
Assess Tailscale Security with cnspec

Secure and enforce policy for your Tailscale tailnet

Rely on cnspec to ensure your Tailscale tailnet follows security best practices, such as verifying device compliance, checking access control policies, and auditing user configurations.

Prerequisites

To test your Tailscale tailnet with cnspec, you must have:

Give cnspec access to your Tailscale tailnet

cnspec connects to Tailscale using an API access token. To create one:

  1. Log in to the Tailscale admin console.
  2. Navigate to Settings > Keys.
  3. Generate a new API access token.
  4. Copy the token value.

To test access, open a cnspec shell:

cnspec shell tailscale --token YOUR_TOKEN

You can also set the TAILSCALE_API_KEY environment variable to omit the --token flag:

export TAILSCALE_API_KEY=YOUR_TOKEN
cnspec shell tailscale

Using OAuth client credentials

For OAuth authentication:

cnspec shell tailscale --client-id YOUR_CLIENT_ID --client-secret YOUR_CLIENT_SECRET

You can also set these environment variables:

  • TAILSCALE_OAUTH_CLIENT_ID
  • TAILSCALE_OAUTH_CLIENT_SECRET
  • TAILSCALE_TAILNET (optional, for specifying the tailnet)

Scan your Tailscale tailnet

To scan your Tailscale tailnet:

cnspec scan tailscale --token YOUR_TOKEN

Connection options

Option     Description
--token    Tailscale API access token

Explore your Tailscale tailnet

Run cnspec shell tailscale --token YOUR_TOKEN to open the cnspec interactive shell.

Retrieve the tailnet name

cnspec> tailscale.tailnet
tailscale.tailnet: "example.com"

List all devices

cnspec> tailscale.devices
tailscale.devices: [
  0: tailscale.device name="laptop-1"
  1: tailscale.device name="server-prod"
  ...
]

List all users

cnspec> tailscale.users
tailscale.users: [
  0: tailscale.user loginName="user@example.com"
  ...
]

Retrieve configured DNS nameservers

cnspec> tailscale.nameservers
tailscale.nameservers: [
  0: "100.100.100.100"
  ...
]

Example security checks

Ensure all devices are authorized

cnspec> tailscale.devices.all(authorized == true)
[ok] value: true

Ensure key expiry is enabled on all devices

cnspec> tailscale.devices.all(keyExpiryDisabled == false)
[ok] value: true

Ensure all devices are running the latest client

cnspec> tailscale.devices.all(updateAvailable == false)
[ok] value: true

Ensure no devices have tailnet lock errors

cnspec> tailscale.devices.all(tailnetLockError == "")
[ok] value: true

Ensure no users are idle

cnspec> tailscale.users.none(status == "idle")
[ok] value: true

List devices with their details

cnspec> tailscale.devices { name os addresses lastSeenAt }
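The shell checks above can be packaged into a policy bundle so a single cnspec scan enforces them and reports each as pass or fail. This bundle is an added example, not part of the original page or the cnspec project's own content; the policy and query uids, impact scores, and the asset.platform filter value are assumptions.

```yaml
# tailscale-baseline.mql.yaml (constructed example bundle)
policies:
  - uid: tailscale-baseline            # assumed uid
    name: Tailscale tailnet baseline
    version: 1.0.0
    groups:
      - title: Device hygiene
        # Assumed platform filter; adjust to what `asset.platform` reports in your shell.
        filters: asset.platform == "tailscale"
        checks:
          - uid: tailscale-devices-authorized
          - uid: tailscale-devices-key-expiry
          - uid: tailscale-devices-up-to-date
          - uid: tailscale-devices-no-lock-errors
      - title: User hygiene
        filters: asset.platform == "tailscale"
        checks:
          - uid: tailscale-users-not-idle

queries:
  - uid: tailscale-devices-authorized
    title: Ensure all devices are authorized
    impact: 80
    mql: tailscale.devices.all(authorized == true)
  - uid: tailscale-devices-key-expiry
    title: Ensure key expiry is enabled on all devices
    impact: 70
    mql: tailscale.devices.all(keyExpiryDisabled == false)
  - uid: tailscale-devices-up-to-date
    title: Ensure all devices are running the latest client
    impact: 50
    mql: tailscale.devices.all(updateAvailable == false)
  - uid: tailscale-devices-no-lock-errors
    title: Ensure no devices have tailnet lock errors
    impact: 60
    mql: tailscale.devices.all(tailnetLockError == "")
  - uid: tailscale-users-not-idle
    title: Ensure no users are idle
    impact: 30
    mql: tailscale.users.none(status == "idle")
```

Run it with `cnspec scan tailscale --token YOUR_TOKEN -f tailscale-baseline.mql.yaml`; each failing check lists the offending devices or users in the scan output.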
