From 3f53bd90fabcfa10eda113ec24ee1bce170ae468 Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:14:32 +0200 Subject: [PATCH 01/15] != null > != empty Signed-off-by: Manuel Weber --- .../mondoo-phoenix-plcnext-security.mql.yaml | 6 +++--- core/mondoo-aws-security.mql.yaml | 4 ++-- core/mondoo-http-security.mql.yaml | 2 +- core/mondoo-linux-security.mql.yaml | 19 ++++++++----------- core/mondoo-terraform-gcp-security.mql.yaml | 2 +- 5 files changed, 15 insertions(+), 18 deletions(-) diff --git a/community/mondoo-phoenix-plcnext-security.mql.yaml b/community/mondoo-phoenix-plcnext-security.mql.yaml index b3aa4474..5fd6de3d 100644 --- a/community/mondoo-phoenix-plcnext-security.mql.yaml +++ b/community/mondoo-phoenix-plcnext-security.mql.yaml @@ -118,7 +118,7 @@ queries: mql: | return ["sntrup761x25519-sha512@openssh.com","curve25519-sha256@libssh.org","diffie-hellman-group-exchange-sha256"] mql: | - sshd.config.kexs != null + sshd.config.kexs != empty sshd.config.kexs.containsOnly(props.PLCKexAlgos) docs: desc: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received @@ -136,7 +136,7 @@ queries: mql: | return ["hmac-sha2-512-etm@openssh.com","hmac-sha2-256-etm@openssh.com","umac-128-etm@openssh.com","hmac-sha2-512","hmac-sha2-256"] mql: | - sshd.config.macs != null + sshd.config.macs != empty sshd.config.macs.containsOnly(props.PLCMacAlgos) docs: desc: This variable limits the types of MAC algorithms that SSH can use during communication. 
@@ -156,7 +156,7 @@ queries: mql: | return ["chacha20-poly1305@openssh.com","aes256-gcm@openssh.com","aes128-gcm@openssh.com","aes256-ctr","aes192-ctr","aes128-ctr"] mql: | - sshd.config.ciphers != null + sshd.config.ciphers != empty sshd.config.ciphers.containsOnly(props.PLCSshdCiphers) docs: desc: This variable limits the ciphers that SSH can use during communication. diff --git a/core/mondoo-aws-security.mql.yaml b/core/mondoo-aws-security.mql.yaml index 56825541..f720c57c 100644 --- a/core/mondoo-aws-security.mql.yaml +++ b/core/mondoo-aws-security.mql.yaml @@ -1211,7 +1211,7 @@ queries: ```mql aws.s3.buckets.all( - publicAccessBlock != null && publicAccessBlock.values.all(_ == true) + publicAccessBlock != empty && publicAccessBlock.values.all(_ == true) ) ``` @@ -2393,7 +2393,7 @@ queries: ```mql aws.cloudtrail.trails.all( - kmsKey != null + kmsKey != empty ) ``` diff --git a/core/mondoo-http-security.mql.yaml b/core/mondoo-http-security.mql.yaml index f7f32764..0d8ef727 100644 --- a/core/mondoo-http-security.mql.yaml +++ b/core/mondoo-http-security.mql.yaml @@ -48,7 +48,7 @@ policies: - title: Headers for HTTPS communication filters: | asset.platform == 'host' - tls.certificates != null + tls.certificates != empty checks: - uid: mondoo-http-security-strict-transport-security scoring_system: highest impact diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml index fc8de818..66f5dfc1 100644 --- a/core/mondoo-linux-security.mql.yaml +++ b/core/mondoo-linux-security.mql.yaml @@ -2468,8 +2468,7 @@ queries: } return ["chacha20-poly1305@openssh.com","aes256-gcm@openssh.com","aes128-gcm@openssh.com","aes256-ctr","aes192-ctr","aes128-ctr"] mql: | - sshd.config.ciphers != null - sshd.config.ciphers != [] + sshd.config.ciphers != empty sshd.config.ciphers.containsOnly(props.MondooSshdCiphers) docs: desc: This variable limits the ciphers that SSH can use during communication. 
@@ -2491,8 +2490,7 @@ queries: return ["umac-128-etm@openssh.com","hmac-sha2-256-etm@openssh.com","hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com","hmac-sha2-256","hmac-sha2-512"] mql: | - sshd.config.macs != null - sshd.config.macs != [] + sshd.config.macs != empty sshd.config.macs.containsOnly(props.macAlgos) docs: desc: This variable limits the types of MAC algorithms that SSH can use during communication. @@ -2522,8 +2520,7 @@ queries: } return ["sntrup761x25519-sha512@openssh.com","curve25519-sha256@libssh.org","diffie-hellman-group18-sha512"] mql: | - sshd.config.kexs != null - sshd.config.kexs != [] + sshd.config.kexs != empty sshd.config.kexs.containsOnly(props.kexAlgos) docs: desc: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received 
@@ -2594,12 +2591,12 @@ queries: title: Ensure SSH access is limited impact: 60 mql: | - sshd.config.params["AllowUsers"] != null || sshd.config.params["AllowGroups"] != null || sshd.config.params["DenyUsers"] != null || sshd.config.params["DenyGroups"] != null + sshd.config.params["AllowUsers"] != empty || sshd.config.params["AllowGroups"] != empty || sshd.config.params["DenyUsers"] != empty || sshd.config.params["DenyGroups"] != empty - if (sshd.config.params["AllowUsers"] != null) { sshd.config.params["AllowUsers"] != "" } - if (sshd.config.params["AllowGroups"] != null) { sshd.config.params["AllowGroups"] != "" } - if (sshd.config.params["DenyUsers"] != null) { sshd.config.params["DenyUsers"] != "" } - if (sshd.config.params["DenyGroups"] != null) { sshd.config.params["DenyGroups"] != "" } + if (sshd.config.params["AllowUsers"] != empty) { sshd.config.params["AllowUsers"] != "" } + if (sshd.config.params["AllowGroups"] != empty) { sshd.config.params["AllowGroups"] != "" } + if (sshd.config.params["DenyUsers"] != empty) { sshd.config.params["DenyUsers"] != "" } + if (sshd.config.params["DenyGroups"] != empty) { sshd.config.params["DenyGroups"] != "" } docs: desc: |- There are several options available to limit which users and groups can access the system via SSH. It is recommended that at least one of the following options be leveraged: `AllowUsers` diff --git a/core/mondoo-terraform-gcp-security.mql.yaml b/core/mondoo-terraform-gcp-security.mql.yaml index 56967e6c..466ce48a 100644 --- a/core/mondoo-terraform-gcp-security.mql.yaml +++ b/core/mondoo-terraform-gcp-security.mql.yaml @@ -610,7 +610,7 @@ queries: mql: | terraform.resources.where( nameLabel == "google_compute_instance" && blocks.one( type == "service_account") ) { blocks.where( type == "service_account" ) { - attributes['email'] != null + attributes['email'] != empty } } terraform.resources.where( nameLabel == "google_compute_instance" && blocks.one( type == "service_account") ) { 
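Review bot: In the "Ensure SSH access is limited" hunk of core/mondoo-linux-security.mql.yaml, the four rewritten `if (sshd.config.params["..."] != empty) { sshd.config.params["..."] != "" }` lines appear to do no work once the guard is `!= empty`: if `empty` also covers the empty string (this series collapses `!= null` / `!= []` into `!= empty` for arrays in the cipher, MAC and kex hunks, but the string case should be confirmed against the MQL reference), the inner `!= ""` cannot be false whenever the guard is true. The first added line already expresses the whole check, so the query body could be reduced to `sshd.config.params["AllowUsers"] != empty || sshd.config.params["AllowGroups"] != empty || sshd.config.params["DenyUsers"] != empty || sshd.config.params["DenyGroups"] != empty`. If `empty` turns out not to match a blank string, the original `!= null` guards with the `!= ""` body should be kept so that an explicitly blank `AllowUsers` is still reported as a failure rather than as an access restriction.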
From bda5ff352ba962417af154d23337b7ea4f4658bc Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:17:18 +0200 Subject: [PATCH 02/15] != null > != empty++ Signed-off-by: Manuel Weber --- .../mondoo-kubernetes-best-practices.mql.yaml | 94 +++++----- core/mondoo-kubernetes-security.mql.yaml | 164 +++++++++--------- core/mondoo-macos-security.mql.yaml | 14 +- core/mondoo-slack-security.mql.yaml | 2 +- core/mondoo-terraform-aws-security.mql.yaml | 22 +-- 5 files changed, 148 insertions(+), 148 deletions(-) diff --git a/core/mondoo-kubernetes-best-practices.mql.yaml b/core/mondoo-kubernetes-best-practices.mql.yaml index f86cdd98..2d8e168c 100644 --- a/core/mondoo-kubernetes-best-practices.mql.yaml +++ b/core/mondoo-kubernetes-best-practices.mql.yaml @@ -130,7 +130,7 @@ queries: impact: 50 mql: | k8s.pod { - manifest['metadata']['ownerReferences'] != null && manifest['metadata']['ownerReferences'].length > 0 + manifest['metadata']['ownerReferences'] != empty && manifest['metadata']['ownerReferences'].length > 0 } docs: desc: | @@ -148,10 +148,10 @@ queries: mql: | k8s.pod { initContainers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } containers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } } docs: @@ -198,10 +198,10 @@ queries: mql: | k8s.cronjob { initContainers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } containers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } } docs: @@ -248,10 +248,10 @@ queries: mql: | k8s.statefulset { initContainers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } containers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } } docs: 
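Review bot: In the @@ -130 hunk of core/mondoo-kubernetes-best-practices.mql.yaml, `manifest['metadata']['ownerReferences'] != empty && manifest['metadata']['ownerReferences'].length > 0` now states one condition twice: elsewhere in this series `!= empty` replaces the pair `!= null` / `!= []` (the sshd cipher, MAC and kex hunks in core/mondoo-linux-security.mql.yaml), so an array that passes `!= empty` already has `.length > 0`. The line can be reduced to `manifest['metadata']['ownerReferences'] != empty`, which also avoids evaluating `.length` on a value the first operand was meant to guard. The enclosing `k8s.pod { ... }` block is fully inside the hunk.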
@@ -298,10 +298,10 @@ queries: mql: | k8s.deployment { initContainers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } containers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } } docs: @@ -348,10 +348,10 @@ queries: mql: | k8s.job { initContainers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } containers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } } docs: @@ -398,10 +398,10 @@ queries: mql: | k8s.replicaset { initContainers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } containers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } } docs: @@ -448,10 +448,10 @@ queries: mql: | k8s.daemonset { initContainers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } containers { - resources['requests']['cpu'] != null + resources['requests']['cpu'] != empty } } docs: @@ -498,10 +498,10 @@ queries: mql: | k8s.pod { initContainers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } containers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } } docs: @@ -548,10 +548,10 @@ queries: mql: | k8s.cronjob { initContainers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } containers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } } docs: @@ -598,10 +598,10 @@ queries: mql: | k8s.statefulset { initContainers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } containers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } } docs: 
@@ -648,10 +648,10 @@ queries: mql: | k8s.deployment { initContainers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } containers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } } docs: @@ -698,10 +698,10 @@ queries: mql: | k8s.job { initContainers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } containers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } } docs: @@ -748,10 +748,10 @@ queries: mql: | k8s.replicaset { initContainers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } containers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } } docs: @@ -798,10 +798,10 @@ queries: mql: | k8s.daemonset { initContainers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } containers { - resources['requests']['memory'] != null + resources['requests']['memory'] != empty } } docs: @@ -849,7 +849,7 @@ queries: if (k8s.pod.manifest['metadata']['ownerReferences'].none(_['kind'] == 'Job')) { k8s.pod { containers { - probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null + probeSpecified = livenessProbe['httpGet'] != empty || livenessProbe['tcpSocket'] != empty || livenessProbe['exec'] != empty probeSpecified == true } @@ -886,7 +886,7 @@ queries: mql: | k8s.statefulset { containers { - probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null + probeSpecified = livenessProbe['httpGet'] != empty || livenessProbe['tcpSocket'] != empty || livenessProbe['exec'] != empty probeSpecified == true } 
@@ -922,7 +922,7 @@ queries: mql: | k8s.deployment { containers { - probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null + probeSpecified = livenessProbe['httpGet'] != empty || livenessProbe['tcpSocket'] != empty || livenessProbe['exec'] != empty probeSpecified == true } } @@ -957,7 +957,7 @@ queries: mql: | k8s.replicaset { containers { - probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null + probeSpecified = livenessProbe['httpGet'] != empty || livenessProbe['tcpSocket'] != empty || livenessProbe['exec'] != empty probeSpecified == true } @@ -993,7 +993,7 @@ queries: mql: | k8s.daemonset { containers { - probeSpecified = livenessProbe['httpGet'] != null || livenessProbe['tcpSocket'] != null || livenessProbe['exec'] != null + probeSpecified = livenessProbe['httpGet'] != empty || livenessProbe['tcpSocket'] != empty || livenessProbe['exec'] != empty probeSpecified == true } @@ -1030,7 +1030,7 @@ queries: if (k8s.pod.manifest['metadata']['ownerReferences'].none(_['kind'] == 'Job')) { k8s.pod { containers { - probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null + probeSpecified = readinessProbe['httpGet'] != empty || readinessProbe['tcpSocket'] != empty || readinessProbe['exec'] != empty probeSpecified == true } @@ -1067,7 +1067,7 @@ queries: mql: | k8s.statefulset { containers { - probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null + probeSpecified = readinessProbe['httpGet'] != empty || readinessProbe['tcpSocket'] != empty || readinessProbe['exec'] != empty probeSpecified == true } 
@@ -1103,7 +1103,7 @@ queries: mql: | k8s.deployment { containers { - probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null + probeSpecified = readinessProbe['httpGet'] != empty || readinessProbe['tcpSocket'] != empty || readinessProbe['exec'] != empty probeSpecified == true } } @@ -1138,7 +1138,7 @@ queries: mql: | k8s.replicaset { containers { - probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null + probeSpecified = readinessProbe['httpGet'] != empty || readinessProbe['tcpSocket'] != empty || readinessProbe['exec'] != empty probeSpecified == true } @@ -1174,7 +1174,7 @@ queries: mql: | k8s.daemonset { containers { - probeSpecified = readinessProbe['httpGet'] != null || readinessProbe['tcpSocket'] != null || readinessProbe['exec'] != null + probeSpecified = readinessProbe['httpGet'] != empty || readinessProbe['tcpSocket'] != empty || readinessProbe['exec'] != empty probeSpecified == true } @@ -1678,7 +1678,7 @@ queries: audit: | Check to ensure no Pods are binding any of their containers to a host port: - ```kubectl get pods -A -o json | jq -r '.items[] | select( (.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` + ```kubectl get pods -A -o json | jq -r '.items[] | select( (.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` remediation: | For any Pods that bind to a host port, update the Pods (or the Deployments/DaemonSets/CronJobs/etc that produced the Pods) to ensure they do not bind to a host port: 
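Review bot: The `!= empty` substitution in the @@ -1678 hunk's `audit:` text of core/mondoo-kubernetes-best-practices.mql.yaml is applied inside a jq program, not MQL, and in jq `empty` is the builtin that yields no output, so `. != empty and any(.[].hostPort; . != empty)` produces no values and `select(...)` matches nothing — the documented audit command prints an empty result for every cluster, which reads as "no host-port bindings" even when some exist. The same jq rewrite appears in the @@ -1718, -1760, -1802, -1844, -1886, -1928 and -1971 hunks of this file (`select(.spec.tls != empty)` likewise selects no Ingress) and in the @@ -5134, -5189, -5248, -5306, -5365 and -5424 hunks of core/mondoo-kubernetes-security.mql.yaml, where the NET_RAW audit becomes a silent no-op. These shell snippets should keep jq's null test, i.e. `... | . != null and any(.[].hostPort; . != null) ...`, `select(.spec.tls != null)` and `... .capabilities.add | . != null and any(...)`. Scoping the replacement to `mql:` blocks and MQL code fences, rather than whole files, would prevent this class of regression in the remaining patches of the series.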
@@ -1718,7 +1718,7 @@ queries: audit: | Check to ensure no DaemonSets are binding any of their containers to a host port: - ```kubectl get daemonsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` + ```kubectl get daemonsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` remediation: | For any DaemonSets that bind to a host port, update the DaemonSets to ensure they do not bind to a host port: @@ -1760,7 +1760,7 @@ queries: audit: | Check to ensure no ReplicaSets are binding any of their containers to a host port: - ```kubectl get replicasets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` + ```kubectl get replicasets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` remediation: | For any ReplicaSets that bind to a host port, update the ReplicaSets to ensure they do not bind to a host port: 
@@ -1802,7 +1802,7 @@ queries: audit: | Check to ensure no Jobs are binding any of their containers to a host port: - ```kubectl get jobs -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` + ```kubectl get jobs -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` remediation: | For any ReplicaSets that bind to a host port, update the Jobs to ensure they do not bind to a host port: @@ -1844,7 +1844,7 @@ queries: audit: | Check to ensure no Deployments are binding any of their containers to a host port: - ```kubectl get deployments -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` + ```kubectl get deployments -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` remediation: | For any Deployments that bind to a host port, update the Deployments to ensure they do not bind to a host port: 
@@ -1886,7 +1886,7 @@ queries: audit: | Check to ensure no StatefulSets are binding any of their containers to a host port: - ```kubectl get statefulsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` + ```kubectl get statefulsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` remediation: | For any StatefulSets that bind to a host port, update the StatefulSets to ensure they do not bind to a host port: @@ -1928,7 +1928,7 @@ queries: audit: | Check to ensure no CronJobs are binding any of their containers to a host port: - ```kubectl get cronjobs -A -o json | jq -r '.items[] | select( (.spec.jobTemplate.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` + ```kubectl get cronjobs -A -o json | jq -r '.items[] | select( (.spec.jobTemplate.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq``` remediation: | For any CronJobs that bind to a host port, update the CronJobs to ensure they do not bind to a host port: 
@@ -1971,7 +1971,7 @@ queries: Check to ensure no Ingress Secrets contain TLS certificates near expiration: Display all Ingress resources with TLS Secret data: - ```kubectl get ingress -A -o json | jq -r '.items[] | select(.spec.tls != null) | .metadata.namespace + "/" + .metadata.name'``` + ```kubectl get ingress -A -o json | jq -r '.items[] | select(.spec.tls != empty) | .metadata.namespace + "/" + .metadata.name'``` For each Ingress resource, check the certificate expiration dates in the Secrets (under `.spec.tls[].secretName`). Ensure that the expiration dates don't expire soon: ```kubectl get secret --namespace NAMESPACE_OF_INGRESS NAME_OF_SECRET -o json | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -noout -text | grep "Not After"``` diff --git a/core/mondoo-kubernetes-security.mql.yaml b/core/mondoo-kubernetes-security.mql.yaml index 078f0214..5421b1af 100644 --- a/core/mondoo-kubernetes-security.mql.yaml +++ b/core/mondoo-kubernetes-security.mql.yaml @@ -362,8 +362,8 @@ queries: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384"] mql: | - kubelet.configuration['tlsCipherSuites'] != null - if (kubelet.configuration['tlsCipherSuites'] != null) { + kubelet.configuration['tlsCipherSuites'] != empty + if (kubelet.configuration['tlsCipherSuites'] != empty) { kubelet.configuration['tlsCipherSuites'].map( _.trim ).containsOnly(props.allowedCiphers) } docs: @@ -391,8 +391,8 @@ queries: title: Run kubelet with a user-provided certificate/key impact: 100 mql: | - kubelet.configuration["tlsCertFile"] != null - kubelet.configuration["tlsPrivateKeyFile"] != null + kubelet.configuration["tlsCertFile"] != empty + kubelet.configuration["tlsPrivateKeyFile"] != empty docs: desc: | Ensure that the kubelet is not running with self-signed certificates generated by the kubelet itself. 
@@ -428,7 +428,7 @@ queries: title: Ownership and permissions of kubelet configuration should be restricted impact: 80 mql: | - if (kubelet.configFile != null) { + if (kubelet.configFile != empty) { if (kubelet.configFile.exists) { kubelet.configFile { user.name == "root" @@ -468,8 +468,8 @@ queries: title: Specify a kubelet certificate authorities file and ensure proper ownership and permissions impact: 100 mql: | - kubelet.configuration['authentication']['x509']['clientCAFile'] != null - if (kubelet.configuration['authentication']['x509']['clientCAFile'] != null) { + kubelet.configuration['authentication']['x509']['clientCAFile'] != empty + if (kubelet.configuration['authentication']['x509']['clientCAFile'] != empty) { cafile = kubelet.configuration["authentication"]["x509"]["clientCAFile"] file(cafile) { user.name == "root" @@ -679,7 +679,7 @@ queries: title: Ensure that the Kubernetes PKI/SSL directory is owned by root:root impact: 65 mql: | - if (processes.where(executable == /kube-apiserver/).list[0].flags["etcd-certfile"] != null) { + if (processes.where(executable == /kube-apiserver/).list[0].flags["etcd-certfile"] != empty) { clientCAFile = processes.where(executable == /kube-apiserver/).list[0].flags["etcd-certfile"] ssldir = file(clientCAFile).dirname file(ssldir) { @@ -4554,8 +4554,8 @@ queries: title: Container should have a CPU limit impact: 20 mql: | - k8s.pod.initContainers.all( resources['limits']['cpu'] != null ) - k8s.pod.containers.all( resources['limits']['cpu'] != null ) + k8s.pod.initContainers.all( resources['limits']['cpu'] != empty ) + k8s.pod.containers.all( resources['limits']['cpu'] != empty ) docs: desc: | Kubernetes Pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. 
@@ -4596,8 +4596,8 @@ queries: title: Container should have a CPU limit impact: 20 mql: | - k8s.cronjob.initContainers.all( resources['limits']['cpu'] != null ) - k8s.cronjob.containers.all( resources['limits']['cpu'] != null ) + k8s.cronjob.initContainers.all( resources['limits']['cpu'] != empty ) + k8s.cronjob.containers.all( resources['limits']['cpu'] != empty ) docs: desc: | Kubernetes pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. @@ -4638,8 +4638,8 @@ queries: title: Container should have a CPU limit impact: 20 mql: | - k8s.statefulset.initContainers.all( resources['limits']['cpu'] != null ) - k8s.statefulset.containers.all( resources['limits']['cpu'] != null ) + k8s.statefulset.initContainers.all( resources['limits']['cpu'] != empty ) + k8s.statefulset.containers.all( resources['limits']['cpu'] != empty ) docs: desc: | Kubernetes pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. @@ -4680,8 +4680,8 @@ queries: title: Container should have a CPU limit impact: 20 mql: | - k8s.deployment.initContainers.all( resources['limits']['cpu'] != null ) - k8s.deployment.containers.all( resources['limits']['cpu'] != null ) + k8s.deployment.initContainers.all( resources['limits']['cpu'] != empty ) + k8s.deployment.containers.all( resources['limits']['cpu'] != empty ) docs: desc: | Kubernetes pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. 
@@ -4722,8 +4722,8 @@ queries: title: Container should have a CPU limit impact: 20 mql: | - k8s.job.initContainers.all( resources['limits']['cpu'] != null ) - k8s.job.containers.all( resources['limits']['cpu'] != null ) + k8s.job.initContainers.all( resources['limits']['cpu'] != empty ) + k8s.job.containers.all( resources['limits']['cpu'] != empty ) docs: desc: | Kubernetes pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. @@ -4764,8 +4764,8 @@ queries: title: Container should have a CPU limit impact: 20 mql: | - k8s.replicaset.initContainers.all( resources['limits']['cpu'] != null ) - k8s.replicaset.containers.all( resources['limits']['cpu'] != null ) + k8s.replicaset.initContainers.all( resources['limits']['cpu'] != empty ) + k8s.replicaset.containers.all( resources['limits']['cpu'] != empty ) docs: desc: | Kubernetes pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. @@ -4806,8 +4806,8 @@ queries: title: Container should have a CPU limit impact: 20 mql: | - k8s.daemonset.initContainers.all( resources['limits']['cpu'] != null ) - k8s.daemonset.containers.all( resources['limits']['cpu'] != null ) + k8s.daemonset.initContainers.all( resources['limits']['cpu'] != empty ) + k8s.daemonset.containers.all( resources['limits']['cpu'] != empty ) docs: desc: | Kubernetes pod configurations should set CPU limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. 
@@ -4848,8 +4848,8 @@ queries: title: Container should have a memory limit impact: 20 mql: | - k8s.pod.initContainers.all( resources['limits']['memory'] != null ) - k8s.pod.containers.all( resources['limits']['memory'] != null ) + k8s.pod.initContainers.all( resources['limits']['memory'] != empty ) + k8s.pod.containers.all( resources['limits']['memory'] != empty ) docs: desc: | Kubernetes pod configurations should set memory limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. @@ -4887,8 +4887,8 @@ queries: title: Container should have a memory limit impact: 20 mql: | - k8s.cronjob.initContainers.all( resources['limits']['memory'] != null ) - k8s.cronjob.containers.all( resources['limits']['memory'] != null ) + k8s.cronjob.initContainers.all( resources['limits']['memory'] != empty ) + k8s.cronjob.containers.all( resources['limits']['memory'] != empty ) docs: desc: | Kubernetes pod configurations should set memory limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. @@ -4926,8 +4926,8 @@ queries: title: Container should have a memory limit impact: 20 mql: | - k8s.statefulset.initContainers.all( resources['limits']['memory'] != null ) - k8s.statefulset.containers.all( resources['limits']['memory'] != null ) + k8s.statefulset.initContainers.all( resources['limits']['memory'] != empty ) + k8s.statefulset.containers.all( resources['limits']['memory'] != empty ) docs: desc: | Kubernetes pod configurations should set memory limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. 
@@ -4965,8 +4965,8 @@ queries: title: Container should have a memory limit impact: 20 mql: | - k8s.deployment.initContainers.all( resources['limits']['memory'] != null ) - k8s.deployment.containers.all( resources['limits']['memory'] != null ) + k8s.deployment.initContainers.all( resources['limits']['memory'] != empty ) + k8s.deployment.containers.all( resources['limits']['memory'] != empty ) docs: desc: | Kubernetes pod configurations should set memory limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. @@ -5004,8 +5004,8 @@ queries: title: Container should have a memory limit impact: 20 mql: | - k8s.job.initContainers.all( resources['limits']['memory'] != null ) - k8s.job.containers.all( resources['limits']['memory'] != null ) + k8s.job.initContainers.all( resources['limits']['memory'] != empty ) + k8s.job.containers.all( resources['limits']['memory'] != empty ) docs: desc: | Kubernetes pod configurations should set memory limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. @@ -5043,8 +5043,8 @@ queries: title: Container should have a memory limit impact: 20 mql: | - k8s.replicaset.initContainers.all( resources['limits']['memory'] != null ) - k8s.replicaset.containers.all( resources['limits']['memory'] != null ) + k8s.replicaset.initContainers.all( resources['limits']['memory'] != empty ) + k8s.replicaset.containers.all( resources['limits']['memory'] != empty ) docs: desc: | Kubernetes pod configurations should set memory limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. 
@@ -5082,8 +5082,8 @@ queries: title: Container should have a memory limit impact: 20 mql: | - k8s.daemonset.initContainers.all( resources['limits']['memory'] != null ) - k8s.daemonset.containers.all( resources['limits']['memory'] != null ) + k8s.daemonset.initContainers.all( resources['limits']['memory'] != empty ) + k8s.daemonset.containers.all( resources['limits']['memory'] != empty ) docs: desc: | Kubernetes pod configurations should set memory limits for containers defined in the manifest. This prevents the pod from exhausting the host's resources in case of an application malfunction or an attack. @@ -5134,7 +5134,7 @@ queries: Check to ensure no Pods have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW): ```bash - kubectl get pods -A -o json | jq -r '.items[] | select(.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get pods -A -o json | jq -r '.items[] | select(.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` @@ -5189,7 +5189,7 @@ queries: Check to ensure no DaemonSets have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW): ```bash - kubectl get daemonsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get daemonsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` 
@@ -5248,7 +5248,7 @@ queries: Check to ensure no ReplicaSets have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW): ```bash - kubectl get replicasets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get replicasets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` @@ -5306,7 +5306,7 @@ queries: Check to ensure no Jobs have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW): ```bash - kubectl get jobs -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get jobs -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` 
@@ -5365,7 +5365,7 @@ queries: Check to ensure no Deployments have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW): ```bash - kubectl get deployments -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get deployments -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` @@ -5424,7 +5424,7 @@ queries: Check to ensure no StatefulSets have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW): ```bash - kubectl get statefulsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get statefulsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` 
@@ -5483,7 +5483,7 @@ queries: Check to ensure no CronJobs have explicitly asked for the NET_RAW capability (or asked for ALL capabilities which includes NET_RAW): ```bash - kubectl get cronjobs -A -o json | jq -r '.items[] | select(.spec.jobTemplate.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get cronjobs -A -o json | jq -r '.items[] | select(.spec.jobTemplate.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|NET_RAW")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` @@ -5548,7 +5548,7 @@ queries: Check to ensure no Pods have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN): ```bash - kubectl get pods -A -o json | jq -r '.items[] | select(.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get pods -A -o json | jq -r '.items[] | select(.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any Pods that explicitly add the SYS_ADMIN or ALL capability, update the Pods (or the Deployments/DaemonSets/CronJobs/etc that produced the Pods) to ensure they do not ask for the SYS_ADMIN or ALL capability: 
@@ -5583,7 +5583,7 @@ queries: Check to ensure no DaemonSets have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN): ```bash - kubectl get daemonsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get daemonsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any DaemonSets that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability: @@ -5620,7 +5620,7 @@ queries: Check to ensure no ReplicaSets have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN): ```bash - kubectl get replicasets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get replicasets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any ReplicaSets that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability: 
@@ -5657,7 +5657,7 @@ queries: Check to ensure no Jobs have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN): ```bash - kubectl get jobs -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get jobs -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any Jobs that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability: @@ -5693,7 +5693,7 @@ queries: Check to ensure no Deployments have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN): ```bash - kubectl get deployments -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get deployments -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any Deployments that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability: 
@@ -5730,7 +5730,7 @@ queries: Check to ensure no StatefulSets have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN): ```bash - kubectl get statefulsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get statefulsets -A -o json | jq -r '.items[] | select(.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any StatefulSets that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability: @@ -5767,7 +5767,7 @@ queries: Check to ensure no CronJobs have explicitly asked for the SYS_ADMIN capability (or asked for ALL capabilities which includes SYS_ADMIN): ```bash - kubectl get cronjobs -A -o json | jq -r '.items[] | select(.spec.jobTemplate.spec.template.spec.containers[].securityContext.capabilities.add | . != null and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get cronjobs -A -o json | jq -r '.items[] | select(.spec.jobTemplate.spec.template.spec.containers[].securityContext.capabilities.add | . != empty and any(.[] ; ascii_upcase | test("ALL|SYS_ADMIN")) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any CronJobs that explicitly add the SYS_ADMIN or ALL capability, update them to ensure they do not ask for the SYS_ADMIN or ALL capability: 
@@ -5807,7 +5807,7 @@ queries: Check to ensure no Pods are binding any of their containers to a host port: ```bash - kubectl get pods -A -o json | jq -r '.items[] | select( (.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get pods -A -o json | jq -r '.items[] | select( (.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any Pods that bind to a host port, update the Pods (or the Deployments/DaemonSets/CronJobs/etc that produced the Pods) to ensure they do not bind to a host port: @@ -5846,7 +5846,7 @@ queries: Check to ensure no DaemonSets are binding any of their containers to a host port: ```bash - kubectl get daemonsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get daemonsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any DaemonSets that bind to a host port, update the DaemonSets to ensure they do not bind to a host port: 
@@ -5887,7 +5887,7 @@ queries: Check to ensure no ReplicaSets are binding any of their containers to a host port: ```bash - kubectl get replicasets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get replicasets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any ReplicaSets that bind to a host port, update the ReplicaSets to ensure they do not bind to a host port: @@ -5928,7 +5928,7 @@ queries: Check to ensure no Jobs are binding any of their containers to a host port: ```bash - kubectl get jobs -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get jobs -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any ReplicaSets that bind to a host port, update the Jobs to ensure they do not bind to a host port: @@ -5969,7 +5969,7 @@ queries: Check to ensure no Deployments are binding any of their containers to a host port: ```bash - kubectl get deployments -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get deployments -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any Deployments that bind to a host port, update the Deployments to ensure they do not bind to a host port: 
@@ -6010,7 +6010,7 @@ queries: Check to ensure no StatefulSets are binding any of their containers to a host port: ```bash - kubectl get statefulsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get statefulsets -A -o json | jq -r '.items[] | select( (.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any StatefulSets that bind to a host port, update the StatefulSets to ensure they do not bind to a host port: @@ -6051,7 +6051,7 @@ queries: Check to ensure no CronJobs are binding any of their containers to a host port: ```bash - kubectl get cronjobs -A -o json | jq -r '.items[] | select( (.spec.jobTemplate.spec.template.spec.containers[].ports | . != null and any(.[].hostPort; . != null) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get cronjobs -A -o json | jq -r '.items[] | select( (.spec.jobTemplate.spec.template.spec.containers[].ports | . != empty and any(.[].hostPort; . != empty) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any CronJobs that bind to a host port, update the CronJobs to ensure they do not bind to a host port: @@ -6086,10 +6086,10 @@ queries: impact: 80 mql: | k8s.pod.podSpec { - hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name']) + hostPathVolumes = _['volumes'].where(_['hostPath'] != empty).map(_['name']) _['containers'] { _['name'] - if( _['volumeMounts'] != null ) { + if( _['volumeMounts'] != empty ) { _['volumeMounts'] { n = _['name'] if( hostPathVolumes.contains(n) ) { 
@@ -6104,10 +6104,10 @@ queries: } } k8s.pod.podSpec { - hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name']) + hostPathVolumes = _['volumes'].where(_['hostPath'] != empty).map(_['name']) _['initContainers'] { _['name'] - if( _['volumeMounts'] != null ) { + if( _['volumeMounts'] != empty ) { _['volumeMounts'] { n = _['name'] if( hostPathVolumes.contains(n) ) { @@ -6122,10 +6122,10 @@ queries: } } k8s.pod.podSpec { - hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name']) + hostPathVolumes = _['volumes'].where(_['hostPath'] != empty).map(_['name']) _['ephemeralContainers'] { _['name'] - if( _['volumeMounts'] != null ) { + if( _['volumeMounts'] != empty ) { _['volumeMounts'] { n = _['name'] if( hostPathVolumes.contains(n) ) { @@ -6147,7 +6147,7 @@ queries: Check to ensure no containers in a Pod are mounting hostPath volumes as read-write: ```bash - kubectl get pods -A -o json | jq -r '.items[] | [.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get pods -A -o json | jq -r '.items[] | [.spec.volumes[] | select(.hostPath != empty) | .name] as $myVar | select(.spec.containers[].volumeMounts | (. != empty and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any Pod containers that mount a hostPath volume as read-write, update them (or the Deployment/StatefulSet/etc that created the Pod): 
@@ -6174,10 +6174,10 @@ queries: impact: 80 mql: | k8s.daemonset.podSpec { - hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name']) + hostPathVolumes = _['volumes'].where(_['hostPath'] != empty).map(_['name']) _['containers'] { _['name'] - if( _['volumeMounts'] != null ) { + if( _['volumeMounts'] != empty ) { _['volumeMounts'] { n = _['name'] if( hostPathVolumes.contains(n) ) { @@ -6199,7 +6199,7 @@ queries: Check to ensure no containers in a DaemonSet are mounting hostPath volumes as read-write: ```bash - kubectl get daemonsets -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get daemonsets -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != empty) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != empty and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any DaemonSet containers that mount a hostPath volume as read-write, update them: @@ -6228,10 +6228,10 @@ queries: impact: 80 mql: | k8s.replicaset.podSpec { - hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name']) + hostPathVolumes = _['volumes'].where(_['hostPath'] != empty).map(_['name']) _['containers'] { _['name'] - if( _['volumeMounts'] != null ) { + if( _['volumeMounts'] != empty ) { _['volumeMounts'] { n = _['name'] if( hostPathVolumes.contains(n) ) { 
@@ -6253,7 +6253,7 @@ queries: Check to ensure no containers in a ReplicaSet are mounting hostPath volumes as read-write: ```bash - kubectl get replicasets -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get replicasets -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != empty) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != empty and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any ReplicaSet containers that mount a hostPath volume as read-write, update them: @@ -6282,10 +6282,10 @@ queries: impact: 80 mql: | k8s.job.podSpec { - hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name']) + hostPathVolumes = _['volumes'].where(_['hostPath'] != empty).map(_['name']) _['containers'] { _['name'] - if( _['volumeMounts'] != null ) { + if( _['volumeMounts'] != empty ) { _['volumeMounts'] { n = _['name'] if( hostPathVolumes.contains(n) ) { 
@@ -6307,7 +6307,7 @@ queries: Check to ensure no containers in a Job are mounting hostPath volumes as read-write: ```bash - kubectl get jobs -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get jobs -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != empty) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != empty and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any Job containers that mount a hostPath volume as read-write, update them: @@ -6336,10 +6336,10 @@ queries: impact: 80 mql: | k8s.deployment.podSpec { - hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name']) + hostPathVolumes = _['volumes'].where(_['hostPath'] != empty).map(_['name']) _['containers'] { _['name'] - if( _['volumeMounts'] != null ) { + if( _['volumeMounts'] != empty ) { _['volumeMounts'] { n = _['name'] if( hostPathVolumes.contains(n) ) { 
@@ -6361,7 +6361,7 @@ queries: Check to ensure no containers in a Deployment are mounting hostPath volumes as read-write: ```bash - kubectl get deployments -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get deployments -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != empty) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != empty and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any Deployment containers that mount a hostPath volume as read-write, update them: @@ -6390,10 +6390,10 @@ queries: impact: 80 mql: | k8s.statefulset.podSpec { - hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name']) + hostPathVolumes = _['volumes'].where(_['hostPath'] != empty).map(_['name']) _['containers'] { _['name'] - if( _['volumeMounts'] != null ) { + if( _['volumeMounts'] != empty ) { _['volumeMounts'] { n = _['name'] if( hostPathVolumes.contains(n) ) { 
@@ -6415,7 +6415,7 @@ queries: Check to ensure no containers in a StatefulSet are mounting hostPath volumes as read-write: ```bash - kubectl get statefulsets -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get statefulsets -A -o json | jq -r '.items[] | [.spec.template.spec.volumes[] | select(.hostPath != empty) | .name] as $myVar | select(.spec.template.spec.containers[].volumeMounts | (. != empty and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any StatefulSet containers that mount a hostPath volume as read-write, update them: @@ -6444,10 +6444,10 @@ queries: impact: 80 mql: | k8s.cronjob.podSpec { - hostPathVolumes = _['volumes'].where(_['hostPath'] != null).map(_['name']) + hostPathVolumes = _['volumes'].where(_['hostPath'] != empty).map(_['name']) _['containers'] { _['name'] - if( _['volumeMounts'] != null ) { + if( _['volumeMounts'] != empty ) { _['volumeMounts'] { n = _['name'] if( hostPathVolumes.contains(n) ) { 
@@ -6469,7 +6469,7 @@ queries: Check to ensure no containers in a CronJob are mounting hostPath volumes as read-write: ```bash - kubectl get cronjobs -A -o json | jq -r '.items[] | [.spec.jobTemplate.spec.template.spec.volumes[] | select(.hostPath != null) | .name] as $myVar | select(.spec.jobTemplate.spec.template.spec.containers[].volumeMounts | (. != null and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq + kubectl get cronjobs -A -o json | jq -r '.items[] | [.spec.jobTemplate.spec.template.spec.volumes[] | select(.hostPath != empty) | .name] as $myVar | select(.spec.jobTemplate.spec.template.spec.containers[].volumeMounts | (. != empty and ( .[] | ( [.name] | inside($myVar) ) and .readOnly != true ) ) ) | .metadata.namespace + "/" + .metadata.name' | uniq ``` remediation: | For any CronJob containers that mount a hostPath volume as read-write, update them: diff --git a/core/mondoo-macos-security.mql.yaml b/core/mondoo-macos-security.mql.yaml index 27c49cf8..a3391a71 100644 --- a/core/mondoo-macos-security.mql.yaml +++ b/core/mondoo-macos-security.mql.yaml 
@@ -962,10 +962,10 @@ queries:
 name
 filePath = "/Library/Managed Preferences/" + name + "/complete.plist"
 a = file(filePath).exists == true && [filePath].where(file(_).exists) {
- parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["maxPINAgeInDays"]["value"] != null &&
+ parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["maxPINAgeInDays"]["value"] != empty &&
 parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["maxPINAgeInDays"]["value"] <= 365
 }
- b = macos.globalAccountPolicies['policyCategoryPasswordChange'] != null &&
+ b = macos.globalAccountPolicies['policyCategoryPasswordChange'] != empty &&
 macos.globalAccountPolicies['policyCategoryPasswordChange'].any(_['policyParameters']['policyAttributeDaysUntilExpiration'] <= 365)
 filePath2 = "/Library/Managed Preferences/com.apple.mobiledevice.passwordpolicy.plist"
 c = file(filePath2).exists == true &&
@@ -1001,14 +1001,14 @@ queries:
 name
 filePath = "/Library/Managed Preferences/" + name + "/complete.plist"
 a = file(filePath).exists == true && [filePath].where(file(_).exists) {
- parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["pinHistory"]["value"] != null &&
+ parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["pinHistory"]["value"] != empty &&
 parse.plist(filePath).params["com.apple.mobiledevice.passwordpolicy"]["pinHistory"]["value"] >= 15
 }
- b = macos.globalAccountPolicies['policyCategoryPasswordContent'] != null &&
+ b = macos.globalAccountPolicies['policyCategoryPasswordContent'] != empty &&
 macos.globalAccountPolicies['policyCategoryPasswordContent'].any(_['policyParameters']['policyAttributePasswordHistoryDepth'] >= 15 )
 filePath2 = "/Library/Managed Preferences/com.apple.mobiledevice.passwordpolicy.plist"
 c = file(filePath2).exists == true &&
- parse.plist(filePath2).params['pinHistory'] != null &&
+ parse.plist(filePath2).params['pinHistory'] != empty &&
 parse.plist(filePath2).params['pinHistory'] >= 15
 a || b || c
 }
@@ -1101,10 +1101,10 @@ queries:
 name
 filePath1 = "/Library/Managed Preferences/" + name + "/complete.plist"
 a = file(filePath1).exists == true && [filePath1].where(file(_).exists) {
- parse.plist(filePath1).params["com.apple.mobiledevice.passwordpolicy"]["minLength"]["value"] != null &&
+ parse.plist(filePath1).params["com.apple.mobiledevice.passwordpolicy"]["minLength"]["value"] != empty &&
 parse.plist(filePath1).params["com.apple.mobiledevice.passwordpolicy"]["minLength"]["value"] >= 15
 }
- b = macos.globalAccountPolicies['policyCategoryPasswordContent'] != null &&
+ b = macos.globalAccountPolicies['policyCategoryPasswordContent'] != empty &&
 macos.globalAccountPolicies['policyCategoryPasswordContent'].any(_['policyParameters']['minimumLength'] >= 15)
 filePath2 = "/Library/Managed Preferences/com.apple.mobiledevice.passwordpolicy.plist"
 c = file(filePath2).exists == true &&
diff --git a/core/mondoo-slack-security.mql.yaml b/core/mondoo-slack-security.mql.yaml
index 0f783c51..7383a635 100644
--- a/core/mondoo-slack-security.mql.yaml
+++ b/core/mondoo-slack-security.mql.yaml
@@ -173,7 +173,7 @@ queries:
 title: Ensure all users use 2FA
 impact: 60
 mql: |
- slack.users.members.where(name != /deactivateduser/).all( has2FA == true || enterpriseUser != null || id=="USLACKBOT" )
+ slack.users.members.where(name != /deactivateduser/).all( has2FA == true || enterpriseUser != empty || id=="USLACKBOT" )
 docs:
 desc: |
 All user accounts should be protected with two-factor authentication. This enhances protection against account takeovers by attackers.
diff --git a/core/mondoo-terraform-aws-security.mql.yaml b/core/mondoo-terraform-aws-security.mql.yaml
index e44c3a87..84fcf83b 100644
--- a/core/mondoo-terraform-aws-security.mql.yaml
+++ b/core/mondoo-terraform-aws-security.mql.yaml
@@ -252,7 +252,7 @@ queries:
 - uid: terraform-aws-security-ec2-user-data-no-secrets
 title: Ensure EC2 instance user data does not contain secrets
 mql: |
- terraform.resources.where( nameLabel == "aws_instance" && arguments["user_data"] != null ) {
+ terraform.resources.where( nameLabel == "aws_instance" && arguments["user_data"] != empty ) {
 # ensure that all used AWS_ACCESS_KEY_ID are the sample key
 arguments["user_data"] {
 _.find(/(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}/).all("AKIAIOSFODNN7EXAMPLE")
@@ -276,8 +276,8 @@ queries: title: Ensure IAM policy do not use wildcards and instead apply the principle of least privilege mql: | # verify aws_iam_policy - terraform.resources.where( nameLabel == "aws_iam_policy" && arguments["policy"] != null ) { - arguments["policy"].where( _["Statement"] != null) { + terraform.resources.where( nameLabel == "aws_iam_policy" && arguments["policy"] != empty ) { + arguments["policy"].where( _["Statement"] != empty) { _["Statement"] { # Resource is either not * or DENY is used (where wildcard is great) _["Resource"] != "*" || _["Effect"].upcase == "DENY" @@ -286,8 +286,8 @@ queries: } # verify aws_iam_user_policy - terraform.resources.where( nameLabel == "aws_iam_user_policy" && arguments["policy"] != null ) { - arguments["policy"].where( _["Statement"] != null) { + terraform.resources.where( nameLabel == "aws_iam_user_policy" && arguments["policy"] != empty ) { + arguments["policy"].where( _["Statement"] != empty) { _["Statement"] { # Resource is either not * or DENY is used (where wildcard is great) _["Resource"] != "*" || _["Effect"].upcase == "DENY" @@ -296,8 +296,8 @@ queries: } # verify iam_role_policy - terraform.resources.where( nameLabel == "iam_role_policy" && arguments["policy"] != null ) { - arguments["policy"].where( _["Statement"] != null) { + terraform.resources.where( nameLabel == "iam_role_policy" && arguments["policy"] != empty ) { + arguments["policy"].where( _["Statement"] != empty) { _["Statement"] { # Resource is either not * or DENY is used (where wildcard is great) _["Resource"] != "*" || _["Effect"].upcase == "DENY" 
@@ -306,8 +306,8 @@ queries: } # verify iam_group_policy - terraform.resources.where( nameLabel == "iam_group_policy" && arguments["policy"] != null ) { - arguments["policy"].where( _["Statement"] != null) { + terraform.resources.where( nameLabel == "iam_group_policy" && arguments["policy"] != empty ) { + arguments["policy"].where( _["Statement"] != empty) { _["Statement"] { # Resource is either not * or DENY is used (where wildcard is great) _["Resource"] != "*" || _["Effect"].upcase == "DENY" @@ -360,7 +360,7 @@ queries: terraform.resources.where( nameLabel == 'aws_s3_bucket') { blocks.one( type == 'logging') blocks.where(type == 'logging') { - arguments['target_bucket'] != null + arguments['target_bucket'] != empty } } } @@ -369,7 +369,7 @@ queries: bucketnames = _ terraform.resources.where( nameLabel == 'aws_s3_bucket_logging' && arguments['bucket'].split('.')[1] == bucketnames ) != [] terraform.resources.where( nameLabel == 'aws_s3_bucket_logging' && arguments['bucket'].split('.')[1] == bucketnames ) { - arguments['target_bucket'] != null + arguments['target_bucket'] != empty } } } From a590f88bd2e8423a95dd19a572515c528141f9f9 Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:18:40 +0200 Subject: [PATCH 03/15] fix: Ensure strong account password policy requirements are used Signed-off-by: Manuel Weber --- core/mondoo-aws-security.mql.yaml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/core/mondoo-aws-security.mql.yaml b/core/mondoo-aws-security.mql.yaml index f720c57c..1e24c5b2 100644 --- a/core/mondoo-aws-security.mql.yaml +++ b/core/mondoo-aws-security.mql.yaml 
@@ -265,25 +265,25 @@ queries:
 title: Ensure strong account password policy requirements are used
 impact: 60
 props:
- - uid: iamPasswordPolicyMaxPasswordAge
+ - uid: iamPasswordPolicyMaxPasswordAgeMondoo
 title: Define the maximum number of days a password is allowed to exist before being rotated
 mql: "90"
- - uid: iamPasswordPolicyMinimumPasswordLength
+ - uid: iamPasswordPolicyMinimumPasswordLengthMondoo
 title: Minimum password length
 mql: "14"
- - uid: iamPasswordPolicyPasswordReusePrevention
+ - uid: iamPasswordPolicyPasswordReusePreventionMondoo
 title: Number of passwords before allowing reuse
 mql: "24"
- - uid: iamPasswordPolicyRequireLowercaseCharacters
+ - uid: iamPasswordPolicyRequireLowercaseCharactersMondoo
 title: Denotes whether lowercase characters are required for passwords
 mql: "true"
- - uid: iamPasswordPolicyRequireNumbers
+ - uid: iamPasswordPolicyRequireNumbersMondoo
 title: Denotes whether numbers are required for passwords
 mql: "true"
- - uid: iamPasswordPolicyRequireSymbols
+ - uid: iamPasswordPolicyRequireSymbolsMondoo
 title: Denotes whether symbols are required for passwords
 mql: "true"
- - uid: iamPasswordPolicyRequireUppercaseCharacters
+ - uid: iamPasswordPolicyRequireUppercaseCharactersMondoo
 title: Denotes whether uppercase characters are required for passwords
 mql: "true"
 mql: |
@@ -296,13 +296,13 @@ queries: aws.iam.accountPasswordPolicy.PasswordReusePrevention != empty aws.iam.accountPasswordPolicy.MaxPasswordAge != empty // Validate each policy setting against props - aws.iam.accountPasswordPolicy.where(RequireUppercaseCharacters != empty).all(RequireUppercaseCharacters == props.iamPasswordPolicyRequireUppercaseCharacters) - aws.iam.accountPasswordPolicy.where(RequireLowercaseCharacters != empty).all(RequireLowercaseCharacters == props.iamPasswordPolicyRequireLowercaseCharacters) - aws.iam.accountPasswordPolicy.where(RequireSymbols != empty).all(RequireSymbols == props.iamPasswordPolicyRequireSymbols) - aws.iam.accountPasswordPolicy.where(RequireNumbers != empty).all(RequireNumbers == props.iamPasswordPolicyRequireNumbers) - aws.iam.accountPasswordPolicy.where(MinimumPasswordLength != empty).all(MinimumPasswordLength >= props.iamPasswordPolicyMinimumPasswordLength) - aws.iam.accountPasswordPolicy.where(PasswordReusePrevention != empty).all(PasswordReusePrevention >= props.iamPasswordPolicyPasswordReusePrevention) - aws.iam.accountPasswordPolicy.where(MaxPasswordAge != empty).all(MaxPasswordAge <= props.iamPasswordPolicyMaxPasswordAge) + aws.iam.accountPasswordPolicy.where(RequireUppercaseCharacters != empty).all(RequireUppercaseCharacters == props.iamPasswordPolicyRequireUppercaseCharactersMondoo) + aws.iam.accountPasswordPolicy.where(RequireLowercaseCharacters != empty).all(RequireLowercaseCharacters == props.iamPasswordPolicyRequireLowercaseCharactersMondoo) + aws.iam.accountPasswordPolicy.where(RequireSymbols != empty).all(RequireSymbols == props.iamPasswordPolicyRequireSymbolsMondoo) + aws.iam.accountPasswordPolicy.where(RequireNumbers != empty).all(RequireNumbers == props.iamPasswordPolicyRequireNumbersMondoo) + aws.iam.accountPasswordPolicy.where(MinimumPasswordLength != empty).all(MinimumPasswordLength >= props.iamPasswordPolicyMinimumPasswordLengthMondoo) + aws.iam.accountPasswordPolicy.where(PasswordReusePrevention != 
empty).all(PasswordReusePrevention >= props.iamPasswordPolicyPasswordReusePreventionMondoo) + aws.iam.accountPasswordPolicy.where(MaxPasswordAge != empty).all(MaxPasswordAge <= props.iamPasswordPolicyMaxPasswordAgeMondoo) docs: desc: | AWS allows custom password policies on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. IAM user passwords must meet the default AWS password policy if you don't set a custom password policy. AWS security best practices recommend these password complexity requirements: From b42ce80948454f1c7ff65acb0284aa95ace2124a Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:21:21 +0200 Subject: [PATCH 04/15] fix/props: - uid: maxAccessKeyAgeMondoo Signed-off-by: Manuel Weber --- core/mondoo-aws-security.mql.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/core/mondoo-aws-security.mql.yaml b/core/mondoo-aws-security.mql.yaml index 1e24c5b2..a3d0b23d 100644 --- a/core/mondoo-aws-security.mql.yaml +++ b/core/mondoo-aws-security.mql.yaml 
@@ -397,15 +397,15 @@ queries: title: Ensure active access keys are rotated impact: 70 props: - - uid: maxAccessKeyAge + - uid: maxAccessKeyAgeMondoo title: Define the maximum number of days an IAM key is allowed to exist before rotation mql: "90" mql: | - aws.iam.credentialReport.where(accessKey1Active == true && time.now - userCreationTime > props.maxAccessKeyAge * time.day).all(time.now - accessKey1LastRotated < props.maxAccessKeyAge * time.day) - aws.iam.credentialReport.where(accessKey2Active == true && time.now - userCreationTime > props.maxAccessKeyAge * time.day).all(time.now - accessKey2LastRotated < props.maxAccessKeyAge * time.day) + aws.iam.credentialReport.where(accessKey1Active == true && time.now - userCreationTime > props.maxAccessKeyAgeMondoo * time.day).all(time.now - accessKey1LastRotated < props.maxAccessKeyAgeMondoo * time.day) + aws.iam.credentialReport.where(accessKey2Active == true && time.now - userCreationTime > props.maxAccessKeyAgeMondoo * time.day).all(time.now - accessKey2LastRotated < props.maxAccessKeyAgeMondoo * time.day) docs: desc: | - It is highly recommended that you regularly rotate (change) IAM user access keys to reduce the risk of unwanted access to your account. Change the value enforced in this check by modifying the maxAccessKeyAge property. + It is highly recommended that you regularly rotate (change) IAM user access keys to reduce the risk of unwanted access to your account. Change the value enforced in this check by modifying the maxAccessKeyAgeMondoo property. audit: | __cnspec shell__ From 9a2227ebc9340ca72320f2718b287e5d03a61137 Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:22:56 +0200 Subject: [PATCH 05/15] fix/props: - uid: ebsVolumeDeleteOnTerminationMondoo Signed-off-by: Manuel Weber --- core/mondoo-aws-security.mql.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/core/mondoo-aws-security.mql.yaml b/core/mondoo-aws-security.mql.yaml index a3d0b23d..49f0d5f0 100644 --- a/core/mondoo-aws-security.mql.yaml +++ b/core/mondoo-aws-security.mql.yaml @@ -2154,7 +2154,7 @@ queries: title: Ensure EBS volumes attached to EC2 instances are configured for deletion on instance termination impact: 60 props: - - uid: ebsVolumeDeleteOnTermination + - uid: ebsVolumeDeleteOnTerminationMondoo title: Defines whether instances should be configured to delete volumes on termination mql: "true" variants: @@ -2232,7 +2232,7 @@ queries: - uid: mondoo-aws-security-ec2-volume-inuse-check-all filters: asset.platform == "aws" mql: | - aws.ec2.volumes.where(attachments != empty).all(attachments.any(DeleteOnTermination == props.ebsVolumeDeleteOnTermination)) + aws.ec2.volumes.where(attachments != empty).all(attachments.any(DeleteOnTermination == props.ebsVolumeDeleteOnTerminationMondoo)) - uid: mondoo-aws-security-ec2-volume-inuse-check-single filters: asset.platform == "aws-ec2-volume" && aws.ec2.volume.attachments != empty mql: | From 277c871d8f3fe71a891d3311c1d6693b187176f5 Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:24:06 +0200 Subject: [PATCH 06/15] fix/props: - uid: disallowedPortsSSHMondoo Signed-off-by: Manuel Weber --- core/mondoo-azure-security.mql.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/mondoo-azure-security.mql.yaml b/core/mondoo-azure-security.mql.yaml index 5ff3af85..f34b8cdd 100644 --- a/core/mondoo-azure-security.mql.yaml +++ b/core/mondoo-azure-security.mql.yaml @@ -216,7 +216,7 @@ queries: title: Ensure that SSH access is restricted from the internet impact: 80 props: - - uid: disallowedPortsSSH + - uid: disallowedPortsSSHMondoo title: a list of disallowed TCP ports, by default SSH listens only on TCP port 22, add more ports as needed mql: | return [ 
@@ -305,7 +305,7 @@ queries: && properties.sourceAddressPrefix == /\*|0\.0\.0\.0|\/0|\/0|internet|any/ ) allNsgTCP.all(properties.destinationPortRange != "*") - props.disallowedPortsSSH { + props.disallowedPortsSSHMondoo { disallowedPortSSH = _ disallowedPortSSH allNsgTCP.none(destinationPortRange.any(fromPort <= disallowedPortSSH && toPort >= disallowedPortSSH)) @@ -323,7 +323,7 @@ queries: ) ) allNsgTCP.all(securityRules.all(properties.destinationPortRange != "*")) - props.disallowedPortsSSH { + props.disallowedPortsSSHMondoo { disallowedPortSSH = _ disallowedPortSSH allNsgTCP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortSSH && toPort >= disallowedPortSSH))) From b20fca898a5f4594894c028bc519980828869fbb Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:30:38 +0200 Subject: [PATCH 07/15] fix/props: - uid: disallowedPortsRDPMondoo Signed-off-by: Manuel Weber --- core/mondoo-azure-security.mql.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/mondoo-azure-security.mql.yaml b/core/mondoo-azure-security.mql.yaml index f34b8cdd..166738f6 100644 --- a/core/mondoo-azure-security.mql.yaml +++ b/core/mondoo-azure-security.mql.yaml @@ -332,7 +332,7 @@ queries: title: Ensure that RDP access is restricted from the internet impact: 80 props: - - uid: disallowedPortsRDP + - uid: disallowedPortsRDPMondoo title: a list of disallowed TCP ports, by default RDP listens only on TCP port 3389, add more ports as needed mql: | return [ @@ -419,7 +419,7 @@ queries: && properties.sourceAddressPrefix == /\*|0\.0\.0\.0|\/0|\/0|internet|any/ ) allNsgTCP.all(properties.destinationPortRange != "*") - props.disallowedPortsRDP { + props.disallowedPortsRDPMondoo { disallowedPortRDP = _ disallowedPortRDP allNsgTCP.none(destinationPortRange.any(fromPort <= disallowedPortRDP && toPort >= disallowedPortRDP)) 
@@ -437,7 +437,7 @@ queries: ) ) allNsgTCP.all(securityRules.all(properties.destinationPortRange != "*")) - props.disallowedPortsRDP { + props.disallowedPortsRDPMondoo { disallowedPortRDP = _ disallowedPortRDP allNsgTCP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortRDP && toPort >= disallowedPortRDP))) From 959572d1a9a90d81f32b17805e4f6035896eaf11 Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:31:10 +0200 Subject: [PATCH 08/15] fix/props: - uid: disallowedPortsUDPMondoo Signed-off-by: Manuel Weber --- core/mondoo-azure-security.mql.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/mondoo-azure-security.mql.yaml b/core/mondoo-azure-security.mql.yaml index 166738f6..e5b2f1ba 100644 --- a/core/mondoo-azure-security.mql.yaml +++ b/core/mondoo-azure-security.mql.yaml @@ -2081,7 +2081,7 @@ queries: title: Ensure direct UDP access to Resources from the internet is restricted impact: 80 props: - - uid: disallowedPortsUDP + - uid: disallowedPortsUDPMondoo title: a list of disallowed UDP ports, by default covering common UDP services, add more as needed mql: | return [ @@ -2165,7 +2165,7 @@ queries: && properties.sourceAddressPrefix == /\*|0\.0\.0\.0|\/0|\/0|internet|any/ ) allNsgUDP.all(properties.destinationPortRange != "*") - props.disallowedPortsUDP { + props.disallowedPortsUDPMondoo { disallowedPortUDP = _ disallowedPortUDP allNsgUDP.none(destinationPortRange.any(fromPort <= disallowedPortUDP && toPort >= disallowedPortUDP)) @@ -2183,7 +2183,7 @@ queries: ) ) allNsgUDP.all(securityRules.all(properties.destinationPortRange != "*")) - props.disallowedPortsUDP { + props.disallowedPortsUDPMondoo { disallowedPortUDP = _ disallowedPortUDP allNsgUDP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortUDP && toPort >= disallowedPortUDP))) From 6253af5abad06912ad060bd48637642bf29f520a Mon Sep 17 00:00:00 2001 
From: Manuel Weber Date: Fri, 28 Jun 2024 16:32:54 +0200 Subject: [PATCH 09/15] fix/props: - uid: allowedCiphersMondoo Signed-off-by: Manuel Weber --- core/mondoo-kubernetes-security.mql.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/mondoo-kubernetes-security.mql.yaml b/core/mondoo-kubernetes-security.mql.yaml index 5421b1af..1827045a 100644 --- a/core/mondoo-kubernetes-security.mql.yaml +++ b/core/mondoo-kubernetes-security.mql.yaml @@ -236,7 +236,7 @@ policies: - uid: mondoo-kubernetes-security-pod-tiller scoring_system: highest impact props: - - uid: allowedCiphers + - uid: allowedCiphersMondoo title: Define the hardened SSL/ TLS ciphers mql: | return ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", @@ -349,7 +349,7 @@ queries: title: Configure kubelet to use only strong cryptography impact: 100 props: - - uid: allowedCiphers + - uid: allowedCiphersMondoo title: Define the hardened SSL/ TLS ciphers mql: | return ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", @@ -364,7 +364,7 @@ queries: mql: | kubelet.configuration['tlsCipherSuites'] != empty if (kubelet.configuration['tlsCipherSuites'] != empty) { - kubelet.configuration['tlsCipherSuites'].map( _.trim ).containsOnly(props.allowedCiphers) + kubelet.configuration['tlsCipherSuites'].map( _.trim ).containsOnly(props.allowedCiphersMondoo) } docs: desc: | From 6cd829d4afcd9da596d0c979db0debf66a8c4c55 Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:34:20 +0200 Subject: [PATCH 10/15] fix/props: - uid: auditFilesMondoo Signed-off-by: Manuel Weber --- core/mondoo-linux-security.mql.yaml | 170 ++++++++++++++-------------- 1 file changed, 85 insertions(+), 85 deletions(-) diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml index 66f5dfc1..0b233263 100644 --- a/core/mondoo-linux-security.mql.yaml +++ b/core/mondoo-linux-security.mql.yaml 
@@ -1263,14 +1263,14 @@ queries: title: Ensure changes to system administration scope (sudoers) is collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/sudoers\.d(\/?)\s+\-p\s+wa\s+\-k\s+scope(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/sudoers(\/?)\s+\-p\s+wa\s+\-k\s+scope(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/sudoers\.d(\/?)\s+\-p\s+wa\s+\-k\s+scope(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/sudoers(\/?)\s+\-p\s+wa\s+\-k\s+scope(\s+)?$/)) docs: desc: |- Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the `sudo` 
@@ -1306,14 +1306,14 @@ queries: title: Ensure login and logout events are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+\-k\s+logins(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+\-k\s+logins(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+\-k\s+logins(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+\-k\s+logins(\s+)?$/)) docs: desc: |- Monitor login and logout events. The parameters below track changes to files associated with login/logout events. 
@@ -1362,15 +1362,15 @@ queries: title: Ensure session initiation information is collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/run\/utmp\s+\-p\s+wa\s+\-k\s+session(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/wtmp\s+\-p\s+wa\s+\-k\s+(logins|session)(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/btmp\s+\-p\s+wa\s+\-k\s+(logins|session)(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/var\/run\/utmp\s+\-p\s+wa\s+\-k\s+session(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/wtmp\s+\-p\s+wa\s+\-k\s+(logins|session)(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/btmp\s+\-p\s+wa\s+\-k\s+(logins|session)(\s+)?$/)) docs: desc: |- Monitor session initiation events. The parameters in this section track changes to the files associated with session events. 
@@ -1411,17 +1411,17 @@ queries: title: Ensure events that modify date and time information are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+adjtimex(\s+\-S\s+|,)settimeofday(\s+\-S\s+|,)?(clock_settime)?\s+\-k\s+time-change(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+adjtimex(\s+\-S\s+|,)settimeofday(\s+\-S\s+|,)?(clock_settime)?(stime)?\s+\-k\s+time-change(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+clock\_settime\s+\-k\s+time-change(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+clock\_settime\s+\-k\s+time-change(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/localtime\s+\-p\s+wa\s+\-k\s+time-change(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+adjtimex(\s+\-S\s+|,)settimeofday(\s+\-S\s+|,)?(clock_settime)?\s+\-k\s+time-change(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+adjtimex(\s+\-S\s+|,)settimeofday(\s+\-S\s+|,)?(clock_settime)?(stime)?\s+\-k\s+time-change(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+clock\_settime\s+\-k\s+time-change(\s+)?$/)) + 
props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+clock\_settime\s+\-k\s+time-change(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/localtime\s+\-p\s+wa\s+\-k\s+time-change(\s+)?$/)) docs: desc: |- Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the `adjtimex` 
@@ -1482,16 +1482,16 @@ queries: title: Ensure events that modify the system's Mandatory Access Controls are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - appArmorSys = props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/apparmor(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/)) - && props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/apparmor.d(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/)) - seLinuxSys = props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/selinux(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/)) - && props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/usr\/share\/selinux(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/)) + appArmorSys = props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/apparmor(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/)) + && props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/apparmor.d(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/)) + seLinuxSys = props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/selinux(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/)) + && props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/usr\/share\/selinux(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/)) appArmorSys || seLinuxSys docs: desc: |- 
@@ -1536,17 +1536,17 @@ queries: title: Ensure events that modify the system's network environment are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+system-locale(\s+)?$/)) || props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+system-locale(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/issue\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/issue.net\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/hosts\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/sysconfig\/network\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+system-locale(\s+)?$/)) || props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+system-locale(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/issue\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/issue.net\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/)) + 
props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/hosts\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/sysconfig\/network\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/)) docs: desc: |- Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) 
@@ -1629,18 +1629,18 @@ queries: title: Ensure discretionary access control permission modification events are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+chmod(\s+\-S\s+|,)fchmod(\s+\-S\s+|,)fchmodat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key=perm\_mod(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+chown(\s+\-S\s+|,)fchown(\s+\-S\s+|,)lchown(\s+\-S\s+|,)fchownat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key\=perm\_mod(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+chmod(\s+\-S\s+|,)fchmod(\s+\-S\s+|,)fchmodat\s+\-F+\s+auid\>\=1000\s+\-F\s+auid\!=(4294967295|unset|-1)\s+\-F\s+key\=perm_mod$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+lchown(\s+\-S\s+|,)fchown(\s+\-S\s+|,)chown(\s+\-S\s+|,)fchownat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key\=perm\_mod(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+setxattr(\s+\-S\s+|,)lsetxattr(\s+\-S\s+|,)fsetxattr(\s+\-S\s+|,)removexattr(\s+\-S\s+|,)lremovexattr(\s+\-S\s+|,)fremovexattr\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key\=perm\_mod(\s+)?$/)) - 
props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+setxattr(\s+\-S\s+|,)lsetxattr(\s+\-S\s+|,)fsetxattr(\s+\-S\s+|,)removexattr(\s+\-S\s+|,)lremovexattr(\s+\-S\s+|,)fremovexattr\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key\=perm\_mod(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+chmod(\s+\-S\s+|,)fchmod(\s+\-S\s+|,)fchmodat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key=perm\_mod(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+chown(\s+\-S\s+|,)fchown(\s+\-S\s+|,)lchown(\s+\-S\s+|,)fchownat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key\=perm\_mod(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+chmod(\s+\-S\s+|,)fchmod(\s+\-S\s+|,)fchmodat\s+\-F+\s+auid\>\=1000\s+\-F\s+auid\!=(4294967295|unset|-1)\s+\-F\s+key\=perm_mod$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+lchown(\s+\-S\s+|,)fchown(\s+\-S\s+|,)chown(\s+\-S\s+|,)fchownat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key\=perm\_mod(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+setxattr(\s+\-S\s+|,)lsetxattr(\s+\-S\s+|,)fsetxattr(\s+\-S\s+|,)removexattr(\s+\-S\s+|,)lremovexattr(\s+\-S\s+|,)fremovexattr\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key\=perm\_mod(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+setxattr(\s+\-S\s+|,)lsetxattr(\s+\-S\s+|,)fsetxattr(\s+\-S\s+|,)removexattr(\s+\-S\s+|,)lremovexattr(\s+\-S\s+|,)fremovexattr\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+key\=perm\_mod(\s+)?$/)) docs: desc: |- Monitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. 
@@ -1710,14 +1710,14 @@ queries: title: Ensure unsuccessful unauthorized file access attempts are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EACCES\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) || props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EACCES\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EPERM\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) || props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EPERM\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) + 
props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EACCES\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) || props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EACCES\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EPERM\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) || props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EPERM\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) docs: desc: |- Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( `creat` ), opening ( `open`, `openat` ) and 
@@ -1781,17 +1781,17 @@ queries: title: Ensure events that modify user/group information are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/)) docs: desc: |- Record events affecting the `group`, `passwd` (user IDs), `shadow` and `gshadow` (passwords) or `/etc/security/opasswd` 
@@ -1833,13 +1833,13 @@ queries: title: Ensure successful file system mounts are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+mount\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+mounts(\s+)?$/)) || props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+mount\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+mounts(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+mount\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+mounts(\s+)?$/)) || props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+mount\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+mounts(\s+)?$/)) docs: desc: |- Monitor the use of the `mount` 
@@ -1886,14 +1886,14 @@ queries: title: Ensure file deletion events by users are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+rename\,unlink\,unlinkat\,renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=unset\s+\-F\s+key\=delete(\s+)?$/)) || props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+delete(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+rename\,unlink\,unlinkat\,renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=unset\s+\-F\s+key\=delete(\s+)?$/)) || props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+delete(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+rename\,unlink\,unlinkat\,renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=unset\s+\-F\s+key\=delete(\s+)?$/)) || props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+delete(\s+)?$/)) + 
props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+rename\,unlink\,unlinkat\,renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=unset\s+\-F\s+key\=delete(\s+)?$/)) || props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+delete(\s+)?$/)) docs: desc: |- Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the `unlink` 
@@ -1947,16 +1947,16 @@ queries: title: Ensure kernel module loading and unloading is collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/sbin\/insmod\s+\-p\s+x\s+\-k\s+modules(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/sbin\/rmmod\s+\-p\s+x\s+\-k\s+modules(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/sbin\/modprobe\s+\-p\s+x\s+\-k\s+modules(\s+)?$/)) - props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always,exit\s+\-F\s+arch\=b64\s+\-S\s+init\_module\s+\-S\s+delete\_module\s+\-k\s+modules(\s+)?$/)) || props.auditFiles.any(_.contains(/^(\s+)?\-a\s+always,exit\s+\-F\s+arch\=b32\s+\-S\s+init\_module\s+\-S\s+delete\_module\s+\-k\s+modules(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/sbin\/insmod\s+\-p\s+x\s+\-k\s+modules(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/sbin\/rmmod\s+\-p\s+x\s+\-k\s+modules(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/sbin\/modprobe\s+\-p\s+x\s+\-k\s+modules(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always,exit\s+\-F\s+arch\=b64\s+\-S\s+init\_module\s+\-S\s+delete\_module\s+\-k\s+modules(\s+)?$/)) || props.auditFilesMondoo.any(_.contains(/^(\s+)?\-a\s+always,exit\s+\-F\s+arch\=b32\s+\-S\s+init\_module\s+\-S\s+delete\_module\s+\-k\s+modules(\s+)?$/)) docs: desc: |- Monitor the loading and unloading of kernel modules. The programs `insmod` 
@@ -2015,13 +2015,13 @@ queries: title: Ensure system administrator actions (sudolog) are collected impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/sudo\.log\s+\-p\s+wa\s+\-k\s+actions(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/sudo\.log\s+\-p\s+wa\s+\-k\s+actions(\s+)?$/)) docs: desc: |- Monitor the `sudo` log file. If the system has been properly configured to disable the use of the `su` @@ -2061,13 +2061,13 @@ queries: title: Ensure the audit configuration is immutable impact: 50 props: - - uid: auditFiles + - uid: auditFilesMondoo title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules mql: | - auditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] - return auditFiles.map(file(_).content.lines.where( _ == /^[^#]/ )) + auditFilesMondoo = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"] + return auditFilesMondoo.map(file(_).content.lines.where( _ == /^[^#]/ )) mql: | - props.auditFiles.any(_.contains(/(\s+)?\-e\s+2(\s+)?$/)) + props.auditFilesMondoo.any(_.contains(/(\s+)?\-e\s+2(\s+)?$/)) docs: desc: |- Set system audit so that audit rules cannot be modified with `auditctl` From 7ad1f4c27535406e4153c031c8219d2126e04e19 Mon Sep 17 00:00:00 2001 
From: Manuel Weber Date: Fri, 28 Jun 2024 16:37:15 +0200 Subject: [PATCH 11/15] fix/props: - uid: macAlgosMondoo Signed-off-by: Manuel Weber --- core/mondoo-linux-security.mql.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml index 0b233263..99fde86c 100644 --- a/core/mondoo-linux-security.mql.yaml +++ b/core/mondoo-linux-security.mql.yaml @@ -2484,14 +2484,14 @@ queries: title: Ensure only strong MAC algorithms are used impact: 80 props: - - uid: macAlgos + - uid: macAlgosMondoo title: Define the accepted MAC algorithms mql: | return ["umac-128-etm@openssh.com","hmac-sha2-256-etm@openssh.com","hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com","hmac-sha2-256","hmac-sha2-512"] mql: | sshd.config.macs != empty - sshd.config.macs.containsOnly(props.macAlgos) + sshd.config.macs.containsOnly(props.macAlgosMondoo) docs: desc: This variable limits the types of MAC algorithms that SSH can use during communication. remediation: |- From 4f804cc8b2497c3dd89ffc22f0806250740354e5 Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:37:48 +0200 Subject: [PATCH 12/15] fix/props: - uid: kexAlgosMondoo Signed-off-by: Manuel Weber --- core/mondoo-linux-security.mql.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml index 99fde86c..0a505dfd 100644 --- a/core/mondoo-linux-security.mql.yaml +++ b/core/mondoo-linux-security.mql.yaml @@ -2506,7 +2506,7 @@ queries: title: Ensure that strong Key Exchange algorithms are used impact: 100 props: - - uid: kexAlgos + - uid: kexAlgosMondoo title: Define the hardened key exchange algorithms for all SSH configurations mql: | if( package('openssh-server').version == /6./) { 
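Review bot: `package('openssh-server').version == /6./` in the version branch of `kexAlgosMondoo` is an unanchored regex, so it matches any version string containing a `6` followed by one more character — `8.6p1`, for instance — and those hosts would be handed the OpenSSH 6 key-exchange list instead of the hardened one. Anchoring to the major version, e.g. `/^6\./`, fixes that; if version strings in this file can carry a distribution epoch prefix, the anchor needs to allow for it. The `if` body and the remaining `return` are outside this hunk (the other branch is in @@ -2521).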
@@ -2521,7 +2521,7 @@ queries: return ["sntrup761x25519-sha512@openssh.com","curve25519-sha256@libssh.org","diffie-hellman-group18-sha512"] mql: | sshd.config.kexs != empty - sshd.config.kexs.containsOnly(props.kexAlgos) + sshd.config.kexs.containsOnly(props.kexAlgosMondoo) docs: desc: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received remediation: |- From 448ca1d9657cf37c6fbf135882df98a7bf84bbca Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:38:21 +0200 Subject: [PATCH 13/15] fix/props: - uid: sudoGroupMondoo Signed-off-by: Manuel Weber --- core/mondoo-linux-security.mql.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml index 0a505dfd..a6ab81a5 100644 --- a/core/mondoo-linux-security.mql.yaml +++ b/core/mondoo-linux-security.mql.yaml @@ -3027,7 +3027,7 @@ queries: filters: | asset.kind != "container-image" props: - - uid: sudoGroup + - uid: sudoGroupMondoo title: Define the members of the sudo or wheel group mql: | return /root|ec2-user|centos|ubuntu|admin|mondoo/ @@ -3037,7 +3037,7 @@ queries: groups.where(name == "wheel" || name == "sudo") { members { name - name == props.sudoGroup + name == props.sudoGroupMondoo } } docs: 
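Review bot: `name == props.sudoGroupMondoo` in the `members` block compares against the unanchored `/root|ec2-user|centos|ubuntu|admin|mondoo/` defined in the preceding hunk @@ -3027, and the file's other regex checks (`_ == /^[^#]/`) show that `==` against a regex is a search rather than a full match, so any wheel/sudo member whose name merely contains one of those strings (`notroot`, `sysadmin`) passes the check and an unexpected privileged account is never flagged. Anchoring the alternation, `return /^(root|ec2-user|centos|ubuntu|admin|mondoo)$/`, turns the prop into an exact-name allow list. The query's `mql:` block begins before this hunk.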
@@ -3069,7 +3069,7 @@ queries: ``` wheel:x:10:root, ``` - NOTE: The users allowed in the wheel group are defined in the properties `props.SudoGroup` field of this policy. By default the users "root", "ec2-user", "centos" and "ubuntu" are included. To include custom users you need to manually modify this policy. Otherwise the check will fail. + NOTE: The users allowed in the wheel group are defined in the properties `props.sudoGroupMondoo` field of this policy. By default the users "root", "ec2-user", "centos" and "ubuntu" are included. To include custom users you need to manually modify this policy. Otherwise the check will fail. If you want to lock down the use of the command `su` entirely instead, you need to create an empty group, for example `sugroup`: From f8285dd237c24d25747241d59597cd6164643326 Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 16:58:02 +0200 Subject: [PATCH 14/15] fix/props: - uid: auditpolSuccessFailure etc. Signed-off-by: Manuel Weber --- core/mondoo-windows-security.mql.yaml | 216 +++++++++++++------------- 1 file changed, 108 insertions(+), 108 deletions(-) diff --git a/core/mondoo-windows-security.mql.yaml b/core/mondoo-windows-security.mql.yaml index 5bdbabdb..e0740f30 100644 --- a/core/mondoo-windows-security.mql.yaml +++ b/core/mondoo-windows-security.mql.yaml @@ -465,7 +465,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo1 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -473,7 +473,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo1 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
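Review bot: The NOTE sentence still says the default users are "root", "ec2-user", "centos" and "ubuntu", but the `sudoGroupMondoo` prop in hunk @@ -3027 also accepts `admin` and `mondoo`; since this text is the operator's only description of who is permitted in wheel/sudo, it should name all six, e.g. `By default the users "root", "ec2-user", "centos", "ubuntu", "admin" and "mondoo" are included.`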
@@ -481,7 +481,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -491,7 +491,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9217-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9217-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolFailure || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9217-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolFailureMondoo || inclusionsetting == props.auditpolSuccessFailureMondoo1) docs: desc: |- This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: @@ -528,7 +528,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo2 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -536,7 +536,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo2 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -544,7 +544,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo1 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
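Review bot: The Failure prop numbering is offset by one from the other two sequences: the first query gets `auditpolFailureMondoo` with no suffix while its siblings are `auditpolSuccessFailureMondoo1` and `auditpolSuccessMondoo1`, so from the second query on `auditpolFailureMondoo1` sits next to `auditpolSuccessFailureMondoo2` (hunk @@ -544 here, @@ -554 below, and so on through the commit). Each check does reference the uids defined in its own query, but the skew makes every later pairing harder to verify by eye; renaming the first to `auditpolFailureMondoo1` and shifting the rest gives one consistent sequence. Separately, several queries define `auditpolSuccessMondooN` without referencing it (@@ -473 defines it, @@ -491 uses only the Failure and SuccessFailure props), which could be dropped if the policy schema does not require them.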
@@ -554,7 +554,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9239-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9239-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9239-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo2) docs: desc: |- This policy setting allows you to audit events generated by changes to application groups such as the following: @@ -603,7 +603,7 @@ queries: case _ == "it-IT": "Modifica del criterio di controllo"; default: "Audit Policy Change"; } - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo3 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -611,7 +611,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo3 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -619,7 +619,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo2 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -629,7 +629,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE922F-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE922F-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE922F-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo3 || inclusionsetting == props.auditpolSuccessFailureMondoo3) docs: desc: |- This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: @@ -674,7 +674,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo4 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -682,7 +682,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo4 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -690,7 +690,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo3 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -700,7 +700,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9230-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9230-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9230-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo4 || inclusionsetting == props.auditpolSuccessFailureMondoo4) docs: desc: |- This subcategory reports changes in authentication policy. Events for this subcategory include: @@ -747,7 +747,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo5 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -755,7 +755,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo5 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -763,7 +763,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo4 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -773,7 +773,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9231-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9231-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9231-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo5 || inclusionsetting == props.auditpolSuccessFailureMondoo5) docs: desc: |- This subcategory reports changes in authorization policy. Events for this subcategory include: @@ -814,7 +814,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo6 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -822,7 +822,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo6 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -830,7 +830,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo5 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -840,7 +840,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE923F-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE923F-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE923F-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo6) docs: desc: |- This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include: @@ -880,7 +880,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo7 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -888,7 +888,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo7 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -896,7 +896,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo6 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -906,7 +906,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9244-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9244-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolFailure || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9244-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolFailureMondoo6 || inclusionsetting == props.auditpolSuccessFailureMondoo7) docs: desc: |- This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: @@ -943,7 +943,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo8 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -951,7 +951,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo8 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -959,7 +959,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo7 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -969,7 +969,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9224-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9224-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9224-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo8) docs: desc: |- This policy setting allows you to audit attempts to access a shared folder. 
@@ -1055,7 +1055,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo9 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1063,7 +1063,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo9 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1071,7 +1071,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo8 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1081,7 +1081,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9249-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9249-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9249-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo9 || inclusionsetting == props.auditpolSuccessFailureMondoo9) docs: desc: |- This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. 
@@ -1119,7 +1119,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo10 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1127,7 +1127,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo10 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1135,7 +1135,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo9 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1145,7 +1145,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9213-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9213-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9213-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo10) docs: desc: |- This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: @@ -1192,7 +1192,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo11 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1200,7 +1200,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo11 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -1208,7 +1208,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo10 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1218,7 +1218,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9216-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9216-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9216-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo11 || inclusionsetting == props.auditpolSuccessFailureMondoo11) docs: desc: |- This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: @@ -1256,7 +1256,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo12 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1264,7 +1264,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo12 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -1272,7 +1272,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo11 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1282,7 +1282,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9215-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9215-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9215-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo12) docs: desc: |- This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: @@ -1322,7 +1322,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo13 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1330,7 +1330,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo13 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -1338,7 +1338,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo12 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1348,7 +1348,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9232-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9232-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9232-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo13) docs: desc: |- This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: @@ -1399,7 +1399,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo14 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1407,7 +1407,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo14 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1415,7 +1415,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo13 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -1425,7 +1425,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE921C-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE921C-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE921C-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo14) docs: desc: |- This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: @@ -1471,7 +1471,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo15 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1479,7 +1479,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo15 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1487,7 +1487,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo14 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -1497,7 +1497,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9227-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9227-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9227-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo15) docs: desc: |- This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. @@ -1546,7 +1546,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo16 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1554,7 +1554,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo16 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1562,7 +1562,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo15 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -1572,7 +1572,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9234-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9234-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolFailure) + auditpol.where(subcategoryguid == "0CCE9234-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolFailureMondoo15) docs: desc: |- This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. @@ -1617,7 +1617,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo16 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1625,7 +1625,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo17 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1633,7 +1633,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo16 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
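Review bot: The new uid `auditpolSuccessFailureMondoo16` in the `@@ -1617` hunk is the same uid the `@@ -1546` hunk already assigned to the previous check's prop, so two different queries now declare a prop under one name and the later `props.auditpolSuccessFailureMondoo16` reference in the `@@ -1643` hunk no longer identifies a single definition. If prop uids must be unique across the policy — which appears to be the reason for adding the numeric suffixes — this collision defeats the rename for those two checks; if they are scoped per query the duplicate is harmless, but then the whole suffix scheme is unnecessary. The `auditpolSuccessFailure*` suffixes otherwise run consecutively (13 through 26 in the visible hunks) with only this repeat, so the minimal fix is to give this prop an unused suffix and update the one reference, e.g. `- uid: auditpolSuccessFailureMondoo27` here and `props.auditpolSuccessFailureMondoo27` in the `@@ -1643` hunk, after confirming that suffix is not used elsewhere in the file. As a style point, a query's three props now carry mismatched numbers (here 16, 17 and 16), which is how this slip happened; suffixing each prop with its parent check's uid instead of a running counter would make ownership visible and remove the counting.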
@@ -1643,7 +1643,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9214-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9214-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9214-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo16) docs: desc: |- This subcategory reports on other system events. Events for this subcategory include: @@ -1692,7 +1692,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo17 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1700,7 +1700,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo18 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1708,7 +1708,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo17 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1718,7 +1718,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9248-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9248-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9248-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo18 || inclusionsetting == props.auditpolSuccessFailureMondoo17) docs: desc: |- This policy setting allows you to audit when plug and play detects an external device. 
@@ -1756,7 +1756,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo18 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1764,7 +1764,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo19 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1772,7 +1772,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo18 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1782,7 +1782,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE922B-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE922B-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE922B-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo19 || inclusionsetting == props.auditpolSuccessFailureMondoo18) docs: desc: |- This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: @@ -1823,7 +1823,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo19 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -1831,7 +1831,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo20 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1839,7 +1839,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo19 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1849,7 +1849,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9245-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9245-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9245-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo19) docs: desc: |- This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. @@ -1887,7 +1887,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo20 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -1895,7 +1895,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo21 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1903,7 +1903,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo20 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1913,7 +1913,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9237-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9237-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9237-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo21 || inclusionsetting == props.auditpolSuccessFailureMondoo20) docs: desc: |- This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include: @@ -1965,7 +1965,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo21 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -1973,7 +1973,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo22 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1981,7 +1981,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo21 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -1991,7 +1991,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9210-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9210-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9210-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo22 || inclusionsetting == props.auditpolSuccessFailureMondoo21) docs: desc: |- This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: @@ -2031,7 +2031,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo22 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2039,7 +2039,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo23 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -2047,7 +2047,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo22 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2057,7 +2057,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9211-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9211-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9211-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo23 || inclusionsetting == props.auditpolSuccessFailureMondoo22) docs: desc: |- This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: @@ -2098,7 +2098,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo23 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2106,7 +2106,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo24 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2114,7 +2114,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo23 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -2124,7 +2124,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9228-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9228-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9228-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo23) docs: desc: |- This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: @@ -2224,7 +2224,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo24 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2232,7 +2232,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo25 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2240,7 +2240,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo24 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -2250,7 +2250,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE921B-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE921B-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccess || inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE921B-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessMondoo25 || inclusionsetting == props.auditpolSuccessFailureMondoo24) docs: desc: |- This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: @@ -2287,7 +2287,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo25 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2295,7 +2295,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo26 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2303,7 +2303,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo25 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -2313,7 +2313,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9212-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9212-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9212-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo25) docs: desc: |- This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: @@ -2359,7 +2359,7 @@ queries: filters: | asset.platform == "windows" props: - - uid: auditpolSuccessFailure + - uid: auditpolSuccessFailureMondoo26 title: Returns 'Success and Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2367,7 +2367,7 @@ queries: case _ == "it-IT": "Esito positivo e negativo"; default: "Success and Failure"; } - - uid: auditpolSuccess + - uid: auditpolSuccessMondoo27 title: Returns 'Success' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { @@ -2375,7 +2375,7 @@ queries: case _ == "it-IT": "Operazione riuscita"; default: "Success"; } - - uid: auditpolFailure + - uid: auditpolFailureMondoo26 title: Returns 'Failure' depending on the operating system language mql: | switch(windows.computerInfo['OsLanguage']) { 
@@ -2385,7 +2385,7 @@ queries: } mql: | auditpol.where(subcategoryguid == "0CCE9235-69AE-11D9-BED3-505054503030").list != [] - auditpol.where(subcategoryguid == "0CCE9235-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailure) + auditpol.where(subcategoryguid == "0CCE9235-69AE-11D9-BED3-505054503030").all(inclusionsetting == props.auditpolSuccessFailureMondoo26) docs: desc: |- This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: From ae4147d08231ee80a51720dc5054b2a8c060cd4e Mon Sep 17 00:00:00 2001 From: Manuel Weber Date: Fri, 28 Jun 2024 17:06:43 +0200 Subject: [PATCH 15/15] fix/versions Signed-off-by: Manuel Weber --- core/mondoo-aws-security.mql.yaml | 2 +- core/mondoo-azure-security.mql.yaml | 2 +- core/mondoo-http-security.mql.yaml | 2 +- core/mondoo-kubernetes-best-practices.mql.yaml | 2 +- core/mondoo-kubernetes-security.mql.yaml | 2 +- core/mondoo-linux-security.mql.yaml | 2 +- core/mondoo-macos-security.mql.yaml | 2 +- core/mondoo-slack-security.mql.yaml | 2 +- core/mondoo-terraform-aws-security.mql.yaml | 2 +- core/mondoo-terraform-gcp-security.mql.yaml | 2 +- core/mondoo-windows-security.mql.yaml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/core/mondoo-aws-security.mql.yaml b/core/mondoo-aws-security.mql.yaml index 49f0d5f0..cb6921f8 100644 --- a/core/mondoo-aws-security.mql.yaml +++ b/core/mondoo-aws-security.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-aws-security name: AWS Security - version: 3.0.0 + version: 3.0.1 license: BUSL-1.1 tags: mondoo.com/category: security 
diff --git a/core/mondoo-azure-security.mql.yaml b/core/mondoo-azure-security.mql.yaml index e5b2f1ba..602cc995 100644 --- a/core/mondoo-azure-security.mql.yaml +++ b/core/mondoo-azure-security.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-azure-security name: Microsoft Azure Security - version: 2.0.0 + version: 2.0.1 license: BUSL-1.1 tags: mondoo.com/category: security diff --git a/core/mondoo-http-security.mql.yaml b/core/mondoo-http-security.mql.yaml index 0d8ef727..9d6f7a06 100644 --- a/core/mondoo-http-security.mql.yaml +++ b/core/mondoo-http-security.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-http-security name: HTTP Security - version: 1.1.0 + version: 1.1.1 license: BUSL-1.1 tags: mondoo.com/category: security diff --git a/core/mondoo-kubernetes-best-practices.mql.yaml b/core/mondoo-kubernetes-best-practices.mql.yaml index 2d8e168c..919af24d 100644 --- a/core/mondoo-kubernetes-best-practices.mql.yaml +++ b/core/mondoo-kubernetes-best-practices.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-kubernetes-best-practices name: Kubernetes Best Practices - version: 1.1.0 + version: 1.1.1 license: BUSL-1.1 tags: mondoo.com/category: best-practices diff --git a/core/mondoo-kubernetes-security.mql.yaml b/core/mondoo-kubernetes-security.mql.yaml index 1827045a..d4c000cf 100644 --- a/core/mondoo-kubernetes-security.mql.yaml +++ b/core/mondoo-kubernetes-security.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-kubernetes-security name: Kubernetes Cluster and Workload Security - version: 1.2.0 + version: 1.2.1 license: BUSL-1.1 tags: mondoo.com/category: security diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml index a6ab81a5..7191180c 100644 --- a/core/mondoo-linux-security.mql.yaml +++ b/core/mondoo-linux-security.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-linux-security name: Linux Security - version: 2.4.0 + version: 2.4.1 license: BUSL-1.1 tags: mondoo.com/category: security 
diff --git a/core/mondoo-macos-security.mql.yaml b/core/mondoo-macos-security.mql.yaml index a3391a71..f5f63139 100644 --- a/core/mondoo-macos-security.mql.yaml +++ b/core/mondoo-macos-security.mql.yaml @@ -3,7 +3,7 @@ policies: - uid: mondoo-macos-security name: macOS Security - version: 1.3.0 + version: 1.3.1 license: BUSL-1.1 tags: mondoo.com/category: security diff --git a/core/mondoo-slack-security.mql.yaml b/core/mondoo-slack-security.mql.yaml index 7383a635..a62eb435 100644 --- a/core/mondoo-slack-security.mql.yaml +++ b/core/mondoo-slack-security.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-slack-security name: Slack Team Security - version: 1.4.0 + version: 1.4.1 license: BUSL-1.1 tags: mondoo.com/category: security diff --git a/core/mondoo-terraform-aws-security.mql.yaml b/core/mondoo-terraform-aws-security.mql.yaml index 84fcf83b..58b63a70 100644 --- a/core/mondoo-terraform-aws-security.mql.yaml +++ b/core/mondoo-terraform-aws-security.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-terraform-aws-security name: Terraform HCL Security Static Analysis for AWS - version: 1.2.0 + version: 1.2.1 license: BUSL-1.1 tags: mondoo.com/category: security diff --git a/core/mondoo-terraform-gcp-security.mql.yaml b/core/mondoo-terraform-gcp-security.mql.yaml index 466ce48a..98b98b1d 100644 --- a/core/mondoo-terraform-gcp-security.mql.yaml +++ b/core/mondoo-terraform-gcp-security.mql.yaml @@ -4,7 +4,7 @@ policies: - uid: mondoo-terraform-gcp-security name: Terraform HCL Security Static Analysis for Google Cloud - version: 1.2.0 + version: 1.2.1 license: BUSL-1.1 tags: mondoo.com/category: security diff --git a/core/mondoo-windows-security.mql.yaml b/core/mondoo-windows-security.mql.yaml index e0740f30..eab239fa 100644 --- a/core/mondoo-windows-security.mql.yaml +++ b/core/mondoo-windows-security.mql.yaml 
@@ -3,7 +3,7 @@ policies: - uid: mondoo-windows-security name: Windows Security - version: 2.3.0 + version: 2.3.1 license: BUSL-1.1 tags: mondoo.com/category: security