Manage cnspec Providers
cnspec can assess the security of dozens of different platforms, from AWS to Windows hosts. Providers are the components of cnspec that allow it to evaluate specific platforms. When you download and install cnspec, you don't download or install any providers. Instead, when you run a cnspec command, cnspec automatically downloads and installs the provider(s) you need. This approach saves you download time, memory, and disk space. Each time you use cnspec, it ensures that you have the latest version of the necessary provider(s).
For example, suppose you download cnspec and install it on a Linux workstation. There are no providers installed on the workstation. When you run cnspec scan to assess local security, cnspec checks and finds that the provider it needs, the operating systems (os) provider isn't present. cnspec automatically downloads and installs the os provider and then runs the scan. The os provider remains on your workstation for the next time you use cnspec for your operating system.
Continuing the example, suppose you then run cnspec shell aws to run some checks against your AWS account settings. cnspec downloads and installs the aws provider and opens the shell. The aws provider remains on your workstation for the next time you use cnspec for AWS.
Most users don't need to think about providers. cnspec manages them for you. However, there are some situations where you might want to manage providers yourself:
-
Containers
-
Read-only mode
-
Air-gapped environments
Provider considerations for containers
By default, when you spin up a container with cnspec installed and run any cnspec command, cnspec retrieves the latest version of the providers it needs. When the container is destroyed, the providers are destroyed. Therefore, the next time you spin up a container based on the same image, the download and installation repeat.
You can eliminate the unnecessary processing by:
-
Installing the provider(s) on the image. To learn how, read Install, update, and remove providers below.
-
Turning off provider auto-update. To learn how, read Turn off provider auto-update below.
Provider considerations for read-only mode
Some security situations dictate that cnspec must not be allowed to write to the machine on which it's installed. cnspec does operate in read-only mode, however, it can't download and install the providers it needs. Therefore, when you install cnspec on a machine on which cnspec won't have write access, you must also install the provider. To learn how, read Install, update, and remove providers below.
If you install cnspec in an environment where it can't automatically update providers, you're responsible for installing provider updates.
To prevent error messages from displaying when you run commands in read-only mode, turn off provider auto-update. To learn how, read Turn off provider auto-update below.
Provider considerations air-gapped environments
In an air-gapped environment, cnspec can't download the providers needed to scan or test the system. Therefore, when you install cnspec to an air-gapped machine, you must also install the provider. To learn how, read Install, update, and remove providers below.
If you install cnspec in an air-gapped environment, you're responsible for installing provider updates.
To prevent error messages from displaying when you run commands, turn off provider auto-update.
Turn off provider auto-update
By default, each time you run a cnspec command, cnspec downloads and installs the latest version of the provider needed to execute the command (unless the latest version of the provider is already installed). You can change this behavior by disabling auto-update for cnspec.
If you disable auto-update, cnspec doesn't check whether the latest version of the necessary provider is installed. It uses the version of the necessary provider that is currently installed. If the provider isn't installed, the command fails.
Turn off provider auto-update for all cnspec commands and Mondoo scans
To never automatically update providers, set the auto-update value in the cnspec configuration file to false.
On a Linux or macOS host, cnspec configuration is stored in one of these locations:
-
/etc/opt/mondoo/mondoo.ymlconfigures cnspec for all user accounts. -
~/.config/mondoo/mondoo.ymlconfigures cnspec for a single user.
On a Windows host, cnspec configuration is stored in one of these locations:
-
C:\ProgramData\mondoo\mondoo.ymlconfigures cnspec for all users. -
C:\Users\{username}\.config\mondoo\mondoo.ymlconfigures cnspec for a single user.
To configure cnspec to never update providers, set the configuration:
auto-update: false
If you disable auto-update, be sure to check regularly for new versions of providers. To learn more, read Install, update, and remove providers below.
Turn provider auto-update on or off for a single cnspec command
To skip checking for, downloading, and installing the latest provider just once (for a single cnspec command), add the '--auto-update=false' flag to the command. For example, this scans the local machine without updating to the latest provider:
cnspec scan --auto-update=false
The command line flag overrides the mondoo.yml config file setting.
Install, update, and remove providers
You can download the latest versions of providers at https://releases.mondoo.com/providers/. Past versions are always available at the same location.
These are the available cnspec providers:
| Provider | Target |
|---|---|
| ansible | Ansible IaC code |
| arista | Arista network devices |
| atlassian | Atlassian Cloud |
| aws | Amazon Web Services |
| azure | Microsoft Azure |
| cloudformation | AWS CloudFormation |
| equinix | Equinix Metal |
| gcp | Google Cloud |
| github | GitHub |
| gitlab | GitLab |
| google-workspace | Google Workspace |
| ipmi | Intelligent Platform Management Interface |
| k8s | Kubernetes |
| ms365 | Microsoft 365 |
| network | Hosts |
| oci | Oracle Cloud Infrastructure |
| okta | Okta |
| opcua | OPC Unified Architecture |
| os | Operating systems |
| shodan | Shodan Search Engine |
| slack | Slack |
| snowflake | Snowflake |
| terraform | HashiCorp Terraform IaC code |
| vcd | VMware Cloud Director |
| vsphere | VMware vSphere |
To learn what providers are installed, run:
cnspec providers
For help on the providers subcommand, run:
cnspec providers -h
Manually install a provider
To install a provider, run:
cnspec providers install NAME
For NAME, substitute the provider name (as shown in the table above). For example:
cnspec providers install k8s
For help on manual provider installation, run:
cnquery providers install -h
To install a provider from a file, run:
cnspec providers install -f PATH
For PATH, substitute the path and name of the provider file. For example:
cnspec providers install -f providers/os/dist/os.tar.xz
To install a provider from a URL, run:
cnspec providers install --url URL
For URL, substitute the location and name of the provider file. For example:
cnspec providers install --url https://releases.mondoo.com/providers/os/9.0.7/os_9.0.7_linux_arm.tar.xz
Manually update providers
To update to the latest version of all installed providers, run:
cnspec providers update
To update to the latest version of a specific provider, run:
cnspec providers update NAME
For NAME, substitute the name of the provider (as shown in the table above). For example:
cnspec providers update vsphere
Remove providers
To remove a provider, run:
cnspec providers remove NAME
For NAME, substitute the name of the provider you want to uninstall. For example:
cnspec providers remove terraform