
Is Mondoo an alternative to InSpec?

published in: DevOps Date: November 26, 2021
Jürgen Brüder, Senior IT-Consultant

About the author

Jürgen Brüder is a Senior IT-Consultant for Infralovers and an IT-Trainer for Commandemy. He was the CTO of the Austrian based big-data startup Xeer and was also active as a consultant for various companies.


Why Mondoo instead of InSpec?

For me, testing infrastructure started with RSpec and ServerSpec. Then the DevSec project (https://dev-sec.io/) taught me how to use these tests as compliance tests as well. A short time later, the developers behind that project joined Chef Inc. and developed InSpec, a test and policy tool that we have been using intensively with our customers to this day.

So we were very excited when we heard that the team behind InSpec had started a new project. Their new project is called Mondoo and focuses on Policy-As-Code.

If you are not yet familiar with Mondoo, check out the official “Getting Started Guide”: https://docs.mondoo.io/getstarted/overview

An experiment

As a long-term InSpec user, I am of course very interested in whether there is any overlap between InSpec and Mondoo in terms of functionality. In theory, could I move my InSpec tests to Mondoo?

Mondoo should be able to test remote systems via SSH. That is what I want to find out!

No dependencies is an advantage

The big flaw in using InSpec is its dependency on Ruby. This is the feature of Mondoo that makes me want to do this experiment the most: Mondoo ships as a single binary, with no dependencies on programming language runtimes or the like. This of course makes installing it a lot easier.

Installing Mondoo

First, we need to install Mondoo on our workstation. Conveniently, the Mondoo team has created a simple installation script for their users: https://github.com/mondoolabs/mondoo/blob/master/install.sh

All we have to run in our terminal is the following command:

bash -c "$(curl -sSL https://mondoo.io/install.sh)"

Note that I have not created a Mondoo account here beforehand. I intend to use Mondoo without the associated online service.

Of course, I would recommend everyone to set up a Mondoo account in order to be able to access the full range of functions. This is especially useful if you want to use Mondoo for Policy-As-Code as well.

So why not create an account now? I wanted to try to get as close to the InSpec experience as possible.

Writing your own policy

For this experiment I want to write my own policy that tests my target system via SSH. The Mondoo docs explain this process very well: https://docs.mondoo.io/platform/policies/development

I want to trigger a shell command on the target system that provides certain information in the stdout. I want to check this information automatically.

I decided to read out and check the version number of the target operating system. For me, the target system is a Raspberry Pi running Raspbian 11. With the following command I get this information on the terminal (on the target system):

$ cat /etc/os-release

PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

If the text Raspbian GNU/Linux 11 (bullseye) appears in the output of the command, this is a sign that everything is correct.

Mondoo gives us a great tool for that. With the query

command('cat /etc/os-release').stdout == /11 \(bullseye\)/

Mondoo executes the command cat /etc/os-release on the target system and checks whether the regular expression 11 \(bullseye\) matches somewhere in its output (the parentheses are escaped so that they match literally rather than forming a regex group). If so, the query, aka our test, is successful.

If I incorporate the whole thing into a Mondoo policy (my-policy.yml), the result looks like this:

policies:
  - uid: os-check
    name: Check OS
    version: "1.0.0"
    specs:
      - asset_filter:
          query: platform.family.contains(_ == 'unix')
        data_queries:
          os-data-01:
queries:
  - uid: os-data-01
    title: Check for OS version
    query: command('cat /etc/os-release').stdout == /11 \(bullseye\)/
    docs:
      desc: |
        Raspbian should be installed in version 11
      audit: Run the `cat /etc/os-release` command and verify that the Raspbian version is 11
      remediation: |
        Install the latest version of Raspbian.

For comparison, this is what the same test looks like with InSpec:

describe command('cat /etc/os-release') do
  its('stdout') { should match /11 \(bullseye\)/ }
end
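To make the comparison concrete, here is an added Python example (not code from the article, Mondoo or InSpec) that replays the same check offline against the os-release output shown above: it evaluates the escaped regex used in both the Mondoo query and the InSpec test, shows why the unescaped form 11 (bullseye) would not match, and adds a check of the structured VERSION_ID and ID fields as a less brittle alternative. It assumes that Mondoo's `stdout == /regex/` and InSpec's `should match` both behave as an unanchored regex search over the captured output.

```python
import re

# Constructed sample input: the /etc/os-release output quoted in the article.
OS_RELEASE = """PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
"""

# The regex from the Mondoo policy and the InSpec test (parentheses escaped),
# and the unescaped variant, in which "(bullseye)" becomes a regex group and
# the pattern therefore looks for the text "11 bullseye".
ESCAPED = r"11 \(bullseye\)"
UNESCAPED = r"11 (bullseye)"


def regex_check(stdout: str, pattern: str) -> bool:
    """Mirror of `command(...).stdout == /pattern/` and InSpec's `should match`:
    an unanchored search over the captured stdout (assumption, see lead-in)."""
    return re.search(pattern, stdout) is not None


def parse_os_release(text: str) -> dict:
    """Parse the KEY=VALUE lines of an os-release file, skipping blank lines
    and comments and dropping the quotes around values."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def structured_check(stdout: str, want_id: str = "raspbian", want_version: str = "11") -> bool:
    """Check the machine-readable fields instead of grepping PRETTY_NAME, so a
    reworded PRETTY_NAME cannot produce a false pass or a false failure."""
    fields = parse_os_release(stdout)
    return fields.get("ID") == want_id and fields.get("VERSION_ID") == want_version


if __name__ == "__main__":
    print("escaped regex:  ", regex_check(OS_RELEASE, ESCAPED))    # True
    print("unescaped regex:", regex_check(OS_RELEASE, UNESCAPED))  # False
    print("structured:     ", structured_check(OS_RELEASE))        # True
```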

Running the policy via SSH

All that is still missing is to execute the policy. I have replaced the username and the host address of my target system with the placeholders USER and URL; substitute the values that are valid for your own target system here:

mondoo scan --incognito -t ssh://USER@URL ./my-policy.yml

The command runs in “incognito” mode, so Mondoo does not connect to the Mondoo online service.

The output shows us that the test was successful:

→ no configuration file provided
                        .-.
                        : :
,-.,-.,-. .--. ,-.,-. .-' : .--.  .--. ™
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'

x could not initialize credentials for upstream connection error="cannot configure client authentication: cannot load retrieved key: AuthKey must be a valid .p8 PEM file"
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ execute policies
→ enabled incognito mode
→ establish connection to asset raspberrypi (unknown)
→ run policies for asset asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R

███████████████████████████████████████████████████████████████████████████ 100% raspberrypi

→ send all results asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
→ generate report asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
→ scan complete asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R

raspberrypi
===========

┌▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄┐
│  _   _                     │
│ | | | |  Unrated 0/100     │
│ | |_| |  100% complete     │
│  \___/                     │
└────────────────────────────┘

Url: https://console.mondoo.app/space/fleet/21S5VOX7Lt7FeOSeuDCBuA9mH7R?spaceId=incognito-local-execution

Asset Policy 21S5VOX7Lt7FeOSeuDCBuA9mH7R
----------------------------------------

■  U   Check OS

Check OS
--------

┌▄▄▄▄▄▄▄▄▄┐
│  _   _  │  Policy:  Check OS
│ | | | | │  Version: 1.0.0
│ | |_| | │  Mrn:     //policy.api.mondoo.app/spaces/incognito-local-execution/policies/os-check
│  \___/  │  Score:   0 (completion: 100%, via average score)
└─────────┘


no scored queries

Data Queries:

■ Title: Check for OS version
  ID:    //policy.api.mondoo.app/spaces/incognito-local-execution/queries/os-data-01
  Query: command('cat /etc/os-release').stdout == /11 \(bullseye\)/
  Result:
    [ok] value: "PRETTY_NAME=\"Raspbian GNU/Linux 11 (bullseye)\"
    NAME=\"Raspbian GNU/Linux\"
    VERSION_ID=\"11\"
    VERSION=\"11 (bullseye)\"
    VERSION_CODENAME=bullseye
    ID=raspbian
    ID_LIKE=debian
    HOME_URL=\"http://www.raspbian.org/\"
    SUPPORT_URL=\"http://www.raspbian.org/RaspbianForums\"
    BUG_REPORT_URL=\"http://www.raspbian.org/RaspbianBugs\"
    "


Summary
=======

Asset Overview

■  U   raspberrypi

Aggregated Policy Overview

Conclusion

This experiment showed me that I could map my InSpec test to Mondoo. So if you don’t want to operate two different tools, you could do all of it with Mondoo. The added value here is clearly that I can set up a Mondoo account and thereby gain access to a large number of pre-written policies, which is reminiscent of Chef Compliance. A big advantage is that I only need the Mondoo binary and have no other dependencies. A disadvantage would be the larger amount of code I have to write to get the same result as with InSpec.

I find Mondoo very exciting and will definitely keep an eye on it.

If you want to find out more about Mondoo, visit .