cnspec System Requirements
Minimum operating system versions, CPU architectures, PowerShell version, and access rights cnspec needs to install and scan a local host.
This page describes what a host needs to install cnspec and scan its local operating system. It covers supported operating system versions, CPU architectures, the minimum PowerShell version on Windows, and the access rights a local scan requires.
These requirements apply only to hosts where you install cnspec to scan themselves. To scan a remote target over SSH, WinRM, a cloud API, or a container image, cnspec runs from your workstation or a CI runner and nothing needs to be installed on the target. For the full list of what cnspec can reach remotely, see Supported Scan Targets.
Supported operating systems
Mondoo builds and tests cnspec on the platforms below. cnspec ships as a single static binary, so it has no runtime dependencies beyond the operating system itself.
| Edition | Tested versions |
|---|---|
| Windows client | 10, 11 |
| Windows Server | 2016, 2019, 2022, 2025 |
PowerShell 5.1 or later is required. The Windows installer declares #Requires -Version 5, so it stops with an error on any host running an older PowerShell. Check the installed version before you install:
$PSVersionTable.PSVersionLegacy Windows Server releases are a common cause of failed installs. Windows Server 2012 ships with PowerShell 3.0 and Windows Server 2012 R2 ships with PowerShell 4.0, both below the required minimum. These versions are also outside the tested matrix above. To install cnspec on them, first install Windows Management Framework 5.1 to bring PowerShell up to 5.1, then run the installer.
TLS 1.2 must be enabled so the installer can reach Mondoo's download and API endpoints. It is enabled by default on modern Windows, and the install pages explain how to confirm or enable it.
cnspec on Linux is largely distribution independent. The Linux binaries are statically linked with no external library dependencies, so they run on any distribution with a supported CPU architecture and a reasonably modern kernel (Linux 3.2 or later). You do not need a specific distribution or release to run cnspec.
What the scan can read depends less on the distribution than on which standard utilities are present. cnspec reads most operating system state directly from files, and shells out to common system tools for the rest:
- A package manager (
dpkg,rpm, orapk) for installed-package and patch checks systemctlorservicefor service statemountandlsblkfor filesystem and block-device checksgetentfor users and groups
These tools are present by default on the distribution that provides them. If one is missing, only the checks that depend on it are affected; the rest of the scan still runs. The automated install script additionally needs curl and tar.
Mondoo validates cnspec and its policies against these distributions:
| Distribution | Validated versions |
|---|---|
| Alpine | 3.10 - 3.23 |
| AlmaLinux | 8, 9, 10 |
| Amazon Linux | 1, 2, 2023 |
| Arch Linux | Rolling |
| CentOS | 6, 7, 8, Stream |
| Debian | 8, 9, 10, 11, 12, 13 |
| Fedora | 30 - 43 |
| openSUSE | Leap 15, Leap 16 |
| Oracle Linux | 6, 7, 8, 9, 10 |
| Photon Linux | 2, 3, 4, 5 |
| Red Hat Enterprise Linux | 6, 7, 8, 9, 10 |
| Rocky Linux | 8, 9, 10 |
| SUSE Linux Enterprise | 12, 15, 16 |
| Ubuntu | 18.04, 20.04, 22.04, 24.04, 26.04 |
A distribution that isn't listed here usually still works; the table reflects what Mondoo tests, not a hard requirement to run cnspec. You can also scan any Linux host remotely over SSH, as a cloud volume, or as a container image without installing cnspec on the target.
cnspec runs natively on both Intel and Apple silicon Macs, and Mondoo publishes a signed, notarized universal package that supports both. Use a current or recent macOS release.
Supported CPU architectures
| Operating system | Architectures |
|---|---|
| Windows | amd64 (64-bit x86), arm64 (64-bit ARM) |
| Linux | amd64, arm64, 386 (32-bit x86); arm, ppc64le, and s390x as standalone binaries |
| macOS | amd64 (Intel), arm64 (Apple silicon), plus a universal package |
The automated install scripts detect amd64, arm64, and 386. For the additional Linux architectures, download the matching binary directly from releases.mondoo.com and follow the standalone binary instructions.
Access rights for a local scan
A local scan reads protected operating system configuration, so it needs elevated privileges to return complete results. The table below summarizes what each platform requires.
- Installing: the package manager and the automated install script require
root, or a user withsudo. - Scanning: run
cnspec scan localasrootor withsudo. A full scan reads files such as/etc/shadowand/etc/sudoersthat are only readable byroot. Without elevated privileges, the checks that depend on those files return no data. When you run cnspec as a service, the systemd unit runs asrootby default.
- Installing: the installer declares
#Requires -RunAsAdministrator. Run it from an elevated PowerShell or Command Prompt, or with an administrator account through MSI or Chocolatey. - Scanning locally: run
cnspec scan localfrom an elevated terminal so it can read protected registry keys and system configuration. - Scanning remotely: cnspec connects to a remote Windows host over WinRM, which listens on port
5986for HTTPS (the default) or5985for HTTP. Use an account with administrator privileges, for examplecnspec scan winrm Administrator@HOST --ask-pass.
- Installing: the universal
.pkgand the automated install script requiresudo. - Scanning: run
cnspec scan localwithsudoto read protected files. Some data, such as Time Machine preferences, is gated by macOS Full Disk Access even forroot. Grant Full Disk Access to the terminal (or to the cnspec service) when you need those checks.
Network requirements
To install cnspec and report results to Mondoo Platform, the host needs outbound access on port 443 to Mondoo's install, release, API, and registry endpoints, and a clock kept in sync with NTP. Each install guide lists the exact endpoints and includes connectivity checks: