Victoria Jeffrey | January 23, 2023 | 2 min read

Detect Host Misconfigurations with Open-Source, Agentless cnspec


Assessing and remediating host misconfigurations is critical to maintaining a secure infrastructure. But with so many options available, it can be difficult to know where to start. That's where Mondoo's open-source solution, cnspec, comes in.

Get started with cnspec today.

With cnspec, you can use the checks included in the CIS Benchmark for your host to get your initial assessment, and then customize the checks to suit your specific infrastructure needs. And because it's open-source, you can add resources to cover your business needs without waiting for others to prioritize them. This level of customization and control is one of the key benefits of using an open-source solution.

But cnspec isn't just customizable - it's also highly effective. It includes more than 4,000 checks for Windows, Mac, and Linux hosts, cloud environment configurations, GitHub orgs, Terraform, containers, kube clusters, DNS configuration, and more. And with new resources being added all the time, you can be sure that cnspec will always be up-to-date.

One of the best parts of cnspec is that it's agentless: there's no long-running process to forget about and no special approval needed to install one. Just download the package or binary and assess as needed.

Take, for example, the CIS recommendations for key exchange algorithms. According to their rules, the following algorithms are acceptable:

"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "curve25519-sha256", "curve25519-sha256@libssh.org"

With cnspec, testing your hosts for compliance with this rule is as simple as this one line:

sshd.config.kexs.containsOnly(["ecdh-sha2-nistp256", "ecdh-sha2-nistp384"])
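
To show what an "only approved algorithms" check over the KexAlgorithms setting has to decide, here is an added Python example (not code from the original post and not cnspec's implementation) that applies the approved list above to sshd_config text. The function names and sample configs are constructed for illustration, and it assumes a single config file with no Include directives.

```python
# Added example: approximates an "only approved KEX algorithms" check on
# sshd_config text. Illustrative only; this is not how cnspec is implemented.

# Acceptable key exchange algorithms, copied from the list in the article.
APPROVED_KEX = {
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
    "curve25519-sha256", "curve25519-sha256@libssh.org",
}

def configured_kex(config_text):
    """Return the KexAlgorithms list from sshd_config text, or None if unset."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            # sshd keeps the first value it reads for a keyword.
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return None

def kex_violations(config_text, approved=APPROVED_KEX):
    """Return configured algorithms that are not in the approved set.

    Raises ValueError when the file alone cannot answer the question.
    """
    kexs = configured_kex(config_text)
    if kexs is None:
        raise ValueError("KexAlgorithms not set; sshd built-in defaults apply")
    if kexs and kexs[0][0] in "+-^":
        raise ValueError("list modifies the built-in defaults; cannot evaluate")
    return [a for a in kexs if a not in approved]

# Constructed sample configs (not taken from a real host).
GOOD = "Port 22\nKexAlgorithms curve25519-sha256,ecdh-sha2-nistp256\n"
BAD = "# hardened?\nkexalgorithms=curve25519-sha256,diffie-hellman-group1-sha1\n"

if __name__ == "__main__":
    print("GOOD violations:", kex_violations(GOOD))
    print("BAD violations:", kex_violations(BAD))
```

The two ValueError cases matter in practice: a missing directive or a `+`/`-`/`^` prefixed list means the effective algorithms depend on the OpenSSH build's defaults, so the file alone cannot prove compliance.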

You can install the tool by running:

bash -c "$(curl -sSL https://install.mondoo.com/sh/cnspec)"

Scan with the default checks Mondoo has provided:

cnspec scan local

or

cnspec scan ssh user@host

Run a single check:

cnspec run local -c "check-here"

Check the vulnerabilities for your host:

cnspec vuln local

Use the shell to explore more:

cnspec shell local

And if you need to run these checks at scale, across everything, you can sign up for a free (forever) account on our SaaS to get the visualizations you need to make your life easy.

It's important to remember that assessing and remediating host misconfigurations is key to reducing risk in your infrastructure. With cnspec, you can easily and effectively do just that.



Victoria Jeffrey

Victoria Jeffrey (also known as vj) is an Engineering Manager/Software Engineer living near Denver, Colorado. She's been doing this coding and DevOps and security thing for over seven years now, and still loves every minute of it. Vj spends her free time hanging with her family, binging too much tv, and fulfilling her suburban mom obligations by going to pilates and trying to maintain a small herb garden.
