Install cnspec on Linux
Install and configure cnspec on major Linux distributions including Ubuntu, Debian, RHEL, Amazon Linux, and SUSE.
This page covers package-based installs of cnspec for the most common Linux distributions and their derivatives:
- Amazon Linux
- Debian
- Fedora
- Red Hat Enterprise Linux (RHEL)
- SUSE Linux Enterprise Server (SLES) and openSUSE
- Ubuntu
Don't see your distribution here? cnspec can still scan 75+ Linux distributions over SSH, cloud volume scans, or container scans without needing to be installed on the target.
Quick start
To install cnspec using the automated install script:
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
To register cnspec with Mondoo Platform during installation, set a registration token first:
export MONDOO_REGISTRATION_TOKEN="<your token from console.mondoo.com>"
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
For manual installation using package managers or for troubleshooting, read on.
Prerequisites
Before you install cnspec, the host needs:
- Outbound internet access from the terminal
- Reachability to Mondoo Platform endpoints (see below)
- A clock synchronized via NTP
If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.
Confirm internet access
Check internet connectivity from the terminal:
curl -I https://mondoo.com
If you get the status 200 OK and the website's headers, your internet connection is working.
If you have a proxy setting in your environment, you might need to configure it in the terminal:
export http_proxy='http://proxyServerAddress:proxyPort'
export https_proxy='https://proxyServerAddress:proxyPort'
To make this configuration permanent, set the proxy in system-wide configuration files such as /etc/bashrc, /etc/profile, or files in /etc/profile.d/.
Confirm access to Mondoo systems
Be sure you can reach these endpoints from the terminal:
install.mondoo.com Port 443/https
releases.mondoo.com Port 443/https
eu.api.mondoo.com Port 443/https
us.api.mondoo.com Port 443/https
registry.api.mondoo.com Port 443/https
If your organization's region is US, you must be able to access us.api.mondoo.com. If your region is EU, you must be able to access eu.api.mondoo.com.
To check connectivity, use the curl command as shown above.
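The connectivity check above, written as a loop over the listed endpoints for one region. This is an added example, not part of cnspec or its documentation; the function names, the PROBE override and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight reachability check for the Mondoo endpoints listed above.
# Function names, PROBE and exit codes are assumptions, not part of cnspec.

# Print the hosts a region (us or eu) needs, one per line.
mondoo_endpoints() {
  case "$1" in
    us|US) api=us.api.mondoo.com ;;
    eu|EU) api=eu.api.mondoo.com ;;
    *) echo "unknown region: $1 (expected us or eu)" >&2; return 64 ;;
  esac
  printf '%s\n' install.mondoo.com releases.mondoo.com registry.api.mondoo.com "$api"
}

# Default probe: HEAD request over HTTPS (port 443). Any HTTP response counts as
# reachable; DNS, TCP, TLS or proxy failures make curl exit non-zero.
# curl honours https_proxy from the environment.
probe_https() {
  curl -sS -I -o /dev/null --connect-timeout 5 --max-time 15 "https://$1/"
}

# Probe every endpoint for the region, print one line per host and
# return the number of unreachable hosts (0 = all reachable).
preflight() {
  probe=${PROBE:-probe_https}
  failed=0
  hosts=$(mondoo_endpoints "$1") || return 64
  for host in $hosts; do
    if "$probe" "$host"; then
      echo "ok    $host:443"
    else
      echo "FAIL  $host:443"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Run only when a region is given on the command line, e.g.: sh preflight.sh eu
if [ $# -gt 0 ]; then
  preflight "$1"
fi
```

A FAIL line for only the API host of your region usually points at an egress or proxy allow-list that covers the download hosts but not the API.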
Synchronize your system clock
Make sure your system clock is in sync with NTP or internet time. To check the current synchronization status:
ntpq -p
Install cnspec on Linux
Option A: Install using the automated install script
The install script (shown above in Quick start) handles every supported Linux distribution. If you set MONDOO_REGISTRATION_TOKEN before running it, cnspec also registers with Mondoo Platform and writes /etc/opt/mondoo/mondoo.yml.
To get a registration token:
- Log into the Mondoo Console.
- In the left navigation, under Integrations, select Add New Integration.
- Under Server and Endpoint Security, pick your operating system. The console gives you a one-line install command with the token already filled in. Run it in your terminal.
Option B: Install manually using a package manager
Using apt:
curl --retry 3 --retry-delay 10 -sSL https://releases.mondoo.com/debian/pubkey.gpg | gpg --dearmor --output /usr/share/keyrings/mondoo-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/mondoo-archive-keyring.gpg] https://releases.mondoo.com/debian/ stable main" | tee /etc/apt/sources.list.d/mondoo.list
# export MONDOO_REGISTRATION_TOKEN="<YOUR_TOKEN_HERE>"
apt update && apt install -y mondoo
Using dnf:
curl --silent --location https://releases.mondoo.com/rpm/mondoo.repo | tee /etc/yum.repos.d/mondoo.repo
# export MONDOO_REGISTRATION_TOKEN="<YOUR_TOKEN_HERE>"
dnf install -y mondoo
Using yum:
curl --silent --location https://releases.mondoo.com/rpm/mondoo.repo | tee /etc/yum.repos.d/mondoo.repo
# export MONDOO_REGISTRATION_TOKEN="<YOUR_TOKEN_HERE>"
yum install -y mondoo
Using zypper:
curl --silent --location https://releases.mondoo.com/rpm/mondoo.repo | tee /etc/zypp/repos.d/mondoo.repo
# export MONDOO_REGISTRATION_TOKEN="<YOUR_TOKEN_HERE>"
zypper -n --gpg-auto-import-keys install mondoo
Verify the installation
The installation adds two binaries to the machine: cnspec and mondoo. To find their location:
which cnspec
which mondoo
Depending on your distribution, these are typically in /usr/bin/ (Debian Linux/Ubuntu) or /bin/ (RHEL/Fedora).
Configuration file
If you registered during installation, the installer creates a configuration file at /etc/opt/mondoo/mondoo.yml. This file contains the certificate, private key, API endpoint, and space address derived from the registration token.
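Because this file holds a private key, it is worth confirming that other local users cannot read it. The check below is an added example, not part of cnspec or its installer; the function name, the default owner of root and the exit codes are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: check that the cnspec configuration file, which holds a private
# key, is not exposed to other local users. Names and exit codes are assumptions.

# Usage: check_config_private FILE [EXPECTED_OWNER]
# Returns 0 if FILE is a regular file (not a symlink), owned by EXPECTED_OWNER
# (default root) and carries no group/other permission bits.
# Returns 1 on an ownership or mode finding, 2 if the file cannot be inspected.
check_config_private() {
  cfg=$1
  want_owner=${2:-root}
  if [ -L "$cfg" ] || [ ! -f "$cfg" ]; then
    echo "$cfg: missing, a symlink, or not a regular file" >&2
    return 2
  fi
  # GNU stat (Linux): %a = octal mode, %U = owner name
  mode=$(stat -c '%a' "$cfg") || return 2
  owner=$(stat -c '%U' "$cfg") || return 2
  rc=0
  if [ "$owner" != "$want_owner" ]; then
    echo "$cfg: owned by $owner, expected $want_owner" >&2
    rc=1
  fi
  # The last two octal digits are the group and other bits; both must be 0.
  # stat prints mode 000 as a single "0".
  case "$mode" in
    *00|0) ;;
    *) echo "$cfg: mode $mode lets group/other access the key; consider chmod 600" >&2
       rc=1 ;;
  esac
  return "$rc"
}

# Run only when a path is given, e.g.: sh check.sh /etc/opt/mondoo/mondoo.yml
if [ $# -gt 0 ]; then
  check_config_private "$@"
fi
```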
Verify that cnspec is properly configured and registered:
cnspec status
Re-register cnspec
If you encounter an issue with the registration token, you can re-register cnspec:
cnspec login --token "$MONDOO_REGISTRATION_TOKEN" --config /etc/opt/mondoo/mondoo.yml
Run cnspec as a service
The package installs a systemd unit at /etc/systemd/system/cnspec.service but doesn't enable or start it. To turn it on so cnspec scans on a recurring schedule and reports back to Mondoo Platform, follow Run cnspec as a service and use the Linux tab.
To run a one-off scan manually instead:
cnspec scan local
If cnspec finds a configuration file (mondoo.yml), it loads the policies enabled for this asset's space. Otherwise, it scans against Mondoo's free, open source policies.
Proxy configuration
You can configure a proxy during registration or in the configuration file.
Set a proxy during registration
cnspec login --token 'YOUR_TOKEN_HERE' --api-proxy 'http://1.1.1.1:8080' --config '/etc/opt/mondoo/mondoo.yml'
Set a proxy in the configuration file
Add this line to /etc/opt/mondoo/mondoo.yml:
api_proxy: http://1.1.1.1:8080