|
| 1 | +# cnquery Query Packs |
| 2 | + |
| 3 | +Query packs are pre-built collections of queries written in [MQL (Mondoo Query Language)](https://mondoo.com/docs/mql/home/) that help you gather information from your infrastructure for asset inventory, incident response, and security assessments. These packs are designed to work with cnquery, the open-source, cloud-native tool that answers every question about your infrastructure. |
| 4 | + |
| 5 | +## What are Query Packs? |
| 6 | + |
| 7 | +Query packs contain structured queries that: |
| 8 | + |
| 9 | +- **Inventory assets** across cloud providers, operating systems, and applications |
| 10 | +- **Support incident response** by gathering critical system information |
| 11 | +- **Assess security posture** through targeted data collection |
| 12 | +- **Standardize data gathering** across different platforms and environments |
| 13 | + |
| 14 | +Each query pack is tailored for specific platforms and use cases, making it easy to get started with infrastructure assessment without writing queries from scratch. |
| 15 | + |
| 16 | +## Available Query Packs |
| 17 | + |
| 18 | +### Asset Inventory Packs |
| 19 | + |
| 20 | +- **AWS** (`mondoo-aws-inventory.mql.yaml`) - Comprehensive AWS account and resource inventory |
| 21 | +- **Azure** (`mondoo-azure-inventory.mql.yaml`) - Azure subscription and service inventory |
| 22 | +- **GCP** (`mondoo-gcp-inventory.mql.yaml`) - Google Cloud Platform resource discovery |
| 23 | +- **Kubernetes** (`mondoo-kubernetes-inventory.mql.yaml`) - Container orchestration platform inventory |
| 24 | +- **Linux** (`mondoo-linux-inventory.mql.yaml`) - Linux system and package inventory |
| 25 | +- **macOS** (`mondoo-macos-inventory.mql.yaml`) - macOS system information gathering |
| 26 | +- **Windows** (`mondoo-windows-inventory.mql.yaml`) - Windows system and application inventory |
| 27 | +- **VMware** (`mondoo-vmware-inventory.mql.yaml`) - VMware infrastructure inventory |
| 28 | +- **GitHub** (`mondoo-github-inventory.mql.yaml`) - GitHub organization and repository inventory |
| 29 | +- **Shodan** (`mondoo-shodan-inventory.mql.yaml`) - Internet-facing asset discovery |
| 30 | +- **DNS** (`mondoo-dns-inventory.mql.yaml`) - DNS configuration and record inventory |
| 31 | +- **Email** (`mondoo-email-inventory.mql.yaml`) - Email system configuration |
| 32 | +- **Slack** (`mondoo-slack-inventory.mql.yaml`) - Slack workspace inventory |
| 33 | +- **Terraform** (`mondoo-terraform-inventory.mql.yaml`) - Infrastructure as code inventory |
| 34 | + |
| 35 | +### Incident Response Packs |
| 36 | + |
| 37 | +- **AWS** (`mondoo-aws-incident-response.mql.yaml`) - AWS security event investigation |
| 38 | +- **Linux** (`mondoo-linux-incident-response.mql.yaml`) - Linux system forensics and analysis |
| 39 | +- **macOS** (`mondoo-macos-incident-response.mql.yaml`) - macOS security incident analysis |
| 40 | +- **Windows** (`mondoo-windows-incident-response.mql.yaml`) - Windows security investigation |
| 41 | +- **Kubernetes** (`mondoo-kubernetes-incident-response.mql.yaml`) - Container security analysis |
| 42 | +- **VMware** (`mondoo-vmware-incident-response.mql.yaml`) - VMware security assessment |
| 43 | +- **GitHub** (`mondoo-github-incident-response.mql.yaml`) - GitHub security event analysis |
| 44 | +- **Google Workspace** (`mondoo-googleworkplace-incident-response.mql.yaml`) - Workspace security investigation |
| 45 | +- **Okta** (`mondoo-okta-incident-response.mql.yaml`) - Identity provider security analysis |
| 46 | +- **OpenSSL** (`mondoo-openssl-incident-response.mql.yaml`) - SSL/TLS security assessment |
| 47 | +- **SSL/TLS Certificates** (`mondoo-ssl-tls-certificate-incident-response.mql.yaml`) - Certificate security analysis |
| 48 | + |
| 49 | +### Specialized Packs |
| 50 | + |
| 51 | +- **Asset Count** (`mondoo-asset-count.mql.yaml`) - Simple asset counting across platforms |
| 52 | +- **Windows Operational** (`mondoo-windows-operational-inventory.mql.yaml`) - Windows operational data |
| 53 | + |
| 54 | +## Usage |
| 55 | + |
| 56 | +### Basic Usage |
| 57 | + |
| 58 | +Run a query pack against your infrastructure: |
| 59 | + |
| 60 | +```bash |
| 61 | +cnquery scan -f mondoo-aws-inventory.mql.yaml |
| 62 | +``` |
| 63 | + |
| 64 | +### Target Specific Assets |
| 65 | + |
| 66 | +Run against specific targets: |
| 67 | + |
| 68 | +```bash |
| 69 | +# Local system |
| 70 | +cnquery scan local -f mondoo-linux-inventory.mql.yaml |
| 71 | + |
| 72 | +# Remote SSH |
| 73 | +cnquery scan ssh user@hostname -f mondoo-linux-incident-response.mql.yaml |
| 74 | + |
| 75 | +# AWS account |
| 76 | +cnquery scan aws -f mondoo-aws-inventory.mql.yaml |
| 77 | + |
| 78 | +# Kubernetes cluster |
| 79 | +cnquery scan k8s -f mondoo-kubernetes-inventory.mql.yaml |
| 80 | +``` |
| 81 | + |
| 82 | +### Output Formats |
| 83 | + |
| 84 | +Export results in different formats: |
| 85 | + |
| 86 | +```bash |
| 87 | +# JSON output |
| 88 | +cnquery scan -f mondoo-aws-inventory.mql.yaml --output json |
| 89 | + |
| 90 | +# YAML output |
| 91 | +cnquery scan -f mondoo-aws-inventory.mql.yaml --output yaml |
| 92 | + |
| 93 | +# Compact output |
| 94 | +cnquery scan -f mondoo-aws-inventory.mql.yaml --output compact |
| 95 | +``` |
| 96 | + |
| 97 | +## Query Pack Structure |
| 98 | + |
| 99 | +Each query pack is a YAML file that contains: |
| 100 | + |
| 101 | +- **Metadata**: Name, version, author, and licensing information |
| 102 | +- **Platform filters**: Automatic targeting based on asset type |
| 103 | +- **Queries**: MQL queries organized by purpose |
| 104 | +- **Documentation**: Descriptions and usage guidance |
| 105 | + |
| 106 | +Example structure: |
| 107 | + |
| 108 | +```yaml |
| 109 | +packs: |
| 110 | + - uid: example-pack |
| 111 | + name: Example Query Pack |
| 112 | + version: 1.0.0 |
| 113 | + queries: |
| 114 | + - uid: example-query |
| 115 | + title: Example Query |
| 116 | + mql: asset.name |
| 117 | +``` |
| 118 | +
|
| 119 | +## Creating Custom Query Packs |
| 120 | +
|
| 121 | +1. **Start with an existing pack** as a template |
| 122 | +2. **Define your queries** using MQL syntax |
| 123 | +3. **Add appropriate filters** for target platforms |
| 124 | +4. **Test thoroughly** across your target environments |
| 125 | +5. **Document your pack** with clear descriptions |
| 126 | +
|
| 127 | +For MQL syntax and available resources, see the [MQL documentation](https://mondoo.com/docs/mql/home/). |
| 128 | +
|
| 129 | +## Contributing |
| 130 | +
|
| 131 | +We welcome contributions from the community! Query packs are maintained collaboratively with support from the Mondoo team. |
| 132 | +
|
| 133 | +### How to Contribute |
| 134 | +
|
| 135 | +1. **Fork the repository** and create a feature branch |
| 136 | +2. **Add or modify query packs** following existing patterns |
| 137 | +3. **Test your changes** against relevant target systems |
| 138 | +4. **Submit a pull request** with a clear description of your changes |
| 139 | +
|
| 140 | +For detailed contribution guidelines, see our [Contributing Guide](https://github.com/mondoohq/.github/blob/master/CONTRIBUTING.md). |
| 141 | +
|
| 142 | +### Community Support |
| 143 | +
|
| 144 | +- **GitHub Discussions**: Join the [Mondoo Community](https://github.com/orgs/mondoohq/discussions) to collaborate on policy as code and security automation |
| 145 | +- **Issues**: Report bugs or request features through GitHub Issues |
| 146 | +- **Documentation**: Help improve documentation and examples |
| 147 | +
|
| 148 | +## License |
| 149 | +
|
| 150 | +Query packs are licensed under BUSL-1.1. See individual pack files for specific licensing information. |
| 151 | +
|
| 152 | +## Support |
| 153 | +
|
| 154 | +For questions about cnquery or query packs: |
| 155 | +
|
| 156 | +- 📚 [Documentation](https://mondoo.com/docs/) |
| 157 | +- 💬 [Community Discussions](https://github.com/orgs/mondoohq/discussions) |
| 158 | +- 🐛 [Report Issues](https://github.com/mondoohq/cnquery/issues) |
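Review bot: The Basic Usage example `cnquery scan -f mondoo-aws-inventory.mql.yaml` pairs an AWS pack with no target, so cnquery falls back to scanning the local host and the pack's platform filters will not match anything; either change it to `cnquery scan aws -f mondoo-aws-inventory.mql.yaml` or demonstrate with a local pack, `cnquery scan local -f mondoo-linux-inventory.mql.yaml`. The three commands under Output Formats have the same problem and should carry a provider as well. Two smaller points: the Google Workspace entry names the file `mondoo-googleworkplace-incident-response.mql.yaml`, please confirm that is the real filename in the repo and not a typo for `googleworkspace`, since this string is what users pass to `-f`; and the Query Pack Structure section lists "Platform filters" as a component of every pack, but the example YAML has no `filters:` entry, so adding one (an `asset.platform` check, for instance) would show readers where targeting actually lives.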