🧹 Fixes double mql issues: Mondoo Linux Policy

community/mondoo-phoenix-plcnext-security.mql.yaml

@@ -118,7 +118,7 @@ queries:
         mql: |
           return ["sntrup761x25519-sha512@openssh.com","curve25519-sha256@libssh.org","diffie-hellman-group-exchange-sha256"]
     mql: |
-      sshd.config.kexs != null
+      sshd.config.kexs != empty
       sshd.config.kexs.containsOnly(props.PLCKexAlgos)
     docs:
       desc: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received
@@ -136,7 +136,7 @@ queries:
         mql: |
           return ["hmac-sha2-512-etm@openssh.com","hmac-sha2-256-etm@openssh.com","umac-128-etm@openssh.com","hmac-sha2-512","hmac-sha2-256"]
     mql: |
-      sshd.config.macs != null
+      sshd.config.macs != empty
       sshd.config.macs.containsOnly(props.PLCMacAlgos)
     docs:
       desc: This variable limits the types of MAC algorithms that SSH can use during communication.
@@ -156,7 +156,7 @@ queries:
         mql: |
           return ["chacha20-poly1305@openssh.com","aes256-gcm@openssh.com","aes128-gcm@openssh.com","aes256-ctr","aes192-ctr","aes128-ctr"]
     mql: |
-      sshd.config.ciphers != null
+      sshd.config.ciphers != empty
       sshd.config.ciphers.containsOnly(props.PLCSshdCiphers)
     docs:
       desc: This variable limits the ciphers that SSH can use during communication.

core/mondoo-aws-security.mql.yaml

@@ -4,7 +4,7 @@
 policies:
   - uid: mondoo-aws-security
     name: AWS Security
-    version: 3.0.0
+    version: 3.0.1
     license: BUSL-1.1
     tags:
       mondoo.com/category: security
@@ -265,25 +265,25 @@ queries:
     title: Ensure strong account password policy requirements are used
     impact: 60
     props:
-      - uid: iamPasswordPolicyMaxPasswordAge
+      - uid: iamPasswordPolicyMaxPasswordAgeMondoo
         title: Define the maximum number of days a password is allowed to exist before being rotated
         mql: "90"
-      - uid: iamPasswordPolicyMinimumPasswordLength
+      - uid: iamPasswordPolicyMinimumPasswordLengthMondoo
         title: Minimum password length
         mql: "14"
-      - uid: iamPasswordPolicyPasswordReusePrevention
+      - uid: iamPasswordPolicyPasswordReusePreventionMondoo
         title: Number of passwords before allowing reuse
         mql: "24"
-      - uid: iamPasswordPolicyRequireLowercaseCharacters
+      - uid: iamPasswordPolicyRequireLowercaseCharactersMondoo
         title: Denotes whether lowercase characters are required for passwords
         mql: "true"
-      - uid: iamPasswordPolicyRequireNumbers
+      - uid: iamPasswordPolicyRequireNumbersMondoo
         title: Denotes whether numbers are required for passwords
         mql: "true"
-      - uid: iamPasswordPolicyRequireSymbols
+      - uid: iamPasswordPolicyRequireSymbolsMondoo
         title: Denotes whether symbols are required for passwords
         mql: "true"
-      - uid: iamPasswordPolicyRequireUppercaseCharacters
+      - uid: iamPasswordPolicyRequireUppercaseCharactersMondoo
         title: Denotes whether uppercase characters are required for passwords
         mql: "true"
     mql: |
@@ -296,13 +296,13 @@ queries:
       aws.iam.accountPasswordPolicy.PasswordReusePrevention != empty
       aws.iam.accountPasswordPolicy.MaxPasswordAge != empty
       // Validate each policy setting against props
-      aws.iam.accountPasswordPolicy.where(RequireUppercaseCharacters != empty).all(RequireUppercaseCharacters == props.iamPasswordPolicyRequireUppercaseCharacters)
-      aws.iam.accountPasswordPolicy.where(RequireLowercaseCharacters != empty).all(RequireLowercaseCharacters == props.iamPasswordPolicyRequireLowercaseCharacters)
-      aws.iam.accountPasswordPolicy.where(RequireSymbols != empty).all(RequireSymbols == props.iamPasswordPolicyRequireSymbols)
-      aws.iam.accountPasswordPolicy.where(RequireNumbers != empty).all(RequireNumbers == props.iamPasswordPolicyRequireNumbers)
-      aws.iam.accountPasswordPolicy.where(MinimumPasswordLength != empty).all(MinimumPasswordLength >= props.iamPasswordPolicyMinimumPasswordLength)
-      aws.iam.accountPasswordPolicy.where(PasswordReusePrevention != empty).all(PasswordReusePrevention >= props.iamPasswordPolicyPasswordReusePrevention)
-      aws.iam.accountPasswordPolicy.where(MaxPasswordAge != empty).all(MaxPasswordAge <= props.iamPasswordPolicyMaxPasswordAge)
+      aws.iam.accountPasswordPolicy.where(RequireUppercaseCharacters != empty).all(RequireUppercaseCharacters == props.iamPasswordPolicyRequireUppercaseCharactersMondoo)
+      aws.iam.accountPasswordPolicy.where(RequireLowercaseCharacters != empty).all(RequireLowercaseCharacters == props.iamPasswordPolicyRequireLowercaseCharactersMondoo)
+      aws.iam.accountPasswordPolicy.where(RequireSymbols != empty).all(RequireSymbols == props.iamPasswordPolicyRequireSymbolsMondoo)
+      aws.iam.accountPasswordPolicy.where(RequireNumbers != empty).all(RequireNumbers == props.iamPasswordPolicyRequireNumbersMondoo)
+      aws.iam.accountPasswordPolicy.where(MinimumPasswordLength != empty).all(MinimumPasswordLength >= props.iamPasswordPolicyMinimumPasswordLengthMondoo)
+      aws.iam.accountPasswordPolicy.where(PasswordReusePrevention != empty).all(PasswordReusePrevention >= props.iamPasswordPolicyPasswordReusePreventionMondoo)
+      aws.iam.accountPasswordPolicy.where(MaxPasswordAge != empty).all(MaxPasswordAge <= props.iamPasswordPolicyMaxPasswordAgeMondoo)
     docs:
       desc: |
         AWS allows custom password policies on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. IAM user passwords must meet the default AWS password policy if you don't set a custom password policy. AWS security best practices recommend these password complexity requirements:
@@ -397,15 +397,15 @@ queries:
     title: Ensure active access keys are rotated
     impact: 70
     props:
-      - uid: maxAccessKeyAge
+      - uid: maxAccessKeyAgeMondoo
         title: Define the maximum number of days an IAM key is allowed to exist before rotation
         mql: "90"
     mql: |
-      aws.iam.credentialReport.where(accessKey1Active == true && time.now - userCreationTime > props.maxAccessKeyAge * time.day).all(time.now - accessKey1LastRotated < props.maxAccessKeyAge * time.day)
-      aws.iam.credentialReport.where(accessKey2Active == true && time.now - userCreationTime > props.maxAccessKeyAge * time.day).all(time.now - accessKey2LastRotated < props.maxAccessKeyAge * time.day)
+      aws.iam.credentialReport.where(accessKey1Active == true && time.now - userCreationTime > props.maxAccessKeyAgeMondoo * time.day).all(time.now - accessKey1LastRotated < props.maxAccessKeyAgeMondoo * time.day)
+      aws.iam.credentialReport.where(accessKey2Active == true && time.now - userCreationTime > props.maxAccessKeyAgeMondoo * time.day).all(time.now - accessKey2LastRotated < props.maxAccessKeyAgeMondoo * time.day)
     docs:
       desc: |
-        It is highly recommended that you regularly rotate (change) IAM user access keys to reduce the risk of unwanted access to your account. Change the value enforced in this check by modifying the maxAccessKeyAge property.
+        It is highly recommended that you regularly rotate (change) IAM user access keys to reduce the risk of unwanted access to your account. Change the value enforced in this check by modifying the maxAccessKeyAgeMondoo property.
       audit: |
         __cnspec shell__
 
@@ -1211,7 +1211,7 @@ queries:
 
         ```mql
           aws.s3.buckets.all(
-            publicAccessBlock != null && publicAccessBlock.values.all(_ == true)
+            publicAccessBlock != empty && publicAccessBlock.values.all(_ == true)
           )
         ```
 
@@ -2154,7 +2154,7 @@ queries:
     title: Ensure EBS volumes attached to EC2 instances are configured for deletion on instance termination
     impact: 60
     props:
-      - uid: ebsVolumeDeleteOnTermination
+      - uid: ebsVolumeDeleteOnTerminationMondoo
         title: Defines whether instances should be configured to delete volumes on termination
         mql: "true"
     variants:
@@ -2232,7 +2232,7 @@ queries:
   - uid: mondoo-aws-security-ec2-volume-inuse-check-all
     filters: asset.platform == "aws"
     mql: |
-      aws.ec2.volumes.where(attachments != empty).all(attachments.any(DeleteOnTermination == props.ebsVolumeDeleteOnTermination))
+      aws.ec2.volumes.where(attachments != empty).all(attachments.any(DeleteOnTermination == props.ebsVolumeDeleteOnTerminationMondoo))
   - uid: mondoo-aws-security-ec2-volume-inuse-check-single
     filters: asset.platform == "aws-ec2-volume" && aws.ec2.volume.attachments != empty
     mql: |
@@ -2393,7 +2393,7 @@ queries:
 
         ```mql
         aws.cloudtrail.trails.all(
-          kmsKey != null
+          kmsKey != empty
         )
         ```
 

core/mondoo-azure-security.mql.yaml

@@ -4,7 +4,7 @@
 policies:
   - uid: mondoo-azure-security
     name: Microsoft Azure Security
-    version: 2.0.0
+    version: 2.0.1
     license: BUSL-1.1
     tags:
       mondoo.com/category: security
@@ -216,7 +216,7 @@ queries:
     title: Ensure that SSH access is restricted from the internet
     impact: 80
     props:
-      - uid: disallowedPortsSSH
+      - uid: disallowedPortsSSHMondoo
         title: a list of disallowed TCP ports, by default SSH listens only on TCP port 22, add more ports as needed
         mql: |
           return [
@@ -305,7 +305,7 @@ queries:
             && properties.sourceAddressPrefix == /\*|0\.0\.0\.0|<nw>\/0|\/0|internet|any/
         )
       allNsgTCP.all(properties.destinationPortRange != "*")
-      props.disallowedPortsSSH {
+      props.disallowedPortsSSHMondoo {
         disallowedPortSSH = _
         disallowedPortSSH
         allNsgTCP.none(destinationPortRange.any(fromPort <= disallowedPortSSH && toPort >= disallowedPortSSH))
@@ -323,7 +323,7 @@ queries:
         )
       )
       allNsgTCP.all(securityRules.all(properties.destinationPortRange != "*"))
-      props.disallowedPortsSSH {
+      props.disallowedPortsSSHMondoo {
         disallowedPortSSH = _
         disallowedPortSSH
         allNsgTCP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortSSH && toPort >= disallowedPortSSH)))
@@ -332,7 +332,7 @@ queries:
     title: Ensure that RDP access is restricted from the internet
     impact: 80
     props:
-      - uid: disallowedPortsRDP
+      - uid: disallowedPortsRDPMondoo
         title: a list of disallowed TCP ports, by default RDP listens only on TCP port 3389, add more ports as needed
         mql: |
           return [
@@ -419,7 +419,7 @@ queries:
             && properties.sourceAddressPrefix == /\*|0\.0\.0\.0|<nw>\/0|\/0|internet|any/
         )
       allNsgTCP.all(properties.destinationPortRange != "*")
-      props.disallowedPortsRDP {
+      props.disallowedPortsRDPMondoo {
         disallowedPortRDP = _
         disallowedPortRDP
         allNsgTCP.none(destinationPortRange.any(fromPort <= disallowedPortRDP && toPort >= disallowedPortRDP))
@@ -437,7 +437,7 @@ queries:
         )
       )
       allNsgTCP.all(securityRules.all(properties.destinationPortRange != "*"))
-      props.disallowedPortsRDP {
+      props.disallowedPortsRDPMondoo {
         disallowedPortRDP = _
         disallowedPortRDP
         allNsgTCP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortRDP && toPort >= disallowedPortRDP)))
@@ -2081,7 +2081,7 @@ queries:
     title: Ensure direct UDP access to Resources from the internet is restricted
     impact: 80
     props:
-      - uid: disallowedPortsUDP
+      - uid: disallowedPortsUDPMondoo
         title: a list of disallowed UDP ports, by default covering common UDP services, add more as needed
         mql: |
           return [
@@ -2165,7 +2165,7 @@ queries:
             && properties.sourceAddressPrefix == /\*|0\.0\.0\.0|<nw>\/0|\/0|internet|any/
         )
       allNsgUDP.all(properties.destinationPortRange != "*")
-      props.disallowedPortsUDP {
+      props.disallowedPortsUDPMondoo {
         disallowedPortUDP = _
         disallowedPortUDP
         allNsgUDP.none(destinationPortRange.any(fromPort <= disallowedPortUDP && toPort >= disallowedPortUDP))
@@ -2183,7 +2183,7 @@ queries:
         )
       )
       allNsgUDP.all(securityRules.all(properties.destinationPortRange != "*"))
-      props.disallowedPortsUDP {
+      props.disallowedPortsUDPMondoo {
         disallowedPortUDP = _
         disallowedPortUDP
         allNsgUDP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortUDP && toPort >= disallowedPortUDP)))

core/mondoo-http-security.mql.yaml

@@ -4,7 +4,7 @@
 policies:
   - uid: mondoo-http-security
     name: HTTP Security
-    version: 1.1.0
+    version: 1.1.1
     license: BUSL-1.1
     tags:
       mondoo.com/category: security
@@ -48,7 +48,7 @@ policies:
       - title: Headers for HTTPS communication
         filters: |
           asset.platform == 'host'
-          tls.certificates != null
+          tls.certificates != empty
         checks:
           - uid: mondoo-http-security-strict-transport-security
     scoring_system: highest impact