Mondoo Blog

Detect Host Misconfigurations with Open-Source, Agentless cnspec

Written by Victoria Jeffrey | January 23, 2023

Assessing and remediating host misconfigurations is critical to maintaining a secure infrastructure. But with so many options available, it can be difficult to know where to start. That's where Mondoo's open-source solution, cnspec, comes in.

With cnspec, you can use the checks included in the CIS Benchmark for your host to get your initial assessment, and then customize the checks to suit your specific infrastructure needs. And because it's open-source, you can add resources to cover your business needs without waiting for others to prioritize them. This level of customization and control is one of the key benefits of using an open-source solution.

But cnspec isn't just customizable - it's also highly effective. It includes more than 4,000 checks for Windows, macOS, and Linux hosts, cloud environment configurations, GitHub orgs, Terraform, containers, Kubernetes clusters, DNS configuration, and more. And with new resources being added all the time, you can be sure that cnspec will always be up-to-date.

One of the best parts of cnspec is that it's agentless, which means there's no need to worry about a long-running process you forget about or special approval to install. Just download the package or binary and assess as needed.

Take, for example, the CIS recommendation for SSH key exchange algorithms. According to the benchmark, only the following algorithms are acceptable:

"ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521","diffie-hellman-group-exchange-sha256","diffie-hellman-group16-sha512","diffie-hellman-group18-sha512","diffie-hellman-group14-sha256","curve25519-sha256","curve25519-sha256@libssh.org"

With cnspec, testing your hosts for compliance with this rule is as simple as this one line:

sshd.config.kexs.containsOnly(["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "curve25519-sha256", "curve25519-sha256@libssh.org"])
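As an added illustration (not part of the original post, and not cnspec or Mondoo code), here is the same CIS key-exchange check written in plain Python over a constructed sshd_config. It makes the containsOnly semantics visible and handles two cases a one-liner can hide: a config with no KexAlgorithms directive at all (sshd then uses its compiled-in default, which a config-file check cannot judge), and OpenSSH's +/-/^ modifier syntax, where the value is a change to the default set rather than an explicit list. The function names and the sample config texts are assumptions made for this example; the allowed list is the one quoted above.

```python
"""Constructed example: evaluate an sshd_config against the CIS-acceptable
key exchange algorithms quoted in the post. Not cnspec code."""

# The nine KEX algorithms the post lists as CIS-acceptable.
CIS_ACCEPTABLE_KEX = {
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
    "curve25519-sha256", "curve25519-sha256@libssh.org",
}


def parse_kex_algorithms(config_text):
    """Return (mode, algorithms) for the first effective KexAlgorithms line.

    sshd keeps the first occurrence of a keyword, matches keywords
    case-insensitively, accepts 'Keyword value' or 'Keyword=value', and
    treats blank lines and lines starting with '#' as comments.
    mode is 'explicit' (a full comma-separated list), 'modifier' (value
    starts with '+', '-' or '^', i.e. relative to sshd's default set) or
    'absent' (no directive; sshd uses its compiled-in default).
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "kexalgorithms":
            continue
        value = parts[1].strip()
        if value and value[0] in "+-^":
            return "modifier", [value]
        return "explicit", [a.strip() for a in value.split(",") if a.strip()]
    return "absent", []


def contains_only(found, allowed):
    """Mirror MQL's containsOnly: every listed algorithm must be allowed.
    An empty list passes vacuously, which is why assess_kex treats the
    'absent' case separately instead of calling this with []."""
    return all(a in allowed for a in found)


def assess_kex(config_text, allowed=CIS_ACCEPTABLE_KEX):
    """Return (status, offenders): 'pass', 'fail', or 'unknown' when the
    file gives no explicit list to judge (absent or modifier syntax)."""
    mode, found = parse_kex_algorithms(config_text)
    if mode != "explicit":
        return "unknown", []
    offenders = sorted(a for a in found if a not in allowed)
    status = "pass" if contains_only(found, allowed) else "fail"
    return status, offenders


# Constructed sample configs (hypothetical hosts, not real data).
COMPLIANT_CONFIG = """\
# constructed sample sshd_config
Port 22
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
# second occurrence is ignored by sshd: the first one wins
KexAlgorithms diffie-hellman-group1-sha1
"""

WEAK_CONFIG = """\
Port 22
kexalgorithms = diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ecdh-sha2-nistp256
"""

DEFAULTS_CONFIG = "Port 22\nPermitRootLogin no\n"

MODIFIER_CONFIG = "KexAlgorithms -diffie-hellman-group1-sha1\n"


if __name__ == "__main__":
    for name, cfg in [("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG),
                      ("defaults-only", DEFAULTS_CONFIG), ("modifier", MODIFIER_CONFIG)]:
        status, offenders = assess_kex(cfg)
        print(f"{name:14s} {status:8s} {offenders}")
```

The 'unknown' result is the part worth carrying into real checks: a host whose sshd_config never names KexAlgorithms is neither compliant nor non-compliant from the file alone, and the effective set has to be read from the running daemon (for example via `sshd -T`) before a pass or fail is recorded.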

You can install the tool by running:

bash -c "$(curl -sSL https://install.mondoo.com/sh/cnspec)"

Scan with the default checks Mondoo has provided:

cnspec scan local

or, against a remote host over SSH:

cnspec scan ssh user@host

Run a single check:

cnspec run local -c "check-here"

Check the vulnerabilities for your host:

cnspec vuln local

Use the shell to explore more:

cnspec shell local

And if you need to run these checks at scale, across everything, you can sign up for a free (forever) account on our SaaS to get the visualizations you need to make your life easy.

It's important to remember that assessing and remediating host misconfigurations is key to reducing risk in your infrastructure. With cnspec, you can easily and effectively do just that.