Why Mondoo instead of InSpec?
For me, testing infrastructure started with RSpec and ServerSpec. Then the [DevSec project](https://dev-sec.io/) taught me how to use these tests as compliance tests as well. A short time later, the developers behind that project joined Chef Inc. and developed InSpec, a test and policy tool that we have been using intensively with our customers to this day.
So we were very excited when we heard that the team behind InSpec had started a new project. Their new project is called Mondoo and focuses on Policy-As-Code.
If you are not yet familiar with Mondoo, check out the official “Getting Started Guide”: https://docs.mondoo.io/getstarted/overview
An experiment
As a long-term InSpec user, I am of course very interested in whether there is any overlap between InSpec and Mondoo in terms of functionality. In theory, could I move my InSpec test to Mondoo?
Mondoo should be able to test external systems via SSH. I want to find out!
No dependencies is an advantage
The big flaw in using InSpec is its dependency on Ruby. This is one of the features of Mondoo that makes me want to do this experiment the most. Mondoo is used as a single binary. No dependencies on programming languages or the like. This of course makes installing this binary a lot easier.
Installing Mondoo
First, we need to install Mondoo on our workstation. Conveniently, the Mondoo team has created a simple installation script for their users: https://github.com/mondoolabs/mondoo/blob/master/install.sh
All we have to run in our terminal is the following command:
bash -c "$(curl -sSL https://mondoo.io/install.sh)"
Note that I have not created a Mondoo account here beforehand. I intend to use Mondoo without the associated online service.
Of course, I would recommend that everyone set up a Mondoo account in order to be able to access the full range of functions. This is especially useful if you want to use Mondoo for Policy-As-Code as well.
So why not create an account now? I wanted to try to get as close to the InSpec experience as possible.
Writing your own policy
For this experiment I want to write my own policy that tests my target system via SSH. The Mondoo docs explain this process very well: https://docs.mondoo.io/platform/policies/development
I want to trigger a shell command on the target system that provides certain information in the stdout. I want to check this information automatically.
I decided to read out and check the version number of the target operating system. For me the target system is a Raspberry Pi with Raspbian 11. With the following command I get this information on the terminal (on the target system):
$ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
If the text Raspbian GNU/Linux 11 (bullseye) appears in the output of the command, this is a sign that everything is correct.
Mondoo gives us a great tool for that. With the query
command('cat /etc/os-release').stdout == /11 \(bullseye\)/
Mondoo executes the command cat /etc/os-release on the target system and checks whether the regular expression 11 \(bullseye\) matches its output. If so, the query, aka our test, is successful.
If I incorporate the whole thing into a Mondoo policy (my-policy.yaml), the result looks like this:
policies:
  - uid: os-check
    name: Check OS
    version: "1.0.0"
    specs:
      - asset_filter:
          query: platform.family.contains(_ == 'unix')
        data_queries:
          os-data-01:
queries:
  - uid: os-data-01
    title: Check for OS version
    query: command('cat /etc/os-release').stdout == /11 \(bullseye\)/
    docs:
      desc: |
        Raspian should be installed in version 11
      audit: Run the `cat /etc/os-release` command and verify that Raspian version is 11
      remediation: |
        Install latest version of Raspian.
For comparison, this is what the same test looks like with InSpec:
describe command('cat /etc/os-release') do
  its('stdout') { should match /11 \(bullseye\)/ }
end
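The check itself can be tried without either tool. The following is an added example, not part of the original post: plain Ruby (the language InSpec tests are written in) that runs the policy's regular expression over the os-release output shown above, next to the same pattern without escaped parentheses. It goes beyond the post by adding a field-level comparison; the function names and the second sample are constructed for illustration.

```ruby
# Added example: plain Ruby, no InSpec or Mondoo needed.
# RASPBIAN_11 is taken from the os-release output shown in this post.
RASPBIAN_11 = <<~OS
  PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
  NAME="Raspbian GNU/Linux"
  VERSION_ID="11"
  VERSION="11 (bullseye)"
  VERSION_CODENAME=bullseye
  ID=raspbian
  ID_LIKE=debian
OS

# Constructed sample (hypothetical release "111") showing that a substring
# pattern is not tied to one field or to the full version number.
CONSTRUCTED_111 = <<~OS
  PRETTY_NAME="Example Linux 111 (bullseye)"
  VERSION_ID="111"
  VERSION="111 (bullseye)"
  VERSION_CODENAME=bullseye
OS

ESCAPED   = /11 \(bullseye\)/ # pattern used in the policy and the InSpec test
UNESCAPED = /11 (bullseye)/   # here the parentheses form a capture group

# Parse os-release KEY=value lines into a Hash, stripping optional quotes.
def parse_os_release(text)
  text.each_line.with_object({}) do |line, fields|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if value.nil?
    fields[key] = value.gsub(/\A["']|["']\z/, '')
  end
end

# Whole-output check: does the pattern match anywhere in stdout?
def stdout_check(text, pattern = ESCAPED)
  text.match?(pattern)
end

# Field-level check: compare the parsed fields exactly.
def field_check(text, version_id: '11', codename: 'bullseye')
  f = parse_os_release(text)
  f['VERSION_ID'] == version_id && f['VERSION_CODENAME'] == codename
end

[RASPBIAN_11, CONSTRUCTED_111].each do |sample|
  puts "regex=#{stdout_check(sample)} fields=#{field_check(sample)}"
end
```

The unescaped pattern does not match the real output at all, and the escaped pattern also matches the constructed "111" sample, which the field-level comparison rejects.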
Running the policy via SSH
All that is still missing is to execute the policy. I have replaced the username and the URL of my target system with USER and URL. You simply enter the data valid for your target system here:
mondoo scan --incognito -t ssh://USER@URL ./my-policy.yaml
The command runs in “incognito” mode. Mondoo does not connect to the Mondoo online service in this way.
The output shows us that the test was successful:
→ no configuration file provided
.-.
: :
,-.,-.,-. .--. ,-.,-. .-' : .--. .--. ™
: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'
x could not initialize credentials for upstream connection error="cannot configure client authentication: cannot load retrieved key: AuthKey must be a valid .p8 PEM file"
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ execute policies
→ enabled incognito mode
→ establish connection to asset raspberrypi (unknown)
→ run policies for asset asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
███████████████████████████████████████████████████████████████████████████ 100% raspberrypi
→ send all results asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
→ generate report asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
→ scan complete asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
raspberrypi
===========
┌▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄┐
│ _ _ │
│ | | | | Unrated 0/100 │
│ | |_| | 100% complete │
│ \___/ │
└────────────────────────────┘
Url: https://console.mondoo.app/space/fleet/21S5VOX7Lt7FeOSeuDCBuA9mH7R?spaceId=incognito-local-execution
Asset Policy 21S5VOX7Lt7FeOSeuDCBuA9mH7R
----------------------------------------
■ U Check OS
Check OS
--------
┌▄▄▄▄▄▄▄▄▄┐
│ _ _ │ Policy: Check OS
│ | | | | │ Version: 1.0.0
│ | |_| | │ Mrn: //policy.api.mondoo.app/spaces/incognito-local-execution/policies/os-check
│ \___/ │ Score: 0 (completion: 100%, via average score)
└─────────┘
no scored queries
Data Queries:
■ Title: Check for OS version
ID: //policy.api.mondoo.app/spaces/incognito-local-execution/queries/os-data-01
Query: command('cat /etc/os-release').stdout == /11 \(bullseye\)/
Result:
[ok] value: "PRETTY_NAME=\"Raspbian GNU/Linux 11 (bullseye)\"
NAME=\"Raspbian GNU/Linux\"
VERSION_ID=\"11\"
VERSION=\"11 (bullseye)\"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL=\"http://www.raspbian.org/\"
SUPPORT_URL=\"http://www.raspbian.org/RaspbianForums\"
BUG_REPORT_URL=\"http://www.raspbian.org/RaspbianBugs\"
"
Summary
=======
Asset Overview
■ U raspberrypi
Aggregated Policy Overview
Conclusion
This experiment showed me that I could map my InSpec test with Mondoo. So if you don’t want to operate two different tools, you could do all of it with Mondoo. The added value here is clearly that I can set up a Mondoo account and thus secure access to a large number of pre-written policies. This is reminiscent of Chef Compliance. A big advantage is that I only need the Mondoo binary and have no other dependencies. A disadvantage would be the larger amount of code I have to write to get the same result as InSpec.
I find Mondoo very exciting and will definitely keep an eye on it.
If you want to find out more about Mondoo, visit
