mondoo.client
Mondoo Package Ansible Role
Overview
This role helps you install cnquery and cnspec on Linux and Windows servers.
Here's what it does:
- Installs the approved cnquery and cnspec programs
- Registers these programs with the Mondoo Platform
- Activates the cnspec service on both Linux and Windows
It works with the following systems:
- Amazon Linux
- Debian
- Red Hat Enterprise Linux and its variants (CentOS/AlmaLinux/Rocky Linux)
- SUSE and openSUSE
- Ubuntu
- Windows 10, 11, 2016, 2019, 2022
You can find this role on Ansible Galaxy: Mondoo/Client role.
Requirements
- Ansible version must be greater than 2.5
Role Variables
Name | Default Value | Description |
---|---|---|
registration_token_retrieval | manual | manual means you need to set registration_token yourself |
registration_token | n/a | Set the Mondoo Platform Registration Token manually for registering cnquery and cnspec |
force_registration | false | Forces re-registration every time the role runs |
Dependencies
This role does not require any other roles.
Example: Apply Ansible Playbook to Amazon EC2 Linux Instance
Here's how to use the Mondoo Package role to install cnquery and cnspec on multiple instances:
- Create a new hosts inventory. Add your host to the group.
[linux_hosts]
54.172.7.243 ansible_user=ec2-user
- Create a playbook.yml and change the registration_token:
---
- hosts: linux_hosts
  become: yes
  roles:
    - role: ansible-mondoo
      vars:
        registration_token: "changeme"
Additional variables you can use:
variable | description |
---|---|
force_registration: true | Set to true to re-register cnquery and cnspec |
ensure_managed_client: true | Ensures that the client is managed in Mondoo |
proxy_env['https_proxy'] | Set the proxy for cnspec client |
annotations | Add tags for the node |
update_linux_enabled | Enable Linux update task via cron job |
update_linux_cron_day | Set update interval in days (example: */3 for every 3 days) |
update_linux_cron_hour | Define the hour for the update task |
update_linux_cron_minute | Define the minute for the update task |
update_windows_enabled | Enable Windows update task via scheduled task |
update_windows_interval | Set update interval in days for Windows |
update_windows_time | Define the time for the Windows update task |
timer | Set the scan interval in minutes (default is 60) |
splay | Set delay for scan timing |
---
- hosts: linux_hosts
  become: yes
  roles:
    - role: ansible-mondoo
      vars:
        registration_token: "changeme"
        force_registration: true
        ensure_managed_client: true
        annotations: "[email protected],env=production"
For Proxy Setup
If you need to use cnspec behind a proxy:
---
- hosts: linux_hosts
  become: yes
  vars:
    proxy_env:
      http_proxy: "http://192.168.56.1:3128"
      https_proxy: "http://192.168.56.1:3128"
  roles:
    - role: ansible-mondoo
      vars:
        registration_token: "changeme"
        force_registration: true
        ensure_managed_client: true
      environment: "{{proxy_env}}"
For Windows Update Task
To enable updates on Windows:
---
- hosts: windows_hosts
  become: yes
  roles:
    - role: ansible-mondoo
      vars:
        registration_token: "changeme"
        force_registration: true
        ensure_managed_client: true
        update_windows_enabled: true
        update_windows_interval: "1"
        update_windows_time: "15:04"
For Linux Update Task
To enable updates on Linux:
---
- hosts: linux_hosts
  become: yes
  roles:
    - role: ansible-mondoo
      vars:
        registration_token: "changeme"
        force_registration: true
        ensure_managed_client: true
        update_linux_enabled: true
        update_linux_cron_day: "*"
        update_linux_cron_hour: "11"
        update_linux_cron_minute: "40"
Running the Playbook
- Download the mondoo role from GitHub or Ansible Galaxy:
# from GitHub
ansible-galaxy role install git+https://github.com/mondoohq/ansible-mondoo.git
# or from Ansible Galaxy
ansible-galaxy install mondoo.client
- Apply the playbook:
ansible-playbook -i hosts playbook.yml
- Check the results on the Mondoo Console.
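The Linux playbook above with the registration token loaded from an Ansible Vault-encrypted variables file instead of written inline, and a pre-task that stops the run if the token is missing or still the placeholder. This is an added example, not part of the role's own documentation; the file name vault/mondoo.yml and the variable name vault_mondoo_registration_token are assumptions.

```yaml
---
# playbook.yml (added example; file and variable names are assumptions)
#
# Create the encrypted variables file once:
#   ansible-vault create vault/mondoo.yml
# and put a single variable in it:
#   vault_mondoo_registration_token: "<token from the Mondoo Console>"
#
# Run with the vault password prompted for, not stored on disk:
#   ansible-playbook -i hosts playbook.yml --ask-vault-pass
- hosts: linux_hosts
  become: yes
  vars_files:
    # Decrypted in memory at run time; the file on disk stays encrypted.
    - vault/mondoo.yml
  pre_tasks:
    # The assertions are expressions, so the token value itself is not
    # echoed in the task output when one of them fails.
    - name: Refuse to run with a missing or placeholder registration token
      ansible.builtin.assert:
        that:
          - vault_mondoo_registration_token is defined
          - vault_mondoo_registration_token | length > 0
          - vault_mondoo_registration_token != "changeme"
        fail_msg: "Set vault_mondoo_registration_token in vault/mondoo.yml"
  roles:
    - role: ansible-mondoo
      vars:
        registration_token: "{{ vault_mondoo_registration_token }}"
        # Leave at the default so a re-run does not re-register the node.
        force_registration: false
```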
Applying Ansible Playbook to Amazon EC2 Windows Instance
If you're using Windows, follow the Ansible documentation for WinRM setup or SSH setup.
- Create a new hosts inventory. Add your host to the group.
[windows_hosts]
123.123.247.76 ansible_port=5986 ansible_connection=winrm ansible_user=Administrator ansible_password=changeme ansible_shell_type=powershell ansible_winrm_server_cert_validation=ignore
Or using SSH:
3.235.247.76 ansible_port=22 ansible_connection=ssh ansible_user=admin ansible_shell_type=cmd
- Create a playbook.yml. For Windows, turn off become:
- hosts: windows_hosts
  roles:
    - role: ansible-mondoo
      vars:
        registration_token: "changeme"
        force_registration: false
- Run the playbook as previously shown.
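The WinRM inventory entry above rewritten as a YAML inventory with server certificate validation turned on and the password taken from a vaulted group variable rather than the inventory line. This is an added example, not part of the role's own documentation; the file names, the CA bundle path and the variable name vault_windows_admin_password are assumptions.

```yaml
---
# hosts.yml (added example; paths and variable names are assumptions)
#
# Keep the password in an encrypted group_vars file next to this inventory:
#   ansible-vault create group_vars/windows_hosts/vault.yml
# containing:
#   vault_windows_admin_password: "<password>"
#
# Use it in place of the INI inventory:
#   ansible-playbook -i hosts.yml playbook.yml --ask-vault-pass
all:
  children:
    windows_hosts:
      hosts:
        # The WinRM listener certificate must name the address or host
        # name used here, otherwise validation fails.
        123.123.247.76:
      vars:
        ansible_connection: winrm
        ansible_port: 5986
        ansible_user: Administrator
        # Resolved from the vaulted group_vars file at connection time.
        ansible_password: "{{ vault_windows_admin_password }}"
        ansible_shell_type: powershell
        # "validate" instead of "ignore": the HTTPS listener certificate
        # is checked against the CA bundle below.
        ansible_winrm_server_cert_validation: validate
        ansible_winrm_ca_trust_path: /etc/ansible/pki/winrm-ca.pem
```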
Testing
To test the role, you need to install dependencies:
pip install molecule
pip install docker
pip install 'molecule-plugins[docker]'
Run the following commands for testing:
molecule reset
image=geerlingguy/docker-ubuntu2204-ansible molecule converge
image=geerlingguy/docker-ubuntu2204-ansible molecule verify
molecule login --host ubuntu
molecule destroy
For linting, use:
pip3 install ansible-lint
ansible-lint
Author
Mondoo, Inc
FAQ
Common Errors:
- Error related to HTTPSHandler: Install the required Python packages by running:
sudo zypper install python python2-urllib3 python3 python3-urllib3
- Error with ansible.legacy.setup on Windows: Switch the shell type from powershell to cmd if using older Win32-OpenSSH versions.
- Error about jmespath installation: Install jmespath:
pip install jmespath
- Testing on unsupported OS: Print available facts with the following snippet in your playbook:
- name: Print all available facts
  ansible.builtin.debug:
    var: ansible_facts
Join the Community!
Join the Mondoo Community on GitHub Discussions to collaborate on code and security automation.