Assess Linux Security with cnspec
Rely on cnspec to ensure your Linux systems follow security best practices, such as hardening kernel parameters, securing SSH configuration, enforcing file system permissions, configuring audit logging, managing user accounts and groups, and verifying that unnecessary services are disabled.
Before you begin
- cnspec installed on your workstation
- Access to the target system (local or SSH)
Scan a Linux asset
Scan the local machine
To scan the machine cnspec is running on:
cnspec scan
Scan a remote machine over SSH
To scan a remote Linux machine using SSH with password authentication:
cnspec scan ssh user@HOST
To use an SSH key for authentication:
cnspec scan ssh user@HOST -i /path/to/identity_key
To scan using a specific port:
cnspec scan ssh user@HOST -p 2222
Scan a Docker container
To scan a running Docker container:
cnspec scan docker CONTAINER_ID
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure SSH root login is disabled
✕ Fail: Ensure IP forwarding is disabled
✓ Pass: Ensure no user has an empty password
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
cnspec automatically detects the platform and applies Mondoo's out-of-the-box Linux Security policy, which covers kernel hardening, SSH configuration, file permissions, audit logging, user accounts, and more. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
Example checks
Run cnspec shell (or cnspec shell ssh user@HOST for remote systems) to open the cnspec interactive shell. From there you can make checks like the examples below.
Ensure SSH root login is disabled
cnspec> sshd.config.params["PermitRootLogin"] == "no"
[ok] value: "no"
Ensure IP forwarding is disabled
cnspec> kernel.parameters["net.ipv4.ip_forward"] == 0
[ok] value: 0
Ensure no user has an empty password
cnspec> users.where( name != "nobody" ).all( password.empty == false )
[ok] value: true
Ensure no world-writable files exist in /etc
cnspec> file("/etc").permissions.other_writeable == false
[ok] value: false
Ensure the audit daemon is running
cnspec> service("auditd").running
[ok] value: true
List all listening ports and their processes
cnspec> ports.listening { port protocol address process.executable }
These are just a few examples. The Linux Security policy includes dozens more checks covering kernel hardening, file permissions, audit logging, and more.
Continuously scan your fleet
To move beyond one-off scans, register cnspec with Mondoo Platform. You get continuous monitoring across your Linux fleet, a dashboard to track security posture over time, and integration with ticketing systems to manage remediation.
Learn more
- To learn how to run ad hoc checks interactively, read Create Checks in cnspec Shell.
- For a list of all the OS resources and fields you can query, read the Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.
- To learn more about how MQL works, read Write Effective MQL.