Delete the Slack Security policy in extra (#201)
1.1 is in core now, but this one is going to production instead. Nuke it.
Signed-off-by: Tim Smith tsmith84@gmail.com
This query is missing an impact as seen in the registry:
:broom: fixed/impact: Ensure audit logs are not automatically deleted (#199)
Fixes: https://github.com/mondoohq/cnspec-policies/issues/146
Signed-off-by: Manuel Weber manuel@mondoo.com
Describe the bug
Something weird is going on here with "Ensure login and logout events are collected" in the Linux Security policy on Debian that causes the control to fail even if the remediation steps are followed. It has the query:
if( platform.family.contains('debian') ) {
  command("auditctl -l") {
    stdout.contains("-w /var/log/faillog -p wa -k logins")
  }
} else {
  command("auditctl -l") {
    stdout.contains("-w /var/run/faillock -p wa -k logins")
  }
}
command("auditctl -l") {
  stdout.contains("-w /var/log/lastlog -p wa -k logins")
  stdout.contains("-w /var/log/tallylog -p wa -k logins")
}
and on Debian we suggest adding the following lines to an auditd config file:
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
and
-w /var/log/faillog -p wa -k logins
I've added the following to /etc/audit/rules.d/50-logins.rules:
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/log/faillog -p wa -k logins
The problem is that even though I have /var/log/lastlog defined here, the auditctl -l output is /var/run/lastlog:
-w /etc/selinux -p wa -k MAC-policy
-w /usr/share/selinux -p wa -k MAC-policy
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete
-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /var/log/sudo.log -p wa -k actions
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change
This causes this control to always fail on my Debian host.
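A more tolerant version of that check, added here as a Go example (not code from the cnspec policy or from cnquery; the function and sample names are my own): it parses the -w lines of auditctl -l and accepts the login log files under either /var/log or /var/run, which the exact-string match in the query above cannot do.

```go
package main

import "strings"

// watchMatches reports whether one `auditctl -l` line is a "-w" file watch on
// /var/log/<base> or /var/run/<base> with write+attribute perms and key "logins".
func watchMatches(line, base string) bool {
	f := strings.Fields(line)
	if len(f) == 0 || f[0] != "-w" {
		return false // syscall (-a) rules and blank lines are not watches
	}
	var path, perms, key string
	for i := 0; i+1 < len(f); i += 2 {
		switch f[i] {
		case "-w":
			path = f[i+1]
		case "-p":
			perms = f[i+1]
		case "-k":
			key = f[i+1]
		}
	}
	return (path == "/var/log/"+base || path == "/var/run/"+base) &&
		strings.Contains(perms, "w") && strings.Contains(perms, "a") && key == "logins"
}

// MissingLoginWatches returns which of lastlog, tallylog and faillog have no
// matching watch; unlike the policy's exact-string check, either directory passes.
func MissingLoginWatches(output string) []string {
	var missing []string
	for _, base := range []string{"lastlog", "tallylog", "faillog"} {
		found := false
		for _, line := range strings.Split(output, "\n") {
			if watchMatches(line, base) {
				found = true
			}
		}
		if !found {
			missing = append(missing, base)
		}
	}
	return missing
}

// Constructed excerpt of the auditctl -l output quoted in the issue above.
const SampleOutput = `-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillog -p wa -k logins
-w /var/log/tallylog -p wa -k logins`
```

On the issue's output the function returns an empty list, while the policy's literal check for "-w /var/log/faillog -p wa -k logins" fails.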
Update core/mondoo-azure-security.mql.yaml
Co-authored-by: Letha letha@mondoo.com
Signed-off-by: Tim Smith tim@mondoo.com
This should be applied for the subscription
Describe the bug
If the user writes a policy to check a file they don't have access to, the error returned makes it sound like the file doesn't exist when it's purely the second part of the error: lack of file permissions.
To Reproduce
Steps to reproduce the behavior:
cnquery shell
file("/etc/PATH/OWNED/BY/ROOT/THAT/EXISTS").content
Expected behavior
The error should state the lack of file permissions w/o mentioning the file doesn't exist since we can filestat it.
Screenshots or CLI Output
cnquery> file('/etc/master.passwd').content
Query encountered errors:
file '/etc/master.passwd' does not exist: open /etc/master.passwd: permission denied
From non-root user:
ls -lah /etc/master.passwd
-rw------- 1 root wheel 8.5K Feb 9 01:39 /etc/master.passwd
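One way to report that error accurately, added here as an example (not cnquery's actual code; DescribeReadError and ReadContent are hypothetical names): classify the underlying error with errors.Is so a permission failure is never described as a missing file.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
)

// DescribeReadError turns the error from reading a file into a message that
// names the actual cause, instead of prefixing every failure with
// "does not exist" as the output in the issue above does.
func DescribeReadError(path string, err error) string {
	switch {
	case err == nil:
		return ""
	case errors.Is(err, fs.ErrNotExist):
		return fmt.Sprintf("file '%s' does not exist", path)
	case errors.Is(err, fs.ErrPermission):
		// The file is there (a stat would succeed); only the open failed.
		return fmt.Sprintf("file '%s' exists but cannot be read: permission denied", path)
	default:
		return fmt.Sprintf("file '%s' could not be read: %v", path, err)
	}
}

// ReadContent reads a file and reports failures through DescribeReadError.
func ReadContent(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", errors.New(DescribeReadError(path, err))
	}
	return string(data), nil
}
```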
Describe the bug
If a user provides us with a .pem file that does not include the private key we don't throw an error in the application. Instead there's an error in each check in the policies, but those are not immediately apparent on the CLI.
Expected behavior
Validate the .PEM file is the correct format and throw an error if it's missing either the certificate or the private key portion.
Screenshots or CLI Output
cnquery scan ms365 --tenant-id 2919c383-55f1-4d5b-9d3e-12345 --certificate-path ~/dev/cert.pem
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
Microsoft 365 tenant 2919c383-55f1-4d5b-9d3e-12345 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: X
Asset: Microsoft 365 tenant 2919c383-55f1-4d5b-9d3e-12345
----------------------------------------------------------------
Data queries:
mondoo.jobEnvironment: {
id: "client.mondoo.com"
name: "Mondoo Client"
}
platform.release: ""
platform.title: "Microsoft 365"
mondoo.version: "8.3.0"
platform.arch: ""
Controls:
! Error: Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data
! Error: Ensure that mobile devices require complex passwords (Type = Alphanumeric)
! Error: Ensure that at least three global admins are designated and not more than four
! Error: Ensure modern authentication for SharePoint applications is required
! Error: Ensure mailbox auditing for all users is Enabled
! Error: Ensure that mobile devices require complex passwords (Simple Passwords = Blocked)
! Error: Ensure devices lock after a period of inactivity to prevent unauthorized access
! Error: Ensure mail transport rules do not whitelist specific domains
! Error: Ensure that Office 365 passwords never Expire
! Error: Ensure modern authentication for Exchange Online is enabled
! Error: Ensure self-service password reset is enabled
! Error: Ensure notifications for internal users sending malware is Enabled
! Error: Ensure that the security Defaults is disabled
! Error: Enable Azure AD Identity Protection sign-in
! Error: Ensure Microsoft 365 audit log search is Enabled
! Error: Ensure that no third party integrated applications are allowed
! Error: Ensure that DKIM is enabled for all Exchange Online Domains
! Error: Ensure the Common Attachment Types Filter is enabled
! Error: Ensure that the legacy authentication has been disabled by Conditional access policies
! Error: Ensure that minimum password length has been set in order to prevent any brute force attack
! Error: Ensure all forms of mail forwarding are blocked and/or disabled
. Skipped: Ensure that 'Users can create Azure AD Tenants' is set to 'No'
! Error: Ensure Sender Policy Record (SPF) exists for each domain in Exchange
! Error: Ensure mobile devices require the use of a password
! Error: Ensure that multi-factor authentication has been enabled for all users
! Error: Ensure multifactor authentication is enabled for all users in administrative roles
! Error: Enable Azure AD Identity Protection sign-in
! Error: Ensure expiration time for external sharing links is set
! Error: Ensure that mobile devices require a minimum password length to prevent brute force attacks
! Error: Ensure Exchange Online Spam Policies are set to notify administrators
Scanned 1 assets
Microsoft 365
X Microsoft 365 tenant 2919c383-55f1-4d5b-9d3e-12345
For detailed output, run this scan with "-o full".
See more scan results and asset relationships on the Mondoo Console: NOPE
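An up-front check of the kind the expected behavior describes, added here as an example and not cnquery's own code (ValidateCombinedPEM and the sample constants are hypothetical): it counts CERTIFICATE and private key blocks with encoding/pem and returns a distinct error when either is missing, instead of letting every control error out later.

```go
package main

import (
	"encoding/pem"
	"errors"
	"strings"
)

// ValidateCombinedPEM walks every PEM block in data and requires at least one
// CERTIFICATE block and one private key block ("PRIVATE KEY", "RSA PRIVATE KEY",
// "EC PRIVATE KEY", ...). An empty or non-PEM file is reported separately.
func ValidateCombinedPEM(data []byte) error {
	certs, keys := 0, 0
	for rest := data; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest) // nil block means no further PEM data
		if block == nil {
			break
		}
		switch {
		case block.Type == "CERTIFICATE":
			certs++
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			keys++
		}
	}
	switch {
	case certs == 0 && keys == 0:
		return errors.New("file contains no PEM blocks")
	case certs == 0:
		return errors.New("PEM file has a private key but no CERTIFICATE block")
	case keys == 0:
		return errors.New("PEM file has a certificate but no PRIVATE KEY block")
	}
	return nil
}

// Constructed stand-in PEM blocks: the base64 bodies are placeholders, not
// real DER, but they are enough for pem.Decode to recognise the block types.
const (
	CertOnlyPEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
	KeyOnlyPEM  = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
	CombinedPEM = CertOnlyPEM + KeyOnlyPEM
)
```

A CLI would call this on the bytes of --certificate-path before starting the scan and surface the returned error directly.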
Describe the bug
To scan a ms365 tenant you need to provide a tenant id and client id, but these are both optional. This results in really confusing output when you don't provide the necessary data.
Expected behavior
These should be required fields so our error messages are clear that you need to pass in this required data.
Screenshots or CLI Output
cnquery scan ms365 --certificate-path ~/dev/combined.pem
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=0
x could not resolve asset error="ms365 backend requires a tenant-id" asset=
FTL failed to run scan error="failed to resolve multiple assets"
Describe the bug
MS365 scanning can be done via either .pfx or .pem files. Our help only mentions pfx files and the certificate path switch only mentions pfx files.
Screenshots or CLI Output
cnquery scan ms365 --help
Here is an example using Microsoft 365:
$ cnquery scan ms365 --tenant-id {tenant id} --client-id {client id} --client-secret {client secret}
This example connects to Microsoft 365 using the PKCS #12 formatted certificate:
$ cnquery scan ms365 --tenant-id {tenant id} --client-id {client id} --certificate-path {certificate.pfx} --certificate-secret {certificate secret}
$ cnquery scan ms365 --tenant-id {tenant id} --client-id {client id} --certificate-path {certificate.pfx} --ask-pass
Usage:
cnquery scan ms365 [flags]
Aliases:
ms365, microsoft365
Flags:
--annotation stringToString Add an annotation to the asset. (default [])
--ask-pass Ask for connection password.
--asset-name string User-override for the asset name
--certificate-path string path to certificate that's used for certificate-based authentication in PKCS 12 format (pfx)
Fix grammar in azure checks (#197)
A few minor fixes I noticed when adding these to the release notes
Signed-off-by: Tim Smith tsmith84@gmail.com
Ensure everywhere.