
Query Linux

cnquery provides the answers you need about your Linux assets. For example, you can retrieve the distribution, user information, or security settings.

For a list of Linux resources you can query, read Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.

Requirements

To explore a Linux asset with cnquery, you must have:

Query a Linux asset

To answer any question about your environment, use cnquery's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnquery and learning MQL.

To launch a shell into your local Linux environment, enter:

cnquery shell

To launch a shell into a remote Linux environment, enter:

cnquery shell ssh user@HOST

For HOST, substitute the hostname of the remote Linux asset.

Discover capabilities with the help command

Once inside the shell, use the help command to learn what Linux resources you can query. This command lists all the operating system resources:

help os

From the resulting list, you can drill down further. For example, enter this command to list the OS update information you can retrieve:

help os.update

You can also learn about available Linux resources in the Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.

Get simple answers in the shell

Now that you know how to discover what's possible with cnquery, let's run some actual queries in the shell.

This query asks for the hostname:

asset.name

cnquery returns the pretty hostname:

asset.name: "luna-ubuntu-05"

This query asks for the name of the operating system:

asset.platform

Query users

To request a list of all users on a machine, enter this query in the shell:

users

Request full details in results

For a more detailed report, you can specify that you want all fields:

users { * }

For every user, cnquery returns every available field, such as the UID, home directory, shell, and group.

Specify fields to include in results

If you're interested in only some details, specify the fields you want in braces. For example, this query asks for each user's name, primary group, and whether the account is enabled:

users { name group enabled }

Filter results

You can filter results on any field. Pass the criteria to the where function, using standard comparison operators (such as == and !=) and boolean operators (such as && and ||).

For example, this filters results based on group name:

users.where(group.name == "admins") { name uid }

cnquery returns all users in the admins group. It includes the name and UID for each user.

Learn more about querying Linux

Analyze your environment with query packs

Mondoo makes these core Linux query packs available in GitHub:

To run one of these purpose-built collections of Linux-specific queries:

  1. In Mondoo's cnquery-packs GitHub repo, go to the core directory and find the Linux query pack you want to run.

  2. Download the YAML file to a local directory and, in your terminal, move to that directory.

  3. Use the cnquery scan command, specifying the file and the query pack:

cnquery scan -f mondoo-linux-incident-response.mql.yaml --querypack mondoo-incident-response-linux

You can also create your own query packs to meet your specific needs. To learn more about query packs, read Run a Query Pack.
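The following query pack is an added example, not one of Mondoo's own packs, that combines the field-selection and where-filter queries from the "Query users" section above with the "create your own query packs" step. The file layout (a top-level packs list; each pack with uid, name, version, filters and queries; each query with uid, title and mql) is assumed to match the packs in the cnquery-packs repository; the pack uid, query uids and titles are constructed for this example, and the shell paths in the last filter are common defaults rather than values taken from this page.

```yaml
# Constructed example query pack; not from Mondoo's cnquery-packs repo.
# Layout assumed to follow the packs in that repo.
packs:
  - uid: example-linux-user-audit            # constructed pack id
    name: Example Linux User Audit
    version: 0.1.0
    filters:
      # Run only on Linux assets (assumed: asset.family lists platform families)
      - asset.family.contains("linux")
    queries:
      # Full detail for every account (same query as `users { * }` above)
      - uid: example-linux-users-all-fields
        title: All users with every field
        mql: users { * }

      # Only selected fields; nested braces select fields of the group sub-resource
      - uid: example-linux-users-selected-fields
        title: User name, primary group, and enabled state
        mql: users { name group { name } enabled }

      # Any account with UID 0 other than root is worth reviewing
      - uid: example-linux-uid-zero
        title: Accounts with UID 0
        mql: users.where(uid == 0) { name shell }

      # where() with && combines several conditions; the shell paths are
      # common non-login shells, chosen for this example
      - uid: example-linux-enabled-interactive
        title: Enabled accounts with an interactive login shell
        mql: |
          users.where(
            enabled == true &&
            shell != "/usr/sbin/nologin" &&
            shell != "/sbin/nologin" &&
            shell != "/bin/false"
          ) { name uid home shell }

      # The group filter from the "Filter results" section, packaged as a query
      - uid: example-linux-admins-group
        title: Members of the admins group
        mql: users.where(group.name == "admins") { name uid }
```

Save the file as, for example, example-linux-user-audit.mql.yaml, then run it the same way as the core packs: cnquery scan -f example-linux-user-audit.mql.yaml --querypack example-linux-user-audit. The filters entry keeps the pack from running against non-Linux assets; the UID 0 and interactive-shell queries show how where() with && narrows the users list to the accounts an incident responder or auditor would want to look at first.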