Mondoo
Docs
Operating Systems

Query AIX with cnspec

Query AIX systems and run custom security policies with cnspec.

Query your AIX systems with cnspec and apply your own security policies. cnspec exposes AIX users, groups, services, packages, SSH configuration, and file system metadata as queryable MQL resources, and you can wrap them in your own policies to enforce the controls that matter for your environment.

Prerequisites

To query an AIX system with cnspec, you must have:

Connect over SSH

cnspec connects to AIX systems remotely over SSH.

cnspec scan ssh user@HOST

To use an SSH key for authentication:

cnspec scan ssh user@HOST -i /path/to/identity_key

To scan using a specific port:

cnspec scan ssh user@HOST -p 2222

Apply a custom policy

Mondoo doesn't ship a default AIX security policy. Pass your own with --policy-bundle:

cnspec scan ssh user@HOST --policy-bundle my-aix-policy.mql.yaml

When a scan completes, cnspec prints a summary of the checks it ran, grouped by policy. Each check shows a pass or fail result, and the report ends with a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance.

Example checks

Open a cnspec shell to explore resources interactively:

cnspec shell ssh user@HOST

Ensure SSH root login is disabled

cnspec> sshd.config.params["PermitRootLogin"] == "no"
[ok] value: "no"

Ensure SSH password authentication is disabled

cnspec> sshd.config.params["PasswordAuthentication"] == "no"
[ok] value: "no"

Ensure no user has an empty password

cnspec> users.where( name != "nobody" ).all( password.empty == false )
[ok] value: true

Ensure the SSH service is running

cnspec> service("sshd").running
[ok] value: true

List all listening ports and their processes

cnspec> ports.listening { port protocol address process.executable }

Ensure strong SSH ciphers are configured

cnspec> sshd.config.ciphers.none( _ == "arcfour" || _ == "arcfour128" || _ == "arcfour256" )
[ok] value: true

Learn more

FreeBSD

Scan FreeBSD systems against security and compliance best practices with cnspec.

Atlassian

Query Atlassian Cloud Jira, Confluence, Admin, and SCIM with cnspec.

On this page

PrerequisitesConnect over SSHApply a custom policyExample checksEnsure SSH root login is disabledEnsure SSH password authentication is disabledEnsure no user has an empty passwordEnsure the SSH service is runningList all listening ports and their processesEnsure strong SSH ciphers are configuredLearn more