Write Custom Policies

Introduction

Learn how to write custom security policies to meet the special needs of your organization.

Policies are the specifications that cnspec uses when it scans an asset. cnspec compares an asset's configuration against the standards set in policies and calculates a score based on the comparison. Scores tell you how secure each asset is and let you track progress as you improve your security posture. To learn the concepts behind policies and policy bundles before you start authoring, read About Policies.

Start with hundreds of policies out of the box

You don't start from scratch. cnspec ships with dozens of free, open source Mondoo policy bundles (hundreds of checks in all) covering clouds, Kubernetes, operating systems, containers, SaaS platforms, and network devices. Mondoo Platform adds hundreds more policies, including certified CIS, NIST, and BSI benchmarks. Browse the open source set in Community Policies.

Then check anything you can imagine

The real power of cnspec is that you are not limited to those policies. Anything cnspec can see, you can check. A check is just an MQL expression over the same providers, resources, and fields that power every built-in policy. cnspec exposes more than 1,300 resources across dozens of providers, so you can evaluate practically any configuration, relationship, or piece of state in your infrastructure, from "no S3 bucket is public" to "every production host runs an approved kernel version." If you can query it, you can enforce it. The sky is the limit.

Write your own

This guide takes you from a one-check policy to advanced techniques, and shows you how to test every change locally before it affects anyone's score. You need cnspec installed and an asset to scan (your own machine works). Read the topics in order:

  1. Write Custom Policies
  2. Score Policies
  3. Preview Checks
  4. Reuse Queries and Checks
  5. Break up a Policy into Groups / Chapters
  6. Limit Target Assets with Filters
  7. Define Properties
  8. Make Policies Flexible with Variants
  9. Create Checks in cnspec Shell

The queries and checks that policies use to retrieve information from your infrastructure are written in MQL (Mondoo Query Language).

When your policy is ready, learn how to validate, upload, and manage it.
