cloud-init and Mondoo

This page covers how to use cloud-init to install cnspec on hosts to run policies as code.

Note: If you deploy cnspec to machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.

Install cnspec using cloud-init

Most cloud environments support the configuration of an operating system during launch. cloud-init is the standard multi-distribution method for cross-platform cloud instance initialization. For Linux systems, cloud-init supports bash scripts.

Use Mondoo's Bash installer script for cloud-init. To deploy agents with cloud-init, you need a Mondoo registration token.

  1. In the Mondoo console, navigate to the space in which you want to add hosts.

  2. Create a new API token.

  3. Copy the new token and paste it in this command in place of your-api-token:

Install cnspec using cloud-init
#!/bin/bash
# cloud-init only runs this as a script when the shebang is on the first line
export MONDOO_REGISTRATION_TOKEN='your-api-token'
curl -sSL https://install.mondoo.com/sh | bash -s -- -u enable -s enable -t "$MONDOO_REGISTRATION_TOKEN"

cnspec performs the first scan about 30 seconds after the machine boots.

Example

This example installs cnspec on an AWS EC2 instance:

  1. Save the code snippet above to mondoo-cloudinit.sh with a Mondoo registration token:

    Example cnspec install on an AWS EC2 instance
    # Quote the heredoc delimiter so $MONDOO_REGISTRATION_TOKEN is written literally
    # and expanded on the instance at boot, not by your local shell while writing the file
    cat > mondoo-cloudinit.sh << 'EOF'
    #!/bin/bash
    export MONDOO_REGISTRATION_TOKEN='sample-token-CI6Ii8vYWdlbnRzABEL775kb28uYXBwL3NwYWNlcy9mcmllbmRseS1jb3JpLTY1NjU5Ni9zZXJ2aWNlYWNjb3VudHMvMnNqM21aSVhvczloZGxHQ0J2aE1kVVJ3N1g5IiwidHlwIjoiSldUIn0.eyJpYXQiOjE3Mzg5HANNAsImlzcyI6Im1vbmRvby9hbDEWEYuYmYiOjE3Mzg5NTUzMTUsInN1YiI6Ii8vYWdlbnRzLmFwaS5tb25kb28uYXBwL3NwYWNlcy9mcmllbmRseS1jb3JpLTY1NjU5Ni9zZXJ2aWNlYWNjb3VudHMvMnNqM21aSVhvczloZGxHQ0J2aE1kVVJ3N1g5In0.Xz_N4lRFQtu5RqoLRep7V_JGhZrOm_1s7_hrrnaKyqYT0bYyUhJXzno0_r8nJj_Z6w-GGZgC6DZutK2GkC-6pic3f2oU3YKPBxH5atBH7AEaQpcmCOSMOL42ErGzt4D'
    curl -sSL https://install.mondoo.com/sh | bash -s -- -u enable -s enable -t "$MONDOO_REGISTRATION_TOKEN"
    EOF
  2. Launch a new instance, substituting your region, image ID, security group IDs, and key name:

    Example of new instance launch
    aws ec2 run-instances \
      --region us-east-1 \
      --image-id ami-0ad82abel06c911e \
      --security-group-ids sg-904444f8 \
      --count 1 \
      --instance-type t2.micro \
      --key-name stella \
      --user-data file://mondoo-cloudinit.sh
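The two steps above, as an added helper script that is not part of the Mondoo docs: it writes mondoo-cloudinit.sh from a token held in a shell variable on the operator's machine and checks the file before it is handed to `--user-data`. The function names `validate_token`, `write_userdata` and `check_userdata` are chosen here.

```bash
#!/bin/bash
# Added example, not part of the Mondoo docs: build mondoo-cloudinit.sh from a
# token held in a shell variable on the operator's machine and sanity-check the
# file before it goes to --user-data. Function names are chosen here.
set -eu

# Registration tokens are JWT-like (base64url characters and dots). Reject
# anything else so the value cannot break out of the single quotes below.
validate_token() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# write_userdata TOKEN OUTFILE
# The token value is substituted with printf. The installer line comes from a
# heredoc with a quoted delimiter ('EOF'), so $MONDOO_REGISTRATION_TOKEN is
# copied literally and expanded on the instance at boot. With an unquoted EOF
# the operator's shell would expand it while writing the file, usually to "".
write_userdata() {
  validate_token "$1" || { echo "invalid token" >&2; return 1; }
  (
    umask 077   # the file carries a credential: create it owner-only (0600)
    {
      printf '#!/bin/bash\n'
      printf "export MONDOO_REGISTRATION_TOKEN='%s'\n" "$1"
      cat <<'EOF'
curl -sSL https://install.mondoo.com/sh | bash -s -- -u enable -s enable -t "$MONDOO_REGISTRATION_TOKEN"
EOF
    } > "$2"
  )
}

# check_userdata FILE: confirm what cloud-init and the installer will see.
check_userdata() {
  f="$1"
  [ "$(head -n 1 "$f")" = '#!/bin/bash' ] || return 1       # cloud-init needs #! on line 1
  ! grep -q 'your-api-token' "$f" || return 1               # placeholder never replaced
  ! grep -q "^export MONDOO_REGISTRATION_TOKEN=''" "$f" || return 1  # empty token
  grep -qF -- '-t "$MONDOO_REGISTRATION_TOKEN"' "$f" || return 1     # reference survived
  [ -n "$(find "$f" -perm 600)" ] || return 1               # not group/world-readable
}
```

Run `write_userdata "$MONDOO_REGISTRATION_TOKEN" mondoo-cloudinit.sh && check_userdata mondoo-cloudinit.sh` before the `aws ec2 run-instances` call; a non-zero exit means the file would not register the instance.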

You can see the results of the vulnerability scan in the Mondoo Console when the installation and scan are complete.

Once the machine is up and running, it reports vulnerabilities to Mondoo automatically.

To learn more about the AWS CLI, read Launch, List, and Terminate Amazon EC2 Instances and Running Commands on Your Linux Instance at Launch.

If you need to troubleshoot, review the log file /var/log/cloud-init-output.log to see the cloud-init run output.