This project contains security and operational best-practice policies (as code) for use with cnspec.
We've organized them into these directories:
- core - Core policies contain baseline security and operational best-practice checks for various scan targets. Core policies are maintained by Mondoo and have strict quality requirements.
- extra - Extra policies are a mix of community- and Mondoo-maintained policy bundles that are outside Mondoo's core support tier.
- community - Community policies are primarily maintained by the community with the support of the Mondoo team. Community policies may move to extra or core over time.
The latest version of the policies in this repository requires cnspec v8+
cnspec scan {TARGET} -f core/{POLICY_NAME}.mql.yaml
Examples:
# Linux
cnspec scan local -f core/mondoo-linux-security.mql.yaml
# macOS
cnspec scan local -f core/mondoo-macos-security.mql.yaml
# Windows
cnspec scan local -f core/mondoo-windows-security.mql.yaml
With the Open Security Registry
cnspec scan {TARGET} --policy mondoohq/{POLICY_UID}
Examples:
# Linux
cnspec scan local --policy mondoohq/mondoo-linux-security
# macOS
cnspec scan local --policy mondoohq/mondoo-macos-security
# Windows
cnspec scan local --policy mondoohq/mondoo-windows-security
Join the Mondoo Community GitHub Discussions to collaborate on policy as code and security automation.
Additional certified security and compliance policies can be found in the Policy Hub on Mondoo Platform. Sign up for a free account to view the list of policies available.