cloud-init and Mondoo
This page covers how to use cloud-init to install cnspec on hosts to run policies as code.
If you deploy cnspec to machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.
Install cnspec using cloud-init
Most cloud environments support the configuration of an operating system during launch. cloud-init is the standard multi-distribution method for cross-platform cloud instance initialization. For Linux systems, cloud-init supports bash scripts.
Use Mondoo's Bash installer script for cloud-init. To deploy agents with cloud-init, you need a Mondoo registration token.
- In the Mondoo console, navigate to the space in which you want to add hosts.
- Copy the new token and paste it in this command in place of `your-api-token`:

  ```bash
  #!/bin/bash
  export MONDOO_REGISTRATION_TOKEN='your-api-token'
  curl -sSL https://install.mondoo.com/sh | bash -s -- -u enable -s enable -t $MONDOO_REGISTRATION_TOKEN
  ```
cnspec performs the first scan about 30 seconds after the machine boots.
Example
This example installs cnspec on an AWS EC2 instance:
- Save the code snippet above to `mondoo-cloudinit.sh` with a Mondoo registration token. Quote the heredoc delimiter (`'EOF'`) so that your shell writes `$MONDOO_REGISTRATION_TOKEN` into the file literally instead of expanding it (to an empty value) while the file is being created:

  Example cnspec install on an AWS EC2 instance:

  ```bash
  cat > mondoo-cloudinit.sh << 'EOF'
  #!/bin/bash
  export MONDOO_REGISTRATION_TOKEN='sample-token-CI6Ii8vYWdlbnRzABEL775kb28uYXBwL3NwYWNlcy9mcmllbmRseS1jb3JpLTY1NjU5Ni9zZXJ2aWNlYWNjb3VudHMvMnNqM21aSVhvczloZGxHQ0J2aE1kVVJ3N1g5IiwidHlwIjoiSldUIn0.eyJpYXQiOjE3Mzg5HANNAsImlzcyI6Im1vbmRvby9hbDEWEYuYmYiOjE3Mzg5NTUzMTUsInN1YiI6Ii8vYWdlbnRzLmFwaS5tb25kb28uYXBwL3NwYWNlcy9mcmllbmRseS1jb3JpLTY1NjU5Ni9zZXJ2aWNlYWNjb3VudHMvMnNqM21aSVhvczloZGxHQ0J2aE1kVVJ3N1g5In0.Xz_N4lRFQtu5RqoLRep7V_JGhZrOm_1s7_hrrnaKyqYT0bYyUhJXzno0_r8nJj_Z6w-GGZgC6DZutK2GkC-6pic3f2oU3YKPBxH5atBH7AEaQpcmCOSMOL42ErGzt4D'
  curl -sSL https://install.mondoo.com/sh | bash -s -- -u enable -s enable -t $MONDOO_REGISTRATION_TOKEN
  EOF
  ```

- Launch a new instance, substituting your region, image ID, security group IDs, and key name:

  Example of new instance launch:

  ```bash
  aws ec2 run-instances --region us-east-1 --image-id ami-0ad82abel06c911e --security-group-ids sg-904444f8 --count 1 --instance-type t2.micro --key-name stella --user-data file://mondoo-cloudinit.sh
  ```
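As an added pre-flight check, not part of the Mondoo docs or installer, the bash function below validates a user-data file before you pass it to `--user-data`. It assumes the file was written with the `cat`/heredoc snippet above and flags the common mistakes: a missing shebang (cloud-init only runs user-data as a script when it starts with `#!`), a file over the 16 KB EC2 user-data limit, an unreplaced `your-api-token` placeholder, and an installer line ending in a bare `-t` (what you get when an unquoted `EOF` delimiter expanded the token variable while writing the file).

```shell
#!/bin/bash
# Pre-flight validation of a cloud-init user-data script for cnspec.
# Added example; the checks are the editor's own, not Mondoo's.
# Returns 0 when the file looks launchable, 1 otherwise.
validate_cloudinit_script() {
    local f="$1" errors=0
    if [ ! -r "$f" ]; then
        echo "missing or unreadable file: $f"
        return 1
    fi
    # cloud-init treats user-data as a script only when it begins with "#!"
    if [ "$(head -c 2 "$f")" != '#!' ]; then
        echo "first line must be a shebang so cloud-init runs the file as a script"
        errors=1
    fi
    # EC2 limits raw user-data to 16 KB (before base64 encoding)
    if [ "$(wc -c < "$f")" -gt 16384 ]; then
        echo "user-data exceeds the 16 KB EC2 limit"
        errors=1
    fi
    # the placeholder from the docs must have been replaced with a real token
    if grep -q 'your-api-token' "$f"; then
        echo "registration token placeholder was not replaced"
        errors=1
    fi
    # the script must export the token the installer reads
    if ! grep -q 'MONDOO_REGISTRATION_TOKEN=' "$f"; then
        echo "no MONDOO_REGISTRATION_TOKEN export found"
        errors=1
    fi
    # an unquoted heredoc delimiter expands $MONDOO_REGISTRATION_TOKEN while
    # the file is written, leaving the installer line ending in a bare "-t"
    if grep -Eq -- '-t[[:space:]]*$' "$f"; then
        echo "installer line ends with -t but no token (heredoc expanded the variable?)"
        errors=1
    fi
    return "$errors"
}
```

Run it as `validate_cloudinit_script mondoo-cloudinit.sh && aws ec2 run-instances ...` so a broken file never reaches the instance.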
You can see the results of the vulnerability scan in the Mondoo Console when the installation and scan are complete. Once the machine is up and running, it reports vulnerabilities to Mondoo automatically.
To learn more about the AWS CLI, read Launch, List, and Terminate Amazon EC2 Instances and Running Commands on Your Linux Instance at Launch.
If you need to troubleshoot, review the log file `/var/log/cloud-init-output.log` to see the cloud-init run output.