This document covers how to run Mondoo Client as a service on hosts in your environment.
Configure Mondoo as a service
When configured as a service, Mondoo Client will continuously assess hosts by running policies configured in Mondoo Platform. By default, every 60 minutes Mondoo Client service connects to your account in the platform, retrieves and validates the latest policies enabled for it, scans the host, and reports scan results back to the platform.
The following section covers how to run Mondoo as a service on Linux, macOS, and Windows hosts.
Mondoo Client installer places a systemd unit file at /etc/systemd/system/mondoo.service during the installation process. However, the installer does not configure or enable the service.
Before starting Mondoo as a service, you should have already registered the host with your Mondoo Platform account.
Enable and start Mondoo as a service
sudo systemctl daemon-reload
sudo systemctl enable mondoo
sudo systemctl start mondoo
sudo systemctl status mondoo
Mondoo service logging
Mondoo Client service writes log events to the system logs. The following command can be used to tail Mondoo Client service logs on Linux hosts:
sudo journalctl -u mondoo -f
The default log level is info but can be configured as defined in Mondoo configuration options below.
When installed on Windows, Mondoo Client registers with the Service Control Manager in Windows, but sets the default Startup Type to Manual and does not start the service.
Running as a service
Launch a PowerShell terminal as an administrator and run the following commands:
Before starting Mondoo Client as a service, you should have already registered the host with your Mondoo Platform account.
Set-Service -Name mondoo -StartupType Automatic
Set-Service -Name mondoo -Status Running
Get-Service mondoo | Select-Object -Property Name, StartType, Status
Mondoo Client service logging
Mondoo Client service writes logging events to the Windows Event Viewer Application logs. To view logs:
- Select the Start Menu and launch Event Viewer
- Expand Windows Logs
- Select Application to view application logs
- Use Find... to search for "Mondoo"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
You will need to replace "/path/to/mondoo" with the path to Mondoo Client on your host. You can validate this by opening a terminal and running which mondoo. Also, ensure you specify the correct path to Mondoo Client config ("/etc/opt/mondoo/mondoo.yml" in the example above), which can be validated by opening a terminal and running mondoo status. Additionally, you can adjust the scan frequency (60 minutes by default).
$ sudo launchctl load /Library/LaunchDaemons/com.mondoo.client.plist
To start, stop or check the status of the service, use the launchctl tool:
$ sudo launchctl start com.mondoo.client
$ sudo launchctl list | grep mondoo
- 1 com.mondoo.client
In addition to leveraging the platform service management system, Mondoo Client binary comes with the mondoo serve command that can be used on any supported platform (Linux, Windows, macOS) to continuously run assessments of hosts.
Mondoo serve leverages the default configuration of the host if already registered.
Mondoo serve configuration options
|Scan interval in minutes (default 60)|
|Bind the server to an address (e.g. |
|The port to listen on (default 8990)|
|Bearer token used for http authentication|
--token are only used when container registry integrations are activated. See Harbor Interrogation Services for detailed setup.
Example: Run a scan with Mondoo serve every 15 minutes
mondoo serve -timer 15
Mondoo configuration options
Mondoo Client configuration is stored on the host at the following location:
- Linux -
- Windows -
Common Mondoo service configuration options:
|Agent Mondoo Resource Name, identifies the client|
|The url of Mondoo Platform, |
|Client's public certificate|
|Service log level: error, warn, info, debug, trace (default "info")|
|Service Account Mondoo Resource Name, identifies the service account|
|Client's private key used to sign requests sent to Mondoo Platform|
|Space Mondoo Resource Name, identifies the space that the client belongs to|
|Annotations that display in the Mondoo Console |
# service account mrn
# agent mrn
# space mrn
# api endpoint
# pem-encoded certificate
# pem-encoded private key
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
# log level: error, warn, info, debug, trace
- key1: value1
- key2: value2
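Because the configuration file holds the client's private key, it is worth checking its ownership and mode before enabling the service. The script below is an added example, not part of the Mondoo documentation: the function names are hypothetical, the default path is the /etc/opt/mondoo/mondoo.yml mentioned on this page, and the expected owner (root) and owner-only mode are assumptions to adjust for your hosts.

```shell
# Added example: audit ownership and mode of a Mondoo Client config file.
# Assumptions: default path /etc/opt/mondoo/mondoo.yml, expected owner root.

# file_mode FILE -> octal permission bits (GNU stat, then BSD/macOS stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# file_owner FILE -> owning user name
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_mondoo_config [FILE] [OWNER]
# Returns 0 if FILE is owned by OWNER with no group/other access,
#         1 if the owner differs or the mode is too permissive,
#         2 if FILE does not exist.
check_mondoo_config() {
    cfg=${1:-/etc/opt/mondoo/mondoo.yml}
    want_owner=${2:-root}
    if [ ! -f "$cfg" ]; then
        echo "missing: $cfg" >&2
        return 2
    fi
    result=0
    owner=$(file_owner "$cfg")
    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner: $cfg" >&2
        result=1
    fi
    mode=$(file_mode "$cfg")
    # Pad so a mode such as "0" still has two trailing digits, then require
    # the group and other digits to be 0.
    case "00$mode" in
        *00) ;;
        *)  echo "mode $mode grants group/other access: $cfg" >&2
            if grep -q -e '-----BEGIN PRIVATE KEY-----' "$cfg" 2>/dev/null; then
                echo "file contains a PEM private key; use chmod 600" >&2
            fi
            result=1 ;;
    esac
    return "$result"
}

# Run the check when the script is called with arguments, for example:
#   sh check-mondoo-config.sh /etc/opt/mondoo/mondoo.yml root
if [ "$#" -gt 0 ]; then
    check_mondoo_config "$@"
fi
```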
Mondoo inventory configuration defines a list of targets that Mondoo Client should scan. The following example contains an SSH-based scan with annotations.
# linux with password authentication
- id: linux-ssh-with-password
- host: 192.168.5.89
- type: password