├── .copywrite.hcl
├── .github
    ├── actions
    │   └── spelling
    │   │   ├── README.md
    │   │   ├── advice.md
    │   │   ├── allow.txt
    │   │   ├── excludes.txt
    │   │   ├── expect.txt
    │   │   ├── line_forbidden.patterns
    │   │   ├── only.txt
    │   │   ├── patterns.txt
    │   │   └── reject.txt
    ├── dependabot.yml
    └── workflows
    │   ├── cla.yaml
    │   ├── lint.yaml
    │   ├── release.yaml
    │   └── spell-check.yaml
├── .gitignore
├── LICENSE
├── Makefile
├── README.md
├── community
    ├── .gitkeep
    ├── README.md
    └── mondoo-windows-operational-inventory.mql.yaml
├── core
    ├── .gitkeep
    ├── mondoo-aws-incident-response.mql.yaml
    ├── mondoo-aws-inventory.mql.yaml
    ├── mondoo-azure-inventory.mql.yaml
    ├── mondoo-dns-inventory.mql.yaml
    ├── mondoo-email-inventory.mql.yaml
    ├── mondoo-gcp-inventory.mql.yaml
    ├── mondoo-github-incident-response.mql.yaml
    ├── mondoo-github-inventory.mql.yaml
    ├── mondoo-kubernetes-incident-response.mql.yaml
    ├── mondoo-kubernetes-inventory.mql.yaml
    ├── mondoo-linux-incident-response.mql.yaml
    ├── mondoo-linux-inventory.mql.yaml
    ├── mondoo-macos-incident-response.mql.yaml
    ├── mondoo-macos-inventory.mql.yaml
    ├── mondoo-openssl-incident-response.mql.yaml
    ├── mondoo-shodan-inventory.mql.yaml
    ├── mondoo-slack-inventory.mql.yaml
    ├── mondoo-ssl-tls-certificate-incident-response.mql.yaml
    ├── mondoo-terraform-inventory.mql.yaml
    ├── mondoo-vmware-incident-response.mql.yaml
    ├── mondoo-vmware-inventory.mql.yaml
    ├── mondoo-windows-incident-response.mql.yaml
    └── mondoo-windows-inventory.mql.yaml
└── extra
    ├── .gitkeep
    ├── README.md
    ├── mondoo-asset-count.mql.yaml
    ├── mondoo-googleworkplace-incident-response.mql.yaml
    └── mondoo-okta-incident-response.mql.yaml


/.copywrite.hcl:
--------------------------------------------------------------------------------
 1 | schema_version = 1
 2 | 
 3 | project {
 4 |   license          = "BUSL-1.1"
 5 |   copyright_holder = "Mondoo, Inc."
 6 |   copyright_year   = 2024
 7 | 
 8 |   # (OPTIONAL) A list of globs that should not have copyright/license headers.
 9 |   # Supports doublestar glob patterns for more flexibility in defining which
10 |   # files or folders should be ignored
11 |   header_ignore = [
12 |     "**/*.tf",
13 |     "**/testdata/**",
14 |     "**/*.pb.go",
15 |     "**/*_string.go",
16 |   ]
17 | }


--------------------------------------------------------------------------------
/.github/actions/spelling/README.md:
--------------------------------------------------------------------------------
 1 | # check-spelling/check-spelling configuration
 2 | 
 3 | | File                                               | Purpose                                                         | Format                                                    | Info                                                                                                 |
 4 | | -------------------------------------------------- | --------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
 5 | | [allow.txt](allow.txt)                             | Add words to the dictionary                                     | one word per line (only letters and `'`s allowed)         | [allow](https://github.com/check-spelling/check-spelling/wiki/Configuration#allow)                   |
 6 | | [reject.txt](reject.txt)                           | Remove words from the dictionary (after allow)                  | grep pattern matching whole dictionary words              | [reject](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-reject)     |
 7 | | [excludes.txt](excludes.txt)                       | Files to ignore entirely                                        | perl regular expression                                   | [excludes](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-excludes) |
 8 | | [only.txt](only.txt)                               | Only check matching files (applied after excludes)              | perl regular expression                                   | [only](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-only)         |
 9 | | [patterns.txt](patterns.txt)                       | Patterns to ignore from checked lines                           | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) |
10 | | [line_forbidden.patterns](line_forbidden.patterns) | Patterns to flag in checked lines                               | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) |
11 | | [expect.txt](expect.txt)                           | Expected words that aren't in the dictionary                    | one word per line (sorted, alphabetically)                | [expect](https://github.com/check-spelling/check-spelling/wiki/Configuration#expect)                 |
12 | | [advice.md](advice.md)                             | Supplement for GitHub comment when unrecognized words are found | GitHub Markdown                                           | [advice](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice)     |
13 | 
14 | Note: you can replace any of these files with a directory by the same name (minus the suffix)
15 | and then include multiple files inside that directory (with that suffix) to merge multiple files together.
16 | 


--------------------------------------------------------------------------------
/.github/actions/spelling/advice.md:
--------------------------------------------------------------------------------
 1 | <!-- See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice --> <!-- markdownlint-disable MD033 MD041 -->
 2 | <details><summary>If the flagged items are false positives</summary>
 3 | 
 4 | If items relate to a ...
 5 | 
 6 | - binary file (or some other file you wouldn't want to check at all).
 7 | 
 8 |   Please add a file path to the `excludes.txt` file matching the containing file.
 9 | 
10 |   File paths are Perl 5 Regular Expressions - you can [test](https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your files.
11 | 
12 |   `^` refers to the file's path from the root of the repository, so `^README\.md$` would exclude README.md (on whichever branch you're using).
13 | 
14 | - well-formed pattern.
15 | 
16 |   If you can write a [pattern](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns) that would match it,
17 |   try adding it to the `patterns.txt` file.
18 | 
19 |   Patterns are Perl 5 Regular Expressions - you can [test](https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your lines.
20 | 
21 |   Note that patterns can't match multiline strings.
22 | 
23 | </details>
24 | 


--------------------------------------------------------------------------------
/.github/actions/spelling/allow.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mondoohq/cnquery-packs/668679608f3614967fc581dbdfd840771bd61308/.github/actions/spelling/allow.txt


--------------------------------------------------------------------------------
/.github/actions/spelling/excludes.txt:
--------------------------------------------------------------------------------
 1 | # See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-excludes
 2 | (?:^|/)(?i)COPYRIGHT
 3 | (?:^|/)(?i)LICEN[CS]E
 4 | (?:^|/)3rdparty/
 5 | (?:^|/)go\.sum$
 6 | (?:^|/)package(?:-lock|)\.json$
 7 | (?:^|/)Pipfile$
 8 | (?:^|/)pyproject.toml
 9 | (?:^|/)requirements(?:-dev|-doc|-test|)\.txt$
10 | (?:^|/)vendor/
11 | ignore$
12 | \.a$
13 | \.ai$
14 | \.all-contributorsrc$
15 | \.avi$
16 | \.bmp$
17 | \.bz2$
18 | \.cer$
19 | \.class$
20 | \.coveragerc$
21 | \.crl$
22 | \.crt$
23 | \.csr$
24 | \.dll$
25 | \.docx?$
26 | \.drawio$
27 | \.DS_Store$
28 | \.eot$
29 | \.eps$
30 | \.exe$
31 | \.gif$
32 | \.git-blame-ignore-revs$
33 | \.gitattributes$
34 | \.gitkeep$
35 | \.graffle$
36 | \.gz$
37 | \.icns$
38 | \.ico$
39 | \.ipynb$
40 | \.jar$
41 | \.jks$
42 | \.jpe?g$
43 | \.key$
44 | \.lib$
45 | \.lock$
46 | \.map$
47 | \.min\..
48 | \.mo$
49 | \.mod$
50 | \.mp[34]$
51 | \.o$
52 | \.ocf$
53 | \.otf$
54 | \.p12$
55 | \.parquet$
56 | \.pdf$
57 | \.pem$
58 | \.pfx$
59 | \.png$
60 | \.psd$
61 | \.pyc$
62 | \.pylintrc$
63 | \.qm$
64 | \.s$
65 | \.sig$
66 | \.so$
67 | \.svgz?$
68 | \.sys$
69 | \.tar$
70 | \.tgz$
71 | \.tiff?$
72 | \.ttf$
73 | \.wav$
74 | \.webm$
75 | \.webp$
76 | \.woff2?$
77 | \.xcf$
78 | \.xlsx?$
79 | \.xpm$
80 | \.xz$
81 | \.zip$
82 | ^\.github/actions/spelling/
83 | ^\Q.github/workflows/spelling.yml\E$
84 | 


--------------------------------------------------------------------------------
/.github/actions/spelling/expect.txt:
--------------------------------------------------------------------------------
 1 | Adddays
 2 | bigquery
 3 | cea
 4 | CUSTOMERID
 5 | linux
 6 | mpim
 7 | nsrecords
 8 | openssh
 9 | saas
10 | spdx
11 | sshkeys
12 | xorg
13 | xoxp
14 | 


--------------------------------------------------------------------------------
/.github/actions/spelling/line_forbidden.patterns:
--------------------------------------------------------------------------------
  1 | # Detect common combinations of valid words that are in fact invalid.
  2 | # Useful for brand capitalizations
  3 | 
  4 | #
  5 | # Catch placeholder text
  6 | #
  7 | 
  8 | \b[Ll]orem [Ii]psum\b
  9 | 
 10 | #
 11 | # Overly formal style
 12 | #
 13 | 
 14 | # s.b. Whether
 15 | \bIndicates whether\b
 16 | \bIndicates if\b
 17 | \bIndicates\b
 18 | \bWhether or not\b
 19 | \bDenotes if\b
 20 | 
 21 | #
 22 | # Terms to avoid
 23 | #
 24 | 
 25 | # s.b. Allow list
 26 | \b[Ww]hitelist\b
 27 | \b[Ww]hitelisting\b
 28 | \b[Ww]hitelisted\b
 29 | \b[Ww]hite list\b
 30 | \b[Ww]hite listing\b
 31 | \b[Ww]hite listed\b
 32 | 
 33 | # s.b. Block list
 34 | \b[Bb]lacklist\b
 35 | \b[Bb]lacklisting\b
 36 | \b[Bb]lacklisted\b
 37 | \b[Bb]lack list\b
 38 | \b[Bb]lack listing\b
 39 | \b[Bb]lack listed\b
 40 | 
 41 | #
 42 | # Our Terms
 43 | #
 44 | 
 45 | # s.b. Mondoo Platform
 46 | \bthe Mondoo Platform\b
 47 | \bMondoo platform\b
 48 | 
 49 | # s.b. Compliance Hub
 50 | \b[Cc]ompliance hub\b
 51 | 
 52 | #
 53 | # Compliance Terms
 54 | #
 55 | 
 56 | # s.b. SOC 2
 57 | \bSOC2\b
 58 | 
 59 | # s.b. NIS2
 60 | \bNIS 2\b
 61 | 
 62 | # s.b. ISO 270001
 63 | \bISO270001\b
 64 | 
 65 | #
 66 | # Industry Terms
 67 | #
 68 | 
 69 | # s.b. NetFlow
 70 | \bNetflow\b
 71 | 
 72 | # s.b. Side scanning
 73 | \b[Ss]idescanning\b
 74 | 
 75 | # s.b. DevOps
 76 | \bDev Ops\b
 77 | \bDevops\b
 78 | 
 79 | # s.b. SaaS
 80 | # \b[Ss]aas\b # disabled due to false positives
 81 | \bSaas\b
 82 | 
 83 | # s.b. Docker Hub
 84 | \bDocker[Hh]ub\b
 85 | \bdocker hub\b
 86 | 
 87 | # s.b. REST API
 88 | \b[Rr]est API\b
 89 | \brest api\b
 90 | 
 91 | # s.b. DevSecOps
 92 | \bDevsec[Oo]ps\b
 93 | 
 94 | # s.b. on-premises
 95 | \bon-premise\b
 96 | 
 97 | # s.b. email
 98 | \be-mail\b
 99 | 
100 | # s.b. APIs
101 | \bapis\b
102 | 
103 | #
104 | # Product Names
105 | #
106 | 
107 | # s.b. Cloudflare
108 | \bCloudFlare\b
109 | 
110 | # s.b. Memcached
111 | \bMemCached\b
112 | 
113 | # s.b. Jira
114 | \bJIRA\b
115 | 
116 | # s.b. MariaDB
117 | \bMaria DB\b
118 | \bmariaDB\b
119 | # \bmariaDb\b causes failures in MQL queries
120 | 
121 | # s.b. PostgreSQL
122 | \bPostgreSql\b
123 | 
124 | # s.b. Firefox
125 | \bFireFox\b
126 | 
127 | # s.b. CentOS
128 | \bCentos\b
129 | \bCent OS\b
130 | \bcentOS\b
131 | 
132 | # s.b. macOS
133 | \bOS X\b
134 | \bMacOS\b
135 | \bMac OS\b
136 | 
137 | # s.b. Okta
138 | \bOcta\b
139 | 
140 | # s.b. Elasticsearch
141 | \bElasticSearch\b
142 | 
143 | # s.b. DocuSign
144 | \bDocu Sign\b
145 | 
146 | # s.b. DocuSign
147 | \bDocu Sign\b
148 | 
149 | # s.b. DocuSign
150 | \bDocu Sign\b
151 | \bDocusign\b
152 | 
153 | # s.b. MongoDB
154 | \bMongo DB\b
155 | \bMongoDb\b
156 | 
157 | # s.b. MySQL
158 | \bMysql\b
159 | \bMySql\b
160 | 
161 | # s.b. OpenStack
162 | \bOpen Stack\b
163 | \bOpenstack\b
164 | 
165 | # s.b. Red Hat
166 | \bRedHat\b
167 | \bRedhat\b
168 | 
169 | # s.b. EuroLinux
170 | \bEurolinux\b
171 | \bEuro Linux\b
172 | 
173 | # s.b. AlmaLinux
174 | \bAlma Linux\b
175 | 
176 | # s.b. CloudLinux
177 | \bCloud Linux\b
178 | \bCloudlinux\b
179 | 
180 | # s.b. openSUSE
181 | \bOpenSUSE\b
182 | 
183 | # s.b. openSUSE
184 | \bopenSuse\b
185 | 
186 | # s.b. CircleCI
187 | \bCircleCi\b
188 | \bCircle CI\b
189 | 
190 | # s.b. AppArmor
191 | \bApparmor\b
192 | \bApp Armor\b
193 | 
194 | # s.b. SELinux
195 | \bSeLinux\b
196 | \bSelinux\b
197 | 
198 | # s.b. InSpec
199 | \b[Ii]nspec\b
200 | 
201 | # s.b. GitHub
202 | \bGithub\b
203 | 
204 | # s.b. GitLab
205 | \bGitlab\b
206 | 
207 | # s.b. JavaScript
208 | \bJavascript\b
209 | 
210 | # s.b. OpenSSL
211 | \bOpenssl\b
212 | \bopenSSL\b
213 | 
214 | # s.b. CloudBees
215 | \b[Cc]loudbees\b
216 | 
217 | # s.b. System76
218 | \bSystem 76\b
219 | 
220 | # s.b. VirtualBox
221 | \b[Vv]irtualbox\b
222 | \bVirtual Box\b
223 | 
224 | # s.b. SentinelOne
225 | \bSentinal[Oo]ne\b
226 | \bSentin[ae]lone\b
227 | \bSentin[ae]l One\b
228 | 
229 | # s.b. CrowdStrike
230 | \bCrowd Strike\b
231 | \b[Cc]rowdstrike\b
232 | 
233 | # s.b. Zendesk
234 | \bZenDesk\b
235 | 
236 | # s.b. ServiceNow
237 | \bService Now\b
238 | \bServicenow\b
239 | 
240 | # s.b. name server
241 | \bnameserver\b
242 | \bnameservers\b
243 | 
244 | #
245 | # Kubernetes Terms
246 | #
247 | 
248 | # s.b. DaemonSet
249 | \bDaemonset\b
250 | 
251 | # s.b. Dockershim
252 | \bDockerShim\b
253 | \bdockershim\b
254 | 
255 | # s.b. LimitRange
256 | \bLimitrange\b
257 | 
258 | # s.b. Minikube
259 | \bMiniKube\b
260 | 
261 | # s.b. ReplicaSet
262 | \bReplicaset\b
263 | 
264 | # s.b. StatefulSet
265 | \bStatefulset\b
266 | 
267 | #
268 | # HashiCorp Products
269 | #
270 | 
271 | # s.b. HashiCorp
272 | \bHashicorp\b
273 | 
274 | # s.b. Terraform
275 | \bTerraForm\b
276 | 
277 | # s.b. Vagrantfile
278 | \bVagrant file\b
279 | \bVagrantFile\b
280 | 
281 | #
282 | # Microsoft Products
283 | #
284 | 
285 | # s.b. Microsoft
286 | \bMicroSoft\b
287 | 
288 | # s.b. PowerPoint
289 | \bPower Point\b
290 | \bPowerpoint\b
291 | 
292 | # s.b. OneNote
293 | \bOne Note\b
294 | \bOnenote\b
295 | 
296 | # s.b. Windows Server
297 | \bWindows server\b
298 | 
299 | # s.b. Team Foundation Server
300 | \bTeam foundation server\b
301 | \bteam foundation server\b
302 | 
303 | # s.b. Active Directory
304 | \bActive directory\b
305 | \bactive directory\b
306 | 
307 | # s.b. Group Policy Object
308 | \bGroup policy object\b
309 | \bgroup policy object\b
310 | \bGroup Policy object\b
311 | 
312 | # s.b. Power BI
313 | \bPowerBI\b
314 | 
315 | # s.b. SharePoint
316 | \bSharepoint\b
317 | \bShare Point\b
318 | 
319 | # s.b. BitLocker
320 | \bBitlocker\b
321 | \bbitLocker\b
322 | 
323 | # s.b. VS Code
324 | \bVSCode\b
325 | \bVScode\b
326 | 
327 | # s.b. LinkedIn
328 | \bLinked In\b
329 | \bLinkedin\b
330 | 
331 | # s.b. Microsoft IIS
332 | \bIIS Server\b
333 | 
334 | # s.b. Microsoft SQL Server
335 | \bSQL server\b
336 | \bMSSQL\b
337 | 
338 | #
339 | # VMware Products
340 | #
341 | 
342 | # s.b. VMware
343 | \bVmware\b
344 | \bVMWare\b
345 | 
346 | # s.b. vCenter
347 | \bVcenter\b
348 | \bVCenter\b
349 | 
350 | # s.b. vSphere
351 | \bVsphere\b
352 | \bVSphere\b
353 | 
354 | # s.b. ESXi
355 | \bEsxi\b
356 | 
357 | #
358 | # AWS Products
359 | #
360 | 
361 | # s.b. App2Container
362 | \bApp2container\b
363 | 
364 | # s.b. AppFlow
365 | \bAppflow\b
366 | 
367 | # s.b. AppSync
368 | \bAppsync\b
369 | 
370 | # s.b. CloudEnsure
371 | \bCloudensure\b
372 | 
373 | # s.b. CloudFormation
374 | \bCloudformation\b
375 | \bCloud Formation\b
376 | 
377 | # s.b. CloudFront
378 | \bCloudfront\b
379 | 
380 | # s.b. CloudHSM
381 | \bCloud[Hh]sm\b
382 | 
383 | # s.b. CloudSearch
384 | \bCloudsearch\b
385 | 
386 | # s.b. CloudShell
387 | # we can't check for Cloud Shell since that's what Azure calls it
388 | \bCloudshell\b
389 | \bcloudshell\b
390 | 
391 | # s.b. CloudTrail
392 | \bCloudtrail\b
393 | 
394 | # s.b. CloudWatch
395 | \bCloudwatch\b
396 | 
397 | # s.b. CodeArtifact
398 | \bCodeartifact\b
399 | 
400 | # s.b. CodeBuild
401 | \bCodebuild\b
402 | 
403 | # s.b. CodeCommit
404 | \bCodecommit\b
405 | 
406 | # s.b. CodeDeploy
407 | \bCodedeploy\b
408 | 
409 | # s.b. CodeGuru
410 | \bCodeguru\b
411 | 
412 | # s.b. CodePipeline
413 | \bCodepipeline\b
414 | 
415 | # s.b. CodeStar
416 | \bCodestar\b
417 | 
418 | # s.b. AWS Config
419 | \bAWS config\b
420 | 
421 | # s.b. Copilot
422 | \bCoPilot\b
423 | 
424 | # s.b. DeepRacer
425 | \bDeepracer\b
426 | 
427 | # s.b. DocumentDB
428 | \bDocument DB\b
429 | \bDocumentDb\b
430 | 
431 | # s.b. DynamoDB
432 | \bDynamo DB\b
433 | \bDynamoDb\b
434 | 
435 | # s.b. ElastiCache
436 | \bElasticache\b
437 | 
438 | # s.b. EventBridge
439 | \bEventbridge\b
440 | 
441 | # s.b. Fargate
442 | \bFarGate\b
443 | \bFar Gate\b
444 | 
445 | # s.b. FinSpace
446 | \bFinSpace\b
447 | 
448 | # s.b. FSx
449 | \bFSX\b
450 | 
451 | # s.b. GameLift
452 | \bGamelift\b
453 | 
454 | # s.b. GuardDuty
455 | \bGuardduty\b
456 | 
457 | # s.b. Honeycode
458 | \bHoneyCode\b
459 | 
460 | # s.b. Lambda
461 | \bLamba\b
462 | 
463 | # s.b. Lightsail
464 | \bLightSail\b
465 | 
466 | # s.b. MXNet
467 | \bMxnet\b
468 | \bMXnet\b
469 | 
470 | # s.b. OpenSearch
471 | \bOpensearch\b
472 | 
473 | # s.b. OpenShift
474 | \bOpenshift\b
475 | 
476 | # s.b. PrivateLink
477 | \bPrivatelink\b
478 | 
479 | # s.b. QuickSight
480 | \bQuicksight\b
481 | 
482 | # s.b. Redshift
483 | \bRedShift\b
484 | 
485 | # s.b. RoboMaker
486 | \bRobomaker\b
487 | 
488 | # s.b. Route 53
489 | \bRoute53\b
490 | 
491 | # s.b. SageMaker
492 | \bSagemaker\b
493 | 
494 | # s.b. SiteWise
495 | \bSitewise\b
496 | 
497 | # s.b. StackSets
498 | \bStacksets\b
499 | 
500 | # s.b. WorkDocs
501 | \bWorkdocs\b
502 | 
503 | # s.b. WorkMail
504 | \bWorkmail\b
505 | 
506 | #
507 | # Google Cloud Products
508 | #
509 | 
510 | # s.b. AlloyDB
511 | \bAlloy DB\b
512 | 
513 | # s.b. AppEngine
514 | \bApp Engine\b
515 | 
516 | # s.b. BigLake
517 | \bBig Lake\b
518 | \bBiglake\b
519 | 
520 | # s.b. BigQuery
521 | \bBig Query\b
522 | \bBigquery\b
523 | 
524 | # s.b. Cloud Build
525 | \bCloudBuild\b
526 | \bCloud build\b
527 | 
528 | # s.b. Cloud CDN
529 | \bCloudCDN\b
530 | 
531 | # s.b. Cloud Functions
532 | \bCloud functions\b
533 | 
534 | # s.b. Cloud Run
535 | \bCloudRun\b
536 | \bCloud run\b
537 | 
538 | # s.b. Cloud SQL
539 | \bCloudSQL\b
540 | 
541 | # s.b. Compute Engine
542 | \bComputeEngine\b
543 | \bCompute engine\b
544 | 
545 | # s.b. Dataplex
546 | \bDataPlex\b
547 | 
548 | # s.b. Datastream
549 | \bDataStream\b
550 | \bData Stream\b
551 | 
552 | # s.b. Dialogflow
553 | \bDialogFlow\b
554 | 
555 | # s.b. Firestore
556 | \bFireStore\b
557 | 
558 | # s.b. gVNIC
559 | \bGVNIC\b
560 | 
561 | # s.b. Knative
562 | \bKNative\b
563 | 
564 | # s.b. Memorystore
565 | \bMemoryStore\b
566 | \bMemory Store\b
567 | 
568 | # s.b. Pub/Sub
569 | \bPubSub\b
570 | 
571 | # s.b. TensorFlow
572 | \bTensor Flow\b
573 | 
574 | # s.b. Vertex AI
575 | \bVertexAI\b
576 | 
577 | # s.b. VMware Engine
578 | \bVMware engine\b
579 | \bVMWare Engine\b
580 | 
581 | # s.b. Bigtable
582 | \bBigTable\b
583 | \bBig Table\b
584 | 
585 | # s.b. Datastore
586 | \bDataStore\b
587 | 
588 | # s.b. Memorystore
589 | \bMemoryStore\b
590 | 
591 | #
592 | # Azure Products
593 | #
594 | 
595 | # s.b. Azure Pipelines
596 | \bAzure DevOps Pipelines\b
597 | 
598 | # s.b. Key Vault
599 | \bKey vault\b
600 | \bKeyVault\b
601 | 
602 | # s.b. Ampere
603 | \bampere\b
604 | 
605 | # s.b. Azure DevOps Server
606 | \bAzure DevOps server\b
607 | 
608 | # s.b. Synapse Analytics
609 | \bSynapse analytics\b
610 | \bsynapse analytics\b
611 | 
612 | # s.b. Cognitive Services
613 | \bCognitive services\b
614 | \bcognitive services\b
615 | 
616 | # s.b. Event Hubs
617 | \bEvent hubs\b
618 | \bevent hubs\b
619 | 
620 | # s.b. CloudOps
621 | \bCloud Ops\b
622 | \bCloud ops\b
623 | \bcloud ops\b
624 | 
625 | # s.b. Batch Service
626 | \bBatch service\b
627 | \bbatch service\b
628 | 
629 | # s.b. Service Fabric Cluster
630 | \bservice fabric cluster\b
631 | 
632 | # s.b. Azure Kubernetes Service
633 | \bAzure Kubernetes service\b
634 | 
635 | # s.b. Cosmos DB
636 | \bCosmosDB\b
637 | \bCosmoDB\b
638 | \bCosmo DB\b
639 | 
640 | # s.b. SignalR Service
641 | \bSignalR service\b
642 | \bSignal R Service\b
643 | 
644 | # s.b. App Service Certificate
645 | \bapp service certificate\b
646 | 
647 | # s.b. Privileged Identity Management
648 | \bprivileged identity management\b
649 | 
650 | # s.b. BizTalk Service
651 | \bBizTalk service\b
652 | \bBiztalk service\b
653 | \bBiz Talk service\b
654 | \bBiz Talk Service\b
655 | 
656 | # s.b. Data Box
657 | \bdata box\b
658 | 
659 | # s.b. Database Migration Service
660 | \bdatabase migration service\b
661 | 
662 | # s.b. Internet Analyzer
663 | \bInternet analyzer\b
664 | \binternet analyzer\b
665 | 
666 | # s.b. Web Application Firewall
667 | \bWeb application firewall\b
668 | \bweb Application Firewall\b
669 | 
670 | # s.b. SQL Vulnerability Assessment
671 | \bSQL vulnerability assessment\b
672 | 
673 | # s.b. StorSimple
674 | \bStor Simple\b
675 | 
676 | #
677 | # Common Typos
678 | #
679 | 
680 | # s.b. another
681 | \ban[- ]other\b
682 | 
683 | # s.b. greater than
684 | \bgreater then\b
685 | 
686 | # s.b. less than
687 | \bless then\b
688 | 
689 | # s.b. otherwise
690 | \bother[- ]wise\b
691 | 
692 | # s.b. nonexistent
693 | \bnon existing\b
694 | \b[Nn]o[nt][- ]existent\b
695 | 
696 | # s.b. preexisting
697 | [Pp]re-existing
698 | 
699 | # s.b. preempt
700 | [Pp]re-empt\b
701 | 
702 | # s.b. preemptively
703 | [Pp]re-emptively
704 | 
705 | # s.b. reentrancy
706 | [Rr]e-entrancy
707 | 
708 | # s.b. reentrant
709 | [Rr]e-entrant
710 | 
711 | # s.b. policies
712 | [Pp]olices
713 | 
714 | # s.b. ID
715 | # \bId\b # disabled in this repo due to false positives
716 | 
717 | # s.b. CSV
718 | \bCVS\b
719 | 
720 | # Reject duplicate words
721 | \s([A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})\s\g{-1}\s
722 | 
723 | # s.b. it's or its
724 | \bits['’]
725 | 
726 | # s.b. understand
727 | \bunder stand\b
728 | 
729 | # find spaces before a comma
730 | ( )+,
731 | 


--------------------------------------------------------------------------------
/.github/actions/spelling/only.txt:
--------------------------------------------------------------------------------
1 | \.md$
2 | \.mql.yaml$
3 | 


--------------------------------------------------------------------------------
/.github/actions/spelling/patterns.txt:
--------------------------------------------------------------------------------
  1 | # See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns
  2 | 
  3 | # acceptable duplicates
  4 | # ls directory listings
  5 | [-bcdlpsw](?:[-r][-w][-sx]){3}\s+\d+\s+(\S+)\s+\g{-1}\s+\d+\s+
  6 | 
  7 | # Commit message -- Signed-off-by and friends
  8 | ^\s*(?:(?:Based-on-patch|Co-authored|Helped|Mentored|Reported|Reviewed|Signed-off)-by|Thanks-to): (?:[^<]*<[^>]*>|[^<]*)\s*$
  9 | 
 10 | # Autogenerated revert commit message
 11 | ^This reverts commit [0-9a-f]{40}\.$
 12 | 
 13 | # ignore long runs of a single character:
 14 | \b([A-Za-z])\g{-1}{3,}\b
 15 | 
 16 | # ignore funky space IDs that blow up spell checking
 17 | api\.mondoo\.app\/.*\b
 18 | console\.mondoo\.com\/.*\b
 19 | 
 20 | # azure subscription ID
 21 | [0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}
 22 | 
 23 | # azure subscriptions URL
 24 | \/subscriptions\/\S*
 25 | 
 26 | # docker container
 27 | \b[a-z,0-9]{12}\b
 28 | 
 29 | # URLs in markdown links / images
 30 | ]\(.*\)
 31 | 
 32 | # Azure Key Vault Vault. It feels wrong, but it's technically right
 33 | Key Vault Vault
 34 | 
 35 | # luna containers in scan output
 36 | \bluna/.*\b
 37 | 
 38 | # this comes up in permissions and is valid
 39 | \broot root\b
 40 | 
 41 | # AWS resources
 42 | (ami|subnet|vpc|sg|fs)-[0-9a-fA-F]{17}
 43 | 
 44 | # http and https URLs
 45 | https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)
 46 | 
 47 | # registry key paths
 48 | HKEY_[\w\\]*
 49 | 
 50 | # Container digests
 51 | \bsha256:\w*
 52 | 
 53 | # mime types
 54 | \bapplication\/\S*
 55 | 
 56 | # mql certificate IDs
 57 | certificate:\w*
 58 | 
 59 | # ARN values
 60 | \barn:\S*
 61 | 
 62 | # Azure postgreSql resource
 63 | postgreSql
 64 | 
 65 | # mac user dir path
 66 | \/Users\/\S*
 67 | 
 68 | # AWS Token, ID access key, etc
 69 | aws_session_token\s+\=(\s+)?.+
 70 | aws_access_key_id\s+\=(\s+)?.+
 71 | aws_secret_access_key\s+\=(\s+)?.+
 72 | 
 73 | # PGP
 74 | \b(?:[0-9A-F]{4} ){9}[0-9A-F]{4}\b
 75 | # GPG keys
 76 | \b(?:[0-9A-F]{4} ){5}(?: [0-9A-F]{4}){5}\b
 77 | 
 78 | # uuid
 79 | \b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b
 80 | 
 81 | # curl arguments
 82 | \b(?:\\n|)curl(?:\s+-[a-zA-Z]{1,2}\b)*(?:\s+-[a-zA-Z]{3,})(?:\s+-[a-zA-Z]+)*
 83 | 
 84 | # set arguments
 85 | \bset(?:\s+-[abefimouxE]{1,2})*\s+-[abefimouxE]{3,}(?:\s+-[abefimouxE]+)*
 86 | 
 87 | # tar arguments
 88 | \b(?:\\n|)g?tar(?:\.exe|)(?:(?:\s+--[-a-zA-Z]+|\s+-[a-zA-Z]+|\s[ABGJMOPRSUWZacdfh-pr-xz]+\b)(?:=[^ ]*|))+
 89 | 
 90 | # file permissions
 91 | ['"`\s][-bcdLlpsw](?:[-r][-w][-Ssx]){2}[-r][-w][-SsTtx]\+?['"`\s]
 92 | 
 93 | # score score is valid in MQL docs
 94 | score score
 95 | 
 96 | # macOS temp folders
 97 | /var/folders/\w\w/[+\w]+/(?:T|-Caches-)/
 98 | 
 99 | # ssh
100 | (?:ssh-\S+|-nistp256) [-a-zA-Z=;:\/0-9+]{12,}
101 | 
102 | # kubernetes object suffix
103 | -[0-9a-f]{10}-\w{5}\s
104 | 
105 | # sed regular expressions
106 | sed 's/(?:[^/]*?[a-zA-Z]{3,}[^/]*?/){2}
107 | 
108 | # UNIX device paths
109 | \/dev\/\w*
110 | 
111 | # AWS RDS instance types
112 | db.\w{2}.\w*
113 | 
114 | # uuid
115 | [<({"'>][0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[<'"})>]
116 | 
117 | # rsa private keys
118 | MII[BCEJ]\w*
119 | 
120 | # UID in MQL policy
121 | - uid: \S*
122 | 


--------------------------------------------------------------------------------
/.github/actions/spelling/reject.txt:
--------------------------------------------------------------------------------
 1 | ad-hoc
 2 | ^attache$
 3 | ^bellow$
 4 | benefitting
 5 | occurences?
 6 | ^dependan.*
 7 | ^oer$
 8 | Sorce
 9 | ^[Ss]pae.*
10 | ^untill$
11 | ^untilling$
12 | ^wether.*
13 | \w*(?<!right-)click
14 | deets
15 | organisation
16 | 
17 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | ---
2 | version: 2
3 | updates:
4 |   - package-ecosystem: "github-actions"
5 |     directory: "/"
6 |     schedule:
7 |       interval: "weekly"
8 | 


--------------------------------------------------------------------------------
/.github/workflows/cla.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: "CLA Assistant"
 3 | on:
 4 |   issue_comment:
 5 |     types: [created]
 6 |   pull_request_target:
 7 |     types: [opened, closed, synchronize]
 8 | 
 9 | jobs:
10 |   CLAssistant:
11 |     runs-on: ubuntu-latest
12 |     steps:
13 |       - name: "CLA Assistant"
14 |         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Mondoo CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
15 |         uses: contributor-assistant/github-action@v2.6.1
16 |         env:
17 |           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
18 |           PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_ACCESS_TOKEN }}
19 |         with:
20 |           path-to-signatures: "signatures/version1/cla.json"
21 |           path-to-document: "https://github.com/mondoohq/.github/blob/master/CLA.md"
22 |           custom-pr-sign-comment: "I have read the Mondoo CLA Document and I hereby sign the CLA"
23 |           custom-notsigned-prcomment: "Thank you for your submission. We really appreciate it. Before we can accept your contribution, we ask that you sign the [Mondoo Contributor License Agreement](https://github.com/mondoohq/.github/blob/master/CLA.md). You can sign the CLA by adding a new comment to this pull request and pasting exactly the following text."
24 |           remote-repository-name: cla
25 |           remote-organization-name: mondoohq
26 |           branch: "main"
27 |           allowlist: mondoo-tools,github-actions[bot],dependabot[bot]
28 | 


--------------------------------------------------------------------------------
/.github/workflows/lint.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Lint Packs
 3 | 
 4 | on:
 5 |   pull_request:
 6 |   push:
 7 |     branches:
 8 |       - main
 9 | 
10 | jobs:
11 |   build:
12 |     runs-on: ubuntu-latest
13 |     name: Validate changed packs
14 |     steps:
15 |       - uses: actions/checkout@v4
16 |       - name: Installing cnquery
17 |         run: |
18 |           bash -c "$(curl -sSL https://install.mondoo.com/sh/cnquery)"
19 |       - name: Ensure providers are installed
20 |         # can be removed once https://github.com/mondoohq/cnquery/issues/2188 is solved
21 |         run: |
22 |           cnquery providers install aws
23 |           cnquery providers install azure
24 |           cnquery providers install gcp
25 |           cnquery providers install github
26 |           cnquery providers install k8s
27 |           cnquery providers install os
28 |           cnquery providers install slack
29 |           cnquery providers install vsphere
30 |           cnquery providers install gitlab  
31 |           cnquery providers install network
32 |           cnquery providers install ms365
33 |           cnquery providers install google-workspace
34 |           cnquery providers install okta
35 |           cnquery providers install terraform
36 |       - name: Lint packs
37 |         run: |
38 |           cnquery bundle validate .
39 | 
40 |   license-check:
41 |     runs-on: ubuntu-latest
42 |     steps:
43 |       - name: Checkout code
44 |         uses: actions/checkout@v4
45 | 
46 |       - name: Setup Copywrite
47 |         uses: hashicorp/setup-copywrite@v1.1.3
48 |         with:
49 |           version: v0.16.4
50 | 
51 |       - name: Check Header Compliance
52 |         run: copywrite headers --plan
53 |         


--------------------------------------------------------------------------------
/.github/workflows/release.yaml:
--------------------------------------------------------------------------------
 1 | name: Release Packs
 2 | 
 3 | on:
 4 |   push:
 5 |     tags:
 6 |       - "v*.*.*"
 7 | 
 8 | jobs:
 9 |   build:
10 |     runs-on: ubuntu-latest
11 |     steps:
12 |       - name: Checkout
13 |         uses: actions/checkout@v4
14 |       - name: Release
15 |         uses: softprops/action-gh-release@v2
16 |         with:
17 |           files: "**/*.mql.yaml"
18 |           generate_release_notes: true
19 |           fail_on_unmatched_files: true
20 |       - name: Trigger Registry Update
21 |         uses: peter-evans/repository-dispatch@v3
22 |         with:
23 |           token: ${{ secrets.SERVER_ACTION_TOKEN }}
24 |           repository: mondoohq/server
25 |           event-type: update
26 |           client-payload: '{"source": "${{ github.repository }}", "tag": "${{ github.ref }}"}'
27 | 


--------------------------------------------------------------------------------
/.github/workflows/spell-check.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Spell Checking
 3 | 
 4 | on:
 5 |   pull_request:
 6 |     types: [opened, reopened, synchronize]
 7 | 
 8 | jobs:
 9 |   spelling:
10 |     name: Run spell check
11 |     permissions:
12 |       contents: read
13 |       pull-requests: read
14 |       actions: read
15 |     outputs:
16 |       followup: ${{ steps.spelling.outputs.followup }}
17 |     runs-on: ubuntu-latest
18 |     if: "contains(github.event_name, 'pull_request') || github.event_name == 'push'"
19 |     concurrency:
20 |       group: spelling-${{ github.event.pull_request.number || github.ref }}
21 |       # note: If you use only_check_changed_files, you do not want cancel-in-progress
22 |       cancel-in-progress: true
23 |     steps:
24 |       - name: check-spelling
25 |         id: spelling
26 |         uses: check-spelling/check-spelling@v0.0.25
27 |         with:
28 |           suppress_push_for_open_pull_request: 1
29 |           checkout: true
30 |           post_comment: 0
31 |           dictionary_source_prefixes: '{"mondoo": "https://raw.githubusercontent.com/mondoohq/spellcheck-dictionary/main/", "cspell": "https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20230509/dictionaries/"}'
32 |           extra_dictionaries:
33 |             cspell:aws/aws.txt
34 |             cspell:filetypes/filetypes.txt
35 |             cspell:software-terms/src/software-terms.txt
36 |             cspell:software-terms/src/software-tools.txt
37 |             cspell:companies/src/companies.txt
38 |             mondoo:mondoo_dictionary.txt
39 | 
40 |   comment:
41 |     name: Report
42 |     runs-on: ubuntu-latest
43 |     needs: spelling
44 |     permissions:
45 |       contents: write
46 |       pull-requests: write
47 |     if: (success() || failure()) && needs.spelling.outputs.followup
48 |     steps:
49 |       - name: comment
50 |         uses: check-spelling/check-spelling@v0.0.25
51 |         with:
52 |           checkout: true
53 |           task: ${{ needs.spelling.outputs.followup }}
54 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | License text copyright (c) 2020 MariaDB Corporation Ab, All Rights Reserved.
 2 | “Business Source License” is a trademark of MariaDB Corporation Ab.
 3 | 
 4 | Parameters
 5 | 
 6 | Licensor:               Mondoo, Inc. (“Mondoo”)
 7 | Licensed Work(s):       cnquery packs version 1.14.0 and
 8 |                         later. The Licensed Work is (c) 2024 Mondoo, Inc.
 9 | Additional Use Grant:   You may use, distribute or host the Licensed Work in
10 |                         your own or your direct customers’ production
11 |                         environment, provided that such use, distribution or
12 |                         hosting does not include offering the Licensed Work to
13 |                         third parties as part of or in connection with an
14 |                         offering that is competitive with any of Mondoo’s
15 |                         products.
16 | Change Date:            Four years from the date the Licensed Work is published
17 | Change License:         MPL 2.0
18 | 
19 | For information about alternative licensing arrangements for the Licensed Work, please contact licensing@mondoo.com.
20 | 
21 | Notice
22 | 
23 | Business Source License 1.1
24 | 
25 | Terms
26 | 
27 | The Licensor hereby grants you the right to copy, modify, create derivative works, redistribute, and make non-production use of the Licensed Work. The Licensor may make an Additional Use Grant, above, permitting limited production use.
28 | 
29 | Effective on the Change Date, or the fourth anniversary of the first publicly available distribution of a specific version of the Licensed Work under this License, whichever comes first, the Licensor hereby grants you rights under the terms of the Change License, and the rights granted in the paragraph above terminate.
30 | 
31 | If your use of the Licensed Work does not comply with the requirements currently in effect as described in this License, you must purchase a commercial license from the Licensor, its affiliated entities, or authorized resellers, or you must refrain from using the Licensed Work.
32 | 
33 | All copies of the original and modified Licensed Work, and derivative works of the Licensed Work, are subject to this License. This License applies separately for each version of the Licensed Work and the Change Date may vary for each version of the Licensed Work released by Licensor.
34 | 
35 | You must conspicuously display this License on each original or modified copy of the Licensed Work. If you receive the Licensed Work in original or modified form from a third party, the terms and conditions set forth in this License apply to your use of that work.
36 | 
37 | Any use of the Licensed Work in violation of this License will automatically terminate your rights under this License for the current and all other versions of the Licensed Work.
38 | 
39 | This License does not grant you any right in any trademark or logo of Licensor or its affiliates (provided that you may use a trademark or logo of Licensor as expressly required by this License).
40 | 
41 | TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE.
42 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | lint:
 2 | 	cnquery bundle validate . 
 3 | 
 4 | # Copywrite Check Tool: https://github.com/hashicorp/copywrite
 5 | license: license/headers/check
 6 | 
 7 | license/headers/check:
 8 | 	copywrite headers --plan
 9 | 
10 | license/headers/apply:
11 | 	copywrite headers
12 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # cnquery Query Packs
 2 | 
 3 | This project contains inventory and incident response query packs for [`cnquery`](https://github.com/mondoohq/cnquery). We've organized them into these directories:
 4 | 
 5 | - [core](core) - Core packs contain baseline queries such as incident response probes for different targets. Core query packs are maintained by Mondoo and have strict quality requirements.
 6 | - [extra](extra) - Extra packs are a mix of community- and Mondoo-maintained queries that are outside Mondoo's core support tier.
 7 | - [community](community) - Community packs are primarily maintained by the community with support from the Mondoo team. Community packs may move to extra or core over time.
 8 | 
 9 | ## Join the community!
10 | 
11 | Join the [Mondoo Community GitHub Discussions](https://github.com/orgs/mondoohq/discussions) to collaborate on policy as code and security automation.
12 | 
13 | ## License
14 | 
15 | [Business Source License 1.1](LICENSE)
16 | 


--------------------------------------------------------------------------------
/community/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mondoohq/cnquery-packs/668679608f3614967fc581dbdfd840771bd61308/community/.gitkeep


--------------------------------------------------------------------------------
/community/README.md:
--------------------------------------------------------------------------------
 1 | # Community Packs
 2 | 
 3 | Community policies are primarily maintained by the community with support of the Mondoo team. Community policies may move to extra or core over time.
 4 | 
 5 | ## Contributing
 6 | 
 7 | We welcome all contributions. For more information on contributing to cnquery-packs, see our [Contributing](https://github.com/mondoohq/.github/blob/master/CONTRIBUTING.md) guide.
 8 | 
 9 | ### Join the community!
10 | 
11 | Join the [Mondoo Community GitHub Discussions](https://github.com/orgs/mondoohq/discussions) to collaborate on policy as code and security automation.
12 | 


--------------------------------------------------------------------------------
/community/mondoo-windows-operational-inventory.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-windows-operational-inventory
 6 |     name: Windows Client/Server Operational Inventory Pack
 7 |     version: 1.0.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: windows
14 |       mondoo.com/category: best-practices
15 |     docs:
16 |       desc: |-
17 |         The Windows Operational Inventory Pack by Mondoo retrieves monitoring data about Windows hosts.
18 | 
19 |         ## Local scan
20 |         To run this pack locally on a Windows host:
21 | 
22 |         ```bash
23 |         cnquery scan local -f mondoo-windows-operational-inventory.mql.yaml
24 |         ```
25 | 
26 |         ## Remote execution
27 |         To run this pack against a remote Windows host using SSH:
28 | 
29 |         ```bash
30 |         cnquery scan ssh <user>@<ip_address> -f mondoo-windows-operational-inventory.mql.yaml
31 |         ```
32 | 
33 |         ## Join the community!
34 |         Our goal is to build query packs that are simple to deploy and provide accurate and useful data.
35 | 
36 |         If you have any suggestions for improving this query pack, or if you need support, [join the Mondoo community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
37 |     filters:
38 |       - mql: asset.family.contains("windows")
39 |     queries:
40 |       - uid: mondoo-windows-operational-inventory-memory-usage
41 |         title: Memory usage in %
42 |         mql: |
43 |           parse.json(content: powershell("Get-Counter '\\Memory\\% Committed Bytes In Use' | ConvertTo-Json -Compress").stdout).params['CounterSamples'] { Path CookedValue }
44 |       - uid: mondoo-windows-operational-inventory-cpu-usage
45 |         title: CPU usage in %
46 |         mql: |
47 |           parse.json(content: powershell("Get-Counter '\\Processor(*)\\% Processor Time' | ConvertTo-Json -Compress").stdout).params['CounterSamples'] { Path CookedValue }
48 |       - uid: mondoo-windows-operational-inventory-disk-usage
49 |         title: Disk usage in %
50 |         mql: |
51 |           parse.json(content: powershell("Get-Counter '\\LogicalDisk(*)\\% Free Space' | ConvertTo-Json -Compress").stdout).params['CounterSamples'] { Path CookedValue }
52 |     


--------------------------------------------------------------------------------
/core/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mondoohq/cnquery-packs/668679608f3614967fc581dbdfd840771bd61308/core/.gitkeep


--------------------------------------------------------------------------------
/core/mondoo-aws-incident-response.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-incident-response-aws
  6 |     name: AWS Incident Response Pack
  7 |     version: 1.1.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: aws,cloud
 14 |       mondoo.com/category: security
 15 |     docs:
 16 |       desc: |
 17 |         ### Overview
 18 | 
 19 |         The AWS Incident Response Pack by Mondoo query pack retrieves data about AWS services and resources for investigation during a security incident.
 20 | 
 21 |         ### Run query pack
 22 | 
 23 |         To run this query pack against an AWS account:
 24 | 
 25 |         ```bash
 26 |         cnquery scan aws -f mondoo-aws-incident-response.mql.yaml
 27 |         ```
 28 |     groups:
 29 |       - uid: mondoo-incident-response-aws-group
 30 |         title: AWS Asset Inventory Pack Group
 31 |         filters: |
 32 |           asset.runtime == "aws"
 33 |         queries:
 34 |           - uid: mondoo-incident-response-aws-account-id
 35 |           - uid: mondoo-incident-response-aws-enabled-regions
 36 |           - uid: mondoo-incident-response-aws-user-info
 37 |           - uid: mondoo-incident-response-aws-iam-users-multiple-keys
 38 |           - uid: mondoo-incident-response-aws-iam-administrator-access
 39 |           - uid: mondoo-incident-response-aws-iam-full-access
 40 |           - uid: mondoo-incident-response-aws-ec2-instances-public-ip
 41 |           - uid: mondoo-incident-response-aws-ec2-instances-without-tags
 42 |           - uid: mondoo-incident-response-aws-s3-buckets-public
 43 | 
 44 | 
 45 | 
 46 | 
 47 | 
 48 | queries:
 49 |   - uid: mondoo-incident-response-aws-account-id
 50 |     title: AWS account ID
 51 |     filters: |
 52 |       asset.platform == "aws"
 53 |     mql: |
 54 |       aws.account.id
 55 | 
 56 | 
 57 | 
 58 |   - uid: mondoo-incident-response-aws-enabled-regions
 59 |     title: All regions enabled in the AWS account
 60 |     filters: |
 61 |       asset.platform == "aws"
 62 |     docs:
 63 |       desc: |
 64 |         This query retrieves all AWS regions enabled in the account
 65 |     mql: |
 66 |       aws { regions }
 67 | 
 68 | 
 69 | 
 70 |   - uid: mondoo-incident-response-aws-user-info
 71 |     title: IAM users with console access
 72 |     filters: |
 73 |       asset.platform == "aws"
 74 |     docs:
 75 |       desc: |
 76 |         This query retrieves data for users with console access. The following fields are retrieved:
 77 | 
 78 |         ```
 79 |         properties['user']
 80 |         passwordLastUsed
 81 |         passwordLastChanged
 82 |         mfaActive
 83 |         ```
 84 |     mql: |
 85 |       aws.iam.credentialReport.
 86 |         where( passwordEnabled == true ) {
 87 |           properties['user']
 88 |           passwordLastUsed
 89 |           passwordLastChanged
 90 |           mfaActive
 91 |         }
 92 | 
 93 | 
 94 | 
 95 |   - uid: mondoo-incident-response-aws-iam-users-multiple-keys
 96 |     title: IAM users with API access
 97 |     filters: |
 98 |       asset.platform == "aws"
 99 |     docs:
100 |       desc: |
101 |         This query retrieves all of the IAM users that have API access along with the following fields:
102 | 
103 |         ```
104 |         properties['user']
105 |         accessKey1Active
106 |         accessKey1LastUsedDate
107 |         accessKey1LastUsedService
108 |         accessKey1LastRotated
109 |         accessKey2Active
110 |         accessKey2LastUsedDate
111 |         accessKey2LastUsedService
112 |         accessKey2LastRotated
113 |         ```
114 |     mql: |
115 |       aws.iam.credentialReport.
116 |         where( accessKey1Active || accessKey2Active ) {
117 |           properties['user']
118 |           accessKey1Active
119 |           accessKey1LastUsedDate
120 |           accessKey1LastUsedService
121 |           accessKey1LastRotated
122 |           accessKey2Active
123 |           accessKey2LastUsedDate
124 |           accessKey2LastUsedService
125 |           accessKey2LastRotated
126 |         }
127 | 
128 | 
129 | 
130 |   - uid: mondoo-incident-response-aws-iam-administrator-access
131 |     title: IAM users, groups, and roles to which the AdministratorAccess policy is attached
132 |     docs:
133 |       desc: |
134 |         This query retrieves all IAM users, groups, and roles with the `AdministratorAccess` role attached.
135 |     variants:
136 |       - uid: mondoo-incident-response-aws-iam-administrator-access-all
137 |       - uid: mondoo-incident-response-aws-iam-administrator-access-user
138 |       - uid: mondoo-incident-response-aws-iam-administrator-access-group
139 |   - uid: mondoo-incident-response-aws-iam-administrator-access-all
140 |     filters: |
141 |       asset.platform == "aws"
142 |     mql: |
143 |       aws.iam.attachedPolicies.
144 |         where( arn == "arn:aws:iam::aws:policy/AdministratorAccess" ) {
145 |           attachedUsers
146 |           attachedGroups
147 |           attachedRoles
148 |         }
149 |   - uid: mondoo-incident-response-aws-iam-administrator-access-user
150 |     filters: |
151 |       asset.platform == "aws-iam-user"
152 |       aws.iam.attachedPolicies
153 |         .where(arn == "arn:aws:iam::aws:policy/AdministratorAccess")
154 |         .any(attachedUsers
155 |           .contains(
156 |             arn.in(asset.ids)
157 |           )
158 |         )
159 |     mql: |
160 |       aws.iam.user {
161 |         arn
162 |         name
163 |         policies
164 |         id
165 |         tags
166 |         attachedPolicies
167 |         createDate
168 |         accessKeys
169 |         loginProfile
170 |         groups
171 |       }
172 |   - uid: mondoo-incident-response-aws-iam-administrator-access-group
173 |     filters: |
174 |       asset.platform == "aws-iam-group"
175 |       aws.iam.attachedPolicies
176 |         .where(arn == "arn:aws:iam::aws:policy/AdministratorAccess")
177 |         .any(attachedGroups
178 |           .contains(
179 |             arn.in(asset.ids)
180 |           )
181 |         )
182 |     mql: |
183 |       aws.iam.group {
184 |         arn
185 |         name
186 |         createDate
187 |         id
188 |         usernames
189 |       }
190 | 
191 | 
192 | 
193 |   - uid: mondoo-incident-response-aws-iam-full-access
194 |     title: IAM users, groups, and roles to which any 'FullAccess' policy is attached
195 |     filters: |
196 |       asset.platform == "aws"
197 |     docs:
198 |       desc: |
199 |         This query retrieves all IAM users, groups, and roles with an AWS FullAccess role attached.
200 |     mql: |
201 |       aws.iam.policies.
202 |         where( name == /FullAccess/i && attachmentCount != 0) {
203 |           name
204 |           createDate
205 |           updateDate
206 |           attachedUsers
207 |           attachedGroups
208 |           attachedRoles
209 |         }
210 | 
211 | 
212 | 
213 |   - uid: mondoo-incident-response-aws-ec2-instances-public-ip
214 |     title: EC2 instances that have a public IP address
215 |     docs:
216 |       desc: |
217 |         This query retrieves all EC2 instances that have a public IP address attached along with the following fields:
218 | 
219 |         ```
220 |         arn
221 |         instanceId
222 |         region
223 |         state
224 |         vpc.id
225 |         keypair {
226 |           name
227 |         }
228 |         securityGroups {
229 |           name
230 |           description
231 |           ipPermissions
232 |         }
233 |         tags
234 |         ```
235 |     variants:
236 |       - uid: mondoo-incident-response-aws-ec2-instances-public-ip-all
237 |       - uid: mondoo-incident-response-aws-ec2-instances-public-ip-single
238 |   - uid: mondoo-incident-response-aws-ec2-instances-public-ip-all
239 |     filters: |
240 |       asset.platform == "aws"
241 |     mql: |
242 |       aws.ec2.instances.
243 |         where( publicIp != '' ) {
244 |           arn
245 |           instanceId
246 |           region
247 |           state
248 |           vpc.id
249 |           keypair {
250 |             name
251 |           }
252 |           securityGroups {
253 |             name
254 |             description
255 |             ipPermissions
256 |           }
257 |           tags
258 |         }
259 |   - uid: mondoo-incident-response-aws-ec2-instances-public-ip-single
260 |     filters: |
261 |       asset.platform == "aws-ec2-instance"
262 |       aws.ec2.instance.publicIp != empty
263 |     mql: |
264 |       aws.ec2.instance {
265 |           arn
266 |           instanceId
267 |           region
268 |           state
269 |           vpc.id
270 |           keypair {
271 |             name
272 |           }
273 |           securityGroups {
274 |             name
275 |             description
276 |             ipPermissions
277 |           }
278 |           tags
279 |         }
280 | 
281 | 
282 | 
283 |   - uid: mondoo-incident-response-aws-ec2-instances-without-tags
284 |     title: EC2 instances that do not have tags configured
285 |     docs:
286 |       desc: |
287 |         This query retrieves all EC2 instances that do not have tags configured, along with the following fields:
288 |         ```mql
289 |         instanceId
290 |         region
291 |         keypair { name }
292 |         image.name
293 |         image.id
294 |         state
295 |         ```
296 |     variants:
297 |       - uid: mondoo-incident-response-aws-ec2-instances-without-tags-all
298 |       - uid: mondoo-incident-response-aws-ec2-instances-without-tags-single
299 |   - uid: mondoo-incident-response-aws-ec2-instances-without-tags-all
300 |     filters: |
301 |       asset.platform == "aws"
302 |     mql: |
303 |       aws.ec2.instances.
304 |         where( tags.length == 0 ) {
305 |           instanceId
306 |           region
307 |           keypair { name }
308 |           image.name
309 |           image.id
310 |           state
311 |         }
312 |   - uid: mondoo-incident-response-aws-ec2-instances-without-tags-single
313 |     filters: |
314 |       asset.platform == "aws-ec2-instance"
315 |       aws.ec2.instance.tags.length == 0
316 |     mql: |
317 |       aws.ec2.instance {
318 |           instanceId
319 |           region
320 |           keypair { name }
321 |           image.name
322 |           image.id
323 |           state
324 |         }
325 | 
326 | 
327 | 
328 |   - uid: mondoo-incident-response-aws-s3-buckets-public
329 |     title: S3 buckets that are public
330 |     docs:
331 |       desc: |
332 |         This query retrieves all S3 buckets that are configured with public access and returns the following fields:
333 |         ```mql
334 |         arn
335 |         name
336 |         location
337 |         publicAccessBlock
338 |         encryption
339 |         tags
340 |         policy
341 |         ```
342 |     variants:
343 |       - uid: mondoo-incident-response-aws-s3-buckets-public-all
344 |       - uid: mondoo-incident-response-aws-s3-buckets-public-single
345 |   - uid: mondoo-incident-response-aws-s3-buckets-public-all
346 |     filters: |
347 |       asset.platform == "aws"
348 |     mql: |
349 |       aws.s3.buckets.
350 |         where( public == true ) {
351 |           arn
352 |           name
353 |           location
354 |           publicAccessBlock
355 |           encryption
356 |           tags
357 |           policy
358 |         }
359 |   - uid: mondoo-incident-response-aws-s3-buckets-public-single
360 |     filters: |
361 |       asset.platform == "aws-s3-bucket"
362 |       aws.s3.bucket.public == true
363 |     mql: |
364 |       aws.s3.bucket {
365 |           arn
366 |           name
367 |           location
368 |           publicAccessBlock
369 |           encryption
370 |           tags
371 |           policy
372 |         }
373 | 


--------------------------------------------------------------------------------
/core/mondoo-aws-inventory.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-asset-inventory-aws
  6 |     name: AWS Asset Inventory Pack
  7 |     version: 1.1.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: aws,cloud
 14 |       mondoo.com/category: best-practices
 15 |     docs:
 16 |       desc: |
 17 |         The AWS Asset Inventory Pack retrieves information about AWS accounts for asset inventory.
 18 |     groups:
 19 |       - uid: mondoo-asset-inventory-aws-group
 20 |         title: AWS Asset Inventory Pack Group
 21 |         filters: |
 22 |           asset.runtime == "aws"
 23 |         queries:
 24 |           - uid: mondoo-asset-inventory-aws-account-id
 25 |           - uid: mondoo-asset-inventory-aws-enabled-regions
 26 |           - uid: mondoo-asset-inventory-aws-vpcs
 27 |           - uid: mondoo-asset-inventory-aws-iam-users
 28 |           - uid: mondoo-asset-inventory-aws-iam-groups
 29 |           - uid: mondoo-asset-inventory-aws-iam-roles
 30 |           - uid: mondoo-asset-inventory-aws-iam-policies
 31 |           - uid: mondoo-asset-inventory-aws-ec2-security-groups
 32 |           - uid: mondoo-asset-inventory-aws-ec2-volumes
 33 |           - uid: mondoo-asset-inventory-aws-ec2-retrieve-all-data
 34 |           - uid: mondoo-asset-inventory-aws-rds-dbclusters-all-data
 35 |           - uid: mondoo-asset-inventory-aws-rds-dbinstances-all-data
 36 |           - uid: mondoo-asset-inventory-aws-s3-retrieve-all-data
 37 |           - uid: mondoo-asset-inventory-aws-eks-clusters
 38 |           - uid: mondoo-asset-inventory-aws-lambda
 39 |           - uid: mondoo-asset-inventory-aws-access-analyzer
 40 |           - uid: mondoo-asset-inventory-aws-acm-certificates
 41 |           - uid: mondoo-asset-inventory-aws-cloudtrail-trails
 42 | 
 43 | queries:
 44 |       - uid: mondoo-asset-inventory-aws-account-id
 45 |         filters: |
 46 |           asset.platform == "aws"
 47 |         title: AWS account ID
 48 |         mql: |
 49 |           aws.account.id
 50 | 
 51 | 
 52 | 
 53 |       - uid: mondoo-asset-inventory-aws-enabled-regions
 54 |         title: Regions enabled in the AWS account
 55 |         filters: |
 56 |           asset.platform == "aws"
 57 |         docs:
 58 |           desc: |
 59 |             This query retrieves all AWS regions enabled in the account
 60 |         mql: |
 61 |           aws { regions }
 62 | 
 63 | 
 64 | 
 65 |       - uid: mondoo-asset-inventory-aws-vpcs
 66 |         title: VPCs
 67 |         docs:
 68 |           desc: |
 69 |             This query retrieves all of the configuration data for AWS VPCs
 70 |         variants:
 71 |           - uid: mondoo-asset-inventory-aws-vpcs-all
 72 |           - uid: mondoo-asset-inventory-aws-vpcs-single
 73 |       - uid: mondoo-asset-inventory-aws-vpcs-all
 74 |         filters: |
 75 |           asset.platform == "aws"
 76 |         mql: |
 77 |           aws.vpcs
 78 |       - uid: mondoo-asset-inventory-aws-vpcs-single
 79 |         filters: |
 80 |           asset.platform == "aws-vpc"
 81 |         mql: |
 82 |           aws.vpc
 83 | 
 84 | 
 85 | 
 86 |       - uid: mondoo-asset-inventory-aws-iam-users
 87 |         title: IAM users
 88 |         docs:
 89 |           desc: |
 90 |             This query retrieves data for all IAM users
 91 |         variants:
 92 |           - uid: mondoo-asset-inventory-aws-iam-users-all
 93 |           - uid: mondoo-asset-inventory-aws-iam-users-single
 94 |       - uid: mondoo-asset-inventory-aws-iam-users-all
 95 |         filters: |
 96 |           asset.platform == "aws"
 97 |         mql: |
 98 |           aws.iam.users
 99 |       - uid: mondoo-asset-inventory-aws-iam-users-single
100 |         filters: |
101 |           asset.platform == "aws-iam-user"
102 |         mql: |
103 |           aws.iam.user
104 | 
105 | 
106 | 
107 |       - uid: mondoo-asset-inventory-aws-iam-groups
108 |         title: IAM groups
109 |         docs:
110 |           desc: |
111 |             This query retrieves all of the IAM groups.
112 |         variants:
113 |           - uid: mondoo-asset-inventory-aws-iam-groups-all
114 |           - uid: mondoo-asset-inventory-aws-iam-groups-single
115 |       - uid: mondoo-asset-inventory-aws-iam-groups-all
116 |         filters: |
117 |           asset.platform == "aws"
118 |         mql: |
119 |           aws.iam.groups
120 |       - uid: mondoo-asset-inventory-aws-iam-groups-single
121 |         filters: |
122 |           asset.platform == "aws-iam-group"
123 |         mql: |
124 |           aws.iam.group
125 | 
126 | 
127 | 
128 |       - uid: mondoo-asset-inventory-aws-iam-roles
129 |         title: IAM roles
130 |         docs:
131 |           desc: |
132 |             This query retrieves all IAM Roles
133 |         variants:
134 |           - uid: mondoo-asset-inventory-aws-iam-roles-all
135 |       - uid: mondoo-asset-inventory-aws-iam-roles-all
136 |         filters: |
137 |           asset.platform == "aws"
138 |         mql: |
139 |           aws.iam.roles
140 | 
141 | 
142 | 
143 |       - uid: mondoo-asset-inventory-aws-iam-policies
144 |         title: Attached IAM policies
145 |         filters: |
146 |           asset.platform == "aws"
147 |         docs:
148 |           desc: |
149 |             This query retrieves all IAM policies attached to a user, group, or role.
150 |         mql: aws.iam.policies.where( attachmentCount > 0 )
151 | 
152 | 
153 | 
154 |       - uid: mondoo-asset-inventory-aws-ec2-security-groups
155 |         title: EC2 Security Groups
156 |         docs:
157 |           desc: |
158 |             This query retrieves all AWS EC2 Security Groups
159 |         variants:
160 |           - uid: mondoo-asset-inventory-aws-ec2-security-groups-all
161 |           - uid: mondoo-asset-inventory-aws-ec2-security-groups-single
162 |       - uid: mondoo-asset-inventory-aws-ec2-security-groups-all
163 |         filters: |
164 |           asset.platform == "aws"
165 |         mql: |
166 |           aws.ec2.securityGroups
167 |       - uid: mondoo-asset-inventory-aws-ec2-security-groups-single
168 |         filters: |
169 |           asset.platform == "aws-security-group"
170 |         mql: |
171 |           aws.ec2.securitygroup
172 | 
173 | 
174 | 
175 |       - uid: mondoo-asset-inventory-aws-ec2-volumes
176 |         title: EBS volumes
177 |         docs:
178 |           desc: |
179 |             This query retrieves all AWS EBS volumes
180 |         variants:
181 |           - uid: mondoo-asset-inventory-aws-ec2-volumes-all
182 |           - uid: mondoo-asset-inventory-aws-ec2-volumes-single
183 |       - uid: mondoo-asset-inventory-aws-ec2-volumes-all
184 |         filters: |
185 |           asset.platform == "aws"
186 |         mql: |
187 |           aws.ec2.volumes
188 |       - uid: mondoo-asset-inventory-aws-ec2-volumes-single
189 |         filters: |
190 |           asset.platform == "aws-ebs-volume"
191 |         mql: |
192 |           aws.ec2.volume
193 | 
194 | 
195 | 
196 |       - uid: mondoo-asset-inventory-aws-ec2-retrieve-all-data
197 |         title: Running EC2 instances
198 |         variants:
199 |           - uid: mondoo-asset-inventory-aws-ec2-retrieve-all-data-all
200 |           - uid: mondoo-asset-inventory-aws-ec2-retrieve-all-data-single
201 |       - uid: mondoo-asset-inventory-aws-ec2-retrieve-all-data-all
202 |         filters: |
203 |           asset.platform == "aws"
204 |         mql: |
205 |           aws.ec2.instances.where(state != "terminated")
206 |       - uid: mondoo-asset-inventory-aws-ec2-retrieve-all-data-single
207 |         filters: |
208 |           asset.platform == "aws-ec2-instance"
209 |           aws.ec2.instance.state != "terminated"
210 |         mql: |
211 |           aws.ec2.instance
212 | 
213 | 
214 | 
215 |       - uid: mondoo-asset-inventory-aws-rds-dbclusters-all-data
216 |         title: RDS database clusters configuration
217 |         variants:
218 |           - uid: mondoo-asset-inventory-aws-rds-dbclusters-all-data-all
219 |       - uid: mondoo-asset-inventory-aws-rds-dbclusters-all-data-all
220 |         filters: |
221 |           asset.platform == "aws"
222 |         mql: |
223 |           aws.rds.clusters
224 | 
225 | 
226 | 
227 |       - uid: mondoo-asset-inventory-aws-rds-dbinstances-all-data
228 |         title: RDS database instances
229 |         variants:
230 |           - uid: mondoo-asset-inventory-aws-rds-dbinstances-all-data-all
231 |           - uid: mondoo-asset-inventory-aws-rds-dbinstances-all-data-single
232 |       - uid: mondoo-asset-inventory-aws-rds-dbinstances-all-data-all
233 |         filters: |
234 |           asset.platform == "aws"
235 |         mql: |
236 |           aws.rds.instances
237 |       - uid: mondoo-asset-inventory-aws-rds-dbinstances-all-data-single
238 |         filters: |
239 |           asset.platform == "aws-rds-dbinstance"
240 |         mql: |
241 |           aws.rds.dbinstance
242 | 
243 | 
244 | 
245 |       - uid: mondoo-asset-inventory-aws-s3-retrieve-all-data
246 |         title: S3 buckets
247 |         variants:
248 |           - uid: mondoo-asset-inventory-aws-s3-retrieve-all-data-all
249 |           - uid: mondoo-asset-inventory-aws-s3-retrieve-all-data-single
250 |       - uid: mondoo-asset-inventory-aws-s3-retrieve-all-data-all
251 |         filters: |
252 |           asset.platform == "aws"
253 |         mql: |
254 |           aws.s3.buckets
255 |       - uid: mondoo-asset-inventory-aws-s3-retrieve-all-data-single
256 |         filters: |
257 |           asset.platform == "aws-s3-bucket"
258 |         mql: |
259 |           aws.s3.bucket
260 | 
261 | 
262 | 
263 |       - uid: mondoo-asset-inventory-aws-eks-clusters
264 |         title: EKS clusters
265 |         variants:
266 |           - uid: mondoo-asset-inventory-aws-eks-clusters-all
267 |       - uid: mondoo-asset-inventory-aws-eks-clusters-all
268 |         filters: |
269 |           asset.platform == "aws"
270 |         mql: |
271 |           aws.eks.clusters
272 | 
273 | 
274 | 
275 |       - uid: mondoo-asset-inventory-aws-lambda
276 |         title: Lambda functions
277 |         variants:
278 |           - uid: mondoo-asset-inventory-aws-lambda-all
279 |           - uid: mondoo-asset-inventory-aws-lambda-single
280 |       - uid: mondoo-asset-inventory-aws-lambda-all
281 |         filters: |
282 |           asset.platform == "aws"
283 |         mql: |
284 |           aws.lambda.functions
285 |       - uid: mondoo-asset-inventory-aws-lambda-single
286 |         filters: |
287 |           asset.platform == "aws-lambda-function"
288 |         mql: |
289 |           aws.lambda.function
290 | 
291 | 
292 | 
293 |       - uid: mondoo-asset-inventory-aws-access-analyzer
294 |         title: Access Analyzers
295 |         variants:
296 |           - uid: mondoo-asset-inventory-aws-access-analyzer-all
297 |       - uid: mondoo-asset-inventory-aws-access-analyzer-all
298 |         filters: |
299 |           asset.platform == "aws"
300 |         mql: |
301 |           aws.accessAnalyzer.analyzers
302 | 
303 | 
304 | 
305 |       - uid: mondoo-asset-inventory-aws-acm-certificates
306 |         title: Certificate Manager certificates
307 |         variants:
308 |           - uid: mondoo-asset-inventory-aws-acm-certificates-all
309 |       - uid: mondoo-asset-inventory-aws-acm-certificates-all
310 |         filters: |
311 |           asset.platform == "aws"
312 |         mql: |
313 |           aws.acm.certificates
314 | 
315 | 
316 | 
317 |       - uid: mondoo-asset-inventory-aws-cloudtrail-trails
318 |         title: CloudTrail trails
319 |         variants:
320 |           - uid: mondoo-asset-inventory-aws-cloudtrail-trails-all
321 |           - uid: mondoo-asset-inventory-aws-cloudtrail-trails-single
322 |       - uid: mondoo-asset-inventory-aws-cloudtrail-trails-all
323 |         filters: |
324 |           asset.platform == "aws"
325 |         mql: |
326 |           aws.cloudtrail.trails
327 |       - uid: mondoo-asset-inventory-aws-cloudtrail-trails-single
328 |         filters: |
329 |           asset.platform == "aws-cloudtrail-trail"
330 |         mql: |
331 |           aws.cloudtrail.trail
332 | 


--------------------------------------------------------------------------------
/core/mondoo-azure-inventory.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-asset-inventory-azure
  6 |     name: Azure Asset Inventory Pack
  7 |     version: 1.2.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: azure,cloud
 14 |       mondoo.com/category: best-practices
 15 |     docs:
 16 |       desc: |
 17 |         The Azure Asset Inventory by Mondoo query pack retrieves information about Azure subscriptions and resources for asset inventory.
 18 |     groups:
 19 |       - uid: mondoo-incident-response-aws-group
 20 |         title: AWS Asset Inventory Pack Group
 21 |         filters: asset.runtime == "azure"
 22 |         queries:
 23 |           - uid: mondoo-asset-inventory-azure-roleDefinitions
 24 |           - uid: mondoo-asset-inventory-azure-cloudDefender
 25 |           - uid: mondoo-asset-inventory-azure-storageAccounts
 26 |           - uid: mondoo-asset-inventory-azure-storageAccounts-containers
 27 |           - uid: mondoo-asset-inventory-azure-storageAccounts-blobs
 28 |           - uid: mondoo-asset-inventory-azure-storageAccounts-tables
 29 |           - uid: mondoo-asset-inventory-azure-sqlServers
 30 |           - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules
 31 |           - uid: mondoo-asset-inventory-azure-sqlServers-databases
 32 |           - uid: mondoo-asset-inventory-azure-postgresql
 33 |           - uid: mondoo-asset-inventory-azure-postgresql-firewallrules
 34 |           - uid: mondoo-asset-inventory-azure-mysql
 35 |           - uid: mondoo-asset-inventory-azure-mysql-firewallrules
 36 |           - uid: mondoo-asset-inventory-azure-mariaDb
 37 |           - uid: mondoo-asset-inventory-azure-keyVaults
 38 |           - uid: mondoo-asset-inventory-azure-keyVaults-keys
 39 |           - uid: mondoo-asset-inventory-azure-keyVaults-secrets
 40 |           - uid: mondoo-asset-inventory-azure-keyVaults-certificates
 41 |           - uid: mondoo-asset-inventory-azure-activitylogs
 42 |           - uid: mondoo-asset-inventory-azure-networkSecurityGroups
 43 |           - uid: mondoo-asset-inventory-azure-publicip
 44 |           - uid: mondoo-asset-inventory-azure-virtualmachines
 45 |           - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk
 46 |           - uid: mondoo-asset-inventory-azure-webapp
 47 |           - uid: mondoo-asset-inventory-azure-cosmosDb
 48 |           - uid: mondoo-asset-inventory-azure-applicationInsight
 49 |           - uid: mondoo-asset-inventory-azure-networkWatcher
 50 |           - uid: mondoo-asset-inventory-azure-bastionHosts
 51 |           - uid: mondoo-asset-inventory-azure-compute-disks
 52 |           - uid: mondoo-asset-inventory-azure-network-interfaces
 53 |           - uid: mondoo-asset-inventory-azure-resourcegroups
 54 |           - uid: mondoo-asset-inventory-azure-resources
 55 | queries:
 56 |   - uid: mondoo-asset-inventory-azure-roleDefinitions
 57 |     title: Azure role definitions
 58 |     filters: asset.platform == "azure"
 59 |     docs:
 60 |       desc: |
 61 |         This query retrieves data for all role definitions in the subscription
 62 |     mql: azure.subscription.authorization.roleDefinitions
 63 | 
 64 | 
 65 |   - uid: mondoo-asset-inventory-azure-cloudDefender
 66 |     title: Microsoft Defender for Cloud configuration
 67 |     filters: asset.platform == "azure"
 68 |     docs:
 69 |       desc: |
 70 |         This query retrieves data for Microsoft Defender for Cloud
 71 |     mql: azure.subscription.cloudDefender { defenderForServers defenderForContainers securityContacts { name alertNotifications }  }
 72 | 
 73 | 
 74 |   - uid: mondoo-asset-inventory-azure-storageAccounts
 75 |     title: Azure Storage accounts
 76 |     docs:
 77 |       desc: |
 78 |         This query retrieves data for all storage accounts
 79 |     variants:
 80 |       - uid: mondoo-asset-inventory-azure-storageAccounts-single
 81 |       - uid: mondoo-asset-inventory-azure-storageAccounts-api
 82 |   - uid: mondoo-asset-inventory-azure-storageAccounts-single
 83 |     filters: asset.platform == "azure-storage-account"
 84 |     mql: azure.subscription.storage.account
 85 |   - uid: mondoo-asset-inventory-azure-storageAccounts-api
 86 |     filters: asset.platform == "azure"
 87 |     mql: azure.subscription.storage.accounts
 88 | 
 89 | 
 90 |   - uid: mondoo-asset-inventory-azure-storageAccounts-containers
 91 |     title: Azure Storage account containers
 92 |     docs:
 93 |       desc: |
 94 |         This query retrieves data for all containers in storage accounts
 95 |     variants:
 96 |       - uid: mondoo-asset-inventory-azure-storageAccounts-containers-single
 97 |       - uid: mondoo-asset-inventory-azure-storageAccounts-containers-api
 98 |   - uid: mondoo-asset-inventory-azure-storageAccounts-containers-api
 99 |     filters: asset.platform == "azure"
100 |     mql: azure.subscription.storage.accounts { containers }
101 |   - uid: mondoo-asset-inventory-azure-storageAccounts-containers-single
102 |     filters: asset.platform == "azure-storage-account" && azure.subscription.storage.account.containers != empty
103 |     mql: azure.subscription.storage.account.containers
104 | 
105 | 
106 |   - uid: mondoo-asset-inventory-azure-storageAccounts-blobs
107 |     title: Azure storage accounts blobs
108 |     docs:
109 |       desc: |
110 |         This query retrieves data for all blobs in storage accounts
111 |     variants:
112 |       - uid: mondoo-asset-inventory-azure-storageAccounts-blobs-single
113 |       - uid: mondoo-asset-inventory-azure-storageAccounts-blobs-api
114 |   - uid: mondoo-asset-inventory-azure-storageAccounts-blobs-api
115 |     filters: asset.platform == "azure"
116 |     mql: azure.subscription.storage.accounts { blobProperties }
117 |   - uid: mondoo-asset-inventory-azure-storageAccounts-blobs-single
118 |     filters: asset.platform == "azure-storage-account"
119 |     mql: azure.subscription.storage.account.blobProperties
120 | 
121 | 
122 |   - uid: mondoo-asset-inventory-azure-storageAccounts-tables
123 |     title: Azure Storage accounts tables
124 |     docs:
125 |       desc: |
126 |         This query retrieves data for all tables in storage accounts
127 |     variants:
128 |       - uid: mondoo-asset-inventory-azure-storageAccounts-tables-single
129 |       - uid: mondoo-asset-inventory-azure-storageAccounts-tables-api
130 |   - uid: mondoo-asset-inventory-azure-storageAccounts-tables-api
131 |     filters: asset.platform == "azure"
132 |     mql: azure.subscription.storage.accounts { tableProperties }
133 |   - uid: mondoo-asset-inventory-azure-storageAccounts-tables-single
134 |     filters: asset.platform == "azure-storage-account"
135 |     mql: azure.subscription.storage.account.tableProperties
136 | 
137 | 
138 |   - uid: mondoo-asset-inventory-azure-sqlServers
139 |     title: Azure SQL Database servers
140 |     docs:
141 |       desc: |
142 |         This query retrieves data for all Azure SQL Database servers
143 |     variants:
144 |       - uid: mondoo-asset-inventory-azure-sqlServers-single
145 |       - uid: mondoo-asset-inventory-azure-sqlServers-api
146 |   - uid: mondoo-asset-inventory-azure-sqlServers-api
147 |     filters: asset.platform == "azure"
148 |     mql: azure.subscription.sql.servers
149 |   - uid: mondoo-asset-inventory-azure-sqlServers-single
150 |     filters: asset.platform == "azure-sql-server"
151 |     mql: azure.subscription.sql.server
152 | 
153 | 
154 |   - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules
155 |     title: Azure SQL Database server firewall rules
156 |     docs:
157 |       desc: |
158 |         This query retrieves data for all firewall rules in Azure SQL Database servers
159 |     variants:
160 |       - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules-single
161 |       - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules-api
162 |   - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules-api
163 |     filters: asset.platform == "azure"
164 |     mql: azure.subscription.sql.servers { firewallRules }
165 |   - uid: mondoo-asset-inventory-azure-sqlServers-firewallrules-single
166 |     filters: asset.platform == "azure-sql-server"
167 |     mql: azure.subscription.sql.server.firewallRules
168 | 
169 | 
170 |   - uid: mondoo-asset-inventory-azure-sqlServers-databases
171 |     title: Azure SQL Database server databases
172 |     docs:
173 |       desc: |
174 |         This query retrieves data for all databases in Azure SQL Database servers
175 |     variants:
176 |       - uid: mondoo-asset-inventory-azure-sqlServers-databases-single
177 |       - uid: mondoo-asset-inventory-azure-sqlServers-databases-api
178 |   - uid: mondoo-asset-inventory-azure-sqlServers-databases-api
179 |     filters: asset.platform == "azure"
180 |     mql: azure.subscription.sql.servers { databases }
181 |   - uid: mondoo-asset-inventory-azure-sqlServers-databases-single
182 |     filters: asset.platform == "azure-sql-server"
183 |     mql: azure.subscription.sql.server.databases
184 | 
185 | 
186 |   - uid: mondoo-asset-inventory-azure-postgresql
187 |     title: Azure PostgreSQL servers
188 |     docs:
189 |       desc: |
190 |         This query retrieves data for all PostgreSQL servers
191 |     variants:
192 |       - uid: mondoo-asset-inventory-azure-postgresql-all
193 |       - uid: mondoo-asset-inventory-azure-postgresql-legacy
194 |       - uid: mondoo-asset-inventory-azure-postgresql-flexible
195 |   - uid: mondoo-asset-inventory-azure-postgresql-all
196 |     filters: asset.platform == "azure"
197 |     mql: |
198 |       azure.subscription.postgreSql.servers
199 |       azure.subscription.postgreSql.flexibleServers
200 |   - uid: mondoo-asset-inventory-azure-postgresql-legacy
201 |     filters: asset.platform == "azure-postgresql-server"
202 |     mql: azure.subscription.postgreSql.server
203 |   - uid: mondoo-asset-inventory-azure-postgresql-flexible
204 |     filters: asset.platform == "azure-postgresql-flexible-server"
205 |     mql: azure.subscription.postgreSql.flexibleServer
206 | 
207 | 
208 |   - uid: mondoo-asset-inventory-azure-postgresql-firewallrules
209 |     title: Azure PostgreSQL server firewall rules
210 |     docs:
211 |       desc: |
212 |         This query retrieves data for all firewall rules in Azure PostgreSQL servers
213 |     variants:
214 |       - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-all
215 |       - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-legacy
216 |       - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-flexible
217 |   - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-all
218 |     filters: asset.platform == "azure"
219 |     mql: |
220 |       azure.subscription.postgreSql.servers { firewallRules }
221 |       azure.subscription.postgreSql.flexibleServers { firewallRules }
222 |   - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-legacy
223 |     filters: asset.platform == "azure-postgresql-server"
224 |     mql: azure.subscription.postgreSql.server.firewallRules
225 |   - uid: mondoo-asset-inventory-azure-postgresql-firewallrules-flexible
226 |     filters: asset.platform == "azure-postgresql-flexible-server"
227 |     mql: azure.subscription.postgreSql.flexibleServer.firewallRules
228 | 
229 | 
230 |   - uid: mondoo-asset-inventory-azure-mysql-firewallrules
231 |     title: Azure MySQL servers
232 |     docs:
233 |       desc: |
234 |         This query retrieves data for all Azure MySQL servers
235 |     variants:
236 |       - uid: mondoo-asset-inventory-azure-mysql-firewallrules-all
237 |       - uid: mondoo-asset-inventory-azure-mysql-firewallrules-legacy
238 |       - uid: mondoo-asset-inventory-azure-mysql-firewallrules-flexible
239 |   - uid: mondoo-asset-inventory-azure-mysql-firewallrules-all
240 |     filters: asset.platform == "azure"
241 |     mql: |
242 |       azure.subscription.mySql.servers { firewallRules }
243 |       azure.subscription.mySql.flexibleServers { firewallRules }
244 |   - uid: mondoo-asset-inventory-azure-mysql-firewallrules-legacy
245 |     filters: asset.platform == "azure-mysql-server"
246 |     mql: azure.subscription.mySql.server.firewallRules
247 |   - uid: mondoo-asset-inventory-azure-mysql-firewallrules-flexible
248 |     filters: asset.platform == "azure-mysql-flexible-server"
249 |     mql: azure.subscription.mySql.flexibleServer.firewallRules
250 | 
251 | 
252 |   - uid: mondoo-asset-inventory-azure-mysql
253 |     title: Azure MySQL servers
254 |     docs:
255 |       desc: |
256 |         This query retrieves data for all Azure MySQL servers
257 |     variants:
258 |       - uid: mondoo-asset-inventory-azure-mysql-all
259 |       - uid: mondoo-asset-inventory-azure-mysql-legacy
260 |       - uid: mondoo-asset-inventory-azure-mysql-flexible
261 |   - uid: mondoo-asset-inventory-azure-mysql-all
262 |     filters: asset.platform == "azure"
263 |     mql: |
264 |       azure.subscription.mySql.servers
265 |       azure.subscription.mySql.flexibleServers
266 |   - uid: mondoo-asset-inventory-azure-mysql-legacy
267 |     filters: asset.platform == "azure-mysql-server"
268 |     mql: azure.subscription.mySql.server
269 |   - uid: mondoo-asset-inventory-azure-mysql-flexible
270 |     filters: asset.platform == "azure-mysql-flexible-server"
271 |     mql: azure.subscription.mySql.flexibleServer
272 | 
273 | 
274 |   - uid: mondoo-asset-inventory-azure-mariaDb
275 |     title: Azure MariaDB servers
276 |     docs:
277 |       desc: |
278 |         This query retrieves data for all Azure MariaDB servers
279 |     variants:
280 |       - uid: mondoo-asset-inventory-azure-mariaDb-single
281 |       - uid: mondoo-asset-inventory-azure-mariaDb-api
282 |   - uid: mondoo-asset-inventory-azure-mariaDb-api
283 |     filters: asset.platform == "azure"
284 |     mql: azure.subscription.mariaDb.servers
285 |   - uid: mondoo-asset-inventory-azure-mariaDb-single
286 |     filters: asset.platform == "azure-mariadb-server"
287 |     mql: azure.subscription.mariaDb.server
288 | 
289 | 
290 |   - uid: mondoo-asset-inventory-azure-diagnosticSettings
291 |     title: Azure diagnostic settings
292 |     filters: asset.platform == "azure"
293 |     docs:
294 |       desc: |
295 |         This query retrieves data for all diagnostic settings
296 |     mql: azure.subscription.monitor.diagnosticSettings
297 | 
298 | 
299 |   - uid: mondoo-asset-inventory-azure-keyVaults
300 |     title: Azure Key Vault vaults
301 |     docs:
302 |       desc: |
303 |         This query retrieves data for all Azure Key Vault vaults
304 |     variants:
305 |       - uid: mondoo-asset-inventory-azure-keyVaults-single
306 |       - uid: mondoo-asset-inventory-azure-keyVaults-api
307 |   - uid: mondoo-asset-inventory-azure-keyVaults-api
308 |     filters: asset.platform == "azure"
309 |     mql: azure.subscription.keyVault.vaults
310 |   - uid: mondoo-asset-inventory-azure-keyVaults-single
311 |     filters: asset.platform == "azure-keyvault-vault"
312 |     mql: azure.subscription.keyVault.vault
313 | 
314 | 
315 |   - uid: mondoo-asset-inventory-azure-keyVaults-keys
316 |     title: Azure Key Vault vault keys
317 |     docs:
318 |       desc: |
319 |         This query retrieves data for all keys in Key Vaults
320 |     variants:
321 |       - uid: mondoo-asset-inventory-azure-keyVaults-keys-api
322 |       - uid: mondoo-asset-inventory-azure-keyVaults-keys-single
323 |   - uid: mondoo-asset-inventory-azure-keyVaults-keys-api
324 |     filters: asset.platform == "azure"
325 |     mql: azure.subscription.keyVault.vaults { keys }
326 |   - uid: mondoo-asset-inventory-azure-keyVaults-keys-single
327 |     filters: asset.platform == "azure-keyvault-vault"
328 |     mql: azure.subscription.keyVault.vault.keys
329 | 
330 | 
331 |   - uid: mondoo-asset-inventory-azure-keyVaults-secrets
332 |     title: Azure Key Vault vault secrets
333 |     docs:
334 |       desc: |
335 |         This query retrieves data for all secrets in Key Vaults
336 |     variants:
337 |       - uid: mondoo-asset-inventory-azure-keyVaults-secrets-api
338 |       - uid: mondoo-asset-inventory-azure-keyVaults-secrets-single
339 |   - uid: mondoo-asset-inventory-azure-keyVaults-secrets-api
340 |     filters: asset.platform == "azure"
341 |     mql: azure.subscription.keyVault.vaults { secrets }
342 |   - uid: mondoo-asset-inventory-azure-keyVaults-secrets-single
343 |     filters: asset.platform == "azure-keyvault-vault"
344 |     mql: azure.subscription.keyVault.vault.secrets
345 | 
346 | 
347 |   - uid: mondoo-asset-inventory-azure-keyVaults-certificates
348 |     title: Azure Key Vault vault certificates
349 |     docs:
350 |       desc: |
351 |         This query retrieves data for all certificates in Key Vaults
352 |     variants:
353 |       - uid: mondoo-asset-inventory-azure-keyVaults-certificates-api
354 |       - uid: mondoo-asset-inventory-azure-keyVaults-certificates-single
355 |   - uid: mondoo-asset-inventory-azure-keyVaults-certificates-api
356 |     filters: asset.platform == "azure"
357 |     mql: azure.subscription.keyVault.vaults { certificates }
358 |   - uid: mondoo-asset-inventory-azure-keyVaults-certificates-single
359 |     filters: asset.platform == "azure-keyvault-vault"
360 |     mql: azure.subscription.keyVault.vault.certificates
361 | 
362 | 
363 |   - uid: mondoo-asset-inventory-azure-activitylogs
364 |     title: Azure activity logs
365 |     filters: asset.platform == "azure"
366 |     docs:
367 |       desc: |
368 |         This query retrieves data for all activity logs
369 |     mql: azure.subscription.monitor.activityLog
370 | 
371 | 
372 |   - uid: mondoo-asset-inventory-azure-networkSecurityGroups
373 |     title: Azure network security groups
374 |     docs:
375 |       desc: |
376 |         This query retrieves data for all network security groups
377 |     variants:
378 |       - uid: mondoo-asset-inventory-azure-networkSecurityGroups-api
379 |       - uid: mondoo-asset-inventory-azure-networkSecurityGroups-single
380 |   - uid: mondoo-asset-inventory-azure-networkSecurityGroups-api
381 |     filters: asset.platform == "azure"
382 |     mql: azure.subscription.network.securityGroups
383 |   - uid: mondoo-asset-inventory-azure-networkSecurityGroups-single
384 |     filters: asset.platform == "azure-network-security-group"
385 |     mql: azure.subscription.network.securityGroup
386 | 
387 | 
388 |   - uid: mondoo-asset-inventory-azure-publicip
389 |     title: Azure public IP addresses
390 |     filters: asset.platform == "azure"
391 |     docs:
392 |       desc: |
393 |         This query retrieves all public IP addresses in your subscription
394 |     mql: azure.subscription.networkService.publicIpAddresses{ name location ipAddress }
395 | 
396 | 
397 |   - uid: mondoo-asset-inventory-azure-virtualmachines
398 |     title: Azure virtual machines
399 |     docs:
400 |       desc: |
401 |         This query retrieves data for all virtual machines
402 |     variants:
403 |       - uid: mondoo-asset-inventory-azure-virtualmachines-api
404 |       - uid: mondoo-asset-inventory-azure-virtualmachines-single
405 |   - uid: mondoo-asset-inventory-azure-virtualmachines-api
406 |     filters: asset.platform == "azure"
407 |     mql: azure.subscription.compute.vms
408 |   - uid: mondoo-asset-inventory-azure-virtualmachines-single
409 |     filters: asset.platform == "azure-compute-vm-api"
410 |     mql: azure.subscription.compute.vm
411 | 
412 | 
413 |   - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk
414 |     title: Azure virtual machines with managed disks
415 |     docs:
416 |       desc: |
417 |         This query retrieves data for all virtual machines with managed disks
418 |     variants:
419 |       - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk-api
420 |       - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk-single
421 |   - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk-api
422 |     filters: asset.platform == "azure"
423 |     mql: azure.subscription.compute.vms.where( properties["storageProfile"]["osDisk"]["managedDisk"] != empty )
424 |   - uid: mondoo-asset-inventory-azure-virtualmachines-managedDisk-single
425 |     filters: asset.platform == "azure-compute-vm-api" && azure.subscription.compute.vm.properties["storageProfile"]["osDisk"]["managedDisk"] != empty
426 |     mql: azure.subscription.compute.vm.properties["storageProfile"]["osDisk"]["managedDisk"] != empty
427 | 
428 | 
429 |   - uid: mondoo-asset-inventory-azure-webapp
430 |     title: Azure web apps
431 |     filters: asset.platform == "azure"
432 |     docs:
433 |       desc: |
434 |         This query retrieves data for all web apps
435 |     mql: azure.subscription.web.apps
436 | 
437 | 
438 |   - uid: mondoo-asset-inventory-azure-cosmosDb
439 |     title: Azure Cosmos DB accounts
440 |     filters: asset.platform == "azure"
441 |     docs:
442 |       desc: |
443 |         This query retrieves data for all Cosmos DB accounts
444 |     mql: azure.subscription.cosmosDb.accounts
445 | 
446 | 
447 |   - uid: mondoo-asset-inventory-azure-applicationInsight
448 |     title: Azure Monitor Application Insights
449 |     filters: asset.platform == "azure"
450 |     docs:
451 |       desc: |
452 |         This query retrieves data for all Application Insights
453 |     mql: azure.subscription.monitor.applicationInsights
454 | 
455 | 
456 |   - uid: mondoo-asset-inventory-azure-networkWatcher
457 |     title: Azure Network Watchers
458 |     filters: asset.platform == "azure"
459 |     docs:
460 |       desc: |
461 |         This query retrieves data for Azure Network Watchers
462 |     mql: azure.subscription.network.watchers
463 | 
464 | 
465 |   - uid: mondoo-asset-inventory-azure-bastionHosts
466 |     title: Azure Bastion hosts
467 |     filters: asset.platform == "azure"
468 |     docs:
469 |       desc: |
470 |         This query retrieves data for all Bastion hosts
471 |     mql: azure.subscription.network.bastionHosts
472 | 
473 | 
474 |   - uid: mondoo-asset-inventory-azure-compute-disks
475 |     title: Compute disks
476 |     filters: asset.platform == "azure"
477 |     docs:
478 |       desc: |
479 |         This query retrieves data for all compute disks available in the subscription
480 |     mql: azure.subscription.compute.disks
481 | 
482 | 
483 |   - uid: mondoo-asset-inventory-azure-network-interfaces
484 |     title: Network interfaces
485 |     filters: asset.platform == "azure"
486 |     docs:
487 |       desc: |
488 |         This query retrieves data for all network interfaces
489 |     mql: azure.subscription.network.interfaces{ name location properties['nicType'] properties['nicType'] properties['macAddress'] properties['virtualMachine']['id'] }
490 | 
491 | 
492 |   - uid: mondoo-asset-inventory-azure-resourcegroups
493 |     title: Azure subscription resource groups
494 |     filters: asset.platform == "azure"
495 |     docs:
496 |       desc: |
497 |         This query retrieves data for all resource groups inside the subscription
498 |     mql: azure.subscription.resourceGroups
499 | 
500 | 
501 |   - uid: mondoo-asset-inventory-azure-resources
502 |     title: Azure subscription resources
503 |     filters: asset.platform == "azure"
504 |     docs:
505 |       desc: |
506 |         This query retrieves data for all resources inside the subscription
507 |     mql: azure.subscription.resources
508 | 


--------------------------------------------------------------------------------
/core/mondoo-dns-inventory.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-dns-inventory
 6 |     name: DNS Inventory Pack
 7 |     version: 1.0.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: host,network
14 |       mondoo.com/category: security
15 |     docs:
16 |       desc: |
17 |         ### Overview
18 | 
19 |         The DNS Inventory Pack by Mondoo query pack retrieves information about DNS entries.
20 | 
21 |         ### Prerequisites
22 | 
23 |         To run this query pack, you will need to install the cnquery binary ([Get Started with cnquery](https://mondoo.com/docs/cnquery/)).
24 | 
25 |         ### Run query pack
26 | 
27 |         To run this query pack against a Domain:
28 | 
29 |         ```bash
30 |         cnquery scan host <domain> -f mondoo-dns-inventory.mql.yaml
31 |         ```
32 |     filters:
33 |       - asset.family.contains('network')
34 |     queries:
35 |       - uid: mondoo-dns-inventory-dns-records
36 |         title: Retrieve information about DNS records
37 |         mql: dns.params
38 |       - uid: mondoo-dns-inventory-dns-mx-records
39 |         title: Retrieve information about the MX records
40 |         filters: dns.params.MX.name != empty
41 |         mql:  dns.mx { domainName preference }


--------------------------------------------------------------------------------
/core/mondoo-email-inventory.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-email-inventory
 6 |     name: Email Inventory Pack
 7 |     version: 1.0.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: host,network
14 |       mondoo.com/category: security
15 |     docs:
16 |       desc: |
17 |         ### Overview
18 | 
19 |         The Email Inventory Pack by Mondoo query pack retrieves information about Email entries.
20 | 
21 |         ### Prerequisites
22 | 
23 |         To run this query pack, you will need to install the cnquery binary ([Get Started with cnquery](https://mondoo.com/docs/cnquery/)).
24 | 
25 |         ### Run query pack
26 | 
27 |         To run this query pack against a Domain:
28 | 
29 |         ```bash
30 |         cnquery scan host <domain> -f mondoo-mail-inventory.mql.yaml
31 |         ```
32 |     filters: asset.family.contains('network')
33 |     queries:
34 |       - uid: mondoo-email-inventory-mail-records
35 |         title: Retrieve reverse IP Lookup PTR record
36 |         mql: |
37 |           reverseDNSDomain =
38 |             dns.params.A.rData.first.split(".")[3] + "."
39 |               + dns.params.A.rData.first.split(".")[2] + "."
40 |               +  dns.params.A.rData.first.split(".")[1] + "."
41 |               +  dns.params.A.rData.first.split(".")[0]
42 |               + ".in-addr.arpa"
43 |           dns(reverseDNSDomain).params.PTR
44 |       - uid: mondoo-email-inventory-spf-record
45 |         title: Retrieve SPF record
46 |         mql: dns.params.TXT
47 |       - uid: mondoo-email-inventory-dmarc-entry
48 |         title: Retrieve DMARC DNS entry
49 |         mql: dns("_dmarc."+domainName.fqdn).params.TXT
50 |       - uid: mondoo-email-inventory-dkim-configuration
51 |         title: Retrieve DKIM entry
52 |         props:
53 |           - uid: mondooEmailSecurityDkimSelectors
54 |             title: Define a list of valid DKIM selectors
55 |             mql: |
56 |               [
57 |                 "google",
58 |                 "selector1",
59 |                 "selector2",
60 |                 "k1",
61 |                 "dkim",
62 |                 "mx",
63 |                 "mailjet"
64 |               ]
65 |         mql: |
66 |           props.mondooEmailSecurityDkimSelectors{ dns(_+"._domainkey."+domainName.fqdn).params['TXT'] }
67 |           


--------------------------------------------------------------------------------
/core/mondoo-gcp-inventory.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-asset-inventory-gcp
  6 |     name: GCP Asset Inventory Pack
  7 |     version: 1.1.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: gcp,gcp-project,cloud
 14 |       mondoo.com/category: best-practices
 15 |     docs:
 16 |       desc: |
 17 |         The GCP Asset Inventory by Mondoo query pack retrieves information about GCP projects for asset inventory.
 18 |     groups:
 19 |       - uid: mondoo-asset-inventory-gcp-group
 20 |         title: GCP Asset Inventory Pack Group
 21 |         filters: |
 22 |           asset.runtime == "gcp"
 23 |         queries:
 24 |           - uid: mondoo-asset-inventory-gcp-project-info
 25 |           - uid: mondoo-asset-inventory-gcp-project-owners
 26 |           - uid: mondoo-asset-inventory-gcp-project-editors
 27 |           - uid: mondoo-asset-inventory-gcp-iam-roles
 28 |           - uid: mondoo-asset-inventory-gcp-enabled-services
 29 |           - uid: mondoo-asset-inventory-gcp-gke-clusters-count
 30 |           - uid: mondoo-asset-inventory-gcp-gke-clusters-data
 31 |           - uid: mondoo-asset-inventory-gcp-compute-instances-count
 32 |           - uid: mondoo-asset-inventory-gcp-compute-instances-data
 33 |           - uid: mondoo-asset-inventory-gcp-compute-instances-public
 34 |           - uid: mondoo-asset-inventory-gcp-compute-networks-count
 35 |           - uid: mondoo-asset-inventory-gcp-compute-networks-data
 36 | queries:
 37 |       - uid: mondoo-asset-inventory-gcp-project-info
 38 |         title: GCP Project Information
 39 |         filters: asset.platform == "gcp-project"
 40 |         mql: |
 41 |           gcp.project {
 42 |             name
 43 |             id
 44 |             number
 45 |             state
 46 |             labels
 47 |           }
 48 | 
 49 | 
 50 | 
 51 |       - uid: mondoo-asset-inventory-gcp-project-owners
 52 |         title: GCP project owners
 53 |         filters: asset.platform == "gcp-project"
 54 |         docs:
 55 |           desc: |
 56 |             This query retrieves data for all owners of the GCP project
 57 |         mql: |
 58 |           gcp.project.iamPolicy.where( role == "roles/owner" ) {
 59 |             id
 60 |             members
 61 |           }
 62 | 
 63 | 
 64 | 
 65 |       - uid: mondoo-asset-inventory-gcp-project-editors
 66 |         title: GCP project editors
 67 |         filters: asset.platform == "gcp-project"
 68 |         docs:
 69 |           desc: |
 70 |             This query retrieves data for all editors of the GCP project
 71 |         mql: |
 72 |           gcp.project.iamPolicy.where( role == "roles/editors" ) {
 73 |             id
 74 |             members
 75 |           }
 76 | 
 77 | 
 78 | 
 79 |       - uid: mondoo-asset-inventory-gcp-iam-roles
 80 |         title: IAM Policy roles
 81 |         filters: asset.platform == "gcp-project"
 82 |         docs:
 83 |           desc: |
 84 |             This query retrieves all roles defined for a GCP project
 85 |         mql: gcp.project.iamPolicy { role }
 86 | 
 87 | 
 88 | 
 89 |       - uid: mondoo-asset-inventory-gcp-enabled-services
 90 |         title: Services enabled in the GCP project
 91 |         filters: asset.platform == "gcp-project"
 92 |         docs:
 93 |           desc: |
 94 |             This query retrieves all services enabled in the GCP Project
 95 |         mql: gcp.project.services.where( enabled == true )
 96 | 
 97 | 
 98 | 
 99 |       - uid: mondoo-asset-inventory-gcp-gke-clusters-count
100 |         title: GKE clusters count
101 |         filters: asset.platform == "gcp-project"
102 |         docs:
103 |           desc: |
104 |             This query retrieves a count of GKE clusters running in a GCP project
105 |         mql: gcp.project.gke.clusters.length
106 | 
107 | 
108 | 
109 |       - uid: mondoo-asset-inventory-gcp-gke-clusters-data
110 |         title: GKE clusters configuration
111 |         docs:
112 |           desc: |
113 |             This query retrieves all of the configuration data for GKE clusters within a project
114 |         variants:
115 |           - uid: mondoo-asset-inventory-gcp-gke-clusters-data-all
116 |           - uid: mondoo-asset-inventory-gcp-gke-clusters-data-single
117 |       - uid: mondoo-asset-inventory-gcp-gke-clusters-data-all
118 |         filters: asset.platform == "gcp-project"
119 |         mql: |
120 |           gcp.project.gke.clusters
121 |       - uid: mondoo-asset-inventory-gcp-gke-clusters-data-single
122 |         filters: asset.platform == "gcp-gke-cluster"
123 |         mql: |
124 |           gcp.project.gke.cluster
125 | 
126 | 
127 |       - uid: mondoo-asset-inventory-gcp-compute-instances-count
128 |         title: GCP compute instances count
129 |         filters: asset.platform == "gcp-project"
130 |         docs:
131 |           desc: |
132 |             This query retrieves a count of running GCP compute instances in a GCP project
133 |         mql: gcp.compute.instances.where( status == "RUNNING" ).length
134 | 
135 | 
136 | 
137 |       - uid: mondoo-asset-inventory-gcp-compute-instances-data
138 |         title: GCP compute instances
139 |         docs:
140 |           desc: |
141 |             This query retrieves the data for all running GCP compute instances in a GCP project
142 |         variants:
143 |           - uid: mondoo-asset-inventory-gcp-compute-instances-data-all
144 |           - uid: mondoo-asset-inventory-gcp-compute-instances-data-single
145 |       - uid: mondoo-asset-inventory-gcp-compute-instances-data-all
146 |         filters: asset.platform == "gcp-project"
147 |         mql: |
148 |           gcp.compute.instances.where( status == "RUNNING" )
149 |       - uid: mondoo-asset-inventory-gcp-compute-instances-data-single
150 |         filters: |
151 |           asset.platform == "gcp-compute-instance"
152 |           gcp.compute.instance.status == "RUNNING"
153 |         mql: |
154 |           gcp.compute.instance
155 | 
156 | 
157 | 
158 |       - uid: mondoo-asset-inventory-gcp-compute-instances-public
159 |         title: GCP Compute Engine instances
160 |         docs:
161 |           desc: |
162 |             This query retrieves the data for all GCP Compute Engine instances that have been configured with an external IP address.
163 |         variants:
164 |           - uid: mondoo-asset-inventory-gcp-compute-instances-public-all
165 |           - uid: mondoo-asset-inventory-gcp-compute-instances-public-single
166 |       - uid: mondoo-asset-inventory-gcp-compute-instances-public-all
167 |         filters: asset.platform == "gcp-project"
168 |         mql: |
169 |           gcp.compute.instances.where(networkInterfaces.where(_['accessConfigs'].where(_['name'] == "External NAT")))
170 |       - uid: mondoo-asset-inventory-gcp-compute-instances-public-single
171 |         filters: |
172 |           asset.platform == "gcp-compute-instance"
173 |           gcp.compute.instance.networkInterfaces.any(_['accessConfigs'].where(_['name'] == "External NAT"))
174 |         mql: |
175 |           gcp.compute.instance
176 | 
177 | 
178 | 
179 |       - uid: mondoo-asset-inventory-gcp-compute-networks-count
180 |         title: GCP Compute Engine networks count
181 |         filters: asset.platform == "gcp-project"
182 |         docs:
183 |           desc: |
184 |             This query retrieves a count of GCP Compute Engine networks configured in a GCP project
185 |         mql: gcp.compute.networks.length
186 | 
187 | 
188 | 
189 |       - uid: mondoo-asset-inventory-gcp-compute-networks-data
190 |         title: GCP Compute Engine networks
191 |         docs:
192 |           desc: |
193 |             This query retrieves the data for all GCP Compute Engine networks configured in a GCP project.
194 |         variants:
195 |           - uid: mondoo-asset-inventory-gcp-compute-networks-data-all
196 |           - uid: mondoo-asset-inventory-gcp-compute-networks-data-single
197 |           - uid: mondoo-asset-inventory-gcp-compute-networks-data-subnet
198 |       - uid: mondoo-asset-inventory-gcp-compute-networks-data-all
199 |         filters: |
200 |           asset.platform == "gcp-project"
201 |         mql: |
202 |           gcp.compute.networks
203 |       - uid: mondoo-asset-inventory-gcp-compute-networks-data-single
204 |         filters: |
205 |           asset.platform == "gcp-compute-network"
206 |         mql: |
207 |           gcp.compute.network
208 |       - uid: mondoo-asset-inventory-gcp-compute-networks-data-subnet
209 |         filters: |
210 |           asset.platform == "gcp-compute-subnetwork"
211 |         mql: |
212 |           gcp.compute.subnetwork
213 | 


--------------------------------------------------------------------------------
/core/mondoo-github-incident-response.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-incident-response-github-org
  6 |     name: GitHub Organization Incident Response Pack
  7 |     version: 1.1.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: github,saas
 14 |       mondoo.com/category: security
 15 |     docs:
 16 |       desc: |
 17 |         ### Overview
 18 | 
 19 |         The GitHub Organization Incident Response Pack by Mondoo query pack retrieves configuration data about GitHub organizations and the repositories within them for investigation during a security incident.
 20 | 
 21 |         ### Prerequisites
 22 | 
 23 |         To run this query pack, you will need a [GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with read access to the GitHub organization you are scanning.
 24 | 
 25 |         ### Run query pack
 26 | 
 27 |         To run this query pack against a GitHub Organization:
 28 | 
 29 |         ```bash
 30 |         export GITHUB_TOKEN=<your personal access token>
 31 |         cnquery scan github org <org_name> -f mondoo-github-org-incident-response.mql.yaml
 32 |         ```
 33 |     filters:
 34 |       - asset.platform == "github-org"
 35 |     queries:
 36 |       - uid: mondoo-incident-response-github-org-name
 37 |         title: GitHub Organization Name
 38 |         mql: |
 39 |           github.organization.name
 40 |       - uid: mondoo-incident-response-github-org-login
 41 |         title: GitHub Organization Login
 42 |         mql: |
 43 |           github.organization.login
 44 |       - uid: mondoo-incident-response-github-org-description
 45 |         title: GitHub Organization description
 46 |         mql: |
 47 |           github.organization.description
 48 |       - uid: mondoo-incident-response-github-org-mfa-status
 49 |         title: GitHub Organization MFA status
 50 |         docs:
 51 |           desc: |
 52 |             This query retrieves whether multi-factor authentication is required for users of the organization. A null value means the API token used to query the information doesn't have sufficient permissions in the organization. The API token must have owner permissions in the organization to access this data.
 53 |         mql: |
 54 |           github.organization.twoFactorRequirementEnabled
 55 |       - uid: mondoo-incident-response-github-org-owners
 56 |         title: GitHub Organization Owners
 57 |         docs:
 58 |           desc: |
 59 |             This query retrieves all GitHub organization owners.
 60 |         mql: |
 61 |           github.organization.owners.length
 62 |           github.organization {
 63 |             owners {
 64 |               name
 65 |               email
 66 |               login
 67 |             }
 68 |           }
 69 |       - uid: mondoo-incident-response-github-org-members
 70 |         title: GitHub Organization Members
 71 |         docs:
 72 |           desc: |
 73 |             This query retrieves all of the members of the GitHub organization.
 74 |         mql: |
 75 |           github.organization.members.length
 76 |           github.organization {
 77 |             members {
 78 |               name
 79 |               login
 80 |               email
 81 |             }
 82 |           }
 83 |       - uid: mondoo-incident-response-github-org-teams
 84 |         title: GitHub Organization Teams
 85 |         docs:
 86 |           desc: |
 87 |             This query retrieves all GitHub organization teams.
 88 |         mql: |
 89 |           github.organization {
 90 |             teams {
 91 |               slug
 92 |               privacy
 93 |               defaultPermission
 94 |               members {
 95 |                 login
 96 |                 email
 97 |                 name
 98 |               }
 99 |             }
100 |           }
101 |       - uid: mondoo-incident-response-github-private-repos
102 |         title: GitHub Organization private repositories
103 |         docs:
104 |           desc: |
105 |             This query retrieves all of the public repositories within the GitHub organization. The query returns the repo's name and whether the default branch is [protected](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) using protection rules.
106 |         mql: |
107 |           github.organization.repositories.
108 |             where( private == false ) {
109 |               name
110 |               branches.
111 |                 where( isDefault ) {
112 |                   isProtected
113 |                 }
114 |             }
115 |       - uid: mondoo-incident-response-github-packages
116 |         title: GitHub Organization private repositories
117 |         docs:
118 |           desc: |
119 |             This query retrieves the packages published to GHCR.io.
120 |         mql: |
121 |           github.organization {
122 |             packages {
123 |               name
124 |               visibility
125 |               packageType
126 |               owner {
127 |                 name
128 |               }
129 |             }
130 |           }
131 | 


--------------------------------------------------------------------------------
/core/mondoo-github-inventory.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-github-inventory-org
  6 |     name: GitHub Organization Inventory Pack
  7 |     version: 1.1.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: github,saas
 14 |       mondoo.com/category: best-practices
 15 |     docs:
 16 |       desc: |
 17 |         ### Overview
 18 | 
 19 |         The GitHub Organization Inventory Pack by Mondoo query pack retrieves configuration data about GitHub organizations.
 20 | 
 21 |         ### Prerequisites
 22 | 
 23 |         To run this query pack, you will need a [GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with read access to the GitHub organization you are scanning.
 24 | 
 25 |         ### Run query pack
 26 | 
 27 |         To run this query pack against a GitHub organization:
 28 | 
 29 |         ```bash
 30 |         export GITHUB_TOKEN=<your personal access token>
 31 |         cnquery scan github org <org_name> -f mondoo-github-inventory.mq.yaml
 32 |         ```
 33 |     filters:
 34 |       - asset.platform == "github-org"
 35 |     queries:
 36 |       - uid: mondoo-github-inventory-org-login
 37 |         title: GitHub organization login
 38 |         mql: github.organization.login
 39 |       - uid: mondoo-github-inventory-org-id
 40 |         title: GitHub organization ID
 41 |         mql: github.organization.id
 42 |       - uid: mondoo-github-inventory-org-profile-photo
 43 |         title: GitHub organization profile photo
 44 |         mql: github.organization.avatarUrl
 45 |       - uid: mondoo-github-inventory-org-email
 46 |         title: GitHub organization email
 47 |         mql: github.organization.email
 48 |       - uid: mondoo-github-inventory-org-desc
 49 |         title: GitHub organization description
 50 |         mql: github.organization.description
 51 |       - uid: mondoo-github-inventory-org-blog
 52 |         title: GitHub organization blog
 53 |         mql: github.organization.blog
 54 |       - uid: mondoo-github-inventory-org-location
 55 |         title: GitHub organization location
 56 |         mql: github.organization.location
 57 |       - uid: mondoo-github-inventory-org-followers
 58 |         title: GitHub organization followers
 59 |         mql: github.organization.followers
 60 |       - uid: mondoo-github-inventory-org-following
 61 |         title: GitHub organization following
 62 |         mql: github.organization.following
 63 |       - uid: mondoo-github-inventory-org-twitter
 64 |         title: GitHub organization twitter handle
 65 |         mql: github.organization.twitterUsername
 66 |       - uid: mondoo-github-inventory-org-number-repositories
 67 |         title: GitHub organization repositories
 68 |         mql: github.organization.repositories.length
 69 |       - uid: mondoo-github-inventory-org-created
 70 |         title: GitHub organization created
 71 |         mql: github.organization.createdAt
 72 |       - uid: mondoo-github-inventory-org-updated
 73 |         title: GitHub organization updated
 74 |         mql: github.organization.updatedAt
 75 |   - uid: mondoo-github-inventory-user
 76 |     name: GitHub User Inventory Pack
 77 |     version: 1.0.0
 78 |     authors:
 79 |       - name: Mondoo, Inc
 80 |         email: hello@mondoo.com
 81 |     tags:
 82 |       mondoo.com/platform: github,saas
 83 |       mondoo.com/category: best-practices
 84 |     docs:
 85 |       desc: |
 86 |         ### Overview
 87 | 
 88 |         The Mondoo GitHub User Inventory query pack retrieves configuration data about GitHub users.
 89 | 
 90 |         ### Prerequisites
 91 | 
 92 |         To run this query pack, you will need a [GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with read access to the GitHub organization you are scanning.
 93 | 
 94 |         ### Run query pack
 95 | 
 96 |         To run this query pack against a GitHub user:
 97 | 
 98 |         ```bash
 99 |         export GITHUB_TOKEN=<your personal access token>
100 |         cnquery scan github user <user_name> -f mondoo-github-inventory.mq.yaml
101 |         ```
102 |     filters:
103 |       - asset.platform == "github-user"
104 |     queries:
105 |       - uid: mondoo-github-inventory-user-login
106 |         title: GitHub user login
107 |         mql: github.user.login
108 |       - uid: mondoo-github-inventory-user-id
109 |         title: GitHub user ID
110 |         mql: github.user.id
111 |       - uid: mondoo-github-inventory-user-profile-photo
112 |         title: GitHub user profile photo
113 |         mql: github.user.avatarUrl
114 |       - uid: mondoo-github-inventory-user-email
115 |         title: GitHub user email
116 |         mql: github.user.email
117 |       - uid: mondoo-github-inventory-user-bio
118 |         title: GitHub user bio
119 |         mql: github.user.bio
120 |       - uid: mondoo-github-inventory-user-blog
121 |         title: GitHub user blog
122 |         mql: github.user.blog
123 |       - uid: mondoo-github-inventory-user-location
124 |         title: GitHub user location
125 |         mql: github.user.location
126 |       - uid: mondoo-github-inventory-user-followers
127 |         title: GitHub user followers
128 |         mql: github.user.followers
129 |       - uid: mondoo-github-inventory-user-following
130 |         title: GitHub user following
131 |         mql: github.user.following
132 |       - uid: mondoo-github-inventory-user-twitter
133 |         title: GitHub user twitter handle
134 |         mql: github.user.twitterUsername
135 |       - uid: mondoo-github-inventory-user-number-repositories
136 |         title: GitHub user repositories
137 |         mql: github.user.repositories.length
138 |       - uid: mondoo-github-inventory-user-created
139 |         title: GitHub user created
140 |         mql: github.user.createdAt
141 |       - uid: mondoo-github-inventory-user-updated
142 |         title: GitHub user updated
143 |         mql: github.user.updatedAt
144 |   - uid: mondoo-github-inventory-repo
145 |     name: GitHub Repository Inventory Pack
146 |     version: 1.0.0
147 |     authors:
148 |       - name: Mondoo, Inc
149 |         email: hello@mondoo.com
150 |     tags:
151 |       mondoo.com/platform: github,saas
152 |       mondoo.com/category: best-practices
153 |     docs:
154 |       desc: |
155 |         ### Overview
156 | 
157 |         The Mondoo GitHub Repository Inventory query pack retrieves configuration data about GitHub repositories.
158 | 
159 |         ### Prerequisites
160 | 
161 |         To run this query pack, you will need a [GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with read access to the GitHub organization you are scanning.
162 | 
163 |         ### Run query pack
164 | 
165 |         To run this query pack against a GitHub repository:
166 | 
167 |         ```bash
168 |         export GITHUB_TOKEN=<your personal access token>
169 |         cnquery scan github repo <owner>/<repo> -f mondoo-github-inventory.mq.yaml
170 |         ```
171 |     filters:
172 |       - asset.platform == "github-repo"
173 |     queries:
174 |       - uid: mondoo-github-inventory-repo-id
175 |         title: GitHub repository ID
176 |         mql: github.repository.id
177 |       - uid: mondoo-github-inventory-repo-description
178 |         title: GitHub repository description
179 |         mql: github.repository.description
180 |       - uid: mondoo-github-inventory-repo-forks
181 |         title: Number GitHub repository forks
182 |         mql: github.repository.forksCount
183 |       - uid: mondoo-github-inventory-repo-stargazers
184 |         title: Number GitHub repository stargazers
185 |         mql: github.repository.stargazersCount
186 |       - uid: mondoo-github-inventory-repo-watchers
187 |         title: Number GitHub repository watchers
188 |         mql: github.repository.watchersCount
189 |       - uid: mondoo-github-inventory-repo-license
190 |         title: GitHub repository license
191 |         mql: github.repository.license.spdxId
192 |       - uid: mondoo-github-inventory-repo-default-branch
193 |         title: GitHub repo default branch
194 |         mql: github.repository.defaultBranchName
195 |       - uid: mondoo-github-inventory-repo-visibility
196 |         title: GitHub repository visibility
197 |         mql: github.repository.visibility
198 |       - uid: mondoo-github-inventory-repo-languages
199 |         title: GitHub repository languages
200 |         mql: github.repository.language
201 |       - uid: mondoo-github-inventory-repo-open-issues
202 |         title: GitHub repository open issues
203 |         mql: github.repository.openIssuesCount
204 |       - uid: mondoo-github-inventory-repo-topics
205 |         title: GitHub repository topics
206 |         mql: github.repository.topics
207 |       - uid: mondoo-github-inventory-repo-homepage
208 |         title: GitHub repository homepage
209 |         mql: github.repository.homepage
210 |       - uid: mondoo-github-inventory-repo-clone-url
211 |         title: GitHub repository Clone URL
212 |         mql: github.repository.cloneUrl
213 |       - uid: mondoo-github-inventory-repo-ssl-url
214 |         title: GitHub repository SSH URL
215 |         mql: github.repository.sshUrl
216 |       - uid: mondoo-github-inventory-repo-is-fork
217 |         title: Is fork
218 |         mql: github.repository.isFork
219 |       - uid: mondoo-github-inventory-repo-is-forkable
220 |         title: Is forkable
221 |         mql: github.repository.allowForking
222 |       - uid: mondoo-github-inventory-repo-is-private
223 |         title: Is private
224 |         mql: github.repository.private
225 |       - uid: mondoo-github-inventory-repo-is-archived
226 |         title: Is archived
227 |         mql: github.repository.archived
228 |       - uid: mondoo-github-inventory-repo-has-downloads
229 |         title: Has downloads
230 |         mql: github.repository.hasDownloads
231 |       - uid: mondoo-github-inventory-repo-has-issues
232 |         title: Has issues
233 |         mql: github.repository.hasIssues
234 |       - uid: mondoo-github-inventory-repo-has-pages
235 |         title: Has pages
236 |         mql: github.repository.hasPages
237 |       - uid: mondoo-github-inventory-repo-has-projects
238 |         title: Has projects
239 |         mql: github.repository.hasProjects
240 |       - uid: mondoo-github-inventory-repo-has-wiki
241 |         title: Has wiki
242 |         mql: github.repository.hasWiki
243 |       - uid: mondoo-github-inventory-repo-pushed-at
244 |         title: Pushed at
245 |         mql: github.repository.pushedAt
246 |       - uid: mondoo-github-inventory-repo-created-at
247 |         title: Created at
248 |         mql: github.repository.createdAt
249 |       - uid: mondoo-github-inventory-repo-updated-at
250 |         title: Updated at
251 |         mql: github.repository.updatedAt
252 | 


--------------------------------------------------------------------------------
/core/mondoo-kubernetes-incident-response.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-kubernetes-incident-response
  6 |     name: Kubernetes Incident Response Pack
  7 |     version: 1.1.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: kubernetes
 14 |       mondoo.com/category: security
 15 |     groups:
 16 |       - title: Cluster Incident Response
 17 |         filters:
 18 |           - asset.platform == "kubernetes" || asset.platform == "k8s-cluster"
 19 |         queries:
 20 |           - uid: mondoo-kubernetes-incident-response-cluster-version
 21 |             title: Kubernetes Cluster Version
 22 |             mql: |
 23 |               k8s.serverVersion
 24 |           - uid: mondoo-kubernetes-incident-response-role-bindings-with-cluster-admin-permissions
 25 |             title: Role bindings with cluster-admin permissions
 26 |             mql: |
 27 |               k8s.rolebindings.where(roleRef["kind"] == "ClusterRole" && roleRef["name"] == "cluster-admin") {
 28 |                 name
 29 |                 namespace
 30 |                 subjects
 31 |                 roleRef
 32 |               }
 33 |           - uid: mondoo-kubernetes-incident-response-clusterrole-bindings-with-cluster-admin-permissions
 34 |             title: ClusterRoleBindings with cluster-admin permissions
 35 |             mql: |
 36 |               k8s.clusterrolebindings.where(roleRef["kind"] == "ClusterRole" && roleRef["name"] == "cluster-admin") {
 37 |                 name
 38 |                 subjects
 39 |                 roleRef
 40 |               }
 41 |       - title: Pods Incident Response
 42 |         filters:
 43 |           - asset.platform == "k8s-pod"
 44 |         queries:
 45 |           - uid: mondoo-kubernetes-incident-response-pod-security-context
 46 |             title: Pod Security Context
 47 |             mql: |
 48 |               k8s.pod {
 49 |                 ephemeralContainers {
 50 |                   securityContext
 51 |                 }
 52 |                 initContainers {
 53 |                   securityContext
 54 |                 }
 55 |                 containers {
 56 |                   securityContext
 57 |                 }
 58 |               }
 59 |           - uid: mondoo-kubernetes-incident-response-pod-container
 60 |             title: Container image information
 61 |             mql: |
 62 |               k8s.pod {
 63 |                 name
 64 |                 namespace
 65 |                 initContainers {
 66 |                   image
 67 |                   containerImage {
 68 |                     name
 69 |                     identifier
 70 |                     identifierType
 71 |                     repository {
 72 |                       name
 73 |                       registry
 74 |                     }
 75 |                   }
 76 |                 }
 77 |                 containers {
 78 |                   image
 79 |                   containerImage {
 80 |                     name
 81 |                     identifier
 82 |                     identifierType
 83 |                     repository {
 84 |                       name
 85 |                       registry
 86 |                     }
 87 |                   }
 88 |                 }
 89 |                 ephemeralContainers {
 90 |                   image
 91 |                   containerImage {
 92 |                     name
 93 |                     identifier
 94 |                     identifierType
 95 |                     repository {
 96 |                       name
 97 |                       registry
 98 |                     }
 99 |                   }
100 |                 }
101 |                 podSpec["nodeName"]
102 |               }
103 |       - title: Deployments Incident Response
104 |         filters:
105 |           - asset.platform == "k8s-deployment"
106 |         queries:
107 |           - uid: mondoo-kubernetes-incident-response-deployment-security-context
108 |             title: Deployment Security Context
109 |             mql: |
110 |               k8s.deployment {
111 |                 initContainers {
112 |                   securityContext
113 |                 }
114 |                 containers {
115 |                   securityContext
116 |                 }
117 |               }
118 |           - uid: mondoo-kubernetes-incident-response-deployment-container
119 |             title: Container image information
120 |             mql: |
121 |               k8s.deployment {
122 |                 name
123 |                 namespace
124 |                 initContainers {
125 |                   image
126 |                   containerImage {
127 |                     name
128 |                     identifier
129 |                     identifierType
130 |                     repository {
131 |                       name
132 |                       registry
133 |                     }
134 |                   }
135 |                 }
136 |                 containers {
137 |                   image
138 |                   containerImage {
139 |                     name
140 |                     identifier
141 |                     identifierType
142 |                     repository {
143 |                       name
144 |                       registry
145 |                     }
146 |                   }
147 |                 }
148 |               }
149 |       - title: CronJobs Incident Response
150 |         filters:
151 |           - asset.platform == "k8s-cronjob"
152 |         queries:
153 |           - uid: mondoo-kubernetes-incident-response-cronjob-security-context
154 |             title: CronJob Security Context
155 |             mql: |
156 |               k8s.cronjob {
157 |                 initContainers {
158 |                   securityContext
159 |                 }
160 |                 containers {
161 |                   securityContext
162 |                 }
163 |               }
164 |           - uid: mondoo-kubernetes-incident-response-cronjob-container
165 |             title: Container image information
166 |             mql: |
167 |               k8s.cronjob {
168 |                 name
169 |                 namespace
170 |                 initContainers {
171 |                   image
172 |                   containerImage {
173 |                     name
174 |                     identifier
175 |                     identifierType
176 |                     repository {
177 |                       name
178 |                       registry
179 |                     }
180 |                   }
181 |                 }
182 |                 containers {
183 |                   image
184 |                   containerImage {
185 |                     name
186 |                     identifier
187 |                     identifierType
188 |                     repository {
189 |                       name
190 |                       registry
191 |                     }
192 |                   }
193 |                 }
194 |               }
195 |       - title: Jobs Incident Response
196 |         filters:
197 |           - asset.platform == "k8s-job"
198 |         queries:
199 |           - uid: mondoo-kubernetes-incident-response-job-security-context
200 |             title: Job Security Context
201 |             mql: |
202 |               k8s.job {
203 |                 initContainers {
204 |                   securityContext
205 |                 }
206 |                 containers {
207 |                   securityContext
208 |                 }
209 |               }
210 |           - uid: mondoo-kubernetes-incident-response-job-container
211 |             title: Container image information
212 |             mql: |
213 |               k8s.job {
214 |                 name
215 |                 namespace
216 |                 initContainers {
217 |                   image
218 |                   containerImage {
219 |                     name
220 |                     identifier
221 |                     identifierType
222 |                     repository {
223 |                       name
224 |                       registry
225 |                     }
226 |                   }
227 |                 }
228 |                 containers {
229 |                   image
230 |                   containerImage {
231 |                     name
232 |                     identifier
233 |                     identifierType
234 |                     repository {
235 |                       name
236 |                       registry
237 |                     }
238 |                   }
239 |                 }
240 |               }
241 |       - title: DaemonSets Incident Response
242 |         filters:
243 |           - asset.platform == "k8s-daemonset"
244 |         queries:
245 |           - uid: mondoo-kubernetes-incident-response-daemonset-security-context
246 |             title: DaemonSet Security Context
247 |             mql: |
248 |               k8s.daemonset {
249 |                 initContainers {
250 |                   securityContext
251 |                 }
252 |                 containers {
253 |                   securityContext
254 |                 }
255 |               }
256 |           - uid: mondoo-kubernetes-incident-response-daemonset-container
257 |             title: Container image information
258 |             mql: |
259 |               k8s.daemonset {
260 |                 name
261 |                 namespace
262 |                 initContainers {
263 |                   image
264 |                   containerImage {
265 |                     name
266 |                     identifier
267 |                     identifierType
268 |                     repository {
269 |                       name
270 |                       registry
271 |                     }
272 |                   }
273 |                 }
274 |                 containers {
275 |                   image
276 |                   containerImage {
277 |                     name
278 |                     identifier
279 |                     identifierType
280 |                     repository {
281 |                       name
282 |                       registry
283 |                     }
284 |                   }
285 |                 }
286 |               }
287 |       - title: StatefulSets Incident Response
288 |         filters:
289 |           - asset.platform == "k8s-statefulset"
290 |         queries:
291 |           - uid: mondoo-kubernetes-incident-response-statefulset-security-context
292 |             title: StatefulSet Security Context
293 |             mql: |
294 |               k8s.statefulset {
295 |                 initContainers {
296 |                   securityContext
297 |                 }
298 |                 containers {
299 |                   securityContext
300 |                 }
301 |               }
302 |           - uid: mondoo-kubernetes-incident-response-statefulset-container
303 |             title: Container image information
304 |             mql: |
305 |               k8s.statefulset {
306 |                 name
307 |                 namespace
308 |                 initContainers {
309 |                   image
310 |                   containerImage {
311 |                     name
312 |                     identifier
313 |                     identifierType
314 |                     repository {
315 |                       name
316 |                       registry
317 |                     }
318 |                   }
319 |                 }
320 |                 containers {
321 |                   image
322 |                   containerImage {
323 |                     name
324 |                     identifier
325 |                     identifierType
326 |                     repository {
327 |                       name
328 |                       registry
329 |                     }
330 |                   }
331 |                 }
332 |               }
333 |       - title: ReplicaSets Incident Response
334 |         filters:
335 |           - asset.platform == "k8s-replicaset"
336 |         queries:
337 |           - uid: mondoo-kubernetes-incident-response-replicaset-security-context
338 |             title: ReplicaSet Security Context
339 |             mql: |
340 |               k8s.replicaset {
341 |                 initContainers {
342 |                   securityContext
343 |                 }
344 |                 containers {
345 |                   securityContext
346 |                 }
347 |               }
348 |           - uid: mondoo-kubernetes-incident-response-replicaset-container
349 |             title: Container image information
350 |             mql: |
351 |               k8s.replicaset {
352 |                 name
353 |                 namespace
354 |                 initContainers {
355 |                   image
356 |                   containerImage {
357 |                     name
358 |                     identifier
359 |                     identifierType
360 |                     repository {
361 |                       name
362 |                       registry
363 |                     }
364 |                   }
365 |                 }
366 |                 containers {
367 |                   image
368 |                   containerImage {
369 |                     name
370 |                     identifier
371 |                     identifierType
372 |                     repository {
373 |                       name
374 |                       registry
375 |                     }
376 |                   }
377 |                 }
378 |               }
379 | 


--------------------------------------------------------------------------------
/core/mondoo-kubernetes-inventory.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-kubernetes-inventory
  6 |     name: Kubernetes Inventory Pack
  7 |     version: 1.1.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: kubernetes
 14 |       mondoo.com/category: best-practices
 15 |     docs:
 16 |       desc: |
 17 |         The Kubernetes Inventory Pack by Mondoo pack retrieves data about a Kubernetes Cluster for asset inventory.
 18 | 
 19 |         To run this pack for a Kubernetes Cluster:
 20 | 
 21 |         ```bash
 22 |         cnquery scan k8s -f mondoo-kubernetes-inventory.mql.yaml
 23 |         ```
 24 | 
 25 |         ## Join the community!
 26 |         Our goal is to build query packs that are simple to deploy and provide accurate and useful data.
 27 | 
 28 |         If you have any suggestions for improving this query pack, or if you need support, [join the Mondoo community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
 29 |     groups:
 30 |       - title: Cluster inventory
 31 |         filters:
 32 |           - asset.platform == "kubernetes" || asset.platform == "k8s-cluster"
 33 |         queries:
 34 |           - uid: k8s-cluster-version
 35 |             title: Kubernetes cluster version
 36 |             mql: |
 37 |               k8s.serverVersion
 38 |           - uid: k8s-cluster-namespaces
 39 |             title: Kubernetes cluster namespaces
 40 |             mql: |
 41 |               k8s.namespaces
 42 |           - uid: k8s-cluster-nodes
 43 |             title: Cluster modes
 44 |             mql: |
 45 |               k8s.nodes
 46 |           - uid: k8s-cluster-clusterroles
 47 |             title: Cluster RBAC ClusterRoles
 48 |             mql: |
 49 |               k8s.clusterroles
 50 |           - uid: k8s-cluster-roles
 51 |             title: RBAC Roles
 52 |             mql: |
 53 |               k8s.roles
 54 |           - uid: k8s-cluster-clusterrolebindings
 55 |             title: RBAC cluster-rolebindings
 56 |             mql: |
 57 |               k8s.clusterrolebindings
 58 |           - uid: k8s-cluster-rolebindings
 59 |             title: RBAC rolebindings
 60 |             mql: |
 61 |               k8s.rolebindings
 62 |       - title: Pods inventory
 63 |         filters:
 64 |           - asset.platform == "k8s-pod"
 65 |         queries:
 66 |           - uid: k8s-pod
 67 |             title: Pod information
 68 |             mql: |
 69 |               k8s.pod
 70 |           - uid: k8s-pod-container
 71 |             title: Container information
 72 |             mql: |
 73 |               k8s.pod.containers
 74 |       - title: Deployments inventory
 75 |         filters:
 76 |           - asset.platform == "k8s-deployment"
 77 |         queries:
 78 |           - uid: k8s-deployment
 79 |             title: Deployment information
 80 |             mql: |
 81 |               k8s.deployments
 82 |           - uid: k8s-deployment-container
 83 |             title: Container information
 84 |             mql: |
 85 |               k8s.deployment.containers { * }
 86 |       - title: CronJobs inventory
 87 |         filters:
 88 |           - asset.platform == "k8s-cronjob"
 89 |         queries:
 90 |           - uid: k8s-cronjob
 91 |             title: CronJob information
 92 |             mql: |
 93 |               k8s.cronjob { * }
 94 |           - uid: k8s-cronjob-container
 95 |             title: Container information
 96 |             mql: |
 97 |               k8s.cronjob.containers { * }
 98 |       - title: Jobs inventory
 99 |         filters:
100 |           - asset.platform == "k8s-job"
101 |         queries:
102 |           - uid: k8s-job
103 |             title: Job information
104 |             mql: |
105 |               k8s.job { * }
106 |           - uid: k8s-job-container
107 |             title: Container information
108 |             mql: |
109 |               k8s.job.containers { * }
110 |       - title: DaemonSets inventory
111 |         filters:
112 |           - asset.platform == "k8s-daemonset"
113 |         queries:
114 |           - uid: k8s-daemonset
115 |             title: DaemonSet information
116 |             mql: |
117 |               k8s.daemonset { * }
118 |           - uid: k8s-daemonset-container
119 |             title: Container information
120 |             mql: |
121 |               k8s.daemonset.containers { * }
122 |       - title: StatefulSets inventory
123 |         filters:
124 |           - asset.platform == "k8s-statefulset"
125 |         queries:
126 |           - uid: k8s-statefulset
127 |             title: StatefulSet information
128 |             mql: |
129 |               k8s.statefulset { * }
130 |           - uid: k8s-statefulset-container
131 |             title: Container information
132 |             mql: |
133 |               k8s.statefulset.containers { * }
134 |       - title: ReplicaSets inventory
135 |         filters:
136 |           - asset.platform == "k8s-replicaset"
137 |         queries:
138 |           - uid: k8s-replicaset
139 |             title: ReplicaSet information
140 |             mql: |
141 |               k8s.replicaset { * }
142 |           - uid: k8s-replicaset-container
143 |             title: Container information
144 |             mql: |
145 |               k8s.replicaset.containers { * }
146 |       - title: Ingresses inventory
147 |         filters:
148 |           - asset.platform == "k8s-ingress"
149 |         queries:
150 |           - uid: k8s-ingress
151 |             title: Ingress information
152 |             mql: |
153 |               k8s.ingress { * }
154 | 


--------------------------------------------------------------------------------
/core/mondoo-linux-incident-response.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-linux-incident-response
 6 |     name: Linux Incident Response Pack
 7 |     version: 1.2.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: linux
14 |       mondoo.com/category: security
15 |     filters:
16 |       - asset.family.contains("linux")
17 |     queries:
18 |       - uid: mondoo-linux-incident-response-installed-kernel
19 |         title: Installed kernels
20 |         filters: mondoo.capabilities.contains("run-command")
21 |         mql: kernel.installed
22 |       - uid: mondoo-linux-incident-response-kernel-info
23 |         title: Running kernel version
24 |         filters: mondoo.capabilities.contains("run-command")
25 |         mql: kernel.info
26 |       - uid: mondoo-linux-incident-response-kernel-modules
27 |         title: Kernel modules
28 |         mql: kernel.modules { name loaded }
29 |       - uid: mondoo-linux-incident-response-processes
30 |         title: Running processes
31 |         filters: mondoo.capabilities.contains("run-command")
32 |         mql: processes { pid  command }
33 |       - uid: mondoo-linux-incident-response-mounts
34 |         title: Mounted devices
35 |         mql: mount.list { path fstype device options }
36 |       - uid: mondoo-linux-incident-response-listening-ports
37 |         title: Listening ports
38 |         filters: mondoo.capabilities.contains("run-command")
39 |         mql: ports.listening
40 |       - uid: mondoo-linux-incident-response-uptime
41 |         title: Operating system uptime
42 |         filters: mondoo.capabilities.contains("run-command")
43 |         mql: os.uptime
44 |       - uid: mondoo-linux-incident-response-installed-packages
45 |         title: Installed packages
46 |         mql: packages { name version arch installed }
47 |       - uid: mondoo-linux-incident-response-running-services
48 |         title: Running services
49 |         mql: services.where(running == true) { name running enabled masked type }
50 | 


--------------------------------------------------------------------------------
/core/mondoo-linux-inventory.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-linux-inventory
  6 |     name: Linux Inventory Pack
  7 |     version: 1.7.2
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: linux
 14 |       mondoo.com/category: best-practices
 15 |     docs:
 16 |       desc: |
 17 |         The Linux Inventory Pack by Mondoo retrieves data about Linux hosts for asset inventory.
 18 | 
 19 |         ## Local scan
 20 |         To run this pack locally on a Linux host:
 21 | 
 22 |         ```bash
 23 |         cnquery scan local -f mondoo-linux-inventory.mql.yaml
 24 |         ```
 25 | 
 26 |         ## Remote scan
 27 |         To run this pack against a remote Linux host using SSH:
 28 | 
 29 |         ```bash
 30 |         cnquery scan ssh <user>@<ip_address> -i <identity_file> -f mondoo-linux-inventory.mql.yaml
 31 |         ```
 32 | 
 33 |         ## Join the community!
 34 |         Our goal is to build query packs that are simple to deploy and provide accurate and useful data.
 35 | 
 36 |         If you have any suggestions for improving this query pack, or if you need support, [join the Mondoo community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
 37 |     filters:
 38 |       - asset.family.contains("linux")
 39 |     queries:
 40 |       - uid: mondoo-linux-asset-info
 41 |         title: Asset information
 42 |         mql: asset { kind title platform name arch runtime version }
 43 |       - uid: mondoo-linux-hostname
 44 |         title: Hostname
 45 |         mql: os.hostname
 46 |       - uid: mondoo-linux-platform
 47 |         title: Platform
 48 |         mql: asset.platform
 49 |       - uid: mondoo-linux-users
 50 |         title: Regular users with shell access
 51 |         mql: users.where(shell != "/sbin/nologin" && uid >= 1000 && name != "root") { name sid uid gid shell authorizedkeys.list sshkeys home group }
 52 |       - uid: mondoo-linux-groups-wheel
 53 |         title: Members of the wheel group
 54 |         mql: groups.where(name == "wheel") { members }
 55 |       - uid: mondoo-linux-installed-kernel
 56 |         title: Installed kernels
 57 |         filters: mondoo.capabilities.contains("run-command")
 58 |         mql: kernel.installed
 59 |       - uid: mondoo-linux-kernel-info
 60 |         title: Running kernel versions
 61 |         filters: mondoo.capabilities.contains("run-command")
 62 |         mql: kernel.info
 63 |       - uid: mondoo-linux-kernel-modules
 64 |         title: Kernel modules
 65 |         filters: mondoo.capabilities.contains("run-command")
 66 |         mql: kernel.modules { name loaded }
 67 |       - uid: mondoo-linux-kernel-parameters
 68 |         title: Kernel parameters
 69 |         filters: mondoo.capabilities.contains("run-command")
 70 |         mql: kernel.parameters
 71 |       - uid: mondoo-linux-processes
 72 |         title: Running processes
 73 |         filters: mondoo.capabilities.contains("run-command")
 74 |         mql: processes { pid command flags }
 75 |       - uid: mondoo-linux-mounts
 76 |         title: Mounted devices
 77 |         mql: mount.list { path fstype device options }
 78 |       - uid: mondoo-linux-listening-ports
 79 |         title: Listening ports
 80 |         filters: mondoo.capabilities.contains("run-command")
 81 |         mql: ports.listening { user state port address protocol process remoteAddress remotePort }
 82 |       - uid: mondoo-linux-active-connections
 83 |         title: Active network connections
 84 |         filters: mondoo.capabilities.contains("run-command")
 85 |         mql: ports.where(state != "close") { user state port address protocol process remoteAddress remotePort }
 86 |       - uid: mondoo-linux-uptime
 87 |         title: Operating system uptime
 88 |         filters: mondoo.capabilities.contains("run-command")
 89 |         mql: os.uptime
 90 |       - uid: mondoo-linux-installed-packages
 91 |         title: Installed packages
 92 |         mql: packages { name version arch installed }
 93 |       - uid: mondoo-linux-running-services
 94 |         title: Running services
 95 |         filters: mondoo.capabilities.contains("run-command")
 96 |         mql: services.where(running == true) { name running enabled masked type }
 97 |       - uid: mondoo-linux-interface-configuration
 98 |         title: Network interface configuration
 99 |         filters: mondoo.capabilities.contains("run-command")
100 |         mql: |
101 |           parse.json(content: command('ip -j a').stdout).params
102 |       - uid: mondoo-sshd-interface-configuration
103 |         title: sshd configuration
104 |         filters: package('openssh-server').installed || package('openssh').installed
105 |         mql: sshd.config.params
106 |       - uid: mondoo-linux-system-manufacturer
107 |         title: System manufacturer
108 |         mql: machine.baseboard.manufacturer
109 |       - uid: mondoo-linux-system-product-name
110 |         title: System product name
111 |         mql: machine.baseboard.product
112 |       - uid: mondoo-linux-cpu-type
113 |         title: CPU type
114 |         mql: |
115 |           file("/proc/cpuinfo").content.lines.where(_.contains("model name")).first().split(":").last().trim()
116 |       - uid: mondoo-linux-root-volume
117 |         title: Root volume size and filesystem type
118 |         mql: |
119 |           command("df -TH / | awk '{ print $3 "+'" "'+" $2 }'").stdout.trim
120 |       - uid: mondoo-linux-physical-memory
121 |         title: Physical memory size
122 |         mql: |
123 |           file("/proc/meminfo").content.lines.where(_.contains("MemTotal")).first().split(":").last().trim()
124 |       - uid: mondoo-linux-smbios-baseboard
125 |         title: SMBIOS baseboard (or module) information
126 |         mql: machine.baseboard { manufacturer version serial assetTag product }
127 |       - uid: mondoo-linux-smbios-bios
128 |         title: SMBIOS BIOS information
129 |         mql: machine.bios { vendor version releaseDate }
130 |       - uid: mondoo-linux-smbios-system
131 |         title: SMBIOS System information
132 |         mql: machine.system { sku serial family version product uuid manufacturer }
133 |       - uid: mondoo-linux-smbios-chassis
134 |         title: SMBIOS Chassis information
135 |         mql: machine.chassis { manufacturer serial version assetTag }
136 |       - uid: mondoo-linux-workstation-security-permissions-on-bootloader-config-metadata
137 |         title: Bootloader configuration metadata
138 |         filters: |
139 |           asset.family.contains('linux')
140 |           packages.where(name == /xorg|xserver|wayland/i).any(installed)
141 |         mql: |
142 |           if (file("/boot/grub/grub.cfg").exists) {file("/boot/grub/grub.cfg") {dirname basename permissions}}
143 |           if (file("/boot/grub2/grub.cfg").exists) {file("/boot/grub2/grub.cfg") {dirname basename permissions}}
144 |           if (file("/boot/grub/user.cfg").exists) {file("/boot/grub/user.cfg") {dirname basename permissions}}
145 |           if (file("/boot/grub2/user.cfg").exists) {file("/boot/grub2/user.cfg") {dirname basename permissions}}
146 |       - uid: mondoo-linux-workstation-security-secure-boot-is-enabled-metadata
147 |         title: Secure Boot status
148 |         filters: |
149 |           asset.family.contains('linux')
150 |           packages.where(name == /xorg|xserver|wayland/i).any(installed)
151 |         mql: |
152 |           command('mokutil --sb-state').stdout
153 |       - uid: mondoo-linux-workstation-security-aes-encryption-algo-metadata
154 |         title: Disk encryption cipher suite
155 |         filters: |
156 |           asset.family.contains('linux')
157 |           packages.where(name == /xorg|xserver|wayland/i).any(installed)
158 |         mql: |
159 |           lsblk.list.where(fstype == /crypt/) {parse.json(content: command('cryptsetup --dump-json-metadata luksDump /dev/' + name).stdout).params}
160 |       - uid: mondoo-linux-workstation-security-disk-encryption-metadata
161 |         title: Disk encryption metadata
162 |         filters: |
163 |           asset.family.contains('linux')
164 |           packages.where(name == /xorg|xserver|wayland/i).any(installed)
165 |         mql: |
166 |           lsblk { name label uuid fstype mountpoints }
167 |       - uid: mondoo-linux-logged-in-users
168 |         title: Logged-in users
169 |         mql: command('w -h').stdout
170 | 


--------------------------------------------------------------------------------
/core/mondoo-macos-incident-response.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-macos-incident-response
 6 |     name: macOS Incident Response Pack
 7 |     version: 1.1.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: macos
14 |       mondoo.com/category: security
15 |     filters:
16 |       - asset.platform == "macos"
17 |     queries:
18 |       - uid: mondoo-macos-incident-response-platform-info
19 |         title: Platform information
20 |         mql: asset { platform title version arch }
21 |       - uid: mondoo-macos-incident-response-regular-users
22 |         title: Regular users
23 |         mql: users.where( name != /^_/ && shell != /\/usr\/bin\/false/ )
24 |       - uid: mondoo-macos-incident-response-kernel-info
25 |         title: Running macOS kernel
26 |         mql: kernel.info["version"]
27 |       - uid: mondoo-macos-incident-response-kernel-modules
28 |         title: macOS kernel modules
29 |         mql: kernel.modules { name loaded }
30 |       - uid: mondoo-macos-incident-response-processes
31 |         title: Running processes
32 |         mql: processes.list { pid  command }
33 |       - uid: mondoo-macos-incident-response-mounts
34 |         title: Mounted devices
35 |         mql: mount.list
36 |       - uid: mondoo-macos-incident-response-uptime
37 |         title: Operating system uptime
38 |         mql: os.uptime
39 |       - uid: mondoo-macos-incident-response-installed-packages
40 |         title: Installed packages
41 |         mql: packages
42 |       - uid: mondoo-macos-incident-response-running-services
43 |         title: Running services
44 |         mql: services.where(running == true) { name running enabled masked type }
45 |       - uid: mondoo-macos-incident-response-alf-extensions
46 |         title: Exceptions from the Application Layer Firewall
47 |         mql: macos.alf.exceptions
48 |       - uid: mondoo-macos-incident-response-check-recommended-updates
49 |         title: Recommended OS and application updates
50 |         mql: parse.plist('/Library/Preferences/com.apple.SoftwareUpdate.plist').params['RecommendedUpdates']
51 | 


--------------------------------------------------------------------------------
/core/mondoo-macos-inventory.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-macos-inventory
  6 |     name: macOS Inventory Pack
  7 |     version: 1.6.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: macos
 14 |       mondoo.com/category: best-practices
 15 |     docs:
 16 |       desc: |
 17 |         The macOS Inventory Pack by Mondoo retrieves data about macOS hosts for asset inventory.
 18 | 
 19 |         ## Local scan
 20 |         To run this pack locally on a macOS host:
 21 | 
 22 |         ```bash
 23 |         cnquery scan local -f mondoo-macos-inventory.mql.yaml
 24 |         ```
 25 | 
 26 |         ## Remote scan
 27 |         To run this pack against a remote macOS host using SSH (requires Remote Management is activated in System Preferences):
 28 | 
 29 |         ```bash
 30 |         cnquery scan ssh <user>@<ip_address> -i <identity_file> -f mondoo-macos-inventory.mql.yaml
 31 |         ```
 32 | 
 33 |         ## Join the community!
 34 |         Our goal is to build query packs that are simple to deploy and provide accurate and useful data.
 35 | 
 36 |         If you have any suggestions for improving this query pack, or if you need support, [join the Mondoo community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
 37 |     filters:
 38 |       - asset.platform == "macos"
 39 |     queries:
 40 |       - uid: mondoo-macos-machine-model-identifier
 41 |         title: Machine model identifier
 42 |         mql: |
 43 |           parse.json(content: command('system_profiler SPHardwareDataType -json').stdout).params['SPHardwareDataType'].first['machine_model']
 44 |       - uid: mondoo-macos-machine-model-name
 45 |         title: Machine model name
 46 |         mql: |
 47 |           parse.json(content: command('system_profiler SPHardwareDataType -json').stdout).params['SPHardwareDataType'].first['machine_name']
 48 |       - uid: mondoo-macos-model-part-number
 49 |         title: Model part number
 50 |         mql: |
 51 |           parse.json(content: command('system_profiler SPHardwareDataType -json').stdout).params['SPHardwareDataType'].first['model_number']
 52 |       - uid: mondoo-macos-serial-number
 53 |         title: System serial number
 54 |         mql: |
 55 |           parse.json(content: command('system_profiler SPHardwareDataType -json').stdout).params['SPHardwareDataType'].first['serial_number']
 56 |       - uid: mondoo-macos-cpu-type
 57 |         title: CPU type
 58 |         mql: |
 59 |           parse.json(content: command('system_profiler SPHardwareDataType -json').stdout).params['SPHardwareDataType'].first['chip_type']
 60 |       - uid: mondoo-macos-physical-memory
 61 |         title: Physical memory size
 62 |         mql: |
 63 |           parse.json(content: command('system_profiler SPHardwareDataType -json').stdout).params['SPHardwareDataType'].first['physical_memory']
 64 |       - uid: mondoo-asset-info
 65 |         title: Asset information
 66 |         mql: asset { kind title platform name arch runtime version }
 67 |       - uid: mondoo-hostname
 68 |         title: Hostname
 69 |         mql: os.hostname
 70 |       - uid: mondoo-macos-uptime
 71 |         title: Operating system uptime
 72 |         filters: mondoo.capabilities.contains("run-command")
 73 |         mql: os.uptime
 74 |       - uid: mondoo-macos-processes
 75 |         title: Running processes
 76 |         filters: mondoo.capabilities.contains("run-command")
 77 |         mql: processes { pid command flags }
 78 |       - uid: mondoo-macos-kernel-modules
 79 |         title: Kernel modules
 80 |         filters: mondoo.capabilities.contains("run-command")
 81 |         mql: kernel.modules { name loaded }
 82 |       - uid: mondoo-macos-mounts
 83 |         title: Mounted devices
 84 |         mql: mount.list { path fstype device options }
 85 |       - uid: mondoo-macos-users
 86 |         title: Regular users
 87 |         mql: users.where( name != /^_/ && shell != "/usr/bin/false" && name != "root")
 88 |       - uid: mondoo-macos-packages
 89 |         title: Installed packages
 90 |         mql: packages { name version arch installed }
 91 |       - uid: mondoo-macos-running-services
 92 |         title: Running services
 93 |         filters: mondoo.capabilities.contains("run-command")
 94 |         mql: services.where(running == true) { name running enabled masked type }
 95 |       - uid: mondoo-macos-ports-listening
 96 |         title: Listening ports
 97 |         filters: mondoo.capabilities.contains("run-command")
 98 |         mql: ports.where(state != "close") { user state port address protocol process remoteAddress remotePort }
 99 |       - uid: mondoo-macos-active-connections
100 |         title: Active network connections
101 |         filters: mondoo.capabilities.contains("run-command")
102 |         mql: ports.where(state != "close") { user state port address protocol process remoteAddress remotePort }
103 |       - uid: mondoo-macos-interface-configuration
104 |         title: Network interface configuration
105 |         filters: mondoo.capabilities.contains("run-command")
106 |         mql: command("ifconfig").stdout
107 |       - uid: mondoo-macos-sshd-interface-configuration
108 |         title: sshd configuration
109 |         mql: sshd.config.params
110 |       - uid: mondoo-macos-recommended-software-updates
111 |         title: Recommended software updates
112 |         mql: parse.plist('/Library/Preferences/com.apple.SoftwareUpdate.plist').params['RecommendedUpdates']
113 |       - uid: mondoo-macos-smbios-system
114 |         title: SMBIOS System information
115 |         mql: machine.system { sku serial family version product uuid manufacturer }
116 |       - uid: mondoo-macos-storage
117 |         title: Storage Data
118 |         mql: |
119 |           parse.json(content: command('system_profiler SPStorageDataType -json').stdout).params
120 |       - uid: mondoo-macos-power
121 |         title: Power Data
122 |         mql: |
123 |           parse.json(content: command('system_profiler SPPowerDataType -json').stdout).params
124 |       - uid: mondoo-macos-network
125 |         title: Network Data
126 |         mql: |
127 |           parse.json(content: command('system_profiler SPNetworkDataType -json').stdout).params
128 |       - uid: mondoo-macos-profile
129 |         title: Configuration Profile Data
130 |         mql: |
131 |           parse.json(content: command('system_profiler SPConfigurationProfileDataType -json').stdout).params
132 |       - uid: mondoo-macos-logged-in-users
133 |         title: Logged-in users
134 |         mql: command('w -h').stdout
135 |       - uid: mondoo-macos-system-extensions
136 |         title: macOS System Extensions
137 |         mql: macos.systemExtensions { active enabled identifier state version }
138 | 


--------------------------------------------------------------------------------
/core/mondoo-openssl-incident-response.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-openssl-incident-response
 6 |     name: OpenSSL Incident Response Pack
 7 |     version: 1.1.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: linux
14 |       mondoo.com/category: security
15 |     filters:
16 |       - asset.family.contains("linux")
17 |     queries:
18 |       - uid: mondoo-openssl-incident-response-platform
19 |         title: Platform details
20 |         mql: |
21 |           asset {
22 |             platform
23 |             version
24 |             arch
25 |           }
26 |       - uid: mondoo-openssl-incident-response-installed-version
27 |         title: Installed ssl libraries
28 |         mql: packages.where(name == /ssl/)
29 |       - uid: mondoo-openssl-incident-response-listening-ports
30 |         title: Listening ports for running systems
31 |         mql: |
32 |           if ( mondoo.capabilities.contains('run-command') ) {
33 |             ports.listening { 
34 |               protocol
35 |               address
36 |               port
37 |             }
38 |           }
39 | 


--------------------------------------------------------------------------------
/core/mondoo-shodan-inventory.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-shodan-inventory
 6 |     name: Shodan Inventory Pack
 7 |     version: 1.1.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: shodan
14 |       mondoo.com/category: best-practices
15 |     docs:
16 |       desc: |
17 |         The Shodan Inventory Pack by Mondoo retrieves data about shodan.io assets. 
18 | 
19 |         ## Local scan
20 |         To run this pack locally:
21 | 
22 |         ```bash
23 |         export SHODAN_TOKEN="XXX"
24 |         cnquery scan shodan --networks "1.1.1.1/28" --discover hosts -f mondoo-shodan-inventory.mql.yaml
25 |         ```
26 | 
27 |         ## Join the community!
28 |         Our goal is to build query packs that are simple to deploy and provide accurate and useful data. 
29 | 
30 |         If you have any suggestions for improving this query pack, or if you need support, [join the Mondoo community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
31 |     filters: asset.family.contains("shodan")
32 |     queries:
33 |       - uid: mondoo-shodan-inventory-hostnames
34 |         title: Shodan info about Hostnames / DNS
35 |         filters: asset.platform == "shodan-host"
36 |         mql: |
37 |           shodan.host.hostnames
38 |       - uid: mondoo-shodan-inventory-asn
39 |         title: Shodan info about ASN
40 |         filters: asset.platform == "shodan-host"
41 |         mql: |
42 |           shodan.host.asn
43 |       - uid: mondoo-shodan-inventory-tags
44 |         title: Shodan info about Tags
45 |         filters: asset.platform == "shodan-host"
46 |         mql: |
47 |           shodan.host.tags
48 |       - uid: mondoo-shodan-inventory-isp
49 |         title: Shodan info about ISP
50 |         filters: asset.platform == "shodan-host"
51 |         mql: |
52 |           shodan.host.isp
53 |       - uid: mondoo-shodan-inventory-org
54 |         title: Shodan info about Org
55 |         filters: asset.platform == "shodan-host"
56 |         mql: |
57 |           shodan.host.org
58 |       - uid: mondoo-shodan-inventory-ip
59 |         title: Shodan info about IP
60 |         filters: asset.platform == "shodan-host"
61 |         mql: |
62 |           shodan.host.ip
63 |       - uid: mondoo-shodan-inventory-os
64 |         title: Shodan info about OS
65 |         filters: asset.platform == "shodan-host"
66 |         mql: |
67 |           shodan.host.os
68 |       - uid: mondoo-shodan-inventory-ports
69 |         title: Shodan info about Ports
70 |         filters: asset.platform == "shodan-host"
71 |         mql: |
72 |           shodan.host.ports
73 |       - uid: mondoo-shodan-inventory-vulns
74 |         title: Shodan info about vulnerabilities
75 |         filters: asset.platform == "shodan-host"
76 |         mql: |
77 |           shodan.host.vulnerabilities
78 |       - uid: mondoo-shodan-inventory-nsrecords
79 |         title: Shodan info about DNS NS records
80 |         filters: asset.platform == "shodan-domain"
81 |         mql: |
82 |           shodan.domain.nsrecords
83 |       - uid: mondoo-shodan-inventory-subdomains
84 |         title: Shodan info about Subdomains
85 |         filters: asset.platform == "shodan-domain"
86 |         mql: |
87 |           shodan.domain.subdomains
88 |       - uid: mondoo-shodan-inventory-domain-tags
89 |         title: Shodan info about Tags
90 |         filters: asset.platform == "shodan-domain"
91 |         mql: |
92 |           shodan.domain.tags
93 | 


--------------------------------------------------------------------------------
/core/mondoo-slack-inventory.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-slack-inventory
 6 |     name: Slack Inventory Pack
 7 |     version: 1.0.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: slack-team,saas
14 |       mondoo.com/category: best-practices
15 |     docs:
16 |       desc: |
17 |         ### Overview
18 | 
19 |         The Slack Inventory Pack retrieves information about Slack teams for asset inventory.
20 | 
21 |         ### Prerequisites
22 | 
23 |         To run this query pack, you will need access to the Slack API. To get a token, you need to create an App for the Slack workspace 
24 |         and assign the appropriate permissions:
25 | 
26 |         1. Sign in to [the Slack website](https://api.slack.com/apps/), and view "Your Apps"
27 |         2. Select "Create New App"
28 |         3. Select "From scratch"
29 |         4. Enter an "App Name" e.g. cnquery and select the workspace, then select "Create App"
30 |         5. In the section "Add features & functionality" select "Permissions"
31 |         6. Scroll to "Scopes" and then "User Token Scopes"
32 | 
33 |         Note: Bots are very limited in their access; therefore we need to set the user scopes
34 | 
35 |         7. Add the required permissions to "User Token Scopes"
36 | 
37 |         | OAuth Scope  |
38 |         | ---- | 
39 |         | [channels:read](https://api.slack.com/scopes/channels:read) | 
40 |         | [groups:read](https://api.slack.com/scopes/groups:read) |
41 |         | [im:read](https://api.slack.com/scopes/im:read) |
42 |         | [mpim:read](https://api.slack.com/scopes/mpim:read) | 
43 |         | [team:read](https://api.slack.com/scopes/team:read) | 
44 |         | [usergroups:read](https://api.slack.com/scopes/usergroups:read) | 
45 |         | [users:read](https://api.slack.com/scopes/users:read) |
46 | 
47 |         8. Scroll up to "OAuth Tokens for Your Workspace" and select "Install to Workspace"
48 |         9. Copy the provided "User OAuth Token", it will look like `xoxp-1234567890123-1234567890123-1234567890123-12345cea5ae0d3bed30dca43cb34c2d1`
49 | 
50 |         ### Run query pack
51 | 
52 |         To run this query pack against a Slack workspace:
53 | 
54 |         ```bash
55 |         export SLACK_TOKEN=xoxp-TOKEN
56 |         cnquery scan slack --query-pack mondoo-slack-inventory
57 |         ```
58 |     filters:
59 |       - asset.platform == "slack" || asset.platform == "slack-team"
60 |     queries:
61 |       - uid: mondoo-slack-inventory-team-domain
62 |         title: Slack Team Domain
63 |         mql: |
64 |           slack.team.domain
65 |       - uid: mondoo-slack-inventory-team-id
66 |         title: Slack Team ID
67 |         mql: |
68 |           slack.team.id
69 |       - uid: mondoo-slack-inventory-mfa-status
70 |         title: Slack Team MFA status
71 |         docs:
72 |           desc: |
73 |             This query retrieves the status of whether MFA is configured for all users.
74 |         mql: |
75 |           slack.users { id name profile["email"] isBot teamId has2FA }
76 |       - uid: mondoo-slack-inventory-owners
77 |         title: Slack Team Owners
78 |         docs:
79 |           desc: |
80 |             This query retrieves the list of all users with the Owner privilege.
81 |         mql: |
82 |           slack.users.owners.length
83 |           slack.users.owners { id name profile["email"] isBot teamId has2FA }
84 |       - uid: mondoo-slack-inventory-admins
85 |         title: Slack Admins
86 |         docs:
87 |           desc: |
88 |             This query retrieves the list of all users with the Admin privilege.
89 |         mql: slack.users.admins { id name }
90 |       - uid: mondoo-slack-inventory-external-channels
91 |         title: Externally shared channels
92 |         docs:
93 |           desc: |
94 |             This query retrieves the list of all channels that have been externally shared.
95 |         mql: slack.conversations.where(isExtShared == true) { id name }
96 | 


--------------------------------------------------------------------------------
/core/mondoo-ssl-tls-certificate-incident-response.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-ssl-tls-certificate-incident-response
 6 |     name: SSL/TLS Certificate Incident Response Pack
 7 |     version: 1.1.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: host,network
14 |       mondoo.com/category: security
15 |     docs:
16 |       desc: |
17 |         ### Overview
18 | 
19 |         The SSL/TLS Certificate Incident Response Pack by Mondoo query pack retrieves information about SSL/TLS certificates of a domain for investigation during a security incident.
20 | 
21 |         ### Prerequisites
22 | 
23 |         To run this query pack, you will need to install the cnquery binary ([Get Started with cnquery](https://mondoo.com/docs/cnquery/)).
24 | 
25 |         ### Run query pack
26 | 
27 |         To run this query pack against a Domain:
28 | 
29 |         ```bash
30 |         cnquery scan host <domain> -f mondoo-ssl-tls-certificate-incident-response.mql.yaml
31 |         ```
32 |     filters:
33 |       - asset.family.contains('network')
34 |     queries:
35 |       - uid: mondoo-ssl-tls-certificate-incident-response-domain-name
36 |         title: Domain Name
37 |         mql: |
38 |           tls.domainName
39 |       - uid: mondoo-ssl-tls-certificate-incident-response-versions
40 |         title: Supported SSL and TLS versions
41 |         mql: |
42 |           tls.versions
43 |       - uid: mondoo-ssl-tls-certificate-incident-response-ciphers
44 |         title: Supported SSl/TLS ciphers
45 |         mql: |
46 |           tls.ciphers
47 |       - uid: mondoo-ssl-tls-certificate-incident-response-signing-algo
48 |         title: Signature algorithm of all certificates in the certificate chain
49 |         mql: |
50 |           tls.certificates {
51 |             signingAlgorithm
52 |             subject.commonName
53 |           }
54 |       - uid: mondoo-ssl-tls-certificate-incident-response-is-revoked
55 |         title: Revoked, verified, and CA status of all certificates in the certificate chain
56 |         mql: |
57 |           tls.certificates {
58 |             subject.commonName
59 |             isCA
60 |             isRevoked
61 |             isVerified
62 |           }
63 |       - uid: mondoo-ssl-tls-certificate-incident-response-when-expire
64 |         title: Expiration dates for all certificates in the certificate chain
65 |         mql: |
66 |           tls.certificates {
67 |             subject.commonName
68 |             expiresIn
69 |             notAfter
70 |             notBefore
71 |           }
72 | 


--------------------------------------------------------------------------------
/core/mondoo-terraform-inventory.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-asset-inventory-terraform
 6 |     name: Terraform Asset Inventory Pack
 7 |     version: 1.0.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: terraform
14 |       mondoo.com/category: inventory
15 |     docs:
16 |       desc: |
17 |         The Terraform Asset Inventory Pack retrieves information about Terraform HCL, Terraform Plan, and Terraform State for asset inventory.
18 |     groups:
19 |       - title: Terraform State Asset inventory
20 |         filters: asset.platform == "terraform-state"
21 |         queries:
22 |           - uid: mondoo-asset-inventory-terraform-state-version
23 |           - uid: mondoo-asset-inventory-terraform-state-resources
24 | queries:
25 |   - uid: mondoo-asset-inventory-terraform-state-version
26 |     title: Terraform State Terraform Version
27 |     docs:
28 |       desc: |
29 |         This query gathers the version of Terraform that was used to execute a Terraform run.
30 |     mql: terraform.state.terraformVersion
31 |   - uid: mondoo-asset-inventory-terraform-state-resources
32 |     title: Terraform State resources
33 |     docs:
34 |       desc: |
35 |         This query gathers the resources stored in Terraform state files to provide an inventory of infrastructure managed by Terraform.
36 |     variants:
37 |       - uid: mondoo-asset-inventory-terraform-state-aws-resources
38 |       - uid: mondoo-asset-inventory-terraform-state-gcp-resources
39 |       - uid: mondoo-asset-inventory-terraform-state-azure-resources
40 |   - uid: mondoo-asset-inventory-terraform-state-aws-resources
41 |     filters: asset.platform == "terraform-state" && terraform.state.resources.any( type == /^aws_/ )
42 |     docs:
43 |       desc: |
44 |         This query gathers the resources stored in Terraform state files that manage any AWS resources. The data is only gather if any of the resources match 'aws_' such as 'aws_s3_bucket'.
45 |     mql: terraform.state.resources { type providerName values['arn']  values['owner_id'] }
46 |   - uid: mondoo-asset-inventory-terraform-state-gcp-resources
47 |     filters: asset.platform == "terraform-state" && terraform.state.resources.any( type == /^google_/ )
48 |     docs:
49 |       desc: |
50 |         This query gathers the resources stored in Terraform state files that manage any Google Cloud resources. The data is only gather if any of the resources match 'google_' such as 'google_compute_instance'.
51 |     mql: terraform.state.resources { type providerName values['project'] values['id'] }
52 |   - uid: mondoo-asset-inventory-terraform-state-azure-resources
53 |     filters: asset.platform == "terraform-state" && terraform.state.resources.any( type == /^azurerm_/ )
54 |     docs:
55 |       desc: |
56 |         This query gathers the resources stored in Terraform state files that manage any Microsoft Azure resources. The data is only gather if any of the resources match 'azurerm_' such as 'azurerm_resource_group'.
57 |     mql: terraform.state.resources { type providerName values['id'] }


--------------------------------------------------------------------------------
/core/mondoo-vmware-incident-response.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-vmware-incident-response
 6 |     name: VMware vCenter Incident Response Pack
 7 |     version: 1.1.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: vmware,vmware-esxi
14 |       mondoo.com/category: security
15 |     docs:
16 |       desc: |
17 |         ## Overview
18 | 
19 |         VMware vCenter Incident Response Pack by Mondoo retrieves data about vCenter and its ESXi hosts.
20 | 
21 |         ### Run query pack
22 | 
23 |         To run this query pack against VMware vCenter:
24 | 
25 |         ```bash
26 |         cnquery scan vsphere user@domain.local@192.168.5.24 --ask-pass -f core/mondoo-vmware-incident-response.mql.yaml
27 |         ```
28 | 
29 |         ## Join the community!
30 | 
31 |         Our goal is to build policies that are simple to deploy, accurate, and actionable. 
32 | 
33 |         If you have any suggestions for improving this policy, or if you need support, [join the Mondoo community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
34 |     filters:
35 |       - asset.platform == "vmware-esxi"
36 |     queries:
37 |       - uid: mondoo-vmware-incident-response-kernel-modules
38 |         title: Kernel modules
39 |         mql: vsphere.host.kernelModules
40 |       - uid: mondoo-vmware-incident-response-installed-packages
41 |         title: Installed packages
42 |         mql: vsphere.host.packages
43 |       - uid: mondoo-vmware-incident-response-running-services
44 |         title: All services
45 |         mql: vsphere.host.services
46 |         refs:
47 |           - title: VMSA-2021-0002
48 |             url: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
49 |           - title: How to Disable/Enable the SLP Service on VMware ESXi (76372)
50 |             url: https://kb.vmware.com/s/article/76372
51 |       - uid: mondoo-vmware-incident-response-acceptance-level
52 |         title: Host acceptance level
53 |         docs:
54 |           desc: The host acceptance level determines which VIBs can be installed on a host.
55 |         mql: vsphere.host.acceptanceLevel
56 |         refs:
57 |           - title:
58 |             url: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.upgrade.doc/GUID-27BBBAB8-01EA-4238-8140-1C3C3EFC0AA6.html
59 |       - uid: mondoo-vmware-incident-response-ntp-servers
60 |         title: Configured NTP servers
61 |         mql: vsphere.host.ntp.server
62 | 


--------------------------------------------------------------------------------
/core/mondoo-vmware-inventory.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-vmware-asset-inventory
  6 |     name: VMware Asset Inventory Pack
  7 |     version: 1.1.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: vmware,vmware-esxi
 14 |       mondoo.com/category: security
 15 |     docs:
 16 |       desc: |
 17 |         ## Overview
 18 | 
 19 |         VMware vCenter Asset Inventory Pack by Mondoo retrieves data about vCenter and its ESXi hosts.
 20 | 
 21 |         ### Run query pack
 22 | 
 23 |         To run this query pack against VMware vCenter:
 24 | 
 25 |         ```bash
 26 |         cnquery scan vsphere user@domain.local@192.168.5.24 --ask-pass -f core/mondoo-vmware-inventory.mql.yaml
 27 |         ```
 28 | 
 29 |         ## Join the community!
 30 | 
 31 |         Our goal is to build policies that are simple to deploy, accurate, and actionable. 
 32 | 
 33 |         If you have any suggestions for improving this policy, or if you need support, [join the Mondoo community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
 34 |     filters: asset.platform == "vmware-esxi" || asset.platform == "vmware-vsphere"
 35 |     queries:
 36 |       - uid: mondoo-vmware-asset-inventory-vcenter-datacenters
 37 |         title: VMware vSphere Datacenters
 38 |         filters: asset.platform == "vmware-vsphere"
 39 |         mql: |
 40 |           vsphere.datacenters { name }
 41 |       - uid: mondoo-vmware-asset-inventory-vcenter-clusters
 42 |         title: VMware vSphere Clusters per Datacenter
 43 |         filters: asset.platform == "vmware-vsphere"
 44 |         mql: |
 45 |           vsphere.datacenters { clusters }
 46 |       - uid: mondoo-vmware-asset-inventory-vcenter-vms
 47 |         title: VMware vSphere VMs per Datacenters
 48 |         filters: asset.platform == "vmware-vsphere"
 49 |         mql: |
 50 |           vsphere.datacenters { vms { name advancedSettings["guestInfo.detailed.data"] properties["guest"]["guestState"] } }
 51 |       - uid: mondoo-vmware-asset-inventory-esxi-kernel-modules
 52 |         title: VMware ESXi Kernel modules
 53 |         filters: asset.platform == "vmware-esxi"
 54 |         mql: |
 55 |           vsphere.host.kernelModules
 56 |       - uid: mondoo-vmware-asset-inventory-esxi-installed-packages
 57 |         title: VMware ESXi Installed packages
 58 |         filters: asset.platform == "vmware-esxi"
 59 |         mql: |
 60 |           esxi.host.packages
 61 |       - uid: mondoo-vmware-asset-inventory-esxi-services
 62 |         title: VMware ESXi Services
 63 |         filters: asset.platform == "vmware-esxi"
 64 |         mql: |
 65 |           esxi.host.services
 66 |       - uid: mondoo-vmware-asset-inventory-esxi-acceptance-level
 67 |         title: VMware ESXi Acceptance Level
 68 |         filters: asset.platform == "vmware-esxi"
 69 |         mql: |
 70 |           esxi.host.acceptanceLevel
 71 |       - uid: mondoo-vmware-asset-inventory-esxi-ntp-server
 72 |         title: VMware ESXi NTP servers
 73 |         filters: asset.platform == "vmware-esxi"
 74 |         mql: |
 75 |           esxi.host.ntp.server
 76 |       - uid: mondoo-vmware-asset-inventory-esxi-ntp-config
 77 |         title: VMware ESXi NTP configuration
 78 |         filters: asset.platform == "vmware-esxi"
 79 |         mql: |
 80 |           esxi.host.ntp.config
 81 |       - uid: mondoo-vmware-asset-inventory-esxi-fileSystemVolume
 82 |         title: VMware ESXi File System Volume
 83 |         filters: asset.platform == "vmware-esxi"
 84 |         mql: |
 85 |           esxi.host.properties["config"]["fileSystemVolume"]
 86 |       - uid: mondoo-vmware-asset-inventory-esxi-firewall
 87 |         title: VMware ESXi Firewall
 88 |         filters: asset.platform == "vmware-esxi"
 89 |         mql: |
 90 |           esxi.host.properties["config"]["firewall"]
 91 |       - uid: mondoo-vmware-asset-inventory-esxi-adapters
 92 |         title: VMware ESXi Physical Adapters
 93 |         filters: asset.platform == "vmware-esxi"
 94 |         mql: |
 95 |           esxi.host.adapters
 96 |       - uid: mondoo-vmware-asset-inventory-esxi-standardSwitch
 97 |         title: VMware ESXi Standard vSwitch
 98 |         filters: asset.platform == "vmware-esxi"
 99 |         mql: |
100 |           esxi.host.standardSwitch
101 | 
102 | 


--------------------------------------------------------------------------------
/core/mondoo-windows-incident-response.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-windows-incident-response
 6 |     name: Windows Incident Response Pack
 7 |     version: 1.2.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: windows
14 |       mondoo.com/category: security
15 |     filters:
16 |       - asset.platform == "windows"
17 |     queries:
18 |       - uid: mondoo-windows-incident-response-installed-hotfixes
19 |         title: Installed hotfixes
20 |         mql: windows.hotfixes { hotfixId installedOn }
21 |       - uid: mondoo-windows-incident-response-uptime
22 |         title: Operating system uptime
23 |         mql: os.uptime
24 |       - uid: mondoo-windows-incident-response-installed-packages
25 |         title: Installed packages
26 |         mql: packages
27 |       - uid: mondoo-windows-incident-response-interface-configuration
28 |         title: Windows Computer/System information
29 |         mql: windows.computerInfo
30 |       - uid: mondoo-windows-incident-response-running-services
31 |         title: Running services
32 |         mql: services.where(running == true)
33 | 


--------------------------------------------------------------------------------
/core/mondoo-windows-inventory.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-windows-asset-inventory
  6 |     name: Windows Asset Inventory Pack
  7 |     version: 1.6.1
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/platform: windows
 14 |       mondoo.com/category: best-practices
 15 |     docs:
 16 |       desc: |
 17 |         The Windows Asset Inventory Pack by Mondoo retrieves data about Windows hosts for asset inventory.
 18 | 
 19 |         ## Local scan
 20 |         To run this pack locally on a Windows host:
 21 | 
 22 |         ```bash
 23 |         cnquery scan local -f mondoo-windows-inventory.mql.yaml
 24 |         ```
 25 | 
 26 |         ## Remote scan
 27 |         To run this pack against a remote macOS host using SSH (requires Remote Management is activated in System Preferences):
 28 | 
 29 |         ```bash
 30 |         cnquery scan winrm <user>@<ip_address> -f mondoo-windows-inventory.mql.yaml
 31 |         ```
 32 | 
 33 |         ## Join the community!
 34 |         Our goal is to build query packs that are simple to deploy and provide accurate and useful data.
 35 | 
 36 |         If you have any suggestions for improving this query pack, or if you need support, [join the Mondoo community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
 37 |     filters:
 38 |       - asset.platform == "windows"
 39 |     queries:
 40 |       - uid: mondoo-windows-asset-info
 41 |         title: Asset information
 42 |         mql: asset { kind title platform name arch runtime version }
 43 |       - uid: mondoo-windows-hostname
 44 |         title: Hostname
 45 |         mql: os.hostname
 46 |       - uid: mondoo-windows-uptime
 47 |         title: Operating system uptime
 48 |         filters: mondoo.capabilities.contains("run-command")
 49 |         mql: os.uptime
 50 |       - uid: mondoo-windows-processes
 51 |         title: Running processes
 52 |         filters: mondoo.capabilities.contains("run-command")
 53 |         mql: processes { pid executable }
 54 |       - uid: mondoo-windows-users
 55 |         title: Regular users
 56 |         mql: users
 57 |       - uid: mondoo-windows-packages
 58 |         title: Installed packages
 59 |         mql: packages { name version arch installed }
 60 |       - uid: mondoo-windows-hotfixes
 61 |         title: All installed Windows hotfixes
 62 |         mql: windows.hotfixes { hotfixId installedOn }
 63 |       - uid: mondoo-windows-features
 64 |         title: Installed Windows features
 65 |         mql: windows.features.where(installed == true) { path name displayName }
 66 |       - uid: mondoo-windows-running-services
 67 |         title: Running services
 68 |         filters: mondoo.capabilities.contains("run-command")
 69 |         mql: services.where(running == true) { name running enabled masked type }
 70 |       - uid: mondoo-windows-ports-listening
 71 |         title: Listening ports
 72 |         filters: mondoo.capabilities.contains("run-command")
 73 |         mql: ports.listening { user state port address protocol process remoteAddress remotePort }
 74 |       - uid: mondoo-windows-active-connections
 75 |         title: Active connections of the system
 76 |         filters: mondoo.capabilities.contains("run-command")
 77 |         mql: ports.where(state != "close") { user state port address protocol process remoteAddress remotePort }
 78 |       - uid: mondoo-windows-interface-configuration
 79 |         title: Network interfaces
 80 |         mql: windows.computerInfo['CsNetworkAdapters']
 81 |       - uid: mondoo-windows-computer-info
 82 |         title: Windows Computer/ System information
 83 |         mql: windows.computerInfo
 84 |       - uid: mondoo-windows-security-products
 85 |         title: Installed Security Products
 86 |         filters: |
 87 |           windows.computerInfo['OsProductType'] == 1
 88 |         mql: windows.security.products { guid state type name productState signatureState timestamp }
 89 |       - uid: mondoo-windows-bitlocker-volumes
 90 |         title: BitLocker Volumes
 91 |         filters: |
 92 |           windows.computerInfo['OsProductType'] == 1
 93 |         mql: windows.bitlocker.volumes { deviceID driveLetter encryptionMethod version persistentVolumeID protectionStatus lockStatus conversionStatus }
 94 |       - uid: mondoo-windows-security-center-health
 95 |         title: Windows Security Health Information
 96 |         filters: |
 97 |           windows.computerInfo['OsProductType'] == 1
 98 |         mql: windows.security.health { autoUpdate internetSettings securityCenterService firewall uac antiVirus antiSpyware }
 99 |       - uid: mondoo-windows-windows-firewall-settings
100 |         title: Windows Firewall settings
101 |         mql: windows.firewall { settings profiles { allowUnicastResponseToMulticast logIgnored enabled allowLocalFirewallRules allowLocalIPsecRules logAllowed logBlocked allowUserApps instanceID allowUserPorts name notifyOnListen logFileName enableStealthModeForIPsec defaultInboundAction logMaxSizeKilobytes defaultOutboundAction allowInboundRules } }
102 |       - uid: mondoo-windows-windows-firewall-rules
103 |         title: Windows Firewall rules
104 |         mql: windows.firewall.rules { edgeTraversalPolicy status instanceID enabled looseSourceMapping displayGroup policyStoreSource name enforcementStatus description direction displayName policyStoreSourceType primaryStatus localOnlyMapping action }
105 |       - uid: mondoo-windows-windows-audit-policies
106 |         title: Windows audit policies
107 |         mql: auditpol { exclusionsetting machinename policytarget subcategory inclusionsetting subcategoryguid }
108 |       - uid: mondoo-windows-windows-system-access-policy
109 |         title: Windows local System Access security policy
110 |         mql: secpol.systemaccess
111 |       - uid: mondoo-windows-windows-event-audit-policy
112 |         title: Windows local Event Audit security policy
113 |         mql: secpol.eventaudit
114 |       - uid: mondoo-windows-registry-values-policy
115 |         title: Windows local Registry Values security policy
116 |         mql: secpol.registryvalues
117 |       - uid: mondoo-windows-privilege-rights-policy
118 |         title: Windows local Privilege Rights security policy
119 |         mql: secpol.privilegerights
120 |       - uid: mondoo-windows-smbios-baseboard
121 |         title: SMBIOS baseboard (or module) information
122 |         mql: machine.baseboard { manufacturer version serial assetTag product }
123 |       - uid: mondoo-windows-smbios-bios
124 |         title: SMBIOS BIOS information
125 |         mql: machine.bios { vendor version releaseDate }
126 |       - uid: mondoo-windows-smbios-system
127 |         title: SMBIOS System information
128 |         mql: machine.system { sku serial family version product uuid manufacturer }
129 |       - uid: mondoo-windows-smbios-chassis
130 |         title: SMBIOS Chassis information
131 |         mql: machine.chassis { manufacturer serial version assetTag }
132 |       - uid: mondoo-windows-scheduled-tasks
133 |         title: Scheduled tasks
134 |         mql: |
135 |           parse.json(content: powershell("Get-ScheduledTask | ConvertTo-Json").stdout).params
136 |       - uid: mondoo-windows-logged-in-users
137 |         title: Logged-in users
138 |         mql: |
139 |           parse.json(content: powershell("Get-Process -IncludeUserName explorer | Select-Object Username | ConvertTo-Json").stdout).params
140 |       - uid: mondoo-windows-exchange-server-version
141 |         title: Exchange Server Version
142 |         filters: |
143 |           package('Microsoft Exchange Server').installed
144 |         mql: |
145 |          powershell('(Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo } | Select-Object -First 1).FileVersion').stdout
146 | 


--------------------------------------------------------------------------------
/extra/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mondoohq/cnquery-packs/668679608f3614967fc581dbdfd840771bd61308/extra/.gitkeep


--------------------------------------------------------------------------------
/extra/README.md:
--------------------------------------------------------------------------------
 1 | # Extra Packs
 2 | 
 3 | Extra packs are a mix of community- and Mondoo-maintained query packs that are outside Mondoo's core support tier..
 4 | 
 5 | ## Contributing
 6 | 
 7 | We welcome all contributions. For more information on contributing to cnquery-packs, see our [Contributing](https://github.com/mondoohq/.github/blob/master/CONTRIBUTING.md) guide.
 8 | 
 9 | ### Join the community!
10 | 
11 | Join the [Mondoo Community GitHub Discussions](https://github.com/orgs/mondoohq/discussions) to collaborate on policy as code and security automation.
12 | 


--------------------------------------------------------------------------------
/extra/mondoo-asset-count.mql.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright (c) Mondoo, Inc.
  2 | # SPDX-License-Identifier: BUSL-1.1
  3 | 
  4 | packs:
  5 |   - uid: mondoo-asset-count
  6 |     name: Asset Count Query Pack
  7 |     version: 1.2.0
  8 |     license: BUSL-1.1
  9 |     authors:
 10 |       - name: Mondoo, Inc
 11 |         email: hello@mondoo.com
 12 |     tags:
 13 |       mondoo.com/category: best-practices
 14 |     groups:
 15 |       - title: ESXi asset counts
 16 |         filters: asset.platform == 'vmware-vsphere'
 17 |         queries:
 18 |           - uid: mondoo-asset-count-on-vsphere-cluster-esxi
 19 |           - uid: mondoo-asset-count-on-vsphere-cluster-vms
 20 |       - title: Microsoft 365 asset counts
 21 |         filters: asset.platform == 'microsoft365'
 22 |         queries:
 23 |           - uid: mondoo-count-users-in-entra-id
 24 |       - title: Azure asset counts
 25 |         filters: asset.platform == 'azure'
 26 |         queries:
 27 |           - uid: mondoo-asset-count-azure-resource-groups
 28 |           - uid: mondoo-asset-count-azure-vms
 29 |           - uid: mondoo-asset-count-azure-subscription-name
 30 |           - uid: mondoo-asset-count-azure-cosmosdb-accounts
 31 |           - uid: mondoo-asset-count-azure-vaults
 32 |           - uid: mondoo-asset-count-azure-mariaDb-servers
 33 |           - uid: mondoo-asset-count-azure-mySql-servers
 34 |           - uid: mondoo-asset-count-azure-postgreSql-servers
 35 |           - uid: mondoo-asset-count-azure-application-gateways
 36 |           - uid: mondoo-asset-count-azure-bastion-hosts
 37 |           - uid: mondoo-asset-count-azure-firewalls
 38 |           - uid: mondoo-asset-count-azure-loadbalancers
 39 |           - uid: mondoo-asset-count-azure-natgateways
 40 |           - uid: mondoo-asset-count-azure-public-addresses
 41 |           - uid: mondoo-asset-count-azure-security-groups
 42 |           - uid: mondoo-asset-count-azure-virtual-network-gateways
 43 |           - uid: mondoo-asset-count-azure-virtual-networks
 44 |           - uid: mondoo-asset-count-azure-aks-clusters
 45 |           - uid: mondoo-asset-count-azure-aks-agent-pools
 46 |       - title: Windows Active Directory asset counts
 47 |         filters: asset.platform == "windows"
 48 |         queries:
 49 |           - uid: mondoo-asset-count-in-windows-domain
 50 |       - title: AWS asset counts
 51 |         filters: asset.platform == "aws"
 52 |         queries:
 53 |           - uid: mondoo-asset-count-aws-acm-certificates
 54 |           - uid: mondoo-asset-count-aws-api-gateways
 55 |           - uid: mondoo-asset-count-aws-active-regions
 56 |           - uid: mondoo-asset-count-aws-autoscaling-groups
 57 |           - uid: mondoo-asset-count-aws-cloudtrails
 58 |           - uid: mondoo-asset-count-aws-dynamodb-tables
 59 |           - uid: mondoo-asset-count-aws-dynamodb-global-tables
 60 |           - uid: mondoo-asset-count-aws-ec2-instances
 61 |           - uid: mondoo-asset-count-aws-ecr-container-images
 62 |           - uid: mondoo-asset-count-aws-ecs-clusters
 63 |           - uid: mondoo-asset-count-aws-ecs-container-instances
 64 |           - uid: mondoo-asset-count-aws-ecs-containers
 65 |           - uid: mondoo-asset-count-aws-efs-filesystems
 66 |           - uid: mondoo-asset-count-aws-eks-clusters
 67 |           - uid: mondoo-asset-count-aws-elasticache-cache-clusters
 68 |           - uid: mondoo-asset-count-aws-elb-application
 69 |           - uid: mondoo-asset-count-aws-elb-classic
 70 |           - uid: mondoo-asset-count-aws-emr-clusters
 71 |           - uid: mondoo-asset-count-aws-es-domains
 72 |           - uid: mondoo-asset-count-aws-guardduty-detectors
 73 |           - uid: mondoo-asset-count-aws-iam-groups
 74 |           - uid: mondoo-asset-count-aws-iam-policies
 75 |           - uid: mondoo-asset-count-aws-iam-users
 76 |           - uid: mondoo-asset-count-aws-kms-keys
 77 |           - uid: mondoo-asset-count-aws-private-ecr-container-registries
 78 |           - uid: mondoo-asset-count-aws-public-ecr-container-registries
 79 |           - uid: mondoo-asset-count-aws-rds-dbclusters
 80 |           - uid: mondoo-asset-count-aws-redshift-clusters
 81 |           - uid: mondoo-asset-count-aws-s3-buckets
 82 |           - uid: mondoo-asset-count-aws-sagemaker-endpoints
 83 |           - uid: mondoo-asset-count-aws-sagemaker-notebook-instances
 84 |           - uid: mondoo-asset-count-aws-secrets-manager-secrets
 85 |           - uid: mondoo-asset-count-aws-security-groups
 86 |           - uid: mondoo-asset-count-aws-security-hub
 87 |           - uid: mondoo-asset-count-aws-sns-topics
 88 |           - uid: mondoo-asset-count-aws-vpcs
 89 |       - title: GCP Project Asset Count
 90 |         filters: asset.platform == "gcp-project"
 91 |         queries:
 92 |           - uid: mondoo-asset-count-gcp-storage-buckets
 93 |           - uid: mondoo-asset-count-gcp-compute-instances
 94 |           - uid: mondoo-asset-count-gcp-service-accounts
 95 |           - uid: mondoo-asset-count-gcp-gke-clusters
 96 |           - uid: mondoo-asset-count-gcp-bigquery-datasets
 97 |           - uid: mondoo-asset-count-gcp-storage-buckets
 98 |           - uid: mondoo-asset-count-gcp-compute-instances
 99 |           - uid: mondoo-asset-count-gcp-service-accounts
100 |           - uid: mondoo-asset-count-gcp-gke-clusters
101 |           - uid: mondoo-asset-count-gcp-bigquery-datasets
102 |           - uid: mondoo-asset-count-gcp-cloudfunctions
103 |           - uid: mondoo-asset-count-gcp-cloudrun-jobs
104 |           - uid: mondoo-asset-count-gcp-cloudrun-services
105 |           - uid: mondoo-asset-count-gcp-cloudrun-operations
106 |           - uid: mondoo-asset-count-gcp-dns-managed-zones
107 |           - uid: mondoo-asset-count-gcp-iam-policies
108 |           - uid: mondoo-asset-count-gcp-kms-keyrings
109 |           - uid: mondoo-asset-count-gcp-sql-instances
110 |           - uid: mondoo-asset-count-gcp-services
111 |       - title: GitLab Asset Counts
112 |         filters: asset.platform == "gitlab-group"
113 |         queries:
114 |           - uid: mondoo-asset-count-gitlab-group-projects
115 |       - title: K8s Asset Counts
116 |         filters: asset.platform == "k8s-cluster"
117 |         queries:
118 |           - uid: mondoo-asset-count-k8s-nodes
119 |           - uid: mondoo-asset-count-k8s-daemonsets
120 |           - uid: mondoo-asset-count-k8s-cronjobs
121 |           - uid: mondoo-asset-count-k8s-jobs
122 |           - uid: mondoo-asset-count-k8s-deployments
123 |           - uid: mondoo-asset-count-k8s-replicasets
124 |           - uid: mondoo-asset-count-k8s-pods
125 | queries:
126 |   - uid: mondoo-asset-count-on-vsphere-cluster-esxi
127 |     title: ESXi hosts
128 |     mql: |
129 |       vsphere.datacenters { hosts.length }
130 | 
131 |   - uid: mondoo-asset-count-on-vsphere-cluster-vms
132 |     title: VMs in vSphere cluster
133 |     mql: |
134 |      vsphere.datacenters { vms.length }
135 | 
136 |   - uid: mondoo-asset-count-azure-resource-groups
137 |     title: Azure Resource Groups count
138 |     mql: |
139 |       azure.subscription.resourceGroups.length
140 | 
141 |   - uid: mondoo-asset-count-azure-vms
142 |     title: Azure virtual machine count
143 |     mql: |
144 |       azure.subscription.computeService.vms.length
145 | 
146 |   - uid: mondoo-asset-count-azure-subscription-name
147 |     title: Azure subscription name
148 |     mql: |
149 |       azure.subscription.name
150 | 
151 |   - uid: mondoo-asset-count-azure-cosmosdb-accounts
152 |     title: Azure cosmosDB accounts
153 |     mql: |
154 |       azure.subscription.cosmosDb.accounts.length
155 | 
156 |   - uid: mondoo-asset-count-azure-vaults
157 |     title: Azure key vaults
158 |     mql: |
159 |       azure.subscription.keyVault.vaults.length
160 | 
161 |   - uid: mondoo-asset-count-azure-mariaDb-servers
162 |     title: Azure MariaDB servers
163 |     mql: |
164 |       azure.subscription.mariaDb.servers.length
165 | 
166 |   - uid: mondoo-asset-count-azure-mySql-servers
167 |     title: Azure MySQL servers
168 |     mql: |
169 |       azure.subscription.mySql.servers.length
170 | 
171 |   - uid: mondoo-asset-count-azure-postgreSql-servers
172 |     title: Azure PostgreSQL servers
173 |     mql: |
174 |       azure.subscription.postgreSql.servers.length
175 | 
176 |   - uid: mondoo-asset-count-azure-application-gateways
177 |     title: Azure Application Gateways
178 |     mql: |
179 |       azure.subscription.network.applicationGateways.length
180 | 
181 |   - uid: mondoo-asset-count-azure-bastion-hosts
182 |     title: Azure Bastion Hosts
183 |     mql: |
184 |       azure.subscription.network.bastionHosts.length
185 | 
186 |   - uid: mondoo-asset-count-azure-firewalls
187 |     title: Azure Firewalls
188 |     mql: |
189 |       azure.subscription.network.firewalls.length
190 | 
191 |   - uid: mondoo-asset-count-azure-loadbalancers
192 |     title: Azure Load Balancers
193 |     mql: |
194 |       azure.subscription.network.loadBalancers.length
195 | 
196 |   - uid: mondoo-asset-count-azure-natgateways
197 |     title: Azure NAT Gateways
198 |     mql: |
199 |       azure.subscription.network.natGateways.length
200 | 
201 |   - uid: mondoo-asset-count-azure-public-addresses
202 |     title: Azure Public Addresses
203 |     mql: |
204 |       azure.subscription.network.publicIpAddresses.length
205 | 
206 |   - uid: mondoo-asset-count-azure-security-groups
207 |     title: Azure Security Groups
208 |     mql: |
209 |       azure.subscription.network.securityGroups.length
210 | 
211 |   - uid: mondoo-asset-count-azure-virtual-network-gateways
212 |     title: Azure virtual Network Security Gateways
213 |     mql: |
214 |       azure.subscription.network.virtualNetworkGateways.length
215 | 
216 |   - uid: mondoo-asset-count-azure-virtual-networks
217 |     title: Azure virtual Networks
218 |     mql: |
219 |       azure.subscription.network.virtualNetworks.length
220 | 
221 |   - uid: mondoo-asset-count-azure-aks-clusters
222 |     title: Azure AKS Clusters
223 |     mql: |
224 |       azure.subscription.aks.clusters.length
225 | 
226 |   - uid: mondoo-asset-count-azure-aks-agent-pools
227 |     title: Azure AKS Cluster Agent Pool Count
228 |     mql: |
229 |       azure.subscription.aks.clusters { agentPoolProfiles.length }
230 | 
231 |   - uid: mondoo-count-users-in-entra-id
232 |     title: Entra ID user count
233 |     mql: |
234 |       microsoft.users.length
235 | 
236 |   - uid: mondoo-asset-count-aws-account-id
237 |     title: AWS account ID
238 |     mql: aws.account.id
239 | 
240 |   - uid: mondoo-asset-count-aws-acm-certificates
241 |     title: AWS ACM Certificates
242 |     mql: aws.acm.certificates.length
243 | 
244 |   - uid: mondoo-asset-count-aws-api-gateways
245 |     title: AWS API Gateways
246 |     mql: aws.apigateway.restApis.length
247 | 
248 |   - uid: mondoo-asset-count-aws-autoscaling-groups
249 |     title: AWS Autoscaling Groups (not created by Mondoo)
250 |     mql: aws.autoscaling.groups.where( name != "mondoo-scanning-asg" ).length
251 | 
252 |   - uid: mondoo-asset-count-aws-iam-users
253 |     title: AWS IAM users
254 |     mql: aws.iam.users.length
255 | 
256 |   - uid: mondoo-asset-count-aws-iam-groups
257 |     title: AWS IAM groups
258 |     mql: aws.iam.groups.length
259 | 
260 |   - uid: mondoo-asset-count-aws-iam-policies
261 |     title: AWS IAM custom policies
262 |     mql: |
263 |       aws_account = aws.account.id
264 |       aws.iam.policies.where( arn.contains(aws_account)).length
265 | 
266 |   - uid: mondoo-asset-count-aws-active-regions
267 |     title: AWS Regions Active
268 |     mql: aws.regions.length
269 | 
270 |   - uid: mondoo-asset-count-aws-ec2-instances
271 |     title: AWS EC2 Instances
272 |     mql: aws.ec2.instances.length
273 | 
274 |   - uid: mondoo-asset-count-aws-s3-buckets
275 |     title: AWS S3 Buckets
276 |     mql: aws.s3.buckets.length
277 | 
278 |   - uid: mondoo-asset-count-aws-vpcs
279 |     title: AWS VPCs
280 |     mql: aws.vpcs.length
281 | 
282 |   - uid: mondoo-asset-count-aws-security-groups
283 |     title: AWS Security Groups
284 |     mql: aws.ec2.securityGroups.length
285 | 
286 |   - uid: mondoo-asset-count-aws-eks-clusters
287 |     title: AWS Elastic Kubernetes Clusters (EKS)
288 |     mql: aws.eks.clusters.length
289 | 
290 |   - uid: mondoo-asset-count-aws-private-ecr-container-registries
291 |     title: AWS Private Elastic Container Registries (ECR)
292 |     mql: aws.ecr.privateRepositories.length
293 | 
294 |   - uid: mondoo-asset-count-aws-public-ecr-container-registries
295 |     title: AWS Public Elastic Container Registries (ECR)
296 |     mql: aws.ecr.publicRepositories.length
297 | 
298 |   - uid: mondoo-asset-count-aws-ecr-container-images
299 |     title: AWS Elastic Container Images (ECR)
300 |     mql: aws.ecr.images.length
301 | 
302 |   - uid: mondoo-asset-count-aws-rds-dbclusters
303 |     title: AWS RDS Database Clusters
304 |     mql: aws.rds.clusters.length
305 | 
306 |   - uid: mondoo-asset-count-aws-cloudtrails
307 |     title: AWS CloudTrails
308 |     mql: aws.cloudtrail.trails.length
309 | 
310 |   - uid: mondoo-asset-count-aws-dynamodb-tables
311 |     title: AWS DynamoDB Tables
312 |     mql: aws.dynamodb.tables.length
313 | 
314 |   - uid: mondoo-asset-count-aws-dynamodb-global-tables
315 |     title: AWS DynamoDB Global Tables
316 |     mql: aws.dynamodb.globalTables.length
317 | 
318 |   - uid: mondoo-asset-count-aws-ecs-clusters
319 |     title: AWS ECS Clusters
320 |     mql: aws.ecs.clusters.length
321 | 
322 |   - uid: mondoo-asset-count-aws-ecs-container-instances
323 |     title: AWS ECS Container Instances
324 |     mql: aws.ecs.containerInstances.length
325 | 
326 |   - uid: mondoo-asset-count-aws-ecs-containers
327 |     title: AWS ECS Containers
328 |     mql: aws.ecs.containers.length
329 | 
330 |   - uid: mondoo-asset-count-aws-efs-filesystems
331 |     title: AWS EFS Filesystems
332 |     mql: aws.efs.filesystems.length
333 | 
334 |   - uid: mondoo-asset-count-aws-elasticache-cache-clusters
335 |     title: AWS ElastiCache Cache Clusters
336 |     mql: aws.elasticache.cacheClusters.length
337 | 
338 |   - uid: mondoo-asset-count-aws-elb-application
339 |     title: AWS Elastic Application Load Balancers
340 |     mql: aws.elb.loadBalancers.length
341 | 
342 |   - uid: mondoo-asset-count-aws-elb-classic
343 |     title: AWS Elastic Classic Load Balancers
344 |     mql: aws.elb.classicLoadBalancers.length
345 | 
346 |   - uid: mondoo-asset-count-aws-emr-clusters
347 |     title: AWS Elastic Map Reduce Clusters
348 |     mql: aws.emr.clusters.length
349 | 
350 |   - uid: mondoo-asset-count-aws-es-domains
351 |     title: AWS Elasticsearch Service Domain
352 |     mql: aws.es.domains.length
353 | 
354 |   - uid: mondoo-asset-count-aws-guardduty-detectors
355 |     title: AWS Guard Duty Detectors
356 |     mql: aws.guardduty.detectors.length
357 | 
358 |   - uid: mondoo-asset-count-aws-kms-keys
359 |     title: AWS KMS Keys
360 |     mql: aws.kms.keys.length
361 | 
362 |   - uid: mondoo-asset-count-aws-redshift-clusters
363 |     title: AWS Redshift Clusters
364 |     mql: aws.redshift.clusters.length
365 | 
366 |   - uid: mondoo-asset-count-aws-sagemaker-endpoints
367 |     title: AWS SageMaker Endpoints
368 |     mql: aws.sagemaker.endpoints.length
369 | 
370 |   - uid: mondoo-asset-count-aws-sagemaker-notebook-instances
371 |     title: AWS SageMaker Notebook Instances
372 |     mql: aws.sagemaker.notebookInstances.length
373 | 
374 |   - uid: mondoo-asset-count-aws-secrets-manager-secrets
375 |     title: AWS Secrets Manager Secrets
376 |     mql: aws.secretsmanager.secrets.length
377 | 
378 |   - uid: mondoo-asset-count-aws-security-hub
379 |     title: AWS Security Hub
380 |     mql: aws.securityhub.hubs.length
381 | 
382 |   - uid: mondoo-asset-count-aws-sns-topics
383 |     title: AWS SNS Topics
384 |     mql: aws.sns.topics.length
385 | 
386 |   - uid: mondoo-asset-count-in-windows-domain
387 |     title: All computer objects in the Windows domain
388 |     mql: |
389 |       parse.json(content: powershell('$time = (Get-Date).Adddays(-(180));Get-ADComputer -Filter {LastLogonTimeStamp -ge $time} -properties * | select Name,Enabled,OperatingSystem,OperatingSystemVersion,LastLogonDate | ConvertTo-Json').stdout).params
390 | 
391 |   - uid: mondoo-asset-count-gcp-storage-buckets
392 |     title: GCP Project Storage Buckets
393 |     mql: gcp.project.storage.buckets.length
394 | 
395 |   - uid: mondoo-asset-count-gcp-compute-instances
396 |     title: GCP Project Compute Instances
397 |     mql: gcp.project.compute.instances.length
398 | 
399 |   - uid: mondoo-asset-count-gcp-service-accounts
400 |     title: GCP Project Service Accounts
401 |     mql: gcp.project.iam.serviceAccounts.length
402 | 
403 |   - uid: mondoo-asset-count-gcp-gke-clusters
404 |     title: GCP Project GKE Clusters
405 |     mql: gcp.project.gke.clusters.length
406 | 
407 |   - uid: mondoo-asset-count-gcp-bigquery-datasets
408 |     title: GCP Project BigQuery Datasets
409 |     mql: gcp.project.bigquery.datasets.length
410 | 
411 |   - uid: mondoo-asset-count-gcp-cloudfunctions
412 |     title: GCP Project CloudFunctions
413 |     mql: gcp.project.cloudFunctions.length
414 | 
415 |   - uid: mondoo-asset-count-gcp-cloudrun-jobs
416 |     title: GCP Project Cloud Run Jobs
417 |     mql: gcp.project.cloudRun.jobs.length
418 | 
419 |   - uid: mondoo-asset-count-gcp-cloudrun-services
420 |     title: GCP Project Cloud Run Services
421 |     mql: gcp.project.cloudRun.services.length
422 | 
423 |   - uid: mondoo-asset-count-gcp-cloudrun-operations
424 |     title: GCP Project Cloud Run Operations
425 |     mql: gcp.project.cloudRun.operations.length
426 | 
427 |   - uid: mondoo-asset-count-gcp-dns-managed-zones
428 |     title: GCP Project DNS Managed Zones
429 |     mql: gcp.project.dns.managedZones.length
430 | 
431 |   - uid: mondoo-asset-count-gcp-iam-policies
432 |     title: GCP Project IAM Policies
433 |     mql: gcp.project.iamPolicy.length
434 | 
435 |   - uid: mondoo-asset-count-gcp-kms-keyrings
436 |     title: GCP Project KMS Keyrings
437 |     mql: gcp.project.kms.keyrings.length
438 | 
439 |   - uid: mondoo-asset-count-gcp-sql-instances
440 |     title: GCP Project SQL Instances
441 |     mql: gcp.project.sql.instances.length
442 | 
443 |   - uid: mondoo-asset-count-gcp-services
444 |     title: GCP Project Services Enabled
445 |     mql: gcp.project.services.where( enabled ).length
446 | 
447 |   - uid: mondoo-asset-count-gitlab-group-projects
448 |     title: GitLab Group Projects
449 |     mql: gitlab.group.projects.length
450 | 
451 |   - uid: mondoo-asset-count-k8s-nodes
452 |     title: K8s Nodes count
453 |     mql: k8s.nodes.length
454 | 
455 |   - uid: mondoo-asset-count-k8s-daemonsets
456 |     title: K8s Daemon Sets count
457 |     mql: k8s.daemonsets.length
458 | 
459 |   - uid: mondoo-asset-count-k8s-cronjobs
460 |     title: K8s Cronjobs count
461 |     mql: k8s.cronjobs.length
462 | 
463 |   - uid: mondoo-asset-count-k8s-jobs
464 |     title: K8s Jobs count
465 |     mql: k8s.jobs.length
466 | 
467 |   - uid: mondoo-asset-count-k8s-deployments
468 |     title: K8s Deployments count
469 |     mql: k8s.deployments.length
470 | 
471 |   - uid: mondoo-asset-count-k8s-replicasets
472 |     title: K8s Replicasets count
473 |     mql: k8s.replicasets.length
474 | 
475 |   - uid: mondoo-asset-count-k8s-pods
476 |     title: K8s PODs count
477 |     mql: k8s.pods.length
478 | 


--------------------------------------------------------------------------------
/extra/mondoo-googleworkplace-incident-response.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-googleworkspace-incident-response
 6 |     name: Google Workspace Incident Response Pack
 7 |     version: 1.1.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: google-workspace,saas
14 |       mondoo.com/category: security
15 |     docs:
16 |       desc: |
17 |         ### Overview
18 | 
19 |         The Google Workspace Incident Response query pack retrieves configuration data about your Google Workspace configuration during a security incident.
20 | 
21 |         ### Prerequisites
22 | 
23 |         1. Create/Select a GCP project
24 |         2. Navigate to the [Google API Console](https://console.cloud.google.com/apis/dashboard). 
25 |         3. Select "Enable APIs and Services" and enable the following APIs:
26 |           - Admin SDK API 
27 |           - Cloud Identity API 
28 |           - Google Calendar API
29 |           - Google Drive API
30 |           - Gmail API
31 |           - Google People API
32 |         4. Create a service account for [Google Workspace](https://support.google.com/a/answer/7378726?product_name=UnuFlow&hl=en&visit_id=638041387835615758-4147680582&rd=1&src=supportwidget0&hl=en)
33 |         5. Create credentials for the service account and download the json file
34 |         6. Enter the following scopes in Security -> Access and data controls -> API controls, and select [Domain-wide Delegation](https://developers.google.com/workspace/guides/create-credentials#delegate_domain-wide_authority_to_your_service_account) 
35 | 
36 |           - https://www.googleapis.com/auth/admin.chrome.printers.readonly
37 |           - https://www.googleapis.com/auth/admin.directory.customer.readonly
38 |           - https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
39 |           - https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
40 |           - https://www.googleapis.com/auth/admin.directory.domain.readonly
41 |           - https://www.googleapis.com/auth/admin.directory.group.member.readonly
42 |           - https://www.googleapis.com/auth/admin.directory.group.readonly
43 |           - https://www.googleapis.com/auth/admin.directory.orgunit.readonly
44 |           - https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly
45 |           - https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
46 |           - https://www.googleapis.com/auth/admin.directory.user.alias.readonly
47 |           - https://www.googleapis.com/auth/admin.directory.user.readonly
48 |           - https://www.googleapis.com/auth/admin.directory.userschema.readonly
49 |           - https://www.googleapis.com/auth/admin.reports.audit.readonly
50 |           - https://www.googleapis.com/auth/admin.reports.usage.readonly
51 |           - https://www.googleapis.com/auth/admin.directory.user.security
52 |           - https://www.googleapis.com/auth/cloud-identity.groups.readonly
53 | 
54 |         ### Run query pack
55 | 
56 |         To run this query pack against a Google Workspace customer:
57 | 
58 |         ```bash
59 |         export GOOGLEWORKSPACE_CREDENTIALS=$PWD/my-project-123456-1234ea722b12.json
60 |         cnquery scan google-workspace --customer-id <CUSTOMERID> --impersonated-user-email <EMAIL>
61 |         ```
62 |     filters:
63 |       - asset.platform == "googleworkspace" || asset.platform == "google-workspace"
64 |     queries:
65 |       - uid: mondoo-googleworkspace-incident-response-domain
66 |         title: Google Workspace domains
67 |         mql: googleworkspace.domains { domainName isPrimary verified }
68 |       - uid: mondoo-googleworkspace-incident-response-user-mfa-status
69 |         title: Google Workspace users' MFA status
70 |         mql: googleworkspace.users { primaryEmail isEnforcedIn2Sv }
71 |       - uid: mondoo-googleworkspace-incident-response-super-admins
72 |         title: Google Workspace super admins
73 |         mql: googleworkspace.report.users.where( security["isSuperAdmin"] == true) { userEmail  }
74 |       - uid: mondoo-googleworkspace-incident-response-super-admins-without-2FA-enrolled
75 |         title: Google Workspace super admins who are not enrolled in 2FA
76 |         mql: googleworkspace.users.where(isEnrolledIn2Sv != true && isAdmin == true) {primaryEmail isEnrolledIn2Sv isAdmin}
77 |       - uid: mondoo-googleworkspace-incident-response-users-without-2FA-enrolled
78 |         title: Google Workspace user accounts that are not enrolled in 2FA
79 |         mql: googleworkspace.users.where(isEnrolledIn2Sv != true) {primaryEmail isEnrolledIn2Sv isAdmin}
80 |       - uid: mondoo-googleworkspace-incident-response-super-admins-without-hardware-based-2fa
81 |         title: Super admin accounts that do not use hardware-based security keys
82 |         mql: googleworkspace.report.users.where(security["isSuperAdmin"] == true && security["numSecurityKeys"] <= 0 ) {account['adminSetName'] security['numSecurityKeys']}
83 |       - uid: mondoo-googleworkspace-incident-response-config-drift-recovery-email
84 |         title: Primary and recovery email accounts of all Google Workspace users
85 |         mql: googleworkspace.users {primaryEmail recoveryEmail}
86 | 


--------------------------------------------------------------------------------
/extra/mondoo-okta-incident-response.mql.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright (c) Mondoo, Inc.
 2 | # SPDX-License-Identifier: BUSL-1.1
 3 | 
 4 | packs:
 5 |   - uid: mondoo-okta-incident-response
 6 |     name: Okta Incident Response Pack
 7 |     version: 1.1.0
 8 |     license: BUSL-1.1
 9 |     authors:
10 |       - name: Mondoo, Inc
11 |         email: hello@mondoo.com
12 |     tags:
13 |       mondoo.com/platform: okta-org,saas
14 |       mondoo.com/category: security
15 |     docs:
16 |       desc: |
17 |         ### Overview
18 | 
19 |         During a security incident, the Okta Incident Response query pack retrieves configuration data about your Okta configuration.
20 | 
21 |         ### Prerequisites
22 | 
23 |         To run this query pack, you will need access to the Okta API:
24 | 
25 |         1. Create an Okta [API token](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/) by going to https:/DOMAIN.okta.com/admin/access/api/tokens
26 |         2. Note your Okta domain https://DOMAIN.okta.com
27 | 
28 |         ### Run query pack
29 | 
30 |         To run this query pack against an Okta domain:
31 | 
32 |         ```bash
33 |         export OKTA_TOKEN=<TOKEN>
34 |         cnquery shell okta --organization DOMAIN.okta.com --token $OKTA_TOKEN 
35 |         ```
36 |     filters:
37 |       - asset.platform == "okta" || asset.platform == "okta-org"
38 |     queries:
39 |       - uid: mondoo-okta-incident-response-users
40 |         title: Users
41 |         mql: okta.users
42 |       - uid: mondoo-okta-incident-response-team-id
43 |         title: Installed applications
44 |         mql: okta.applications
45 | 


--------------------------------------------------------------------------------