Assess Tailscale Security with cnspec

Secure and enforce policy for your Tailscale tailnet

Rely on cnspec to ensure your Tailscale tailnet follows security best practices, such as verifying device compliance, checking access control policies, and auditing user configurations.

Before you begin

Before you start, install cnspec.

Give cnspec access to your Tailscale tailnet

cnspec connects to Tailscale using an API access token. To create one:

  1. Log in to the Tailscale admin console.
  2. Navigate to Settings > Keys.
  3. Generate a new API access token.
  4. Copy the token value.

To test access, open a cnspec shell:

cnspec shell tailscale --token YOUR_TOKEN

You can also set the TAILSCALE_TOKEN environment variable to omit the --token flag:

export TAILSCALE_TOKEN=YOUR_TOKEN
cnspec shell tailscale

Scan your Tailscale tailnet

To scan your Tailscale tailnet:

cnspec scan tailscale --token YOUR_TOKEN

Connection options

Option     Description
--token    Tailscale API access token

Example checks

Run cnspec shell tailscale --token YOUR_TOKEN to open the cnspec interactive shell. From there you can make checks like the examples below.

Ensure all devices are authorized

cnspec> tailscale.devices.all(authorized == true)
[ok] value: true

Ensure key expiry is enabled on all devices

cnspec> tailscale.devices.all(keyExpiryDisabled == false)
[ok] value: true

Ensure all devices are running the latest client

cnspec> tailscale.devices.all(updateAvailable == false)
[ok] value: true

Ensure no devices have tailnet lock errors

cnspec> tailscale.devices.all(tailnetLockError == "")
[ok] value: true

Ensure no users are idle

cnspec> tailscale.users.none(status == "idle")
[ok] value: true

List devices with their details

cnspec> tailscale.devices { name os addresses lastSeenAt }
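
The checks above can also run unattended, for example from a scheduled job. This is an added example, not code from the cnspec project: the function names are hypothetical, and it assumes that `cnspec run tailscale -c` prints the same `[ok] value: true` line as the interactive shell and that TAILSCALE_TOKEN is exported, so the token is not passed as a command-line argument.

```shell
#!/bin/sh
# Added example: run this page's checks non-interactively and report failures.
# Assumptions: `cnspec run tailscale -c "<MQL>"` prints "[ok] value: true" for a
# passing check (as the shell does above) and TAILSCALE_TOKEN is exported.

# Checks taken from this page, one per line as "title|MQL".
tailnet_checks() {
  cat <<'EOF'
All devices are authorized|tailscale.devices.all(authorized == true)
Key expiry is enabled on all devices|tailscale.devices.all(keyExpiryDisabled == false)
All devices run the latest client|tailscale.devices.all(updateAvailable == false)
No devices have tailnet lock errors|tailscale.devices.all(tailnetLockError == "")
No users are idle|tailscale.users.none(status == "idle")
EOF
}

# Runs every check and prints PASS/FAIL per check.
# Returns 0 if all pass, 1 if any fail, 2 if no token is configured.
# AUDIT_FAILURES holds the number of failed checks afterwards.
audit_tailnet() {
  AUDIT_FAILURES=0
  if [ -z "${TAILSCALE_TOKEN:-}" ]; then
    echo "TAILSCALE_TOKEN is not set" >&2
    return 2
  fi
  while IFS='|' read -r title query; do
    # </dev/null keeps cnspec from consuming the check list on stdin.
    output=$(cnspec run tailscale -c "$query" </dev/null 2>&1) || true
    case "$output" in
      *"[ok] value: true"*) echo "PASS  $title" ;;
      *) # Anything else (failed assertion, API or auth error) counts as a failure.
         echo "FAIL  $title"
         AUDIT_FAILURES=$((AUDIT_FAILURES + 1)) ;;
    esac
  done <<EOF
$(tailnet_checks)
EOF
  [ "$AUDIT_FAILURES" -eq 0 ]
}
```

Call `audit_tailnet` after sourcing the file; a non-zero return can fail a CI step or trigger an alert.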
