +15,7 @@ policies: docs: desc: | ## Overview + This policy provides prescriptive guidance for establishing a secure configuration posture for Client Linux systems running on x86 and x64 platforms. Commands and scripts are provided which should work on most distributions however some translation to local styles may be required in places. diff --git a/core/mondoo-macos-security.mql.yaml b/core/mondoo-macos-security.mql.yaml index d34fe065..0fe19fdb 100644 --- a/core/mondoo-macos-security.mql.yaml +++ b/core/mondoo-macos-security.mql.yaml 
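Review bot: The prerequisites sentence `Remote scans of Kubernetes clusters requires a KUBECONFIG with access to the cluster you want to scan.` has a subject-verb mismatch and, more importantly, does not say what level of access the kubeconfig needs, so readers will tend to hand cnspec a cluster-admin context. Suggest `Remote scans of Kubernetes clusters require a KUBECONFIG with read access to the cluster you want to scan.` — assuming the checks in this bundle only read cluster state, which the description implies ("scan") but does not state; confirm before committing to "read access". The same sentence appears in the kubernetes-best-practices bundle in this patch and should be corrected consistently.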
@@ -13,10 +13,51 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nThis policy provides prescriptive guidance for establishing a secure configuration posture for Apple macOS. This guide was tested against Apple macOS 10, 11, 12, and 13.\n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where cnspec is installed.\n\nTo scan the `localhost` against this policy: \n\n```bash\ncnspec scan local \n```\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of macOS hosts requires **Remote login** to be enabled in the System Preferences, along with a suitable authentication method such as SSH keys.\n\n### Scan a remote macOS (SSH authentication)\n\n```bash\ncnspec scan ssh @ -i /path/to/ssh_key \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. " + desc: |- + ## Overview + + This policy provides prescriptive guidance for establishing a secure configuration posture for Apple macOS. This guide was tested against Apple macOS 10, 11, 12, and 13. + + ## Local scan + + Local scan refer to scans of files and operating systems where cnspec is installed. + + To scan the `localhost` against this policy: + + ```bash + cnspec scan local + ``` + + ## Remote scan + + Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. 
+ + For a complete list of native transports run: + + ```bash + cnspec scan --help + ``` + + ### Prerequisites + + Remote scans of macOS hosts requires **Remote login** to be enabled in the System Preferences, along with a suitable authentication method such as SSH keys. + + ### Scan a remote macOS (SSH authentication) + + ```bash + cnspec scan ssh @ -i /path/to/ssh_key + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: Core - filters: "asset.platform == \"macos\" \nasset.version == /^10\\./ || asset.version == /^11\\./ || asset.version == /^12\\./ || asset.version == /^13\\./ || asset.version == /^14\\./ \n" + filters: | + asset.platform == "macos" + asset.version == /^10\./ || asset.version == /^11\./ || asset.version == /^12\./ || asset.version == /^13\./ || asset.version == /^14\./ checks: - uid: mondoo-macos-security-disable-bluetooth-sharing - uid: mondoo-macos-security-disable-bonjour-advertising-service @@ -41,7 +82,9 @@ policies: - uid: mondoo-macos-security-software-updates-automatic-download - uid: mondoo-macos-security-software-updates-install-critical-updates - title: Account Security - filters: "asset.platform == \"macos\" \nasset.version == /^10\\./ || asset.version == /^11\\./ || asset.version == /^12\\./ || asset.version == /^13\\./ || asset.version == /^14\\./ \n" + filters: | + asset.platform == "macos" + asset.version == /^10\./ || asset.version == /^11\./ || asset.version == /^12\./ || asset.version == /^13\./ || asset.version == /^14\./ checks: - uid: mondoo-macos-security-do-not-enable-the-root-account - uid: mondoo-macos-security-password-age 
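Review bot: The overview still says the guide was tested against macOS 10, 11, 12, and 13, while the `Core` group filter in the same hunk matches `asset.version == /^14\./` as well, so the policy is applied to macOS 14 hosts that the documentation does not claim to cover; either extend the sentence to `10, 11, 12, 13, and 14` once the checks have been validated there, or add `macOS 14 is matched by the filters but has not yet been validated.` The `### Prerequisites` sentence could also make the security trade-off explicit: enabling Remote Login exposes SSH on the host, so a one-line caveat such as `Prefer SSH key authentication over passwords and limit Remote Login to the account used for scanning.` would be useful next to the key-based example. The same stale version sentence is repeated verbatim in the Account Security and Logging group filters below, so the fix is only to the description text.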
@@ -49,7 +92,9 @@ policies: - uid: mondoo-macos-security-reduce-the-sudo-timeout-period - uid: mondoo-macos-security-set-a-minimum-password-length - title: Logging - filters: "asset.platform == \"macos\" \nasset.version == /^10\\./ || asset.version == /^11\\./ || asset.version == /^12\\./ || asset.version == /^13\\./ || asset.version == /^14\\./ \n" + filters: | + asset.platform == "macos" + asset.version == /^10\./ || asset.version == /^11\./ || asset.version == /^12\./ || asset.version == /^13\./ || asset.version == /^14\./ checks: - uid: mondoo-macos-security-control-access-to-audit-records - uid: mondoo-macos-security-enable-security-auditing diff --git a/core/mondoo-microsoft-vulnerability.mql.yaml b/core/mondoo-microsoft-vulnerability.mql.yaml index 2bd1ba93..3557b771 100644 --- a/core/mondoo-microsoft-vulnerability.mql.yaml +++ b/core/mondoo-microsoft-vulnerability.mql.yaml 
@@ -13,7 +13,24 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nMondoo Microsoft Vulnerability Policy checks for Windows and Microsoft Application vulnerabilities. It should be used in combination with the Platform Vulnerability Policy to identify missing patches.\n\n### Run policy\n\nTo run this policy against a Windows system:\n\n```bash\ncnspec scan ssh user@domain.local@192.168.1.1 --ask-pass -f core/mondoo-microsoft-vulnerability.mql.yaml\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.\n" + desc: | + ## Overview + + Mondoo Microsoft Vulnerability Policy checks for Windows and Microsoft Application vulnerabilities. It should be used in combination with the Platform Vulnerability Policy to identify missing patches. + + ### Run policy + + To run this policy against a Windows system: + + ```bash + cnspec scan ssh user@domain.local@192.168.1.1 --ask-pass -f core/mondoo-microsoft-vulnerability.mql.yaml + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: Windows Office 2016, 2019, 2021 filters: | diff --git a/core/mondoo-ms365-security.mql.yaml b/core/mondoo-ms365-security.mql.yaml index 8bcc50b1..f56092aa 100644 --- a/core/mondoo-ms365-security.mql.yaml +++ b/core/mondoo-ms365-security.mql.yaml 
@@ -13,7 +13,85 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nMicrosoft 365 Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Microsoft 365.\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Microsoft 365 require API credentials with access to the subscription. Use the following steps to create a new API credential:\n\n1. Install the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)\n2. Login to Azure CLI\n\n ```bash\n az login --allow-no-subscriptions\n ```\n3. Create a new service principal and certificate\n\n ```bash\n az ad sp create-for-rbac --name \"mondoo-ms365\" --create-cert\n ```\n4. Record the `appId` and `tenant` values for later use, copy the created certificate file to a safe location\n5. Login to the Azure Active Directory portal at https://portal.azure.com and navigate to \"App Registrations\", select the application you just created above\n6. 
Select \"API permissions\" from the left menu, select \"Add a permission\", select \"Microsoft Graph\", select \"Application permissions\", add the following permissions:\n - Application.Read.All\n - AuditLog.Read.All\n - Calendars.Read\n - Device.Read.All\n - DeviceManagementApps.Read.All\n - DeviceManagementConfiguration.Read.All\n - DeviceManagementManagedDevices.Read.All\n - DeviceManagementRBAC.Read.All\n - DeviceManagementServiceConfig.Read.All\n - Directory.Read.All\n - Domain.Read.All\n - IdentityProvider.Read.All\n - IdentityRiskEvent.Read.All\n - IdentityRiskyUser.Read.All\n - InformationProtectionPolicy.Read.All\n - MailboxSettings.Read\n - Organization.Read.All\n - OrgContact.Read.All\n - Policy.Read.All\n - Policy.Read.ConditionalAccess\n - Policy.Read.PermissionGrant\n - RoleManagement.Read.All\n - SecurityActions.Read.All\n - SecurityEvents.Read.All\n - TeamsAppInstallation.ReadForUser.All\n - TeamSettings.Read.All\n - ThreatAssessment.Read.All\n - ThreatIndicators.Read.All\n 7. Again, select \"Add a permission\", select \"Office 365 Management APIs\", select \"Application permissions\", add the following permissions:\n - ActivityFeed.Read\n - ActivityFeed.ReadDlp\n - ServiceHealth.Read\n 8. Finally, select \"Grant admin consent for \" and select \"Yes\"\n\n\n### Scan a Microsoft 365 subscription\n\n```bash\ncnspec scan ms365 --certificate-path <*.pem> --tenant-id --client-id --policy-bundle <*.mql.yaml>\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. " + desc: |- + ## Overview + + Microsoft 365 Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Microsoft 365. 
+ + ## Remote scan + + Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. + + For a complete list of native transports run: + + ```bash + cnspec scan --help + ``` + + ### Prerequisites + + Remote scans of Microsoft 365 require API credentials with access to the subscription. Use the following steps to create a new API credential: + + 1. Install the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) + 2. Login to Azure CLI + + ```bash + az login --allow-no-subscriptions + ``` + 3. Create a new service principal and certificate + + ```bash + az ad sp create-for-rbac --name "mondoo-ms365" --create-cert + ``` + 4. Record the `appId` and `tenant` values for later use, copy the created certificate file to a safe location + 5. Login to the Azure Active Directory portal at https://portal.azure.com and navigate to "App Registrations", select the application you just created above + 6. 
Select "API permissions" from the left menu, select "Add a permission", select "Microsoft Graph", select "Application permissions", add the following permissions: + - Application.Read.All + - AuditLog.Read.All + - Calendars.Read + - Device.Read.All + - DeviceManagementApps.Read.All + - DeviceManagementConfiguration.Read.All + - DeviceManagementManagedDevices.Read.All + - DeviceManagementRBAC.Read.All + - DeviceManagementServiceConfig.Read.All + - Directory.Read.All + - Domain.Read.All + - IdentityProvider.Read.All + - IdentityRiskEvent.Read.All + - IdentityRiskyUser.Read.All + - InformationProtectionPolicy.Read.All + - MailboxSettings.Read + - Organization.Read.All + - OrgContact.Read.All + - Policy.Read.All + - Policy.Read.ConditionalAccess + - Policy.Read.PermissionGrant + - RoleManagement.Read.All + - SecurityActions.Read.All + - SecurityEvents.Read.All + - TeamsAppInstallation.ReadForUser.All + - TeamSettings.Read.All + - ThreatAssessment.Read.All + - ThreatIndicators.Read.All + 7. Again, select "Add a permission", select "Office 365 Management APIs", select "Application permissions", add the following permissions: + - ActivityFeed.Read + - ActivityFeed.ReadDlp + - ServiceHealth.Read + 8. Finally, select "Grant admin consent for " and select "Yes" + + + ### Scan a Microsoft 365 subscription + + ```bash + cnspec scan ms365 --certificate-path <*.pem> --tenant-id --client-id --policy-bundle <*.mql.yaml> + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: Microsoft365 filters: | diff --git a/core/mondoo-okta-security.mql.yaml b/core/mondoo-okta-security.mql.yaml index 36b66f8b..16432d40 100644 --- a/core/mondoo-okta-security.mql.yaml +++ b/core/mondoo-okta-security.mql.yaml 
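Review bot: Step 3 creates the identity with `az ad sp create-for-rbac`, but nothing in this procedure needs an Azure RBAC role — the scan uses only Microsoft Graph and Office 365 Management application permissions — and older Azure CLI releases assigned a subscription-level Contributor role by default with this command; the doc should tell readers to confirm no subscription role was granted (or pass the CLI's skip-assignment option on versions that still default to one), so the scanning principal does not silently become a subscription Contributor. Once admin consent is granted in step 8, the `--create-cert` private key from step 3 is a tenant-wide read credential, so step 4's `copy the created certificate file to a safe location` deserves a sentence on restricting its file permissions, keeping it out of version control, and rotating it. Step 8's `Grant admin consent for ` and the `--tenant-id --client-id` flags in the scan command appear to have lost their placeholders, possibly only in this rendering. The permission list includes user-data scopes such as `Calendars.Read` and `MailboxSettings.Read`; if no check in this bundle reads those objects, trimming them would keep the principal closer to least privilege — I cannot tell from this hunk which checks need them.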
@@ -106,7 +106,7 @@ policies: Our goal is to build policies that are simple to deploy, accurate, and actionable. - If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. " + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." groups: - title: Okta Organization Security - HealthInsight Tasks and Recommendations checks: diff --git a/core/mondoo-slack-security.mql.yaml b/core/mondoo-slack-security.mql.yaml index 863c93f4..4827eac9 100644 --- a/core/mondoo-slack-security.mql.yaml +++ b/core/mondoo-slack-security.mql.yaml @@ -387,5 +387,4 @@ queries: ```mql slack.conversations.where(isExtShared == false ) {name members {name profile['email']} ``` - remediation: | - Make sure to block or remove any users that don't belong. \ No newline at end of file + remediation: Make sure to block or remove any users that don't belong. diff --git a/core/mondoo-terraform-aws-security.mql.yaml b/core/mondoo-terraform-aws-security.mql.yaml index bb7c9afd..860b399e 100644 --- a/core/mondoo-terraform-aws-security.mql.yaml +++ b/core/mondoo-terraform-aws-security.mql.yaml 
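Review bot: The replacement line still ends with `GitHub Discussions."` — the trailing `"` is a leftover of the previously escaped scalar rather than part of the sentence, and it is now embedded as literal text in the `desc` block scalar; the commit only removes the space before it. Change the line to end `in GitHub Discussions.` as the other bundles in this patch do. The enclosing `desc` block starts outside the hunk.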
@@ -13,7 +13,28 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nThis policy checks for security misconfigurations in Terraform for Amazon Web Services.\n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where cnspec is installed.\n\n### Scan a Terraform project\n\nOpen a terminal and run this command: \n\n```bash\ncnspec scan terraform /path/to/terraform/directory\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n" + desc: | + ## Overview + + This policy checks for security misconfigurations in Terraform for Amazon Web Services. + + ## Local scan + + Local scan refer to scans of files and operating systems where cnspec is installed. + + ### Scan a Terraform project + + Open a terminal and run this command: + + ```bash + cnspec scan terraform /path/to/terraform/directory + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: AWS General filters: | @@ -22,7 +43,9 @@ policies: checks: - uid: terraform-aws-security-no-static-credentials-in-providers - title: Amazon API Gateway - filters: "asset.platform == \"terraform\" || asset.platform == \"terraform-hcl\"\nterraform.providers.any(nameLabel == \"aws\") \n" + filters: | + asset.platform == "terraform" || asset.platform == "terraform-hcl" + terraform.providers.any(nameLabel == "aws") checks: - uid: terraform-aws-security-api-gw-cache-enabled-and-encrypted - uid: terraform-aws-security-api-gw-execution-logging-enabled 
diff --git a/core/mondoo-terraform-gcp-security.mql.yaml b/core/mondoo-terraform-gcp-security.mql.yaml index b266abbc..284df76d 100644 --- a/core/mondoo-terraform-gcp-security.mql.yaml +++ b/core/mondoo-terraform-gcp-security.mql.yaml @@ -13,7 +13,28 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nThis checks for security misconfigurations in Terraform HCL for Google Cloud. \n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where cnspec is installed.\n\n### Scan a Terraform project\n\nOpen a terminal and run this command: \n\n```bash\ncnspec scan terraform /path/to/terraform/directory\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n" + desc: | + ## Overview + + This checks for security misconfigurations in Terraform HCL for Google Cloud. + + ## Local scan + + Local scan refer to scans of files and operating systems where cnspec is installed. + + ### Scan a Terraform project + + Open a terminal and run this command: + + ```bash + cnspec scan terraform /path/to/terraform/directory + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: GCP BigQuery filters: | diff --git a/core/mondoo-tls-security.mql.yaml b/core/mondoo-tls-security.mql.yaml index d57a416a..c50ebea0 100644 --- a/core/mondoo-tls-security.mql.yaml +++ b/core/mondoo-tls-security.mql.yaml 
@@ -13,7 +13,34 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "The Transport Layer Security (TLS) protocol is the primary means of protecting network communications. \n\nThe TLS/SSL Security Baseline by Mondoo includes checks for ensuring the security and configuration of TLS/SSL connections and certificates.\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Scan a host \n\n```bash\ncnspec scan host \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n" + desc: | + ## Overview + + The Transport Layer Security (TLS) protocol is the primary means of protecting network communications. + + The TLS/SSL Security Baseline by Mondoo includes checks for ensuring the security and configuration of TLS/SSL connections and certificates. + + ## Remote scan + + Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. + + For a complete list of native transports run: + + ```bash + cnspec scan --help + ``` + + ### Scan a host + + ```bash + cnspec scan host + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: Secure TLS/SSL connection filters: asset.family.contains('network') 
diff --git a/core/mondoo-vmware-vulnerability.mql.yaml b/core/mondoo-vmware-vulnerability.mql.yaml index 52dd2c16..30b8cb10 100644 --- a/core/mondoo-vmware-vulnerability.mql.yaml +++ b/core/mondoo-vmware-vulnerability.mql.yaml @@ -13,7 +13,24 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nMondoo OpenSSL VMware vCenter Policy checks for vulnerable vCenter/ESXi configuration. It should be used in combination with the Platform Vulnerability Policy to identify missing patches.\n\n### Run policy\n\nTo run this policy against VMware vCenter:\n\n```bash\ncnspec scan vsphere user@domain.local@192.168.5.24 --ask-pass -f core/mondoo-vmware-vulnerability.mql.yaml\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.\n" + desc: | + ## Overview + + Mondoo OpenSSL VMware vCenter Policy checks for vulnerable vCenter/ESXi configuration. It should be used in combination with the Platform Vulnerability Policy to identify missing patches. + + ### Run policy + + To run this policy against VMware vCenter: + + ```bash + cnspec scan vsphere user@domain.local@192.168.5.24 --ask-pass -f core/mondoo-vmware-vulnerability.mql.yaml + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. groups: - title: VMware ESXi filters: asset.platform == "vmware-esxi" diff --git a/core/mondoo-windows-security.mql.yaml b/core/mondoo-windows-security.mql.yaml index 9a8a260e..14482382 100644 --- a/core/mondoo-windows-security.mql.yaml +++ b/core/mondoo-windows-security.mql.yaml 
@@ -13,7 +13,46 @@ policies:
 - name: Mondoo, Inc
 email: hello@mondoo.com
 docs:
- desc: "## Overview\n\nThis policy provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows. This guide was tested against Microsoft Windows 10 Release 20H2 Enterprise. \n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where cnspec is installed.\n\nTo scan the `localhost` against this policy: \n\n```bash\ncnspec scan local \n```\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of windows hosts suitable authentication method such as winRM enabled or SSH keys.\n\n### Scan a remote Windows (SSH authentication)\n\n```bash\ncnspec scan ssh @ -i /path/to/ssh_key \n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. "
+ desc: |-
+ ## Overview
+
+ This policy provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows. This guide was tested against Microsoft Windows 10 Release 20H2 Enterprise.
+
+ ## Local scan
+
+ Local scan refer to scans of files and operating systems where cnspec is installed.
+
+ To scan the `localhost` against this policy:
+
+ ```bash
+ cnspec scan local
+ ```
+
+ ## Remote scan
+
+ Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration.
+
+ For a complete list of native transports run:
+
+ ```bash
+ cnspec scan --help
+ ```
+
+ ### Prerequisites
+
+ Remote scans of windows hosts suitable authentication method such as winRM enabled or SSH keys.
+
+ ### Scan a remote Windows (SSH authentication)
+
+ ```bash
+ cnspec scan ssh @ -i /path/to/ssh_key
+ ```
+
+ ## Join the community!
+
+ Our goal is to build policies that are simple to deploy, accurate, and actionable.
+
+ If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
 groups:
 - title: Core
 filters: |
diff --git a/core/mondoo-windows-workstation-security.mql.yaml b/core/mondoo-windows-workstation-security.mql.yaml
index e2adfca5..c59375cf 100644
--- a/core/mondoo-windows-workstation-security.mql.yaml
+++ b/core/mondoo-windows-workstation-security.mql.yaml
@@ -15,6 +15,7 @@ policies:
 docs:
 desc: |
 ## Overview
+
 This policy provides prescriptive guidance for establishing a secure configuration posture for Windows Client systems running on x86 and x64 platforms. Commands and scripts are provided which should work on Windows 10 and 11.
From 0109f9f2e712d6396d9372dd8736cfbd152d1bb4 Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Mon, 16 Oct 2023 15:33:49 +0200 Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=A7=B9=20update=20spellcheck?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 .github/actions/spelling/expect.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
index 8d8223b3..acaa6254 100644
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -44,6 +44,7 @@ CUSTOMERID
 CYAAAAAAAKEY
 dhe
 diffie
+Dlp
 dnf
 driveletter
 dss
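Review bot: The Prerequisites sentence carried into the new block scalar is missing its verb — `Remote scans of windows hosts suitable authentication method such as winRM enabled or SSH keys.` — and since this commit rewrites the whole description it is the natural place to fix it: `Remote scans of Windows hosts require a suitable authentication method, such as WinRM enabled or SSH keys.`. In the same block, `Local scan refer to scans of files and operating systems` should read `Local scans refer to scans of files and operating systems`. The SSH example `cnspec scan ssh @ -i /path/to/ssh_key` shows a bare `@`, which suggests the user/host placeholder was dropped; the removed line has the same bare `@`, so this may be how the page renders angle brackets rather than a change in the patch, but it is worth checking in the rendered bundle. Switching this description to `|-` also drops the trailing space the old double-quoted value ended with, which is harmless but differs from the `|` chosen in the tls and vmware hunks above.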
