Skip to main content

Assess Arista EOS Security with cnspec

cnspec assesses your Arista EOS network devices for misconfigurations that put your organization at risk. You can use MQL to write policies that define your Arista security standards. You also can write individual tests to run on the fly or include in automated tasks.

For a list of Arista EOS resources you can test, read Arista EOS Resource Pack Reference, Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.


To test an Arista EOS asset with cnspec, you must have:

Configure the security group

Mondoo relies on the Arista API to scan an Arista EOS device. To give Mondoo the access it needs, modify the security group to include HTTPS access. One quick way to do this is to allow "All Traffic" from your IP address only.

SSH to the device

Access the device using SSH. For DEVICE_PUBLIC_IP, substitute the public IP address of the device. For YOUR_KEY_PATH, substitute the path to your SSH key:


For information on SSH key access to Arista devices, read SSH login without password in the Arista community.

Configure the host for scanning

Change the device configuration to allow cnspec to successfully scan it. For NEW_SECRET, substitute a password of your choice:

localhost> enable
localhost# config t
localhost(config)# username admin secret NEW_SECRET
localhost(config)# management api http-commands
localhost(config-mgmt-api-http-cmds)# no shutdown
localhost(config-mgmt-api-http-cmds)# copy run start
Copy completed successfully.

Scan with cnspec

Use the cnspec scan command to scan the device. For DEVICE_PUBLIC_IP, substitute the device's public IP address:

cnspec scan arista DEVICE_PUBLIC_IP --ask-pass

Provide the password when prompted.

Learn more

cnspec also provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It’s also a great way to interact with assets on the fly. To learn more, read Create Checks in cnspec Shell.