About Policies

Learn how cnspec uses policy as code to define, document, and enforce security requirements

A policy defines what cnspec checks when it scans a system. Each policy contains a set of checks, where each check verifies a specific security or configuration requirement. For example, one check might verify that SSH root login is disabled, while another ensures password expiration is configured.

Together, the checks in a policy form a security baseline that cnspec evaluates your systems against. In Mondoo, policies are expressed as highly readable code so that they both document your security requirements and automatically enforce them.

Policy as code

Traditional security policies and compliance frameworks are documents that describe guidelines but can't verify that your systems follow them. Manually demonstrating compliance is time-intensive and error-prone.

Policy as code solves this by expressing security requirements as executable code. The code serves two purposes: it documents the security guidelines and it tests your systems to ensure they follow those guidelines.

Policies and policy bundles

Each cnspec policy is a collection of checks that test for certain configuration settings. For example, the Mondoo Linux Security - Users and Groups policy includes these checks:

  • There are no users in the root group.
  • No duplicate user names exist.
  • All system accounts are non-login.

Policy bundles are YAML files that contain at least one policy. They group related policies. For example, the Mondoo Linux Security policy bundle contains a Configure SSH Server policy, a Logging policy, and other policies that define secure Linux practices.

Find policy bundles in the cnspec GitHub repo.

How cnspec uses policies

When cnspec scans a target, it refers to policies to learn what checks to make. By default, cnspec automatically detects the platform and selects the applicable policies:

cnspec scan local

If the local system is Windows, cnspec finds all policy bundles that apply to Windows and runs all the checks they contain.

You can also specify a custom policy bundle:

cnspec scan local --policy-bundle luna.mql.yaml

Instead of detecting the platform and selecting policies automatically, cnspec uses only the checks defined in luna.mql.yaml.
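To make the bundle concept concrete, here is what a small luna.mql.yaml could contain, covering the three users-and-groups checks listed earlier. This is an added illustration, not a bundle shipped by Mondoo; the uids, the author name and the MQL expressions are assumptions written to show the shape of a bundle, not copies of the Mondoo Linux Security policy.

```yaml
# Hypothetical policy bundle for: cnspec scan local --policy-bundle luna.mql.yaml
# (added example; not a Mondoo-maintained bundle)
policies:
  - uid: luna-linux-users-and-groups
    name: Luna Linux Security - Users and Groups
    version: 1.0.0
    authors:
      - name: Example Author   # placeholder
    groups:
      - title: User and group hygiene
        # Assumed asset filter: only evaluate these checks on Linux targets.
        filters: asset.family.contains("linux")
        checks:
          - uid: luna-no-users-in-root-group
          - uid: luna-no-duplicate-user-names
          - uid: luna-system-accounts-non-login

queries:
  - uid: luna-no-users-in-root-group
    title: There are no users in the root group
    impact: 80
    # Assumed MQL: the gid 0 group should have no members other than root itself.
    mql: groups.where(gid == 0).all(members.where(name != "root").length == 0)

  - uid: luna-no-duplicate-user-names
    title: No duplicate user names exist
    impact: 60
    # Assumed MQL: no two entries in the user database share a name.
    mql: users.duplicates(name).length == 0

  - uid: luna-system-accounts-non-login
    title: All system accounts are non-login
    impact: 70
    # Assumed MQL: system accounts (uid below 1000, root excluded) must use a
    # shell that refuses interactive login.
    mql: |
      users.where(uid < 1000 && name != "root").all(
        shell == "/usr/sbin/nologin" || shell == "/sbin/nologin" || shell == "/bin/false"
      )
```

Each check in a policy group references a query by uid, so the same query can be reused by several policies in one bundle.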

Learn more

  • To learn how to modify existing policies or write your own, read the Policy Authoring Guide.

  • To learn about applying policies across your infrastructure and storing your own policies, read Manage Policies.
