Assess macOS Security with cnspec
Rely on cnspec to ensure your macOS systems follow security best practices, such as verifying FileVault encryption, enforcing firewall settings, securing remote login and screen sharing, checking Gatekeeper status, managing software update policies, and auditing user account configurations.
Before you begin
- cnspec installed on your workstation
- Access to the target system (local or SSH)
Scan a macOS asset
Scan the local machine
To scan the machine cnspec is running on:
cnspec scan
Scan a remote machine over SSH
To scan a remote macOS machine using SSH:
cnspec scan ssh user@IP_ADDRESS
To use an SSH key for authentication:
cnspec scan ssh user@IP_ADDRESS -i /path/to/identity_key
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure FileVault encryption is enabled
✕ Fail: Ensure the firewall is enabled
✓ Pass: Ensure remote login (SSH) is disabled
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
cnspec automatically detects the platform and applies Mondoo's out-of-the-box macOS Security policy, which covers FileVault, Gatekeeper, firewall, software updates, screen sharing, user accounts, and more. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
Example checks
Run cnspec shell (or cnspec shell ssh user@IP_ADDRESS for remote systems) to open the cnspec interactive shell. From there you can make checks like the examples below.
Ensure FileVault encryption is enabled
cnspec> command('fdesetup status').stdout.contains("FileVault is On")
[ok] value: true
Ensure the firewall is enabled
cnspec> command('/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate').stdout.contains("enabled")
[ok] value: true
Ensure remote login (SSH) is disabled
cnspec> command('systemsetup -getremotelogin').stdout.contains("Remote Login: Off")
[ok] value: true
Ensure no user has an empty password
cnspec> users.where( name != "nobody" ).all( password.empty == false )
[ok] value: true
Ensure automatic software updates are enabled
cnspec> command('defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled').stdout.trim == "1"
[ok] value: true
List all listening ports and their processes
cnspec> ports.listening { port protocol address process.executable }
These are just a few examples. The macOS Security policy includes dozens more checks covering Gatekeeper, software updates, screen sharing, user accounts, and more.
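The checks above can also be packaged as a custom policy bundle and passed to a scan with --policy-bundle. The bundle below is an added example, not Mondoo's own macOS Security policy; every uid, the policy name, and the file name are assumptions chosen for illustration.

```yaml
# Added example: custom policy bundle built from the checks on this page.
# Assumptions (not from Mondoo): every uid, the policy name, and the
# file name macos-baseline.mql.yaml.
policies:
  - uid: example-macos-baseline
    name: Example macOS Baseline
    version: 1.0.0
    groups:
      - title: Core hardening checks
        # Apply this group only to macOS assets
        filters: asset.platform == "macos"
        checks:
          - uid: example-macos-filevault-enabled
          - uid: example-macos-firewall-enabled
          - uid: example-macos-remote-login-off
          - uid: example-macos-no-empty-passwords
          - uid: example-macos-auto-update-check
# Each query holds the MQL assertion exactly as shown in the shell examples
queries:
  - uid: example-macos-filevault-enabled
    title: Ensure FileVault encryption is enabled
    mql: |
      command('fdesetup status').stdout.contains("FileVault is On")
  - uid: example-macos-firewall-enabled
    title: Ensure the firewall is enabled
    mql: |
      command('/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate').stdout.contains("enabled")
  - uid: example-macos-remote-login-off
    title: Ensure remote login (SSH) is disabled
    mql: |
      command('systemsetup -getremotelogin').stdout.contains("Remote Login: Off")
  - uid: example-macos-no-empty-passwords
    title: Ensure no user has an empty password
    mql: |
      users.where( name != "nobody" ).all( password.empty == false )
  - uid: example-macos-auto-update-check
    title: Ensure automatic software updates are enabled
    mql: |
      command('defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled').stdout.trim == "1"
```

Save the bundle as macos-baseline.mql.yaml and pass that path to cnspec scan with --policy-bundle.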
Continuously scan your fleet
To move beyond one-off scans, register cnspec with Mondoo Platform. You get continuous monitoring across your macOS fleet, a dashboard to track security posture over time, and integration with ticketing systems to manage remediation.
Learn more
- To learn how to run ad hoc checks interactively, read Create Checks in cnspec Shell.
- For a list of all the OS resources and fields you can query, read the Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.
- To learn more about how MQL works, read Write Effective MQL.