Run cnspec as a service
Configure cnspec to run as a system service that automatically scans hosts and reports results to Mondoo Platform.
Run cnspec as a system service to assess a host on a recurring schedule and stream the results back to Mondoo Platform without anyone running a command.
How the service works
Once enabled, the cnspec service runs in serve mode. By default, every 60 minutes it:
- Connects to your space in Mondoo Platform.
- Pulls the latest enabled policies.
- Scans the host.
- Reports the results back to the platform.
You can change the interval, the configuration path, and the log level. See cnspec configuration options below.
Configure cnspec to run as a service
The installation places a systemd unit file at /etc/systemd/system/cnspec.service. However, it does not register or enable the service.
Before starting cnspec as a service, you should have already registered the host with your Mondoo Platform account.
Enable and start cnspec as a service
sudo systemctl daemon-reload
sudo systemctl enable cnspec
sudo systemctl start cnspec
sudo systemctl status cnspec
cnspec service logging
cnspec service writes log events to the system logs. You can use this command to tail cnspec service logs on Linux hosts:
sudo journalctl -u cnspec -f
The default log level is info, but can be configured as defined in cnspec configuration options below.
When installed on Windows, the mondoo package automatically registers with the Service Control Manager in Windows, but sets the default Startup Type to Manual and does not start the service.

Running as a service
Before starting cnspec as a service, you should have already registered the host with your Mondoo Platform account.
Launch a PowerShell terminal as an administrator and run these commands:
Set-Service -Name mondoo -StartupType Automatic
Set-Service -Name mondoo -Status Running
Get-Service mondoo | Select-Object -Property Name, StartType, Status
Mondoo service logging
Mondoo service writes logging events to the Windows Event Viewer Application logs. To view logs:

- Select the Start Menu and launch Event Viewer
- Expand Windows Logs
- Select Application to view application logs
- Use Find... to search for "cnspec"
If you installed cnspec using the PKG installer, a launchd service is created automatically. If you installed cnspec using Homebrew, you can manually create the service plist file at /Library/LaunchDaemons/com.mondoo.client.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.mondoo.client</string>
  <key>ProgramArguments</key>
  <array>
    <string>/path/to/cnspec</string>
    <string>serve</string>
    <string>-t</string>
    <string>60</string>
    <string>--config</string>
    <string>/etc/opt/mondoo/mondoo.yml</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
You must replace "/path/to/cnspec" with the path to cnspec on your host. You can validate this by opening a terminal and running which cnspec. Also, ensure you specify the correct path to Mondoo Platform config ("/etc/opt/mondoo/mondoo.yml" in the example above), which can be validated by opening a terminal and running cnspec status. Additionally, you can adjust the scan frequency (60 minutes by default).
sudo launchctl load /Library/LaunchDaemons/com.mondoo.client.plist
To start, stop or check the status of the service, use the launchctl tool:
$ sudo launchctl start com.mondoo.client
$ sudo launchctl list | grep com.mondoo.client
- 1 com.mondoo.client
cnspec serve
In addition to leveraging the platform service management system, cnspec includes the cnspec serve command, which you can use on any supported platform (Linux, Windows, macOS) to continuously run assessments of hosts.
If the host is already registered, cnspec serve uses the existing configuration.
Set a custom scan interval
Use the --timer flag to set a scan interval in minutes. The default is 60. For example, this runs a scan with cnspec serve every 15 minutes:
cnspec serve --timer 15
cnspec configuration options
cnspec configuration is stored on the host at this location:
- Linux and macOS: /etc/opt/mondoo/mondoo.yml
- Windows: C:\ProgramData\Mondoo\mondoo.yml
Common cnspec service configuration options:
| Name | Description |
|---|---|
| agent_mrn | Agent Mondoo resource name, identifies the client |
| api_endpoint | The URL of Mondoo Platform (https://us.api.mondoo.com is the default) |
| certificate | Client's public certificate |
| loglevel | Service log level: error, warn, info, debug, trace (default is info) |
| mrn | Service Account Mondoo resource name, which identifies the service account |
| private_key | Client's private key used to sign requests sent to Mondoo Platform |
| space_mrn | Space Mondoo resource name, identifies the space that the client belongs to |
| annotations | Annotations that display in the Mondoo Console (console.mondoo.com) |
# service account mrn
mrn: //agents.api.mondoo.app/spaces/spacex/serviceaccounts/1utIs5XUQ8XayfB6yiQNTLOqPlD
# agent mrn
agent_mrn: //agents.api.mondoo.app/spaces/spacex/agents/1utIqsjg3YSAF8hMMIhg8tBsTPP
# space mrn
space_mrn: //captain.api.mondoo.app/spaces/spacex
# api endpoint
api_endpoint: https://us.api.mondoo.com
# pem-encoded certificate
certificate: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
# pem-encoded private key
private_key: |
  -----BEGIN PRIVATE KEY-----
  ...
  -----END PRIVATE KEY-----
# log level: error, warn, info, debug, trace
loglevel: info
# tags
annotations:
  key1: value1
  key2: value2
cnspec inventory
You can define multiple scan targets, credentials, and discovery options in an inventory file. To learn more, read Remote scanning with inventory files.
To execute cnspec with an inventory file:
cnspec scan --inventory-file ./inventory.yml
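Because mondoo.yml (see cnspec configuration options above) holds the private_key that signs requests to Mondoo Platform, it is worth checking the file before enabling the service. The following pre-flight check is an added example, not part of cnspec or the original page; the function name check_mondoo_config, the set of keys it treats as required, and the sample file are assumptions made for illustration.

```shell
# Added example: pre-flight check for a cnspec service config (mondoo.yml).
# Prints one line per problem; returns 0 when the file passes, 1 otherwise.
check_mondoo_config() {
    cfg=$1
    problems=0
    report() { echo "FAIL: $1"; problems=$((problems + 1)); }
    [ -f "$cfg" ] || { echo "FAIL: $cfg not found"; return 1; }

    # The file holds private_key, so group and other need no access at all.
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld -- "$cfg" | cut -c5-10)
    [ "$mode" = "------" ] || report "group/other permissions set ($mode)"

    # Assumption: these top-level keys must be present for the service to authenticate.
    for key in mrn space_mrn certificate private_key; do
        grep -Eq "^${key}:" "$cfg" || report "missing key: $key"
    done

    # api_endpoint is optional (the page gives the default) but must be HTTPS.
    endpoint=$(sed -n 's/^api_endpoint:[[:space:]]*//p' "$cfg" | head -n 1)
    case ${endpoint:-https://us.api.mondoo.com} in
        https://*) ;;
        *) report "api_endpoint is not https: $endpoint" ;;
    esac

    # loglevel is optional (default info) but must be a documented value.
    level=$(sed -n 's/^loglevel:[[:space:]]*//p' "$cfg" | head -n 1)
    case ${level:-info} in
        error|warn|info|debug|trace) ;;
        *) report "unknown loglevel: $level" ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample config with placeholder values, no real credentials.
sample=$(mktemp)
cat > "$sample" <<'EOF'
mrn: //agents.api.mondoo.app/spaces/example/serviceaccounts/EXAMPLE
space_mrn: //captain.api.mondoo.app/spaces/example
api_endpoint: https://us.api.mondoo.com
certificate: |
  ...
private_key: |
  ...
loglevel: info
EOF
chmod 600 "$sample"
check_mondoo_config "$sample" && echo "OK: $sample passes"
```

On a Linux or macOS host, point the function at /etc/opt/mondoo/mondoo.yml with sufficient privileges to read the file.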