Skip to main content

Running Mondoo as a service

This document covers how to run Mondoo Client as a service on hosts in your environment.

Configure Mondoo as a service​

When configured as a service, Mondoo Client will continuously assess hosts by running policies configured in Mondoo Platform. By default, every 60 minutes Mondoo Client service connects to your account in the platform, retrieves and validates the latest policies enabled for it, scans the host, and reports scan results back to the platform.

The following section covers how to run Mondoo as a service on Linux, macOS, and Windows hosts.

Mondoo Client installer places a systemd unit file at /etc/systemd/system/mondoo.service during the installation process. However, the installer does not configure or enable the service.


Before starting Mondoo as a service, you should have already registered the host with your Mondoo Platform account.

Enable and start Mondoo as a service​

1. Reload systemd daemon and load the mondoo.service unit file
sudo systemctl daemon-reload
2. Enable Mondoo Client to run during startup
sudo systemctl enable mondoo
3. Start Mondoo Client service
sudo systemctl start mondoo
4. Check the status of Mondoo Client
sudo systemctl status mondoo

Mondoo service logging​

Mondoo Client service writes log events to the system logs. The following command can be used to tail Mondoo Client service logs on Linux hosts:

Tail Mondoo Client service logs
sudo journalctl -u mondoo -f

The default log level is info but can be configured as defined in Mondoo Configuration options below

Mondoo serve​

In addition to leveraging the platform service management system, Mondoo Client binary comes with the mondoo serve command that can be used on any supported platform (Linux, Windows, macOS) to continuously run assessments of hosts.


Mondoo serve leverages the default configuration of the host if already registered.

Mondoo serve configuration options​

--timerScan interval in minutes (default 60)
-b, --bindBind the server to an address (e.g. unix://file.sock,
-p, --portThe port to listen on (default 8990)
--tokenBearer token used for http authentication

The --bind, --port and --token are only used when container registry integrations are activated. See Harbor Interrogation Services for detailed setup.

Example: Run a scan with Mondoo serve every 15 minutes​

mondoo serve -timer 15

Mondoo configuration options​

Mondoo Client configuration is stored on the host at the following location:

  • Linux - /etc/opt/mondoo/mondoo.yml
  • Windows - C:\ProgramData\Mondoo\mondoo.yml

Common Mondoo service configuration options: -->

agent_mrnAgent Mondoo Resource Name, identifies the client
api_endpointThe url of Mondoo Platform, is the default configuration
certificateClient's public certificate
loglevelService log level: error, warn, info, debug, trace (default "info")
mrnService Account Mondoo Resource Name, identifies the service account
private_keyClient's private key used to sign requests send to Mondoo Platform
space_mrnSpace Mondoo Resource Name, identifies the space that the client belongs to
annotationsAnnotations that display in the Mondoo Console
# service account mrn
mrn: //
# agent mrn
agent_mrn: //
# space mrn
space_mrn: //
# api endpoint
# pem-encoded certificate
certificate: |
# pem-encoded private key
private_key: |
# log level: error, warn, info, debug, trace
loglevel: info
# tags
- key1: value1
- key2: value2

Mondoo inventory​

Mondoo inventory configuration define a list of targets that Mondoo Client should scan. The following example contains a ssh-based scan with annotations.

apiVersion: v1
kind: Inventory
name: mondoo-ssh-inventory
environment: production
# linux with password authentication
- id: linux-ssh-with-password
- host:
backend: ssh
- type: password
user: mondoo
password: mondoo
key: value