Install cnspec on Linux

cnspec supports all major Linux distributions and their derivatives:

• Amazon Linux
• Debian Linux
• Fedora
• Red Hat Enterprise Linux (RHEL)
• SUSE Linux Enterprise Server (SLES) and openSUSE
• Ubuntu

Quick start

To install cnspec using the automated install script:

bash -c "$(curl -sSL https://install.mondoo.com/sh)"

To register cnspec with Mondoo Platform during installation, set a registration token first:

export MONDOO_REGISTRATION_TOKEN="<your token from console.mondoo.com>"
bash -c "$(curl -sSL https://install.mondoo.com/sh)"

For manual installation using package managers or for troubleshooting, read on.

Prerequisites

Before you install cnspec, you must:

• Have internet access from the terminal
• Have access to Mondoo Platform endpoints
• Have a synchronized system clock

Note: If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.

Confirm internet access

Check internet connectivity from the terminal:

curl -I https://mondoo.com

If you get the status 200 OK and the website's headers, your internet connection is working.

If you have a proxy setting in your environment, you might need to configure it in the terminal:

export http_proxy='http://proxyServerAddress:proxyPort'
export https_proxy='https://proxyServerAddress:proxyPort'

To make this configuration permanent, set the proxy in system-wide configuration files such as /etc/bashrc, /etc/profile, or files in /etc/profile.d/.

Confirm access to Mondoo systems

Be sure you can reach these endpoints from the terminal:

install.mondoo.com                  Port 443/https
releases.mondoo.com                 Port 443/https
eu.api.mondoo.com                   Port 443/https
us.api.mondoo.com                   Port 443/https
registry.api.mondoo.com             Port 443/https

If your organization's region is US, you must be able to access us.api.mondoo.com. If your region is EU, you must be able to access eu.api.mondoo.com.

To check connectivity, use the curl command as shown above.

Synchronize your system clock

Make sure your system clock is in sync with NTP or internet time. To check the current synchronization status:

ntpq -p

Install cnspec on Linux

Option A: Install using the automated install script

If you set the MONDOO_REGISTRATION_TOKEN environment variable before running the install script, cnspec automatically registers with Mondoo Platform and creates the mondoo.yml configuration file.

To retrieve a registration token:

1. Log into the Mondoo Console.

2. Create a new integration for your Linux machine:

   • If this is your first time logging in, select the BROWSE INTEGRATIONS button.
   • If you've accessed the console before, in the side navigation bar, under INTEGRATIONS, select Add New Integration. Under Server and Endpoint Security, select your operating system.

3. Copy the installation command including the registration token and run it in your terminal.

Option B: Install manually using a package manager

curl --retry 3 --retry-delay 10 -sSL https://releases.mondoo.com/debian/pubkey.gpg | gpg --dearmor --output /usr/share/keyrings/mondoo-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/mondoo-archive-keyring.gpg] https://releases.mondoo.com/debian/ stable main" | tee /etc/apt/sources.list.d/mondoo.list

# export MONDOO_REGISTRATION_TOKEN="<YOUR_TOKEN_HERE>"
apt update && apt install -y mondoo

curl --silent --location https://releases.mondoo.com/rpm/mondoo.repo | tee /etc/yum.repos.d/mondoo.repo

# export MONDOO_REGISTRATION_TOKEN="<YOUR_TOKEN_HERE>"
dnf install -y mondoo

curl --silent --location https://releases.mondoo.com/rpm/mondoo.repo | tee /etc/yum.repos.d/mondoo.repo

# export MONDOO_REGISTRATION_TOKEN="<YOUR_TOKEN_HERE>"
yum install -y mondoo

curl --silent --location https://releases.mondoo.com/rpm/mondoo.repo | tee /etc/zypp/repos.d/mondoo.repo

# export MONDOO_REGISTRATION_TOKEN="<YOUR_TOKEN_HERE>"
zypper -n --gpg-auto-import-keys install mondoo

Verify the installation

The installation adds three binaries to the machine: cnspec, cnquery, and mondoo. To find their location:

which cnspec
which cnquery

Depending on your distribution, these are typically in /usr/bin/ (Debian Linux/Ubuntu) or /bin/ (RHEL/Fedora).

Configuration file

If you registered during installation, the installer creates a configuration file at /etc/opt/mondoo/mondoo.yml. This file contains the certificate, private key, API endpoint, and space address derived from the registration token.

Verify that cnspec is properly configured and registered:

cnspec status

Re-register cnspec

If you encounter an issue with the registration token, you can re-register cnspec:

cnspec login --token $MONDOO_REGISTRATION_TOKEN --config /etc/opt/mondoo/mondoo.yml

Enable and start cnspec as a service

On systemd-based distributions, the installation creates a cnspec service. Enable and start it:

systemctl daemon-reload
systemctl enable cnspec.service
systemctl start cnspec.service

The service runs cnspec in serve mode, which performs a local scan every hour based on the policies enabled for this machine's space in Mondoo Platform. You can view the results in the Mondoo Console.

To run a scan manually:

cnspec scan local

If cnspec finds a configuration file (mondoo.yml), it loads the policies enabled for this machine's space. If it doesn't find a configuration file, it scans based on Mondoo's free, open source policies.

To learn more about managing the cnspec service, read Run cnspec as a service.

Proxy configuration

You can configure a proxy during registration or in the configuration file.

Set a proxy during registration

cnspec login --token 'YOUR_TOKEN_HERE' --api-proxy 'http://1.1.1.1:8080' --config '/etc/opt/mondoo/mondoo.yml'

Set a proxy in the configuration file

Add this line to /etc/opt/mondoo/mondoo.yml:

api_proxy: http://1.1.1.1:8080

Learn more

• Register cnspec
• Run cnspec as a service
• Update cnspec
• Uninstall cnspec