Improve formatting + checks in Mondoo Linux policy #446

Merged 31 commits on Nov 17, 2024
Commits
1cdc8ca Fix incorrect formatting in the Linux Security policy (tas50, Nov 16, 2024)
c869b7a Fix another poor line wrap (tas50, Nov 16, 2024)
20f1f07 A few more (tas50, Nov 16, 2024)
4268d52 Remove the overview headers (tas50, Nov 16, 2024)
f8bef5c More formatting fixes (tas50, Nov 16, 2024)
fb12a38 More formatting fixes (tas50, Nov 16, 2024)
9f6d144 Remove weird remote scan sections (tas50, Nov 16, 2024)
ab28393 More formatting fixes and text updates (tas50, Nov 16, 2024)
7552c66 More formatting fixes (tas50, Nov 16, 2024)
7ae9575 More fixes (tas50, Nov 16, 2024)
e1c3497 More formatting fixes (tas50, Nov 16, 2024)
c29fecf Add a chapter (tas50, Nov 16, 2024)
6e2fa8c Detect cyrus-imapd as an IMAP server (tas50, Nov 16, 2024)
2b42da3 Improve formatting (tas50, Nov 16, 2024)
83ad128 Improve formatting and mention exim (tas50, Nov 16, 2024)
4dd960a Better Debian/Ubuntu instructions (tas50, Nov 16, 2024)
5facc28 Remove pointless description text (tas50, Nov 16, 2024)
8d25e57 Improve platform specific remediation (tas50, Nov 16, 2024)
29eac92 Add our own descriptions of some checks (tas50, Nov 16, 2024)
c70937c Detect additional FTP servers (tas50, Nov 16, 2024)
ab675b2 Improve the FTP description (tas50, Nov 16, 2024)
226b3ca Remove Intended Audience sections (tas50, Nov 16, 2024)
b1d193e Add SLES instructions for installing auditd (tas50, Nov 16, 2024)
6674015 Fix formatting (tas50, Nov 16, 2024)
530fdb0 Add more SLES steps (tas50, Nov 17, 2024)
6929c9b Add Debian/Ubuntu support for the DNS server check (tas50, Nov 17, 2024)
ccb58d2 Add support for Debian/Ubuntu in the NIS check (tas50, Nov 17, 2024)
2ec91e5 Expand the rsh description (tas50, Nov 17, 2024)
4ae0a47 Improve the telnet description (tas50, Nov 17, 2024)
7c89cf8 Add talk support for Ubuntu/Debian (tas50, Nov 17, 2024)
56cdaf9 Fix spelling (tas50, Nov 17, 2024)
4 changes: 4 additions & 0 deletions .github/actions/spelling/line_forbidden.patterns
@@ -167,6 +167,10 @@
# s.b. AlmaLinux
\bAlma Linux\b

# s.b. CloudLinux
\bCloud Linux\b
\bCloudlinux\b

# s.b. openSUSE
\bOpenSUSE\b

2 changes: 0 additions & 2 deletions community/mondoo-linux-operational-policy.mql.yaml
@@ -14,8 +14,6 @@ policies:
email: [email protected]
docs:
desc: |-
## Overview

Linux Server Operational Policy by Mondoo provides guidance for operational best practices on Linux hosts.

## Local scan
2 changes: 0 additions & 2 deletions community/mondoo-linux-snmp-policy.mql.yaml
@@ -14,8 +14,6 @@ policies:
email: [email protected]
docs:
desc: |
## Overview

Linux Server SNMP Policy by Mondoo provides guidance for vulnerable SNMP configurations on Linux hosts.

## Local scan
2 changes: 0 additions & 2 deletions core/mondoo-aws-security.mql.yaml
@@ -14,8 +14,6 @@ policies:
email: [email protected]
docs:
desc: |
## Overview

The Mondoo AWS Security policy provides guidance for establishing minimum recommended security and operational best practices for Amazon Web Services (AWS). The checks in this policy bundle are based on AWS's Operational Best Practices recommendations as part of the [AWS Config conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html).

## Remote scan
26 changes: 12 additions & 14 deletions core/mondoo-azure-security.mql.yaml
@@ -14,8 +14,6 @@ policies:
email: [email protected]
docs:
desc: |-
## Overview

The Mondoo Microsoft Azure Security policy provides guidance for establishing minimum recommended security and operational best practices for Microsoft Azure.

## Getting Started
@@ -35,7 +33,7 @@ policies:

Step 2: Authentication to Azure
There are two primary methods to authenticate cnspec to your Azure environments:

**a. Azure CLI Login**

```
@@ -122,14 +120,14 @@ queries:

```bash
az disk list --resource-group "yourResourceGroupName" --query "[].{Name:name, ResourceGroupName:resourceGroup, EncryptionSettings:encryptionSettingsCollection}" -o table
```
```

**Automated Audit with PowerShell:**

```powershell
Get-AzDisk -ResourceGroupName "yourResourceGroupName" | Select-Object Name, ResourceGroupName, EncryptionSettingsCollection
```

Ensure the EncryptionType is set to EncryptionAtRestWithCustomerKey for OS disks.
remediation: |
### Microsoft Azure Portal
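Review bot: the audit commands in this hunk do not return the property the closing sentence asks the reader to check. `az disk list ... --query "[].{... EncryptionSettings:encryptionSettingsCollection}"` and `Get-AzDisk ... | Select-Object ... EncryptionSettingsCollection` return the legacy Azure Disk Encryption settings, while "Ensure the EncryptionType is set to EncryptionAtRestWithCustomerKey" refers to the server-side encryption type, which lives under `encryption.type` in the CLI output and `.Encryption.Type` on the PowerShell disk object. Suggest `--query "[].{Name:name, ResourceGroupName:resourceGroup, EncryptionType:encryption.type}"` for the CLI and `Select-Object Name, ResourceGroupName, @{n='EncryptionType';e={$_.Encryption.Type}}` for PowerShell so the audit output matches the check.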
@@ -229,7 +227,7 @@ queries:
desc: |
Restricting SSH access from the internet minimizes the risk of brute force and other unauthorized access attempts on Azure resources such as virtual machines. Public internet exposure of SSH, especially on the default port 22, significantly increases the attack surface. It's crucial to evaluate and restrict SSH access by configuring network security groups (NSGs) to allow only necessary connections, preferably from known, secure sources. Implementing stringent access controls for SSH enhances security by preventing attackers from using compromised VMs as a pivot point for broader network intrusions.
audit: |
**Manual Audit via Azure Portal:**
**Manual Audit via Azure Portal:**

**Checking via Network Security Groups (NSGs) for All Resources:**
1. From the main Azure Portal menu, navigate to **Network security groups**.
@@ -345,7 +343,7 @@ queries:
desc: |
Restricting RDP access from the internet is crucial for protecting Azure resources against unauthorized access and potential security breaches. RDP, typically listening on TCP port 3389, is a common target for many Cyber attacks. By limiting RDP access to only trusted internal networks or through secure tunnels, the risk of these attacks is significantly reduced. This security measure is essential for maintaining the integrity and security of Azure environments, preventing attackers from using compromised VMs as launch points for further attacks within and beyond the Azure network.
audit: |
**Manual Audit via Azure Portal:**
**Manual Audit via Azure Portal:**

1. Log into the Azure Portal.
2. Navigate to **Network security groups** under the Networking or directly through the search bar.
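Review bot: style nit in the desc line of this hunk: "a common target for many Cyber attacks" should be "many cyber attacks" (no capital), matching the lowercase usage elsewhere in the policy.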
@@ -530,7 +528,7 @@ queries:

```
az storage account show --name <yourStorageAccountName> --query allowBlobPublicAccess
```
```

remediation: |
### Terraform
@@ -557,7 +555,7 @@ queries:
```
az storage account update --name <storage-account> --resource-group <resource-group> --public-network-access Disabled
```

- Set blob containers to private access:
```
az storage container set-permission --name <container_name> --public-access off --account-name <account_name> --account-key <account_key>
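Review bot: the last command in this hunk passes `--account-key <account_key>` on the command line, which leaves the storage account key in shell history and visible in the process list of the host running the remediation. Suggest authenticating with Entra ID/RBAC instead, e.g. `az storage container set-permission --name <container_name> --public-access off --account-name <account_name> --auth-mode login`. Also worth a sentence on scope: the preceding `az storage account update ... --public-network-access Disabled` turns off all network access to the account, which is a much broader change than switching off anonymous blob access, so the two bullets should say when each is the appropriate fix.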
@@ -1046,7 +1044,7 @@ queries:
It is highly recommended to use the latest TLS version available with Azure App Services for all secure Web App connections. Currently Azure App Services supports TLS 1.2.
audit: |
**From Azure Portal:**

1. Log in to the Azure Portal at https://portal.azure.com.
2. Navigate to **App Services**.
3. Select an app service and select **TLS/SSL settings** under **Settings**.
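Review bot: the desc sentence "Currently Azure App Services supports TLS 1.2." is a point-in-time statement about the platform that will go stale, while the check itself only verifies that the minimum inbound TLS version is 1.2. Suggest tying the sentence to what is enforced, e.g. "This check verifies that the minimum inbound TLS version is set to 1.2 or higher", so the text stays correct as the platform adds newer versions.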
@@ -1055,7 +1053,7 @@ queries:
**From Azure CLI:**

Verify that the minimum TLS version is set to 1.2 for each App Service:

```bash
az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query minTlsVersion
```
@@ -1076,7 +1074,7 @@ queries:
b. Select **Configuration** and select the **General settings** tab.
c. Under **Minimum Inbound TLS Version**, select **1.2**.
d. Select **Save**.

**From Azure CLI:**

Set the minimum TLS version to 1.2 for an existing app service:
@@ -1157,7 +1155,7 @@ queries:
a. Select the key vault.
b. Select **Keys** or **Secrets**.
c. Make sure that the key/secret in the key vault has an expiration date.

**From Azure CLI:**

- For keys:
@@ -2197,4 +2195,4 @@ queries:
disallowedPortUDP = _
disallowedPortUDP
allNsgUDP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortUDP && toPort >= disallowedPortUDP)))
}
}
2 changes: 0 additions & 2 deletions core/mondoo-dns-security.mql.yaml
@@ -14,8 +14,6 @@ policies:
email: [email protected]
docs:
desc: |
## Overview

The Mondoo DNS Security policy includes checks for assessing the configuration of DNS records.

## Remote scan
12 changes: 5 additions & 7 deletions core/mondoo-dockerfile-security.mql.yaml
@@ -13,8 +13,6 @@ policies:
email: [email protected]
docs:
desc: |-
## Overview

The Dockerfile Security policy by Mondoo provides guidance for establishing secure Docker container configurations and deployments by securing Dockerfiles used to build container images.

If you have questions, comments, or ways to improve this policy, please write us at [email protected], or reach out in GitHub Discussions.
@@ -72,7 +70,7 @@ queries:
desc: |
Management ports such as SSH (port 22), Docker Remote API (port 2375), Consul (port 8500), and Kubernetes API (port 6443) are commonly targeted by attackers. Exposing these ports in Docker containers increases the risk of unauthorized access and security vulnerabilities. This test ensures that these management ports are not exposed in Docker container configurations.
remediation: |
Review and update your Dockerfile to ensure that management ports (22 for SSH, 2375 for Docker Remote API, 8500 for Consul HTTP API, 6443 for Kubernetes API) are not exposed.
Review and update your Dockerfile to ensure that management ports (22 for SSH, 2375 for Docker Remote API, 8500 for Consul HTTP API, 6443 for Kubernetes API) are not exposed.
- Remove or restrict the exposure of these ports using the `EXPOSE` instruction in your Dockerfile.
- Use Docker's port mapping options (`-p` or `--publish`) cautiously to avoid exposing these ports.
- Ensure that any required management access is secured and appropriately managed.
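Review bot: the remediation bullet "Remove or restrict the exposure of these ports using the `EXPOSE` instruction" is misleading. `EXPOSE` is metadata only: it neither publishes nor restricts a port. Ports are published at run time with `-p`/`--publish`, and `docker run -P` publishes every `EXPOSE`d port. Suggest rewording to say that `EXPOSE 22`, `2375`, `8500` or `6443` should be removed because it documents (and with `-P` silently publishes) a management port, and that the real controls are not running the management service inside the container and not publishing the port at run time.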
@@ -89,7 +87,7 @@ queries:
Disabling certificate validation can expose the system to man-in-the-middle attacks and other security vulnerabilities.
remediation: |
- Review the Dockerfile and ensure that package managers are configured to use SSL certificate validation.
- Use secure practices for package installations to maintain system integrity: Remove any insecure options such as `--nogpgcheck`, `--no-check-certificate`, `--no-gpg-check`, and similar flags.
- Use secure practices for package installations to maintain system integrity: Remove any insecure options such as `--nogpgcheck`, `--no-check-certificate`, `--no-gpg-check`, and similar flags.
- uid: mondoo-docker-security-no-insecure-certificate-validation-apt
title: Don’t disable certificate validation in APT
impact: 100
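Review bot: the desc and remediation in this hunk conflate two different controls. `--no-check-certificate` disables TLS certificate validation, which is the man-in-the-middle risk the desc describes, but `--nogpgcheck` and `--no-gpg-check` disable package GPG signature verification, a separate control that already has its own check further down (`mondoo-docker-security-no-gpg-skip-yum`). Suggest limiting this check's text to the TLS flags, or retitling it to cover package integrity checks generally so the listed flags match the stated risk.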
@@ -114,7 +112,7 @@ queries:
Disabling certificate validation can expose the container to man-in-the-middle attacks and other security risks.
remediation: |
- Review the `CMD` or `ENTRYPOINT` commands in your Dockerfile and any scripts executed within the container.
- Avoid using `curl` with `--insecure` or `-k` options.
- Avoid using `curl` with `--insecure` or `-k` options.
- Ensure that proper SSL certificate validation is enabled for all `curl` operations.
- uid: mondoo-docker-security-no-insecure-certificate-validation-wget
title: Don’t disable certificate validation in Wget
@@ -139,7 +137,7 @@ queries:
as it grants elevated permissions that can be exploited if not handled properly.
By avoiding `sudo`, you ensure that all commands run with the default user privileges, which enhances the security of the container.
remediation: |
- Review the Dockerfile and remove any instances of `sudo`.
- Review the Dockerfile and remove any instances of `sudo`.
- Ensure that all commands are executed with the least privileges required.
- Configure containers to operate with non-root users where possible, and avoid privilege escalation techniques.
- uid: mondoo-docker-security-no-gpg-skip-yum
@@ -212,4 +210,4 @@ queries:
desc: |
Ensure that Dockerfiles use the `apt-get` CLI instead of `apt`. The `apt-get` CLI provides more predictable behavior in scripting contexts and is generally preferred for use in Dockerfiles for its consistency and reliability.
remediation: |
Review the Dockerfile `RUN` instructions to replace any `apt` commands with `apt-get`. This ensures that package management operations are performed using the recommended and more stable CLI.
Review the Dockerfile `RUN` instructions to replace any `apt` commands with `apt-get`. This ensures that package management operations are performed using the recommended and more stable CLI.
8 changes: 4 additions & 4 deletions core/mondoo-edr-policy.mql.yaml
@@ -20,7 +20,7 @@ policies:
By implementing this policy, we take a proactive approach to instill confidence in our security posture and reinforce our commitment to safeguarding sensitive data, critical assets, and the integrity of our digital infrastructure.

Additionally, it is highly recommended that antivirus signatures are updated daily to ensure protection against the latest threats. For instance, Windows Defender signatures can be updated using the following PowerShell command:

```powershell
Update-MpSignature
```
@@ -86,9 +86,9 @@ queries:
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-macos
filters: asset.platform == 'macos'
mql: |
package('Falcon').installed ||
package('SentinelOne Extensions').installed ||
package('ESET Endpoint Security').installed ||
package('Falcon').installed ||
package('SentinelOne Extensions').installed ||
package('ESET Endpoint Security').installed ||
file('/Library/Ossec').exists ||
['Cortex XDR', 'Cortex XDR Agent'].all(package(_).installed)
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-linux
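Review bot: in the macOS mql, `['Cortex XDR', 'Cortex XDR Agent'].all(package(_).installed)` requires both packages to be present, while every other product in the expression passes on a single package. If either package name on its own indicates the agent is installed (for example because the name differs between installer versions), this should be `.any(package(_).installed)`; if both are genuinely always installed together, a short comment saying so would save the next reader from the same question.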
2 changes: 0 additions & 2 deletions core/mondoo-email-security.mql.yaml
@@ -14,8 +14,6 @@ policies:
email: [email protected]
docs:
desc: |
## Overview

This policy bundle verifies best practices for authenticating email messages using security protocols such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).

### Running the Policy
4 changes: 1 addition & 3 deletions core/mondoo-gcp-security.mql.yaml
@@ -14,8 +14,6 @@ policies:
email: [email protected]
docs:
desc: |-
## Overview

The Mondoo Google Cloud Security policy provides guidance for establishing minimum recommended security and operational best practices for Google Cloud.

## Remote scan
@@ -712,4 +710,4 @@ queries:
)
- uid: gcp-storage-cloud-storage-buckets-uniform-bucket-level-access-enabled-single
filters: asset.platform == "gcp-storage-bucket"
mql: gcp.storage.bucket.iamConfiguration.UniformBucketLevelAccess.enabled == true
mql: gcp.storage.bucket.iamConfiguration.UniformBucketLevelAccess.enabled == true
10 changes: 0 additions & 10 deletions core/mondoo-github-best-practices.mql.yaml
@@ -18,16 +18,6 @@ policies:

The Mondoo GitHub Repository Best Practices policy provides assessments of public and private GitHub repositories to ensure a minimum recommended operational best practices.

## About remote scanning

Remote scans with cnspec provide on demand security assessments of infrastructure and services without the need to install any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets.

A complete list of providers can be found by running this command:

```bash
cnspec scan --help
```

### cnspec GitHub provider

This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running this command:
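Review bot: removing the `## About remote scanning` section leaves `### cnspec GitHub provider` as an H3 whose parent H2 is gone; it now follows the intro paragraph directly. Suggest promoting it to `## cnspec GitHub provider` so the heading hierarchy in the rendered description stays consistent.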
22 changes: 0 additions & 22 deletions core/mondoo-github-security.mql.yaml
@@ -14,20 +14,8 @@ policies:
email: [email protected]
docs:
desc: |
## Overview

The Mondoo GitHub Organization Security policy provides guidance for establishing minimum recommended security and operational best practices for GitHub organizations.

## About remote scanning

Remote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets.

A complete list of providers can be found by running this command:

```bash
cnspec scan --help
```

### cnspec GitHub provider

This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub organizations. Additional information on the `github` provider can be found by running this command:
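Review bot: with both `## Overview` and `## About remote scanning` removed in this hunk, `### cnspec GitHub provider` is the first heading in the description and sits at H3 with no H2 above it. Suggest `## cnspec GitHub provider` here so the organization policy's description has the same heading levels as the rest of the bundle.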
@@ -105,16 +93,6 @@ policies:

GitHub Repository Security by Mondoo provides security assessments of public and private GitHub repositories to ensure minimum recommended security and operational best practices. This policy is also designed to assess public repositories and open source projects your team depends on to evaluate the risk a project poses to your business. Open source projects that do not adhere to GitHub's recommended security best practices pose a higher risk of malicious code making its way into your environments.

## About remote scanning

Remote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets.

A complete list of providers can be found by running this command:

```bash
cnspec scan --help
```

### cnspec GitHub Provider

This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running this command:
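Review bot: same heading-level issue as the first hunk in this file, plus a capitalization inconsistency: this policy uses `### cnspec GitHub Provider` while the organization policy above uses `### cnspec GitHub provider`. Suggest `## cnspec GitHub provider` in both places.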
12 changes: 0 additions & 12 deletions core/mondoo-gitlab-security.mql.yaml
@@ -14,20 +14,8 @@ policies:
email: [email protected]
docs:
desc: |
## Overview

The Mondoo GitLab Security policy offers guidance on establishing minimum recommended security best practices for GitLab groups and projects.

## Remote scan

Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.

A complete list of providers can be found by running this command:

```bash
cnspec scan --help
```

### Prerequisites

Remote scans of GitLab require a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with access to the group and projects you plan to scan.
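Review bot: dropping `## Remote scan` leaves `### Prerequisites` (and whatever H3s follow it) without a parent H2, and the sentence under it still talks about "Remote scans of GitLab" as if the section title were present. Suggest either keeping a `## Remote scan` heading immediately above `### Prerequisites` or promoting `### Prerequisites` to `##`.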
4 changes: 1 addition & 3 deletions core/mondoo-http-security.mql.yaml
@@ -14,8 +14,6 @@ policies:
email: [email protected]
docs:
desc: |
## Overview

The Mondoo HTTP Security policy includes checks for ensuring the security of HTTP headers.

## Remote scan
@@ -131,4 +129,4 @@ queries:
The Public-Key-Pins header is deprecated and should not be used anymore.
refs:
- url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#public-key-pins-hpkp
title: OWASP HTTP Security Response Headers Cheat Sheet
title: OWASP HTTP Security Response Headers Cheat Sheet
2 changes: 0 additions & 2 deletions core/mondoo-kubernetes-best-practices.mql.yaml
@@ -14,8 +14,6 @@ policies:
email: [email protected]
docs:
desc: |-
## Overview

The Mondoo Kubernetes Best Practices policy bundle provides guidance for establishing reliable Kubernetes clusters by encouraging the adoption of best practices.

## Remote scan