🧹 format bundles #280

Merged
merged 2 commits into from
Oct 16, 2023
1 change: 1 addition & 0 deletions .github/actions/spelling/expect.txt
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ CUSTOMERID
CYAAAAAAAKEY
dhe
diffie
Dlp
dnf
driveletter
dss
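Review bot: the new expect-list entry `Dlp` is mixed-case, unlike the neighbouring lowercase entries (dhe, diffie, dnf), which suggests the spell checker met the word written as "Dlp" in one of the touched bundles. If the intended term is the acronym DLP, fixing the casing in the source text is preferable to whitelisting the odd spelling, because the expect list silently suppresses the checker for every future occurrence of that token.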
5 changes: 4 additions & 1 deletion community/chef-infra-client.mql.yaml
Expand Up @@ -13,7 +13,10 @@ policies:
- name: Tim Smith
email: [email protected]
docs:
desc: "Chef Infra Client Policy identifies insecure Chef Infra Client installations that could expose node credentials, as well as end of life client releases that no longer receive security updates per the [Chef Supported Versions documentation](https://docs.chef.io/versions/).\n \nIf you have questions, comments, or have identified ways to improve this policy, please write me at [email protected], or reach out in the [Mondoo Slack Community](https://mondoo.link/slack)."
desc: |-
Chef Infra Client Policy identifies insecure Chef Infra Client installations that could expose node credentials, as well as end of life client releases that no longer receive security updates per the [Chef Supported Versions documentation](https://docs.chef.io/versions/).

If you have questions, comments, or have identified ways to improve this policy, please write me at [email protected], or reach out in the [Mondoo Slack Community](https://mondoo.link/slack).
groups:
- title: Insecure permissions
filters: |
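Review bot: `|-` is the right indicator here, since the original double-quoted string had no trailing newline, but that string also contained a whitespace-only line (`\n \n`) between the two paragraphs, which the block form turns into an empty line. Confirm the loaded `desc` value is unchanged apart from that whitespace, for example by loading the bundle at both revisions and comparing the two `desc` strings, so the published policy description does not change as a side effect of the formatting.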
8 changes: 7 additions & 1 deletion community/chef-infra-server.mql.yaml
Expand Up @@ -13,7 +13,13 @@ policies:
- name: Tim Smith
email: [email protected]
docs:
desc: "Chef Infra Server Policy identifies several misconfigurations and end of life components that allow attackers to expose node information:\n - Insecure disk permissions on critical directories and configuration files.\n - End of life components installed on the Chef Infra Server such as Push Jobs, Analytics, or Reporting, which no longer receive security updates.\n - Insecure servers settings such non-secure TLS support or legacy add-on compatibility.\n \nIf you have questions, comments, or have identified ways to improve this policy, please write me at [email protected], or reach out in the [Mondoo Slack Community](https://mondoo.link/slack)."
desc: |-
Chef Infra Server Policy identifies several misconfigurations and end of life components that allow attackers to expose node information:
- Insecure disk permissions on critical directories and configuration files.
- End of life components installed on the Chef Infra Server such as Push Jobs, Analytics, or Reporting, which no longer receive security updates.
- Insecure servers settings such non-secure TLS support or legacy add-on compatibility.

If you have questions, comments, or have identified ways to improve this policy, please write me at [email protected], or reach out in the [Mondoo Slack Community](https://mondoo.link/slack).
groups:
- title: EOL components
filters: |
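Review bot: the reformat carries over an existing typo in the third bullet, "Insecure servers settings such non-secure TLS support"; since the description is being rewritten anyway, "Insecure server settings such as non-secure TLS support" would read correctly. Also, in the original string each bullet was prefixed with a single space (`\n - `), and inside a block scalar the relative indentation of those `- ` lines is preserved verbatim, so check that the three bullets are indented consistently with the first paragraph line; otherwise the YAML loads fine but the Markdown list may render as an indented code block.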
41 changes: 40 additions & 1 deletion community/mondoo-linux-operational-policy.mql.yaml
Expand Up @@ -13,7 +13,46 @@ policies:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: "## Overview\n\nLinux Server Operational Policy by Mondoo provides guidance for operational best practices on Linux hosts.\n\n## Local scan\n\nLocal scan refer to scans of files and operating systems where cnspec is installed.\n\nTo scan the `localhost` against this policy:\n\n```bash\ncnspec scan local\n```\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration.\n\nFor a complete list of native transports run:\n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Linux hosts requires authentication such as SSH keys.\n\n### Scan a remote Linux host (SSH authentication)\n\n```bash\ncnspec scan ssh <user>@<IP_ADDRESS> -i /path/to/ssh_key\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. "
desc: |-
## Overview

Linux Server Operational Policy by Mondoo provides guidance for operational best practices on Linux hosts.

## Local scan

Local scan refer to scans of files and operating systems where cnspec is installed.

To scan the `localhost` against this policy:

```bash
cnspec scan local
```

## Remote scan

Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration.

For a complete list of native transports run:

```bash
cnspec scan --help
```

### Prerequisites

Remote scans of Linux hosts requires authentication such as SSH keys.

### Scan a remote Linux host (SSH authentication)

```bash
cnspec scan ssh <user>@<IP_ADDRESS> -i /path/to/ssh_key
```

## Join the community!

Our goal is to build policies that are simple to deploy, accurate, and actionable.

If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- filters: asset.family.contains("linux")
checks:
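Review bot: two grammar nits survive the reformat and could be fixed in the same pass: "Local scan refer to scans of files and operating systems" should be "Local scans refer to scans of files and operating systems", and "Remote scans of Linux hosts requires authentication" should be "require authentication". The trailing spaces the original string had after "actionable. " and "GitHub Discussions. " are correctly dropped by `|-`.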
10 changes: 5 additions & 5 deletions core/mondoo-aws-security.mql.yaml
Expand Up @@ -217,8 +217,8 @@ queries:
__AWS Console__

MFA devices in AWS can be either hardware-based or virtual. To enable an MFA device for the root user, either:
- [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root)
or:
- [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root)
or:
- [Enable a hardware MFA device for the AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root)

__AWS CLI__
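Review bot: this hunk is a whitespace-only re-indentation of the `or:` line and the bullet after it, so there is nothing functional to verify beyond `git diff -w` showing the hunk empty. While the text is being touched, note that a bare `or:` line between two bullets ends the first Markdown list and starts a second one, so the remediation renders as two single-item lists rather than one; folding it into the first item, e.g. `- [Enable a virtual MFA device ... (console)](...), or:`, keeps one list. The same pattern appears in the Manage MFA Device hunk below.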
Expand Down Expand Up @@ -664,7 +664,7 @@ queries:
8. If the virtual MFA app supports multiple virtual MFA devices or accounts, select the option to create a new virtual MFA device or account.
9. Determine whether the MFA app supports QR codes, and then either:
- From the wizard, select **Show QR code**, and then use the app to scan the QR code. For example, you might select the camera icon or select an option similar to Scan code, and then use the device's camera to scan the code.
or:
or:
- In the Manage MFA Device wizard, select **Show secret key** and type the secret key into your MFA app.
10. When you finish, the virtual MFA device generates one-time passwords.
11. In the Manage MFA Device wizard, in the **MFA code 1** box, type the one-time password that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password, then type the second one-time password into the **MFA code 2 box**.
Expand Down Expand Up @@ -2134,7 +2134,7 @@ queries:
__Terraform__

You can use this code snippet to create a KMS encrypted EFS.

Note: `kms_key_id` attribute is optional, and a key will be created if you don't pass a KMS key ID.

```hcl
Expand Down Expand Up @@ -2242,7 +2242,7 @@ queries:
- To create a key, select **New**. Then in **AWS KMS alias**, enter an alias for the key. The key is created in the same Region as the S3 bucket.
or:
* To use an existing key, select **Existing** and from **AWS KMS alias**, select the key.

Note: The AWS KMS key and S3 bucket must be in the same Region.
7. Select **Save**.
- uid: mondoo-aws-security-secgroup-restricted-ssh
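Review bot: the list in this hunk mixes bullet markers, `- To create a key, select **New**` followed by `* To use an existing key, select **Existing**`; Markdown treats a marker change as a new list, so these render as two lists separated by the `or:` paragraph. Using `-` for both items (and folding `or:` into the first, as noted for the MFA hunks) would keep the remediation as one list. The blank-line change itself is trailing-whitespace only.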
39 changes: 38 additions & 1 deletion core/mondoo-azure-security.mql.yaml
Expand Up @@ -13,7 +13,44 @@ policies:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: "## Overview\n\nMicrosoft Azure Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Microsoft Azure.\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on-demand scan results without installing agents or integrations. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Azure require API credentials with access to the subscription.\n\nNote: Some of the checks in this policy query data using Microsoft's Graph API. To successfully run these checks, you must create an Azure AD app registration for cnspec with proper permissions. Follow the instructions on https://mondoo.com/docs/platform/cloud/azure/azure-integration-scan/ to set up this app.\n\nTo run all checks at the same time, ensure your app registration has the necessary permissions as described above and then run:\n\n```bash\ncnspec scan azure --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id> --policy-bundle mondoo-azure-security.mql.yaml\n```\n\n### Scan an Azure subscription\n\n```bash\ncnspec scan azure --subscription <subscription_id>\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy or need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions."
desc: |-
## Overview

Microsoft Azure Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Microsoft Azure.

## Remote scan

Remote scans use native transports in cnspec to provide on-demand scan results without installing agents or integrations.

For a complete list of native transports run:

```bash
cnspec scan --help
```

### Prerequisites

Remote scans of Azure require API credentials with access to the subscription.

Note: Some of the checks in this policy query data using Microsoft's Graph API. To successfully run these checks, you must create an Azure AD app registration for cnspec with proper permissions. Follow the instructions on https://mondoo.com/docs/platform/cloud/azure/azure-integration-scan/ to set up this app.

To run all checks at the same time, ensure your app registration has the necessary permissions as described above and then run:

```bash
cnspec scan azure --certificate-path <*.pem> --tenant-id <tenant_id> --client-id <client_id> --policy-bundle mondoo-azure-security.mql.yaml
```

### Scan an Azure subscription

```bash
cnspec scan azure --subscription <subscription_id>
```

## Join the community!

Our goal is to build policies that are simple to deploy, accurate, and actionable.

If you have any suggestions for how to improve this policy or need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Azure Core
filters: |
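Review bot: the Prerequisites paragraph says remote scans need "API credentials with access to the subscription", but the two commands that follow authenticate differently: the all-checks command passes `--certificate-path`, `--tenant-id` and `--client-id` for the app registration, while the "Scan an Azure subscription" command passes only `--subscription <subscription_id>`. A sentence under that second heading stating which credentials it uses would remove the ambiguity for someone following the description. The conversion itself is faithful; `|-` drops the trailing spaces the original had after "integrations. " and "run: ".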
27 changes: 26 additions & 1 deletion core/mondoo-dns-security.mql.yaml
Expand Up @@ -13,7 +13,32 @@ policies:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: "## Overview\n\nThe DNS Security by Mondoo provides baseline checks for assessing the configuration of DNS servers.\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Scan a host \n\n```bash\ncnspec scan host <hostname>\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. \n"
desc: |
## Overview

The DNS Security by Mondoo provides baseline checks for assessing the configuration of DNS servers.

## Remote scan

Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration.

For a complete list of native transports run:

```bash
cnspec scan --help
```

### Scan a host

```bash
cnspec scan host <hostname>
```

## Join the community!

Our goal is to build policies that are simple to deploy, accurate, and actionable.

If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Networking
filters: asset.family.contains('network')
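Review bot: this is the only bundle in the PR that uses `desc: |` rather than `desc: |-`. That does reproduce the original value exactly, because the old string ended with `\n`, but if the goal of the PR is consistent formatting across bundles, `|-` here (accepting the loss of the trailing newline, which nothing renders) would be more consistent with the other seven files. Separately, "The DNS Security by Mondoo provides" reads better as "DNS Security by Mondoo provides", matching the phrasing used in the Azure and GCP descriptions.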
49 changes: 48 additions & 1 deletion core/mondoo-gcp-security.mql.yaml
Expand Up @@ -13,7 +13,54 @@ policies:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: "## Overview\n\nGoogle Cloud Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Google Cloud.\n\n## Remote scan\n\nRemote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of Google Cloud Projects requires API credentials with access to the project.\n\n### Scan a GCP project\n\nOpen a terminal and authenticate with Google Cloud: \n\n```bash\ngcloud auth login\n```\n\nRun a scan of a GCP project: \n\n```bash\ncnspec scan gcp\n```\n\nTo target a specific project: \n\n```bash\ngcloud config set project <project_id>\n```\n\n```bash\ncnspec scan gcp\n``` \n \n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. "
desc: |-
## Overview

Google Cloud Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for Google Cloud.

## Remote scan

Remote scans use native transports in cnspec to provide on demand scan results without the need to install any agents, or integration.

For a complete list of native transports run:

```bash
cnspec scan --help
```

### Prerequisites

Remote scans of Google Cloud Projects requires API credentials with access to the project.

### Scan a GCP project

Open a terminal and authenticate with Google Cloud:

```bash
gcloud auth login
```

Run a scan of a GCP project:

```bash
cnspec scan gcp
```

To target a specific project:

```bash
gcloud config set project <project_id>
```

```bash
cnspec scan gcp
```

## Join the community!

Our goal is to build policies that are simple to deploy, accurate, and actionable.

If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: GCP Project
filters: |
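Review bot: "Remote scans of Google Cloud Projects requires API credentials" should be "require API credentials". Under "To target a specific project" the two consecutive bash blocks (`gcloud config set project <project_id>` and `cnspec scan gcp`) would read better as a single fenced block, since they are one two-step sequence and the second command repeats the block immediately above it. The conversion to `|-` correctly drops the stray trailing spaces the original had after the closing fence (` ``` \n \n`).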