v13.23.0

@mondoo-mergebot mondoo-mergebot released this 16 Jun 09:57
· 62 commits to main since this release
489f5da

What's Changed

  • 🧹 Bump patch versions for freebsd, gcp, github, m365, oci, okta, and vsphere policies by @tas50 in #2770
  • 🐛 linux: gate the su-restriction check on PAM config, simplify it, bump to 2.7.1 by @tas50 in #2769
  • 🧹 linux: use typed exim.localInterfaces for MTA loopback check by @tas50 in #2772
  • 🐛 linux: make su-restriction check crash-safe via pam.conf.service by @tas50 in #2774
  • ⭐ executor: attach the running query to panic reports by @jaym in #2773
  • 🐛 linux: fix incorrect and incomplete remediations across the security policy by @tas50 in #2775
  • 📚 linux: correct check descriptions that misstate what is checked by @tas50 in #2776
  • 🧹 Simplify AWS Batch/Lightsail/SQS/SNS checks with new provider fields by @tas50 in #2733
  • 🧹 Update spellcheck config by @tas50 in #2779
  • 🧹 tailscale: use typed hasExpiration/isRevoked for authkey checks by @tas50 in #2765
  • 🧹 snowflake: use typed networkPolicy for network-policy check by @tas50 in #2762
  • Use exim, inetd, and snmpd resources in Linux and FreeBSD policies by @tas50 in #2730
  • 🧹 nutanix: use typed usesLdaps for directory LDAPS check by @tas50 in #2763
  • Simplify macOS sharing and software update checks using new MQL resources by @tas50 in #2622
  • 🐛 vsphere: fix PowerCLI remediations that fail or misfire as written by @tas50 in #2787
  • 🐛 windows: fix remediations whose end state fails their own check by @tas50 in #2785
  • 🐛 oci: fix incorrect and incomplete remediations across the security policy by @tas50 in #2784
  • 🐛 aws: fix incorrect and incomplete remediations across the security policy by @tas50 in #2780
  • 🐛 azure: fix incorrect and incomplete remediations across the security policy by @tas50 in #2782
  • 🐛 freebsd: fix remediations that lock out, misfire, or use Linux tools by @tas50 in #2788
  • 🐛 unifi: fix incorrect and incomplete remediations across the security policy by @tas50 in #2786
  • 🐛 k8s-best-practices: fix remediations that target the wrong kind and a probe mql gap by @tas50 in #2790
  • 🐛 proxmox: fix remediations that fail, lock out, or destroy data as written by @tas50 in #2791
  • 🐛 arista-eos: replace Cisco IOS commands and fix never-pass/never-fail checks by @tas50 in #2793
  • 🐛 m365: fix lockout-prone MFA guidance and never-fail checks by @tas50 in #2794
  • 🐛 digitalocean: fix remediations with invalid doctl columns and destructive updates by @tas50 in #2792
  • 🐛 github: fix terraform arguments the provider rejects and API calls that change nothing by @tas50 in #2799
  • 🐛 panos: fix CLI commands PAN-OS rejects and version-blind IKE checks by @tas50 in #2797
  • 🐛 macos: fix checks unmanaged Macs could never pass and GUI steps for controls that have no GUI by @tas50 in #2800
  • 🐛 cisco-iosxe: fix lockout-prone AAA guidance and commands IOS XE rejects by @tas50 in #2798
  • 🐛 ai-security: point remediations at the paths and IDs the checks actually read by @tas50 in #2795
  • 🐛 cisco-nxos: fix SSH key commands that fail on live devices and lockout-prone guidance by @tas50 in #2802
  • 🐛 nutanix: remove invented ncli commands and close the open-allowlist mql gap by @tas50 in #2803
  • 🐛 fortios: fix license checks unlicensed devices pass and a lockout-prone telnet fix by @tas50 in #2801
  • 🐛 gcp: fix incorrect and incomplete remediations across the security policy by @tas50 in #2781
  • Add missing spellcheck terms by @tas50 in #2805
  • 🐛 junos: fix append-semantics SSH fixes that never removed weak algorithms by @tas50 in #2804
  • ⭐ Validate nutanix ncli remediation commands against the AOS Command Reference by @tas50 in #2806
  • 🐛 okta: fix inverted recovery checks and remediations that miss the inspected state by @tas50 in #2796
  • 🐛 cloudflare: fix token updates that strip definitions and HSTS examples that force preload by @tas50 in #2808
  • 🐛 cisco-iosxr: fix the never-pass SSH version check and IOS-isms XR rejects by @tas50 in #2807
  • ⭐ Validate Cloudflare API request bodies against the OpenAPI spec by @tas50 in #2810
  • 🐛 dockerfile-best-practices: stop teaching scanner evasion and broken healthchecks by @tas50 in #2813
  • ✨ Use typed auditpol/eventlog/secureboot accessors in Windows policies by @tas50 in #2744
  • 🐛 dockerfile-security: correct the bind-mount premise and close short-option gaps by @tas50 in #2814
  • ⭐ Generalize REST API remediation validation; add Tailscale, Slack, Atlassian, Grafana by @tas50 in #2815
  • ⭐ Validate kubectl, gh, glab, and hcloud commands via Cobra introspection by @tas50 in #2817
  • 🐛 openstack: fix delete-before-replace ordering that severs live access by @tas50 in #2809
  • 🐛 esxi: fix remediations that misfire and checks that reject their own fix by @tas50 in #2789
  • 🐛 chef-infra-server: stop add-on removals from uninstalling the whole server by @tas50 in #2819
  • 🐛 plcnext: fix the firmware pin that fails updated devices and never-fail SSH checks by @tas50 in #2812
  • 🐛 gitlab: fix calls to a nonexistent approval_settings endpoint and inverted UI steps by @tas50 in #2818
  • 🐛 tailscale: fix remediations that read instead of write and stale console paths by @tas50 in #2816
  • 🐛 tls: close the expired-cert blind spot and drop retired OCSP guidance by @tas50 in #2811
  • 🐛 vllm: name the flags the checks inspect and fix the wrong-route audit by @tas50 in #2822
  • 🐛 google-workspace: drop guidance for removed and nonexistent console settings by @tas50 in #2825
  • 🐛 chef-client: stop loosening the client key and drop a fabricated setting by @tas50 in #2827
  • 🐛 win11-compat: fix the disk check that inverted reality on both sides by @tas50 in #2830
  • fix: split approve and merge steps to use separate tokens by @username-is-already-taken2 in #2829
  • 🐛 slack: fix a never-fail conjunction and a domain check that swept DMs and bots by @tas50 in #2832
  • 🐛 github-best-practices: fix create-only terraform attributes and audit drift by @tas50 in #2831
  • 🐛 grafana: keep server admin rights through the default-admin swap by @tas50 in #2826
  • 🐛 bigip: stop the cipher checks from failing their own remediation by @tas50 in #2828
  • 🐛 http: fix two never-fail header checks and remediations the servers ignore by @tas50 in #2834
  • 🐛 http: match remaining header names and values case-insensitively by @tas50 in #2836
  • 🐛 mcp: stop the PII fix from tripping the Unicode check and screen prompt names by @tas50 in #2835
  • 🐛 atlassian: point remediations at admin surfaces that exist by @tas50 in #2837
  • 🧹 windows-workstation: fix destructive BitLocker guidance and false-passing checks by @tas50 in #2839
  • 🧹 linux-workstation: fix destructive and broken remediation guidance by @tas50 in #2838
  • 🧹 shodan: fix unverifiable membership audit and add re-scan latency guidance by @tas50 in #2841
  • 🐛 linux-operational: fix always-failing disk check on snap hosts by @tas50 in #2843
  • 🐛 terraform-deprecations: close template-provider detection gaps by @tas50 in #2844
  • 🐛 linux-snmp: close case-insensitivity bypass and RHEL filter gap by @tas50 in #2840
  • 🐛 reporter: collapse double blank line for assets with no checks by @tas50 in #2845
  • Bump the gomodupdates group with 2 updates by @dependabot[bot] in #2848
  • 🐛 edr: fix never-pass ESET/Wazuh variants and quantifier logic bugs by @tas50 in #2842
  • 🧹 Bump mql to v13.23.0 by @mondoo-mergebot[bot] in #2851

Full Changelog: v13.22.1...v13.23.0