
mondoohq / cnspec Goto Github PK


An open source, cloud-native security tool to protect everything from build to runtime

Home Page: https://cnspec.io

License: Other

Languages: Makefile 0.52%, Go 98.90%, Shell 0.51%, Dockerfile 0.02%, HCL 0.05%
Topics: cloud-native, compliance, opensource, policy-as-code, security, security-as-code, declarative, policy, kubernetes

cnspec's People

Contributors

arlimus, atomic111, benr, charlesjohnson, chris-rock, czunker, dependabot[bot], github-actions[bot], imilchev, jaym, kmf, mariuskimmina, misterpantz, mm-weber, preslavgerchev, scottford-io, tas50, vjeffrey


cnspec's Issues

confusing scoring results

Describe the bug


Asset: i-0b5f....
==========================
Controls:
✕ Fail:  F   0  /etc exists
  Query:
    file("/etc").exists == true

  Result:
    [ok] value: true



Summary (1 assets)
==================

Target:     i-0b5f87....
Score:      A   100/100     (100% completed)
✓ Passed:   0% (0)
✕ Failed:   ███████████████ 100% (1)
! Errors:   0% (0)
» Skipped:  0% (0)

Policies:
A 100  My First Simple Test
  • the query seems to get a value of true (expected) ✅
  • the query is marked as fail ❓ ❓
  • summary gives a score of A ✅
  • summary says nothing passed, and one failed ❓ ❓

No vulnerability information for Ubuntu 20.04 and 22.04

Describe the bug
When querying for vulnerability data, the result is empty:

cnspec> asset.vulnerabilityReport
asset.vulnerabilityReport: {
  platform: {
    arch: "x86_64"
    name: "ubuntu"
    release: "22.04"
    title: "Ubuntu 22.04.1 LTS, bare metal"
  }
  published: "2022-11-10T14:11:31+01:00"
  stats: {
    advisories: {}
    cves: {}
    exploits: {}
    packages: {
      total: 2315.000000
    }
  }
}
cnspec> asset.title
asset.title: "Ubuntu 22.04.1 LTS, bare metal"

The same happens for Ubuntu 20.04.

To Reproduce
Steps to reproduce the behavior:

  1. Open a cnspec shell into an ubuntu:20.04 image: cnspec shell docker image ubuntu:20.04
  2. query for vulnerability data: asset.vulnerabilityReport
  3. See empty report

Expected behavior
Report should show data when there are known CVEs.

Screenshots or CLI Output

Desktop (please complete the following information):

  • OS: Ubuntu 22.04 or 20.04
  • cnspec 7.2.0

Additional context

Windows Defender reports cnspec has a virus

Describe the bug

When I download cnspec for windows from github: https://github.com/mondoohq/cnspec/releases, Windows defender gives me the following...


To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots or CLI Output
If applicable, add screenshots or the CLI output to help explain your problem.

Desktop (please complete the following information):

  • OS: Windows 10
  • OS Version: [e.g. 13.0]
  • Browser - Chrome

Additional context
Add any other context about the problem here.

terminal left in a strange state after scan

Describe the bug
After running a scan with something like cnspec scan k8s --config ./path/to/config.json my terminal is left not echoing back the characters I type

To Reproduce
Steps to reproduce the behavior:

  1. Build cnspec
  2. Run a scan like cnspec scan k8s --discover deployments --namespace kube-system --config ./path/to/your/config.json
  3. After it completes the scan, the terminal prompt no longer is echoing back the characters typed into the keyboard.

Expected behavior
Terminal back in previous state.

Screenshots or CLI Output

[jdiaz@fedora cnspec (main %=)]$ ./cnspec scan k8s --discover deployments --namespace kube-system --config ~/Downloads/mondoo.json 
→ loaded configuration from /home/jdiaz/Downloads/mondoo.json using source --config
→ using service account credentials
→ discover related assets for 1 asset(s)
→ namespace filter has been set to "kube-system"
→ use cluster name from kube config cluster-name=minikube
→ resolved assets resolved-assets=1
→ connecting to asset kube-system/coredns (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% kube-system/coredns


Asset: kube-system/coredns
==========================
Data queries:
mondoo.version: "unstable"
platform.title: "Kubernetes Deployment, Kubernetes Cluster"
platform.release: ""
mondoo.jobEnvironment: {
  id: "client.mondoo.com"
  name: "Mondoo Client"
}
platform.arch: ""

Controls:


Summary (1 assets)
==================

Target:     kube-system/coredns
Datapoints: 5

Policies:
.  ..  Platform Overview Information by Mondoo

Report URL: https://console.mondoo.com/space/fleet/2IgUu43unL7aRsy7TC8Haye1vzq?spaceId=exciting-kare-592956

To get more information, please run this scan with "-o full".
[jdiaz@fedora cnspec (main %=)]$              <---- HERE I TYPED 'asdfasdfasdfasdf' AND NOTHING ON THE SCREEN
bash: asdfasdfasdfasdf: command not found...
[jdiaz@fedora cnspec (main %=)]$ 

Desktop (please complete the following information):

  • OS: linux
  • OS Version: Fedora 37
  • Browser if applicable n/a
  • Browser Version: n/a

Additional context
Also hearing reports of similar behavior for MacOS users.
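A shell wrapper that works around the symptom described above, added here as an example and not part of cnspec: it snapshots the terminal settings with `stty -g` before running a command and restores them afterwards, so a program that exits with echo disabled does not leave the shell in that state. The wrapped command is passed as arguments; the `cnspec scan` invocation in the usage comment is only an illustration.

```shell
#!/bin/sh
# Added example (not part of cnspec): run a command and restore the terminal
# settings that were in effect before it started.

# Run "$@" with the terminal state saved and restored around it.
# Returns the wrapped command's exit status so the wrapper is still usable
# in scripts and CI pipelines that act on that status.
run_with_tty_restore() {
  saved=""
  # stty -g prints the current settings in a form stty can read back.
  # It fails when stdin is not a terminal (e.g. in CI), in which case
  # there is nothing to restore and the step is skipped.
  if [ -t 0 ]; then
    saved=$(stty -g 2>/dev/null) || saved=""
  fi
  "$@"
  rc=$?
  if [ -n "$saved" ]; then
    # Fall back to "stty sane" if the saved string cannot be applied.
    stty "$saved" 2>/dev/null || stty sane 2>/dev/null
  fi
  return "$rc"
}

# Usage (interactive shell; the cnspec command line is illustrative):
#   run_with_tty_restore cnspec scan k8s --config ./path/to/config.json
```

The restore happens whether the command succeeds or fails, and the wrapped command's exit code is passed through unchanged, so `--score-threshold` style exit codes still reach the caller.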

Don't display (unknown) when connecting to assets

Describe the bug
The ASSET_NAME (HELPFUL TYPE VALUE) is only useful if we know it. When it's unknown it's just confusing. Just leave it out.

To Reproduce
Steps to reproduce the behavior:

  1. cnspec scan ssh IP_OF_A_HOST --incognito

Expected behavior
If we don't know sugar just skip it.

Screenshots

Desktop (please complete the following information):

  • OS: macOS

cnspec scan prints github token warning regardless of target

When I run a scan of a target I get a warning about the GitHub environment variable not being set, even if I am not scanning GitHub.

cnspec scan gcp --policy-bundle core/mondoo-gcp-security.mql.yaml
→ no configuration file provided
! Scanning with local policy bundles will switch into --incognito mode by default. Your results will not be sent upstream.
! invalid github token via environment variable, ignoring it
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1

Using the first example on the cnquery webpage on macOS doesn't work

Describe the bug
The cnquery web page shows users a ports.listening example as the first thing to try:

ports.listening{
  port
  process {
    executable
    pid
  }
  user.name
}

However, trying this on macOS results in an error message.

To Reproduce
Steps to reproduce the behavior:

  1. open cnspec shell local
  2. paste in the following query:
ports.listening{
  port
  process {
    executable
    pid
  }
  user.name
}
  3. Observe the error output:
cnquery> ports.listening {}
Query encountered errors:
could not detect suitable ports manager for platform: macos
ports.listening: []

Expected behavior
cnspec should return an array of open ports, with process, pid, executable, and user.

Desktop (please complete the following information):

  • OS: macOS 12.6 ARM
  • cnspec 7.0.0-alpha1 ARM

terraform scan with `-f` does not work

Describe the bug
Running cnspec terraform scan with a local policy-bundle does not work:

cnspec scan terraform ~/workspace/mondoo/github.com/mondoo-operator/.github/terraform/aws --policy-bundle ../cnspec-policies/core/mondoo-terraform-aws-security.mql.yaml 
→ loaded configuration from /home/christian/workspace/mondoo/examples/google-prod-local.yaml using source $MONDOO_CONFIG_PATH
→ using service account credentials
! Scanning with local policy bundles will switch into --incognito mode by default. Your results will not be sent upstream.
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ connecting to asset Terraform Static Analysis aws (code)

With the same policy taken from upstream, it works:

cnspec scan terraform ~/workspace/mondoo/github.com/mondoo-operator/.github/terraform/aws 
→ loaded configuration from /home/christian/workspace/mondoo/examples/google-prod-local.yaml using source $MONDOO_CONFIG_PATH
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ connecting to asset Terraform Static Analysis aws (code)

███████████████████████████████████████████████████████████████████████████ 100% Terraform Static Analysis aws


Asset: Terraform Static Analysis aws
====================================
Data queries:
...
Controls:
. Skipped: Ensure that the API Gateway uses a secure SSL/TLS configuration
...
✓ Pass:  Providers should not contain hard-coded credentials


Summary (1 assets)
==================

Target:     Terraform Static Analysis aws
Score:      A   100/100     (100% completed)
✓ Passed:   ███ 18% (3)
✕ Failed:   0% (0)
! Errors:   0% (0)
» Skipped:  ████████████ 82% (14)

Policies:
.  ..  Platform Overview Information by Mondoo
A 100  Terraform HCL Security Static Analysis for AWS by Mondoo
...

To Reproduce
Steps to reproduce the behavior:

  1. Scan a terraform directory with a local policy
  2. See that the output for the policy is missing

Expected behavior
cnspec should scan the directory and return the same results as with the upstream policy.

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • cnspec version: 7.7.1

Additional context
-f or --policy-bundle has the same result.

Doing the same with cnspec scan k8s ... works.

Errors in output should line up with other scores

Describe the bug
When an asset scan has an error in a control it leaves out the score which means the text doesn't line up and the table of data becomes hard to read.

To Reproduce
Steps to reproduce the behavior:

  1. Scan a Linux box with either mondoo scan local or mondoo scan ssh

Expected behavior
Control titles should all line up

Screenshots

Desktop (please complete the following information):

  • OS: macOS

error scanning k8s cluster

cnspec scan k8s -f ../../cnspec-policies/core/mondoo-kubernetes-security.mql.yaml
→ loaded configuration from /Users/chris/.config/mondoo/mondoo.yml using source default
! Scanning with local policy bundles will switch into --incognito mode by default. Your results will not be sent upstream.
! invalid github token via environment variable, ignoring it
→ discover related assets for 1 asset(s)
→ use cluster name from kube config cluster-name=minikube
→ resolved assets resolved-assets=11
→ connecting to asset K8S Cluster minikube (api)
→ connecting to asset kube-system/coredns (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXKk5iHVE91HlS3VTuesypL3
→ connecting to asset kube-system/coredns-64897985d-b7t87 (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXO8uDDyIl0kV1yJGuCNmopG
→ connecting to asset kube-system/etcd-minikube (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXOU0ibh3ysBgIRmpVZsGxcc
→ connecting to asset kube-system/kube-apiserver-minikube (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXN84ugoY5TIyG9n1TuFPW6Z
→ connecting to asset kube-system/kube-controller-manager-minikube (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXOd9Td7XCgaWYpHtajibRuE
→ connecting to asset kube-system/kube-proxy-f4djp (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXP3754Klh2cTx8UzdInG0nJ
→ connecting to asset kube-system/kube-scheduler-minikube (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXP28wfPDZiWG8kYbb1EVSMR
→ connecting to asset kube-system/storage-provisioner (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXOAOISkLFkSFf6XS5931MAs
→ connecting to asset kube-system/kube-proxy (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXQqJelKFwylrWhLJdEhp4K3
→ connecting to asset kube-system/coredns-64897985d (k8s-object)
→ client> send all results asset=//policy.api.mondoo.com/assets/2FlOXKseCVFsEDkjFfBMjyF62uT
FTL failed to run scan error="1 error occurred:\n\t* rpc error: code = InvalidArgument desc = asset does not match any of the activated policies\n\n"

The expectation is that it displays this as an asset error not as fatal error.

cnspec panics when running in GitHub Actions

Describe the bug
I tried to run the image scan GitHub action with cnspec inside a container.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x637d5b0]

goroutine 1 [running]:
go.mondoo.com/cnspec/policy/scan.(*LocalScanner).distributeJob(0xc0007fc780, 0xc001319bd0, {0x86ee748?, 0xc0011d4f60}, {{0x0, 0x0}, {0xc00116af80, 0x35}, {0xc0000c2120, 0x19}, ...})
	/home/benr/actions-runner/_work/cnspec/cnspec/policy/scan/local_scanner.go:180 +0xf50
go.mondoo.com/cnspec/policy/scan.(*LocalScanner).Run(0xc0007fc780, {0x86ee748?, 0xc0011d4f00?}, 0xc0009bfbd0)
	/home/benr/actions-runner/_work/cnspec/cnspec/policy/scan/local_scanner.go:100 +0x12c
go.mondoo.com/cnspec/apps/cnspec/cmd.RunScan(0xc0010f7e00)
	/home/benr/actions-runner/_work/cnspec/cnspec/apps/cnspec/cmd/scan.go:515 +0x317
go.mondoo.com/cnspec/apps/cnspec/cmd.glob..func18(0x0?, {0xc00031fb90?, 0x0?, 0x0?}, 0x0?, 0x0?)
	/home/benr/actions-runner/_work/cnspec/cnspec/apps/cnspec/cmd/scan.go:347 +0xc5
go.mondoo.com/cnquery/apps/cnquery/cmd/builder.dockerImageProviderCmd.func1(0xc000f4d200?, {0xc00031fb90?, 0x7?, 0x7?})
	/home/benr/go/pkg/mod/go.mondoo.com/[email protected]/apps/cnquery/cmd/builder/builder.go:387 +0x2e
github.com/spf13/cobra.(*Command).execute(0xc000f4d200, {0xc00031fab0, 0x7, 0x7})
	/home/benr/go/pkg/mod/github.com/spf13/[email protected]/command.go:920 +0x847
github.com/spf13/cobra.(*Command).ExecuteC(0xbb18a40)
	/home/benr/go/pkg/mod/github.com/spf13/[email protected]/command.go:1044 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
	/home/benr/go/pkg/mod/github.com/spf13/[email protected]/command.go:968
go.mondoo.com/cnspec/apps/cnspec/cmd.Execute()
	/home/benr/actions-runner/_work/cnspec/cnspec/apps/cnspec/cmd/root.go:70 +0x25
main.main()
	/home/benr/actions-runner/_work/cnspec/cnspec/apps/cnspec/cnspec.go:6 +0x17

To Reproduce
Steps to reproduce the behavior:

  1. Start the workflow in this PR: mondoohq/actions#40
  2. Wait for the image scan to start
  3. Wait for it to crash
  4. See error

Expected behavior
Scan should run without error.

Screenshots

Desktop (please complete the following information):
cnspec latest image:

Digest: sha256:f9350303514e8b16af624304215318a2f9ef4ff74b28a64cdc9e6e850f6393a5
Status: Downloaded newer image for mondoo/cnspec:latest

Additional context
Link to a failed run:
https://github.com/mondoohq/actions/actions/runs/3376068206/jobs/5603368838

From what I currently know, it is a mismatch between the platform-id and the platformMrn:

→ syncing assets
DBG got assets details assets=1
DBG asset mapping asset=//assets.api.mondoo.app/spaces/mondoo-github-actions/assets/2Gz67q8Woe5MsAztNXK8RwwC8hf platform-mrn=//platformid.api.mondoo.app/runtime/cicd/actions.github.com/mondoohq-actions/ref/refs-pull-40-merge/run/3376068206/job/docker-build-scan-push/action/__self/hash/3e84d63b07343b5fa4fbf5dbf6fbf41fefd7aa76b4c06ebcfeb1ebde31d072ff
DBG update asset asset=index.docker.io/library/ubuntu@7cfe75438fc7 platform-ids=["//platformid.api.mondoo.app/runtime/docker/images/7cfe75438fc77c9d7235ae502bf229b15ca86647ac01c844b272b56326d56184"]

cnspec exits when too many args are specified

Describe the bug
When we call cnspec from inside a GitHub action, the action might add an empty arg to the command, e.g.:

/usr/bin/docker run ... mondoo/cnspec  "scan" "docker" "image" "mondoo-test:0.1.0" "--output" "compact" "--score-threshold" "0" "--log-level" "debug" ""

This results in an error:

...
Status: Downloaded newer image for mondoo/cnspec:latest
Error: accepts 1 arg(s), received 2
Usage:
...

This happens, because the action allows the user to specify additional args/parameters:
https://github.com/mondoohq/actions/pull/40/files#diff-d39e3d8374eded08ccdff5f7a8615006dd4d646d94f4eea996e30dca97790669R42

But, when nothing is specified it results in an empty arg "".

To Reproduce
Steps to reproduce the behavior:

  1. Re-run the job linked below
  2. Wait
  3. See error

Expected behavior
cnspec should ignore the empty arg.

Additional context

Failed action job: https://github.com/mondoohq/actions/actions/runs/3419398794/jobs/5692869897

Looks similar to this one: actions/runner#924
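How the empty argument described above arises, and how a wrapper can avoid forwarding it, as an added example that is not code from cnspec or the mondoohq/actions repository. The image name and wrapper functions are constructed for illustration; nothing is executed, the functions only count the positional arguments that would reach the CLI.

```shell
#!/bin/sh
# Added example (not part of cnspec or mondoohq/actions): an optional
# "extra args" input that is left unset becomes an empty positional
# argument "" when it is always expanded in double quotes.

# Buggy wrapper form: "$extra" is always expanded, so an empty input adds
# an empty argument and an "accepts N arg(s)" validator is off by one.
buggy_arg_count() {
  extra="$1"
  set -- scan docker image "example-image:0.1.0" --output compact "$extra"
  echo "$#"
}

# Fixed wrapper form: ${extra:+"$extra"} expands to nothing at all when the
# variable is empty or unset, so no empty argument is forwarded.
fixed_arg_count() {
  extra="$1"
  set -- scan docker image "example-image:0.1.0" --output compact ${extra:+"$extra"}
  echo "$#"
}

# Defensive check for the receiving side: count empty positional arguments
# so a CLI can drop or reject them with a clear message instead of a
# confusing argument-count error.
count_empty_args() {
  n=0
  for a in "$@"; do
    if [ -z "$a" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}
```

With the input unset, the buggy form forwards seven arguments (the last one empty) and the fixed form six; when the input is set, both forward it as one argument. A wrapper that needs to pass several extra words would have to split them deliberately rather than rely on unquoted expansion.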

No built in policies for `cnspec scan github user FOO`

We don't have any policies that apply when doing GitHub user scans:

→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ discover related assets for 1 asset(s)
! WARNING: you are using an early access feature feature=GITHUB status=experimental
→ resolved assets resolved-assets=1
→ connecting to asset Tim Smith (api)
! WARNING: you are using an early access feature feature=GITHUB status=experimental
FTL failed to run scan error="1 error occurred:\n\t* rpc error: code = InvalidArgument desc = asset does not match any of the activated policies\n\n"

`--token` flag doesn't show up in `cnspec scan github -h`

cnspec scan github requires the use of the --token flag, but it doesn't show up in the GitHub help. Weirdly enough it shows up in GitLab, but that's a totally different bug.

 ~/d/cnspec   $  cnspec scan github -h
Scan a GitHub organization or repository

Usage:
  cnspec scan github SUBCOMMAND [flags]
  cnspec scan github [command]

Available Commands:
  org
  repo        Scan a GitHub repository
  user        Scan a GitHub user

Flags:
      --annotation stringToString        annotation for asset (default [])
      --ask-pass                         ask for connection password
  -t, --connection string                set the method used to connect to the asset. supported connections are 'local://', 'docker://' and 'ssh://'
      --detect-cicd                      tries to detect CI/CD environments and sets the asset category to 'cicd' if detected (default true)
      --discover string                  enable the discovery of nested assets. Supported are 'all|instances|host-instances|host-machines|container|container-images|pods|cronjobs|statefulsets|deployments|jobs|replicasets|daemonsets'
      --discover-filter stringToString   additional filter for asset discovery (default [])
  -h, --help                             help for github
      --id-detector string               user-override for platform id detection mechanism, supported are hostname, machine-id, aws-ec2, cloud-detect, ssh-host-key, transport-platform-id
  -i, --identity-file string             selects a file from which the identity (private key) for public key authentication is read
      --incognito                        incognito mode. do not report scan results to the Mondoo platform.
      --insecure                         disable TLS/SSL checks or SSH hostkey config
      --inventory-ansible                set inventory format to ansible
      --inventory-domainlist             set inventory format to domain list
      --inventory-file string            path to inventory file
      --no-pager                         disable interactive scan output pagination
      --option stringToString            addition connection options, multiple options can be passed in via --option key=value (default [])
  -o, --output string                    set output format: json, junit, csv, compact, summary, full, report, yaml (default "compact")
      --pager string                     enable scan output pagination with custom pagination command. default is 'less -R'
  -p, --password string                  password e.g. for ssh/winrm
      --path string                      path to a local file or directory that the connection should use
      --policy strings                   list of policies to be executed (requires incognito mode), multiple policies can be passed in via --policy POLICY
  -f, --policy-bundle strings            path to local policy bundle file
      --score-threshold int              if any score falls below the threshold, exit 1
      --sudo                             run with sudo

Global Flags:
      --config string      config file (default is $HOME/.config/mondoo/mondoo.yml)
      --log-level string   set log-level: error, warn, info, debug, trace (default "info")
  -v, --verbose            verbose output

Use "cnspec scan github [command] --help" for more information about a command.
 ~/d/cnspec   $  cnspec scan github org foo --incognito
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
! invalid github token via environment variable, ignoring it
→ discover related assets for 1 asset(s)
! WARNING: you are using an early access feature feature=GITHUB status=experimental
→ resolved assets resolved-assets=0
x could not resolve asset error="a valid GitHub token is required, pass --token '<yourtoken>' or set GITHUB_TOKEN environment variable" asset=
FTL failed to run scan error="failed to resolve multiple assets"

FTL failed to run query error="exec: \"cnquery\": executable file not found in $PATH"

I installed cnspec on a new Linux VM (amazon linux 2) and ran the following query:

sudo cnspec run -c "sshd.config.params["MaxAuthTries"] <= 4"

The result:

FTL failed to run query error="exec: \"cnquery\": executable file not found in $PATH"

To Reproduce
Steps to reproduce the behavior:

  1. Provision new linux host
  2. install cnspec
  3. sudo cnspec run -c "sshd.config.params["MaxAuthTries"] <= 4"
cnspec version
cnspec 7.5.1 (e401f52, 2022-11-24T17:42:30Z)

Additional context
Add any other context about the problem here.

Add non-root container images

Is your feature request related to a problem? Please describe.
The container images currently run as root by default:

docker run -ti --entrypoint=sh mondoo/cnspec
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

Describe the solution you'd like
They should run with a non-root user by default.

Describe alternatives you've considered

Additional context
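A small policy-style check for the request above, added here as an example and not part of cnspec: it determines the user an image built from a Dockerfile would run as (the last `USER` instruction of the final stage, or root when there is none) and flags images that default to root. The Dockerfiles are constructed sample inputs, not the project's own.

```shell
#!/bin/sh
# Added example (not part of cnspec): detect container images whose
# Dockerfile leaves them running as root.

# Constructed sample: no USER instruction, so the image runs as root.
DOCKERFILE_ROOT='FROM alpine:3.17
RUN apk add --no-cache ca-certificates
ENTRYPOINT ["/usr/local/bin/example"]'

# Constructed sample: the final stage creates and switches to a
# dedicated unprivileged user.
DOCKERFILE_NONROOT='FROM golang:1.19 AS build
RUN go build -o /out/example ./...
FROM alpine:3.17
RUN addgroup -S app && adduser -S -G app app
COPY --from=build /out/example /usr/local/bin/example
USER app
ENTRYPOINT ["/usr/local/bin/example"]'

# Constructed sample: USER only appears in the build stage, which does not
# carry over to the final image, so it still runs as root.
DOCKERFILE_STAGE_ONLY='FROM golang:1.19 AS build
USER builder
RUN go build -o /out/example ./...
FROM alpine:3.17
COPY --from=build /out/example /usr/local/bin/example'

# Print the effective user of the image described by the Dockerfile text in $1:
# the last USER instruction after the last FROM, or "root" if there is none.
effective_user() {
  printf '%s\n' "$1" | awk '
    toupper($1) == "FROM" { u = "" }   # each stage starts as root again
    toupper($1) == "USER" { u = $2 }
    END { print (u == "" ? "root" : u) }'
}

# Succeed (exit 0) when the image would run as root, by name or by uid 0.
runs_as_root() {
  case "$(effective_user "$1")" in
    root|root:*|0|0:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: report each sample's effective user and whether it needs attention.
for df in "$DOCKERFILE_ROOT" "$DOCKERFILE_NONROOT" "$DOCKERFILE_STAGE_ONLY"; do
  if runs_as_root "$df"; then
    echo "runs as root (user: $(effective_user "$df"))"
  else
    echo "runs as non-root (user: $(effective_user "$df"))"
  fi
done
```

The stage reset matters in practice: a `USER` in a build stage is easy to mistake for a hardened image, but only the final stage's user is baked into the image that ships.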

Doesn't work with podman

What is not working as you expected it?
When running
cnspec scan docker container ddb24f700640
You get the error...

x could not resolve asset error="Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?" asset=ddb24f700640
FTL failed to run scan error="failed to resolve multiple assets"

The error is correct, I am not using docker.

Where on the platform does it happen?
cnspec

How do we replicate the issue?
Ubuntu OS with podman installed, no docker installed.
From Ubuntu 20.10 onward it can be installed with apt-get install podman

Expected behavior (i.e. solution)
I don't know if I would expect the docker sub command to be able to pick up that podman is being used or if maybe an additional podman sub command should be added, or if maybe there should be a generic container sub command that covers all possible container engines.
Podman containers are stored in ~/.local/share/containers
https://docs.podman.io/en/latest/_static/api.html
It would be nice to be able to scan any container regardless of container engine.
Maybe even an option where you can point it at the image on disk?
All up for discussion, I'm just raising awareness of my use case.

Other Comments
All these other tools like podman use the OCI standard so there should be a way of doing this that I'm not clever enough to figure out.
Maybe there is a way to do this that I've just missed?

I expected the container sub command to work on local files but that does not seem to be the case...

$ cnspec scan container ddb24f700640
→ no configuration file provided
! No credentials provided. Switching to --incogito mode.
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=0
x could not resolve asset error="could not find the container reference: cannot list repo index.docker.io/library/ddb24f700640:latest due to missing container registry credentials" asset=ddb24f700640
FTL failed to run scan error="failed to resolve multiple assets"

Also this looks like an amazing tool.
Thank you :-)

Scanning an asset that does not have a matching policy results in an error

Describe the bug
When I run a scan and I do not have any policies applicable for an asset from that scan, I see errors:

Summary (11 assets)
===================

Target:     K8s Cluster minikube
✕ Errors:   rpc error: code = InvalidArgument desc = asset does not match any of the activated policies

Target:     kube-system/coredns
✕ Errors:   rpc error: code = InvalidArgument desc = asset does not match any of the activated policies

Target:     kube-system/coredns-565d847f94
✕ Errors:   rpc error: code = InvalidArgument desc = asset does not match any of the activated policies

Target:     kube-system/coredns-565d847f94-l7gxx
Score:      A   100/100     (100% completed)
✓ Passed:   ███████████████ 100% (1)
✕ Failed:   0% (0)
! Errors:   0% (0)
» Skipped:  0% (0)

To Reproduce
Steps to reproduce the behavior:

  1. Create a new space
  2. Disable all policies
  3. Scan something

Expected behavior
I think we can show a warning or info message but this should definitely not be an error.

panics when invalid --policy filter is used

Describe the bug

as reported by @username-is-already-taken2

cnspec scan local --policy cnspec-policies/core/mondoo-linux-security.mql.yaml 
→ loaded configuration from /home/chris/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x63136ee]

goroutine 1 [running]:
go.mondoo.com/cnspec/policy.(*Bundle).FilterPolicies(0x0, {0xc000f541a0, 0x1, 0xc000fd1918?})
	/home/benr/actions-runner/_work/cnspec/cnspec/policy/bundle.go:222 +0x12e
go.mondoo.com/cnspec/policy/scan.(*LocalScanner).distributeJob(0xc000863320?, 0xc000fd1b58, {0x8ba2c28?, 0xc001611ec0}, {{0x0, 0x0}, {0xc00138c180, 0x32}, {0xc000582780, 0x19}, ...})
	/home/benr/actions-runner/_work/cnspec/cnspec/policy/scan/local_scanner.go:224 +0x5e8
go.mondoo.com/cnspec/policy/scan.(*LocalScanner).Run(0x8ba2bb8?, {0x8ba2c28?, 0xc001611e60?}, 0xc000fd1b58)
	/home/benr/actions-runner/_work/cnspec/cnspec/policy/scan/local_scanner.go:142 +0x15b
go.mondoo.com/cnspec/apps/cnspec/cmd.RunScan(0xc0010221b0)
	/home/benr/actions-runner/_work/cnspec/cnspec/apps/cnspec/cmd/scan.go:539 +0x35f
go.mondoo.com/cnspec/apps/cnspec/cmd.glob..func18(0x0?, {0xc0000ffb40?, 0x0?, 0x0?}, 0x0?, 0x0?)
	/home/benr/actions-runner/_work/cnspec/cnspec/apps/cnspec/cmd/scan.go:348 +0xd9
go.mondoo.com/cnquery/apps/cnquery/cmd/builder.localProviderCmd.func1(0xc001400000?, {0xc0000ffb40?, 0x2?, 0x2?})
	/home/benr/go/pkg/mod/go.mondoo.com/[email protected]/apps/cnquery/cmd/builder/builder.go:193 +0x2b
github.com/spf13/cobra.(*Command).execute(0xc001400000, {0xc0000ffb20, 0x2, 0x2})
	/home/benr/go/pkg/mod/github.com/spf13/[email protected]/command.go:920 +0x847
github.com/spf13/cobra.(*Command).ExecuteC(0xc192f60)
	/home/benr/go/pkg/mod/github.com/spf13/[email protected]/command.go:1044 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
	/home/benr/go/pkg/mod/github.com/spf13/[email protected]/command.go:968
go.mondoo.com/cnspec/apps/cnspec/cmd.Execute()
	/home/benr/actions-runner/_work/cnspec/cnspec/apps/cnspec/cmd/root.go:76 +0x25
main.main()
	/home/benr/actions-runner/_work/cnspec/cnspec/apps/cnspec/cnspec.go:6 +0x17

To Reproduce

Download latest cnspec and provide an invalid --policy filter

Expected behavior

  • detect that the provided policy is not available and display a warning
  • if the user provides an argument with .mql.yaml at the end, display warning that --policy-bundle is probably the right argument

Screenshots or CLI Output

n/a

Desktop (please complete the following information):

  • OS: [e.g. macOS]
  • OS Version: [e.g. 13.0]
  • Browser if applicable [e.g. Chrome, Firefox]
  • Browser Version: [e.g. 106]

Additional context

n/a

Progress bars not displayed correctly

Describe the bug
The progress bars for scanning an asset do not show up correctly in the CLI. It happens consistently when I run a cluster scan that has a decent amount of assets.

To Reproduce
Steps to reproduce the behavior:

  1. Run cnspec scan k8s for a cluster
  2. See output

Expected behavior
There should be 1 line with a progress bar per asset.

Screenshots

Scan errors are not reported upstream

Describe the bug
When an error occurs while scanning an asset, the error is not reported upstream. The asset remains unscored and there is no message containing the scan error. This is something that Mondoo already does.

To Reproduce
Steps to reproduce the behavior:

  1. Scan an asset with an error (we did it with EBS scanning)
  2. Open the UI
  3. See the asset is U and has no error message

Expected behavior
The asset should be X and the error should be there

Add a v7 tag to the container image

Is your feature request related to a problem? Please describe.
For the actions, it would be nice to have a tag with the major version.
Currently, we pull latest: mondoohq/actions#40

We should be able to pin to a major version.

Describe the solution you'd like
Add a tag, currently v7, which points to the latest release version, e.g., v7.3.0.

Describe alternatives you've considered
We could pin to v7.3.0, but would then need to update the action with every cnspec release.

Additional context
Add any other context or screenshots about the feature request here.

Batch SynchronizeAssets calls

In #172 we moved from calling SynchronizeAssets after discovery to calling it for each asset individually before running the actual scan. This was needed in order to properly set the platform information for the asset. The solution is a quick fix and is not ideal. We should look into batching SynchronizeAssets calls such that we don't spam our back-ends.

cnspec scan with no parameters should print the help for scan

What is not working as you expected it?
When you run cnspec scan with no target you get the following...

cnspec scan
→ no configuration file provided
! No credentials provided. Switching to --incogito mode.
→ discover related assets for 0 asset(s)
→ resolved assets resolved-assets=0
FTL failed to run scan error="could not find an asset that we can connect to"

Where on the platform does it happen?
cnspec binary on a local system

How do we replicate the issue?
run cnspec scan with no target

Expected behavior (i.e. solution)
When a user runs cnspec scan with no target, I would expect a useful error message that we expected a target but no target was specified, and then print the help for cnspec scan.

Other Comments

cnspec Hosted Policies Score 0

Testing a scan of Ubuntu:18.04 from within a container, controls are scored but policies are scored 0. cnspec client version was 7.6.0.

$ docker run -ti ubuntu:18.04 bash
...
root@1b3c9f51e368:/# export MONDOO_CONFIG_BASE64=eyJt.....
root@1b3c9f51e368:/# cnspec scan local
....
Controls:
✕ Fail:  B  70  Ensure minimum days between password changes is configured
✓ Pass:  Ensure IMAP and POP3 server are not installed
✓ Pass:  Ensure telnet server is stopped and not enabled
....
✕ Fail:  D  20  Ensure permissions on /etc/cron.daily are configured
✓ Pass:  Ensure rsh server is stopped and not enabled
✓ Pass:  Ensure noexec option set on /dev/shm partition
✓ Pass:  Ensure Samba is stopped and not enabled
. Skipped: Ensure journald is configured to write logfiles to persistent disk
✓ Pass:  Ensure system accounts are non-login
. Skipped: Ensure secure permissions on /etc/group- are set
✓ Pass:  Ensure password hashing algorithm is SHA-512

Vulnerabilities:
  ■  SCORE  PACKAGE  INSTALLED         FIXED             AVAILABLE         
  ■  3.3    login    1:4.5-1ubuntu2.3  1:4.5-1ubuntu2.5  1:4.5-1ubuntu2.3  
  ■  3.3    passwd   1:4.5-1ubuntu2.3  1:4.5-1ubuntu2.5  1:4.5-1ubuntu2.3  

Overall CVSS score: 3.3


Summary (1 assets)
==================

Target:     1b3c9f51e368
Score:      D    25/100     (100% completed)
✓ Passed:   ██████ 43% (100)
✕ Failed:   █████ 30% (70)
! Errors:   ███ 20% (46)
» Skipped:  █ 7% (17)

Policies:
F   0  Linux Security Baseline by Mondoo (deprecated)
F   0  CIS Ubuntu Linux 18.04 LTS Benchmark - Level 1 - Server
.  ..  Platform Overview Information by Mondoo
F   0  CIS Ubuntu Linux 18.04 LTS Benchmark - Level 2 - Server
B  60  Platform End-of-Life Policy by Mondoo
B  67  Platform Vulnerability Policy by Mondoo

Report URL: https://console.mondoo.com/space/fleet/2IKhCIokyTv2SAvAVVTIMdz0Wgi?spaceId=wizardly-sanderson-742451

cnspec scan is returning failures for everything

Describe the bug
Right now cnspec scans of a Linux host of mine are showing everything as failed even when the queries are OK.

To Reproduce
Steps to reproduce the behavior:

  1. Scan a host: cnspec scan ssh IP_OF_HOST --incognito -o full

Expected behavior
Queries that pass should not fail the controls

Screenshots

Desktop (please complete the following information):

  • OS: macOS

Confusing output when scanning multiple K8s manifests by folder

Describe the bug
When you provide cnspec with a directory to scan for manifests the output is not entirely clear.

 ~/dev  cnspec scan k8s lunalectric/
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=5
→ connecting to asset K8s Manifest lunalectric (code)

███████████████████████████████████████████████████████████████████████████ 100% K8s Manifest lunalectric
→ connecting to asset luna/postgres (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
→ connecting to asset luna/luna-frontend (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend
→ connecting to asset luna/postgres (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% luna/postgres
→ connecting to asset luna/luna-frontend (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend

The start of the scan states K8s Manifest lunalectric when there is no actual manifest named lunalectric. lunalectric is the directory of manifests. We then proceed to provide a progress bar for this fictitious manifest, which is confusing.

Switch to an easier to read ASCII art banner

Describe the bug
The ASCII art banner is hard to read, especially on a dark terminal. We need to switch to a better font.

To Reproduce
Steps to reproduce the behavior:

  1. Run cnspec -h

Expected behavior
Easy to read banner name

Screenshots

Desktop (please complete the following information):

  • OS: macOS
  • Version: 13

Errors are not printing out correctly in cnspec

Describe the bug
When scanning a docker image I hit an error in cnspec that printed to the screen with \n and \t printed instead of being interpreted. The same error printed out correctly in mondoo client.

To Reproduce
Steps to reproduce the behavior:

  1. Run cnspec scan docker image openjdk:18.0-nanoserver --incognito
  2. See error

Expected behavior
\n and \t are interpreted to format the error message correctly.

Screenshots

Desktop (please complete the following information):

  • OS: macOS
  • Browser: N/A
  • Version: N/A

Additional context
Nope

"error": "cannot convert primitive with NO type information"

Describe the bug
When running the Mondoo Linux Security policy the Ensure mail transfer agent is configured for local-only mode control fails with "error": "cannot convert primitive with NO type information".

To Reproduce
Steps to reproduce the behavior:

  1. cnspec scan container ubuntu:latest
  2. Follow scan result
  3. Look at linux security policy
  4. See error

Expected behavior
In this case I think it should have passed.

Screenshots

`cnspec scan github -h` doesn't include a description of org scan

The cnspec scan github help includes descriptions of repo and user, but not org.

 !  ~/d/cnspec   $  cnspec scan github -h
Scan a GitHub organization or repository

Usage:
  cnspec scan github SUBCOMMAND [flags]
  cnspec scan github [command]

Available Commands:
  org
  repo        Scan a GitHub repository
  user        Scan a GitHub user

Flags:

Some output formatters don't do anything

Describe the bug
Some of the listed output formatters silently do nothing.

help says it supports these formats:

  -o, --output string                    set output format: yaml, json, junit, csv, compact, summary, full, report (default "compact")

To Reproduce
Steps to reproduce the behavior:

  1. run cnspec scan k8s lunaelectric/frontend/frontend.yml --output junit
  2. run cnspec scan k8s lunaelectric/frontend/frontend.yml --output yaml
  3. run cnspec scan k8s lunaelectric/frontend/frontend.yml --output csv

Expected behavior
Should work similar to cnspec scan k8s lunaelectric/frontend/frontend.yml --output json where we get output

Screenshots or CLI Output

junit output that just reports nothing instead of junit:

 ~/dev  cnspec scan k8s lunaelectric/frontend/frontend.yml --output junit
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ discovery option auto is used. This will detect the assets: cluster, jobs, cronjobs, pods, statefulsets, deployments, replicasets, daemonsets
→ resolved assets resolved-assets=2
→ connecting to asset K8s Manifest frontend (code)

███████████████████████████████████████████████████████████████████████████ 100% K8s Manifest frontend
→ connecting to asset luna/luna-frontend (k8s-object)

███████████████████████████████████████████████████████████████████████████ 100% luna/luna-frontend

Desktop (please complete the following information):

  • OS: macOS
  • OS Version: 13

Running `cnspec shell` on macOS without specifying a target returns an unhelpful error message

Describe the bug
Running cnspec shell on macOS without specifying a target returns an unhelpful error message

To Reproduce
Steps to reproduce the behavior:

  1. Run cnspec shell without additional arguments.
  2. Observe output:
❯ ./cnspec shell
→ loaded configuration from /Users/chip/.config/mondoo/mondoo.yml using source default
→ discover related assets for 0 asset(s)
→ resolved assets resolved-assets=0
FTL could not find an asset that we can connect to

Expected behavior
cnspec shell should either connect to local by default, or it should provide friendly output with a list of possible targets, explaining how to use them.

Desktop (please complete the following information):
This bug was observed using cnspec 6.19, on macOS 12.6.

cnspec bundle format should accept multiple files

Is your feature request related to a problem? Please describe.
cnspec bundle format is an interesting command, but I want to quickly format all my files. Instead I have to specify them one at a time or write a loop in bash/fish to run the command for each file in a dir.

Describe the solution you'd like
It would be nice in a dir to be able to run cnspec bundle format * and have cnspec do the right thing with the multiple inputs.

Describe alternatives you've considered
🤷

Additional context

-o full is not working

Describe the bug
After running a scan such as cnspec scan aws, a message is printed that says: To get more information, please run this scan with "-o full". However, if I run cnspec scan aws -o full I get the same message as before.

To Reproduce
Steps to reproduce the behavior:

  1. Open a terminal
  2. run cnspec scan aws
  3. run cnspec scan aws -o full

Expected behavior
I am expecting to see the full output with the queries and results.

Screenshots

Desktop (please complete the following information):

  • OS: macOS
  • Browser if applicable [e.g. Chrome, Safari]
  • Version cnspec 6.19.0 (3ca9767, 2022-10-11T19:21:29Z)

Additional context
Add any other context about the problem here.

AlmaLinux 8&9 container scan not detecting OS properly

Describe the bug
AlmaLinux 8 container scan is not detecting the OS, which breaks service, package, and basically the whole mondoo scan.

To Reproduce
Steps to reproduce the behavior:

  1. cnspec scan container almalinux:8
  2. See errors

Expected behavior
Scans w/o error.

Screenshots

 ~/dev  cnspec scan container almalinux:8
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ syncing assets
→ connecting to asset index.docker.io/library/almalinux@56ec0a505cbd (container-image)
! resolver.db> failed to store data, types don't match asset=//assets.api.mondoo.app/spaces/practical-visvesvaraya-957532/assets/2H3sJ4Pw5FDqr8SF5IvLQLxHU7K checksum=aqYNhAltcEb8Us9rrSndGyONs5+/eu8zKLjtc3MhT1V9wzIHoZniQylGNL6k9+ftj8MnoMI/18dd3mMzIxBBhA== data={"type":"\u001bservice"} expected=block received=service
x failed to send datapoints error="1 error occurred:\n\t* failed to store data for \"aqYNhAltcEb8Us9rrSndGyONs5+/eu8zKLjtc3MhT1V9wzIHoZniQylGNL6k9+ftj8MnoMI/18dd3mMzIxBBhA==\", types don't match: expected block, got service\n\n"


Asset: index.docker.io/library/almalinux@56ec0a505cbd
=====================================================
Data queries:
packages.list.length: 149
error: Query encountered errors:
failed to create resource 'service': could not retrieve service list
service: no data available
error: Query encountered errors:
could not determine kernel version
kernel.installed: []
error: Query encountered errors:
could not parse uptime:
os.uptime: 3 seconds
platform.arch: "amd64"
error: Query encountered errors:
run command not supported on this transport
command.stderr: ""
error: Query encountered errors:
run command not supported on this transport
if: no data available
platform.eol.date: 2029-05-31 17:00:00 -0700 PDT
error: Query encountered errors:
could not detect hostname
os.hostname: ""
platform.vulnerabilityReport: {
  platform: {
    arch: "amd64"
    name: "almalinux"
    release: "8.6"
    title: "AlmaLinux 8.6 (Sky Tiger), Docker Image"
  }
  published: "2022-11-04T01:34:45Z"
  stats: {
    advisories: {}
... 7 more lines ...
mondoo.jobEnvironment: {
  id: "client.mondoo.com"
  name: "Mondoo Client"
}
platform.release: "8.6"
mondoo.version: "unstable"
platform.title: "AlmaLinux 8.6 (Sky Tiger), Docker Image"

Controls:
! Error: Ensure events that modify date and time information are collected
✕ Fail:  Ensure audit logs are not automatically deleted
! Error: Ensure tftp server is stopped and not enabled
! Error: Ensure file deletion events by users are collected
✓ Pass:  Ensure secure permissions on /etc/group are set
! Error: Ensure rsyslog Service is enabled
! Error: Ensure HTTP servers are stopped and not enabled
✓ Pass:  Ensure X Window System is not installed
✕ Fail:  F   0  Ensure IPv6 router advertisements are not accepted
! Error: Ensure Avahi server is stopped and not enabled
! Error: Ensure core dumps are restricted
✓ Pass:  Ensure default group for the root account is GID 0
! Error: Ensure rsh server is stopped and not enabled
! Error: Ensure NFS and RPC are stopped and not enabled
✓ Pass:  Ensure system accounts are non-login
✓ Pass:  Ensure UID_MIN is set to 1000
✓ Pass:  Ensure no duplicate group names exist
! Error: Ensure IMAP and POP3 server is stopped and not enabled
✕ Fail:  F   0  Ensure source routed packets are not accepted
✕ Fail:  C  40  Ensure rsyslog default file permissions configured
! Error: Ensure events that modify the system's network environment are collected
! Error: Ensure session initiation information is collected
✓ Pass:  Ensure root group is empty
. Skipped: Ensure secure permissions on all log files are set
✕ Fail:  C  40  Ensure Advanced Intrusion Detection Environment (AIDE) is installed
✕ Fail:  C  40  Ensure IP forwarding is disabled
✕ Fail:  F   0  Ensure broadcast ICMP requests are ignored
✕ Fail:  C  40  Ensure journald is configured to send logs to rsyslog
✓ Pass:  Ensure secure permissions on /etc/gshadow are set
✕ Fail:  F   0  Ensure secure ICMP redirects are not accepted
! Error: Ensure FTP server is stopped and not enabled
✕ Fail:  F   0  Ensure packet redirect sending is disabled
✕ Fail:  C  40  Ensure rsyslog is installed
✕ Fail:  F   0  Ensure access to the su command is restricted
✓ Pass:  Ensure no duplicate GIDs exist
! Error: Ensure rsync service is stopped and not enabled
! Error: Ensure CUPS is stopped and not enabled
✓ Pass:  Ensure secure permissions on /etc/shadow are set
! Error: Ensure filesystem integrity is regularly checked
✕ Fail:  D  20  Ensure audit log storage size is configured
! Error: Ensure talk server is stopped and not enabled
! Error: Ensure LDAP server is stopped and not enabled
✕ Fail:  F   0  Ensure Reverse Path Filtering is enabled
! Error: Ensure login and logout events are collected
✕ Fail:  B  60  Ensure journald is configured to compress large log files
! Error: Ensure events that modify the system's Mandatory Access Controls are collected
✕ Fail:  F   0  Ensure TCP SYN Cookies is enabled
✕ Fail:  C  40  Ensure journald is configured to write logfiles to persistent disk
✓ Pass:  Ensure secure permissions on /etc/gshadow- are set
✓ Pass:  Ensure no known platform CVEs exist
✓ Pass:  Ensure the platform is not End-of-Life
✓ Pass:  Ensure no known platform advisories exist
! Error: Ensure events that modify user/group information are collected
✕ Fail:  D  20  Ensure suspicious packets are logged
✓ Pass:  Ensure each user is a member of a group
! Error: Ensure SNMP server is stopped and not enabled
✓ Pass:  Ensure secure permissions on /etc/passwd are set
! Error: Ensure NIS server is stopped and not enabled
✓ Pass:  Platform is not end-of-life
! Error: Ensure Samba is stopped and not enabled
! Error: Ensure system administrator actions (sudolog) are collected
! Error: Ensure discretionary access control permission modification events are collected
! Error: Ensure the audit configuration is immutable
! Error: Ensure mail transfer agent is configured for local-only mode
. Skipped: Ensure auditing for processes that start prior to auditd is enabled
✓ Pass:  Ensure all GIDs in /etc/passwd exist in /etc/group
. Skipped: Ensure shadow group is empty
! Error: Ensure HTTP Proxy server is stopped and not enabled
✕ Fail:  F   0  Ensure secure permissions on /etc/group- are set
✕ Fail:  C  40  Ensure system is disabled when audit logs are full
! Error: Ensure telnet server is stopped and not enabled
! Error: Ensure unsuccessful unauthorized file access attempts are collected
✕ Fail:  F   0  Ensure address space layout randomization (ASLR) is enabled
✓ Pass:  Ensure no duplicate UIDs exist
! Error: Ensure successful file system mounts are collected
✓ Pass:  Ensure secure permissions on /etc/shadow- are set
✓ Pass:  Ensure no duplicate user names exist
! Error: Ensure kernel module loading and unloading is collected
✕ Fail:  F   0  Ensure ICMP redirects are not accepted
! Error: Ensure sudo logging is enabled
✕ Fail:  F   0  Ensure bogus ICMP responses are ignored
✕ Fail:  D  20  Ensure auditd is installed
! Error: Ensure changes to system administration scope (sudoers) is collected
! Error: Ensure DNS server is stopped and not enabled
✕ Fail:  F   0  Ensure secure permissions on /etc/passwd- are set
! Error: Ensure DHCP server is stopped and not enabled
✓ Pass:  Ensure prelink is disabled
! Error: Ensure auditd service is enabled

Vulnerabilities:
■ No advisories found (passed)

Overall CVSS score: 0.0


Summary (1 assets)
==================

Target:     index.docker.io/library/almalinux@56ec0a505cbd
Score:      B    66/100     (100% completed)
✓ Passed:   ████ 25% (22)
✕ Failed:   ████ 28% (25)
! Errors:   ██████ 43% (38)
» Skipped:  █ 3% (3)

Policies:
F   0  Linux Security by Mondoo
.  ..  Platform Overview Information by Mondoo
A 100  Platform Vulnerability Policy by Mondoo
A 100  Platform End-of-Life Policy by Mondoo

Report URL: FOO

To get more information, please run this scan with "-o full".


`Mondoo Client` still used in several errors

Describe the bug
There are several places in the code base that still say Mondoo Client

To Reproduce
Steps to reproduce the behavior:

  1. Open the source code
  2. Search for Mondoo Client

Expected behavior
cnspec for life!

Screenshots

Failed to find GitHub asset error message is not clear

Describe the bug
If you typo a GitHub repo in your cnspec scan you get an unclear error message that we should improve. Today it's fairly generic since it comes from a function that handles orgs and repos. We need to be more clear what we couldn't find and what that means for the user. This is the sort of message they're going to get day 1, so it's critical we hold hands on these.

To Reproduce
Steps to reproduce the behavior:

  1. Run cnspec scan github repo Lunalectric/does-not-exist
  2. See error that doesn't lead the user to check if they typo'd the name.

Expected behavior
Help user to figure out what they should do next.

Screenshots or CLI Output

→ loaded configuration from /Users/tsmith/.config/mondoo/luna.yml using source --config
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=0
x could not resolve asset error="could not detect GitHub asset type" asset=
FTL failed to run scan error="failed to resolve multiple assets"

When cnspec encounters an error, then it disregards --score-threshold

Describe the bug
When cnspec encounters an error, then it disregards --score-threshold.

To Reproduce

cat <<'EOF1' >test.sh
cat <<'EOF2' >/tmp/test.yaml
policies:
- uid: my-policies
  specs:
  - asset_filter:
      query: platform.family.contains(_ == 'unix')
    scoring_queries:
      test1: null
queries:
- uid: test1
  title: /tmp1 exists
  severity: 100
  query: |
    file("/tmp1") {
      permissions.user_readable == true
    }
EOF2
cnspec version
grep -i pretty_name /etc/os-release

cnspec scan local --incognito --score-threshold 100 -o full -f /tmp/test.yaml --json >/tmp/out.json
echo exit:$?
cat /tmp/out.json | jq --monochrome-output
EOF1
bash -x test.sh

Expected behavior
I expect cnspec to exit with non-zero if it encounters an error and if the score is less than 100.

root@80297ad0b51e:/tmp# bash -x test.sh
+ cat
+ cnspec version
cnspec 7.2.0 (babecff, 2022-10-31T23:38:24Z)
+ grep -i pretty_name /etc/os-release
PRETTY_NAME="Ubuntu 22.10"
+ cnspec scan local --incognito --score-threshold 100 -o full -f /tmp/test.yaml --json
→ no configuration file provided
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ connecting to asset 80297ad0b51e (baremetal)
+ echo exit:0
exit:0
+ cat /tmp/out.json
+ jq --monochrome-output
{
  "assets": {
    "//policy.api.mondoo.com/assets/2H0y07mHIsJffl5hljM7DiAR5uM": {
      "mrn": "//policy.api.mondoo.com/assets/2H0y07mHIsJffl5hljM7DiAR5uM",
      "name": "80297ad0b51e"
    }
  },
  "data": {
    "//policy.api.mondoo.com/assets/2H0y07mHIsJffl5hljM7DiAR5uM": {}
  },
  "scores": {
    "//policy.api.mondoo.com/assets/2H0y07mHIsJffl5hljM7DiAR5uM": {
      "//local.cnspec.io/run/local-execution/queries/test1": {
        "score": 0,
        "status": "error"
      }
    }
  },
  "errors": {}
}
root@80297ad0b51e:/tmp#
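
As an added example, not cnspec's own code and not from this issue's author, here is a small Go gate that reads the JSON report shown above and exits non-zero both when a query scores below the threshold and when any query reports status "error", which is the behaviour the issue asks for. The Evaluate/Verdict names and the exit-code convention (1 for below threshold, 2 for errors) are this example's own assumptions; the JSON keys mirror the report printed in the issue, and the embedded sample is that report, not a live asset.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Report mirrors the subset of cnspec's --json output that a CI gate needs.
// Key names are taken from the report in the issue; encoding/json ignores the
// other keys ("data", "errors") that we do not evaluate here.
type Report struct {
	Assets map[string]struct {
		Name string `json:"name"`
	} `json:"assets"`
	// scores: asset MRN -> query MRN -> result
	Scores map[string]map[string]QueryScore `json:"scores"`
}

// QueryScore is one query's outcome for one asset.
type QueryScore struct {
	Score  int    `json:"score"`
	Status string `json:"status"`
}

// Verdict records what the gate decided and why.
type Verdict struct {
	ExitCode   int      // 0 = pass, 1 = score below threshold, 2 = query errors (this example's convention)
	Errored    []string // query MRNs whose status is "error"
	BelowLimit []string // query MRNs whose score is below the threshold
}

// Evaluate parses a cnspec JSON report and applies the threshold the way the
// issue expects: a query in status "error" fails the gate regardless of its
// numeric score, and so does any query scored below threshold. An error takes
// precedence over a low score, so an errored query is listed only once.
func Evaluate(raw []byte, threshold int) (Verdict, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return Verdict{}, fmt.Errorf("parse report: %w", err)
	}
	var v Verdict
	for _, queries := range r.Scores {
		for mrn, q := range queries {
			switch {
			case q.Status == "error":
				v.Errored = append(v.Errored, mrn)
			case q.Score < threshold:
				v.BelowLimit = append(v.BelowLimit, mrn)
			}
		}
	}
	switch {
	case len(v.Errored) > 0:
		v.ExitCode = 2
	case len(v.BelowLimit) > 0:
		v.ExitCode = 1
	}
	return v, nil
}

// sampleReport is the JSON cnspec printed in the issue, embedded here so the
// example runs offline. The MRNs are copied from that report.
const sampleReport = `{
  "assets": {
    "//policy.api.mondoo.com/assets/2H0y07mHIsJffl5hljM7DiAR5uM": {
      "mrn": "//policy.api.mondoo.com/assets/2H0y07mHIsJffl5hljM7DiAR5uM",
      "name": "80297ad0b51e"
    }
  },
  "data": {
    "//policy.api.mondoo.com/assets/2H0y07mHIsJffl5hljM7DiAR5uM": {}
  },
  "scores": {
    "//policy.api.mondoo.com/assets/2H0y07mHIsJffl5hljM7DiAR5uM": {
      "//local.cnspec.io/run/local-execution/queries/test1": {
        "score": 0,
        "status": "error"
      }
    }
  },
  "errors": {}
}`

func main() {
	v, err := Evaluate([]byte(sampleReport), 100)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(3)
	}
	fmt.Printf("errored queries: %v\nbelow threshold: %v\nexit code: %d\n",
		v.Errored, v.BelowLimit, v.ExitCode)
	os.Exit(v.ExitCode)
}
```

Wired into the test.sh above in place of the bare `echo exit:$?`, this turns the report with the errored test1 query into exit code 2, so a pipeline gating on the threshold no longer passes a run whose queries never actually evaluated.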

Extend the policy format to include "icon" field

Is your feature request related to a problem? Please describe.
We have policyhub icons for different technologies. Right now this is done somewhat manually. We include a handful of icons in the frontend and we assign them in the frontend based on the policy name. When we renamed policies, the new policies lost their icons. If users upload their own policies they don't get icons. It would be really great if we had a set list of icons with names and let users define them. This is similar to how you define your icon and color GitHub actions within the metadata of your action.

Describe the solution you'd like
A new field for icon names. You'd get to choose from a list we maintained and extended over time.

Describe alternatives you've considered
I'm open to anything that gets us user-defined icons and removes frontend logic.

Running `cnspec shell local` on a macOS host that has Docker installed but not running results in an error

Describe the bug
Running cnspec shell local on a macOS host that has Docker installed but not running results in an error

To Reproduce
Steps to reproduce the behavior:

  1. Run cnspec shell local without Docker running.
  2. Observe output:
❯ ./cnspec shell local
→ loaded configuration from /Users/chip/.config/mondoo/mondoo.yml using source default
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=0
x could not connect to asset error="Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?" asset=
FTL could not resolve assets

Expected behavior
The shell should still open, even if the Docker daemon is not started.

Desktop (please complete the following information):
This bug was observed using cnspec 6.19, on macOS 12.6, with Docker Desktop 4.9.0 (80466) installed.

Add a policy linting command

Is your feature request related to a problem? Please describe.
Policies are often really large and it's hard to know you're including all the proper information. It would be great if we could lint them to make sure we had all the necessary fields.

Describe the solution you'd like
I'd like a command I could run that would ensure I had things like a desc field, audit field, remediation field, author information, a valid version number, etc.

Describe alternatives you've considered
I'm open to anything that allows us to check that policies have all the data necessary to share them with others.

Improve error handling when not connected to Mondoo Platform - "mondoo upstream configuration is missing"

Describe the bug
When not connected to Mondoo platform, cnspec returns errors mondoo upstream configuration is missing

platform { *}
Query encountered errors:
4 errors occurred:
	* mondoo upstream configuration is missing
	* mondoo upstream configuration is missing
	* mondoo upstream configuration is missing
	* mondoo upstream configuration is missing

To Reproduce
Steps to reproduce the behavior:

  1. Open terminal
  2. cnspec shell host mondoo.com
  3. cnspec> platform {*}
  4. See error
cnspec> platform { *}
Query encountered errors:
4 errors occurred:
	* mondoo upstream configuration is missing
	* mondoo upstream configuration is missing
	* mondoo upstream configuration is missing
	* mondoo upstream configuration is missing
platform: {
  arch: ""
  kind: "network"
  virtualization: platform.virtualization id = platform.virtualization
  name: ""
  labels: {}
  cves: platform.cves id = platform.cves
  fqdn: "mondoo.com"
  runtime: ""
  vulnerabilityReport: mondoo upstream configuration is missing
  build: ""
  title: "Network API"
  family: [
    0: "network"
  ]
  version: ""
  runtimeEnv: ""
  release: ""
  advisories: platform.advisories id = platform.advisories

Expected behavior
Just handle the error better. We should know cnspec is not connected and provide a better error

Desktop (please complete the following information):

  • OS: [macos]
  • Browser if applicable [e.g. Chrome, Safari]
  • Version cnspec 7.0.0-alpha1 (9761bb7, 2022-10-14T09:36:16Z)

Additional context
Add any other context about the problem here.
