About Policies
Learn how cnspec uses policy as code to define, document, and enforce security requirements
A policy defines what cnspec checks when it scans an asset. Each policy contains a set of checks, where each check verifies a specific security or configuration requirement. For example, one check might verify that SSH root login is disabled, while another ensures password expiration is configured.
Together, the checks in a policy form a security baseline that cnspec evaluates your systems against. In Mondoo, policies are expressed as highly readable code so that they both document your security requirements and automatically enforce them.
Policy as code
Traditional security policies and compliance frameworks are documents that describe guidelines but can't verify that your systems follow them. Manually demonstrating compliance is time-intensive and error-prone.
Policy as code solves this by expressing security requirements as executable code. The code serves two purposes: it documents the security guidelines and it tests your systems to ensure they follow those guidelines.
Policies and policy bundles
Each cnspec policy is a collection of checks that test specific configuration settings. For example, the Mondoo Linux Security - Users and Groups policy includes checks that:
- Verify no extra users belong to the root group
- Verify no duplicate user names exist
- Verify all system accounts are non-login
A policy bundle is a YAML file that contains one or more related policies. For example, the Mondoo Linux Security policy bundle contains a Configure SSH Server policy, a Logging policy, and other policies that together define secure Linux practices.
The cnspec GitHub repo ships over 40 ready-to-use policy bundles. Mondoo Platform offers many more.
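A minimal policy bundle, added here as an example (it is not one of the bundles shipped in the cnspec repo or on Mondoo Platform). It holds one policy with two checks, matching the SSH root login and password expiration requirements mentioned above; the policy and query uids, names, impact values and the MQL expressions are assumptions.

```yaml
# Constructed example bundle (not a cnspec-shipped policy): one policy
# with two checks. Save it as luna.mql.yaml and run it with
#   cnspec scan local -f luna.mql.yaml
policies:
  - uid: example-linux-baseline      # assumed uid
    name: Example Linux Baseline
    version: 1.0.0
    groups:
      - title: Access control
        # Evaluate this group only on Linux assets
        filters: asset.family.contains("linux")
        checks:
          - uid: sshd-permit-root-login
          - uid: password-max-days

# Checks are defined once here and referenced by uid above, so the same
# query can be reused by several policies in the bundle.
queries:
  - uid: sshd-permit-root-login
    title: Ensure SSH root login is disabled
    impact: 80
    # Passes only when PermitRootLogin is explicitly set to "no"
    mql: sshd.config.params["PermitRootLogin"] == "no"
  - uid: password-max-days
    title: Ensure password expiration is configured
    impact: 60
    # PASS_MAX_DAYS in /etc/login.defs must be a value from 1 to 365;
    # an unset key or the 99999 default (never expire) fails the check
    mql: logindefs.params["PASS_MAX_DAYS"] == /^([1-9][0-9]?|[1-2][0-9]{2}|3[0-5][0-9]|36[0-5])$/
```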
How cnspec uses policies
When cnspec scans a target, it refers to policies to learn what checks to make. By default, cnspec detects the platform and selects the applicable policies automatically:
```shell
cnspec scan local
```
For example, if the local system is Windows, cnspec runs every check in every policy bundle that applies to Windows.
To run a specific bundle instead, pass it with --policy-bundle (or its short alias, -f):
```shell
cnspec scan local -f luna.mql.yaml
```
cnspec then uses only the checks defined in luna.mql.yaml and skips the platform defaults.
You can also pass a bundle URL, which is the easiest way to run policies straight from GitHub:
```shell
cnspec scan local -f https://example.com/linux.mql.yaml
```
Learn more
- To run a saved bundle of queries (rather than checks) against an asset, read Run a Query Pack.
- To learn how to modify existing policies or write your own, read the Policy Authoring Guide.
- To learn how to apply policies across your infrastructure and store your own, read Manage Policies.
- To browse open source policies from Mondoo and the community, read Community Policies.