Secure Proxmox VE with cnspec
Scan Proxmox VE clusters against security and compliance best practices with cnspec.
Scan your Proxmox Virtual Environment (Proxmox VE) cluster to find security risks before they become incidents. cnspec evaluates nodes, virtual machines, storage pools, networks, firewall rules, users, API tokens, and pending package updates — all without installing agents on your infrastructure.
Prerequisites
To scan Proxmox VE with cnspec, you must have:
- cnspec installed on your workstation
- A Proxmox VE 7.x or 8.x cluster
- A Proxmox API token with at least the PVEAuditor role
- Network access from your workstation to the Proxmox API on port 8006
- The QEMU Guest Agent installed inside any VM whose pending updates you want to query
Authenticate
Create an API token in Proxmox VE:
- Log in to the Proxmox VE web UI as a user with permission to manage tokens.
- Navigate to Datacenter > Permissions > API Tokens.
- Add a new token for a user that has at least the PVEAuditor role on /.
- Copy the resulting token value. cnspec expects the full token string in this form:
PVEAPIToken=user@realm!tokenid=secret
For example:
PVEAPIToken=root@pam!cnspec=00000000-1111-2222-3333-444444444444
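An added example, not part of the cnspec documentation: a shell helper that checks a string against the token form above before it reaches cnspec, catching a bare secret or an unreplaced placeholder. The function names, the PVE_API_TOKEN variable, and the assumption that the secret is a UUID (as in the example token) belong to this example only.

```bash
#!/usr/bin/env bash
# Added example, not part of cnspec: check a Proxmox API token string before
# passing it to cnspec. Expected form: PVEAPIToken=user@realm!tokenid=secret

# Prints "user realm tokenid" on success. On failure prints a reason to stderr
# and returns 1. Assumption: the secret is a UUID (hex digits and dashes only).
parse_pve_token() {
  local token="$1" rest user_realm id secret
  case "$token" in
    PVEAPIToken=*) rest=${token#PVEAPIToken=} ;;
    *) echo "missing 'PVEAPIToken=' prefix" >&2; return 1 ;;
  esac
  case "$rest" in
    ?*@?*'!'?*=?*) ;;
    *) echo "expected user@realm!tokenid=secret after the prefix" >&2; return 1 ;;
  esac
  user_realm=${rest%%'!'*}            # text before the first '!'
  id=${rest#*'!'}                     # tokenid=secret
  secret=${id#*=}; id=${id%%=*}
  case "$user_realm" in
    ?*@?*) ;;
    *) echo "user part must be user@realm" >&2; return 1 ;;
  esac
  case "$secret" in
    *[!0-9A-Fa-f-]*) echo "secret is not a UUID (placeholder left in?)" >&2; return 1 ;;
  esac
  echo "${user_realm%@*} ${user_realm##*@} $id"
}

# Same token with the secret masked, suitable for logs or CI output.
redact_pve_token() {
  echo "${1%=*}=<redacted>"
}

# Hypothetical wrapper: takes the token from PVE_API_TOKEN (a variable name
# chosen for this example) so scripts need not embed it, validates it, then scans.
scan_proxmox() {
  local host="$1"
  parse_pve_token "${PVE_API_TOKEN:-}" >/dev/null || return 1
  echo "scanning $host with $(redact_pve_token "$PVE_API_TOKEN")" >&2
  cnspec scan proxmox --host "$host" --token "$PVE_API_TOKEN"
}
```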
Verify with a quick Proxmox VE check
Confirm that cnspec can reach your Proxmox VE cluster:
cnspec run proxmox \
--host https://192.168.1.10:8006 \
--token 'PVEAPIToken=user@realm!tokenid=secret' \
-c 'proxmox.cluster.name != empty'
If your Proxmox host uses a self-signed certificate, add --insecure (or -k) to skip TLS verification.
Scan Proxmox VE
Scan your Proxmox VE cluster:
cnspec scan proxmox \
--host https://192.168.1.10:8006 \
--token 'PVEAPIToken=user@realm!tokenid=secret'
Scan with the Mondoo Proxmox VE Security policy
Mondoo maintains an out-of-the-box Proxmox VE Security policy that checks node configuration, user and group permissions, VM and container settings, firewall rules, and more.
Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Proxmox", and add the policy. All future scans of your Proxmox VE clusters automatically evaluate against it. To learn more, read Manage Policies.
Open source users: Pass the policy bundle URL directly to cnspec:
cnspec scan proxmox \
--host https://192.168.1.10:8006 \
--token 'PVEAPIToken=user@realm!tokenid=secret' \
--policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-proxmox-security.mql.yaml
You can also create your own policies to meet your specific requirements.
Explore and test checks interactively
Open a cnspec shell to discover resources and try out checks:
cnspec shell proxmox \
--host https://192.168.1.10:8006 \
--token 'PVEAPIToken=user@realm!tokenid=secret'
Cluster overview
cnspec> proxmox.cluster { name quorate nodeCount version }
List nodes with hardware information
cnspec> proxmox.nodes { name cpuModel cpuCores memTotal kernelVersion pveVersion }
Inspect running services on each node
cnspec> proxmox.nodes { name services.where(state == "running") { name } }
List virtual machines
cnspec> proxmox.vms { id name status bios agent tags networks { model bridge } }
Find VMs with pending security updates
cnspec> proxmox.vms.where(status == "running") {
  name
  updates.where(severity == "security" && upgradable == true) { name newVersion }
}
Storage capacity overview
cnspec> proxmox.storages { id type usagePercent total }
Audit users and their API tokens
cnspec> proxmox.users { id tokens { id expire privsep } }
Inspect VM firewall rules
cnspec> proxmox.vms { name firewallRules { pos action proto dest dport } }
Learn more
- Proxmox Resource Pack Reference — every Proxmox VE resource and field cnspec can query
- Write Effective MQL — guide to authoring checks and queries