Skip to main content

Assess Linux Security with cnspec

cnspec assesses your Linux assets for misconfigurations that put your organization at risk. You can evaluate a Linux asset for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.

For a list of Linux resources you can test, read Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.


To test a Linux asset with cnspec, you must have:

Assess Linux security with policy-based scanning

The Linux Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental Linux security best practices.

To scan a local machine using the Linux Security by Mondoo policy, run:

cnspec scan

To scan a remote machine using the Linux Security by Mondoo policy, run:

cnspec scan ssh user@HOST

For HOST, substitute the hostname of the remote Linux asset.

cnspec finds the default policy for Linux and runs a scan based on that policy. It returns a report summarizing the scan results.

To learn more about the command, read cnspec scan.

You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.

Learn more

cnspec also provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It's also a great way to interact with both local and remote targets on the fly. To learn more, read Create Checks in cnspec Shell.