Is Mondoo an alternative to InSpec?

Why Mondoo indead of InSpec?

For me, testing infrastructure started with RSpec and ServerSpec. Then the [DevSec project] (https://dev-sec.io/) project taught me how to use these tests as compliance tests as well. A short time later, the developers behind that project joined Chef Inc. and developed InSpec. A test and policy tool that we have been using intensively with our customers to this day.

So we were very excited when we heard that the team behind InSpec had started a new project. Their new project is called Mondoo and focuses on Policy-As-Code.

If you are not yet familiar with Mondoo, checkout the official "Getting Started Guide": https://docs.mondoo.io/getstarted/overview

An experiment

As a long-term InSpec user, I am of course very interested in whether there is any overlap between InSpec and Mondoo in terms of functionality. In theory, could I move my InSpec-Test to Mondoo?

Mondoo should be able to test external systems via SSH. I want to find out!

No dependencies is an advantage

The big flaw in using InSpec is its dependency on Ruby. This is one of the features of Mondoo that makes me want to do this experiment the most. Mondoo is used as a single binary. No dependencies on programming languages ​​or the like. This of course makes installing this binary a lot easier.

Installing Mondoo

First, we need to install Mondoo on our workstation. Conveniently, the Mondoo team has created a simple installation script for their users: https://github.com/mondoolabs/mondoo/blob/master/install.sh

All we have to run in our terminal is the following command:

1bash -c "$(curl -sSL https://mondoo.io/install.sh)"

Note that I have not created a Mondoo account here beforehand. I intend to use Mondoo without the associated online service.

Of course, I would recommend everyone to set up a Mondoo account in order to be able to access the full range of functions. This is especially useful if you want to use Mondoo for Policy-As-Code as well.

So why not create an account now? I wanted to try to get as close to the InSpec experience as possible.

Writing your own policy

For this experiment I want to write my own policy that tests my target system via SSH. The Mondoo docs explain this process very well: https://mondoo.com/docs/cnspec/cnspec-policies/write/

I want to trigger a shell command on the target system that provides certain information in the stdout. I want to check this information automatically.

I decided to read out and check the version number of the target operating system. For me the target system is a RaspberryPi with Raspian 11. With the following command I get this information on the terminal (on the target system):

 1$ cat /etc/os-release
 2
 3PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
 4NAME="Raspbian GNU/Linux"
 5VERSION_ID="11"
 6VERSION="11 (bullseye)"
 7VERSION_CODENAME=bullseye
 8ID=raspbian
 9ID_LIKE=debian
10HOME_URL="http://www.raspbian.org/"
11SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
12BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

If the text Raspbian GNU / Linux 11 (bullseye) appears in the output of the command, this is a sign that everything is correct.

Mondoo gives us a great tool for that. With the query

1command('cat /etc/os-release').stdout == /11 (bullseye)/

Mondoo executes the command cat / etc / os-release on the target system and checks whether the regular expression11 (bullseye) appears in its output. If so, the query, aka our test, is successful.

If I incorporate the whole thing into a Mondo-Policy (my-policy.yaml), the result looks like this:

 1policies:
 2  - uid: os-check
 3    name: Check OS
 4    version: "1.0.0"
 5    specs:
 6      - asset_filter:
 7          query: platform.family.contains(_ == 'unix')
 8        data_queries:
 9          os-data-01:
10queries:
11  - uid:  os-data-01
12    title: Check for OS version
13    query: command('cat /etc/os-release').stdout == /11 \(bullseye\)/
14    docs:
15      desc: |
16        Raspian should be installed in version 11        
17      audit: Run the `cat /etc/os-release` command and verify that Raspian version is 11
18      remediation: |
19        Install latest version of Raspian.        

For comparison, this is what the same test looks like with InSpec:

1describe command('cat /etc/os-release') do
2  its('stdout') { should match /11 \(bullseye\)/ }
3end

Ausführen der Policy via SSH

All that is still missing is to execute the policy. I have replaced the username and the URL of my target system with USER and URL. You simply enter the data valid for your target system here:

1mondoo scan --incognito -t ssh://USER@URL ./my-policy.yml

The command runs in "incognito" mode. Mondoo does not connect to the Mondoo online service in this way.

The output shows us that the test was successful:

 1→ no configuration file provided
 2                        .-.
 3                        : :
 4,-.,-.,-. .--. ,-.,-. .-' : .--.  .--. ™
 5: ,. ,. :' .; :: ,. :' .; :' .; :' .; :
 6:_;:_;:_;`.__.':_;:_;`.__.'`.__.'`.__.'
 7
 8x could not initialize credentials for upstream connection error="cannot configure client authentication: cannot load retrieved key: AuthKey must be a valid .p8 PEM file"
 9→ discover related assets for 1 asset(s)
10→ resolved assets resolved-assets=1
11→ execute policies
12→ enabled incognito mode
13→ establish connection to asset raspberrypi (unknown)
14→ run policies for asset asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
15
16███████████████████████████████████████████████████████████████████████████ 100% raspberrypi
17
18→ send all results asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
19→ generate report asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
20→ scan complete asset=//assets.api.mondoo.app/spaces/incognito-local-execution/assets/21S5VOX7Lt7FeOSeuDCBuA9mH7R
21
22raspberrypi
23===========
24
25┌▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄┐
26│  _   _                     │
27│ | | | |  Unrated 0/100     │
28│ | |_| |  100% complete     │
29│  \___/                     │
30└────────────────────────────┘
31
32Url: https://console.mondoo.app/space/fleet/21S5VOX7Lt7FeOSeuDCBuA9mH7R?spaceId=incognito-local-execution
33
34Asset Policy 21S5VOX7Lt7FeOSeuDCBuA9mH7R
35----------------------------------------
36
37■  U   Check OS
38
39Check OS
40--------
41
42┌▄▄▄▄▄▄▄▄▄┐
43│  _   _  │  Policy:  Check OS
44│ | | | | │  Version: 1.0.0
45│ | |_| | │  Mrn:     //policy.api.mondoo.app/spaces/incognito-local-execution/policies/os-check
46│  \___/  │  Score:   0 (completion: 100%, via average score)
47└─────────┘
48
49
50no scored queries
51
52Data Queries:
53
54■ Title: Check for OS version
55  ID:    //policy.api.mondoo.app/spaces/incognito-local-execution/queries/os-data-01
56  Query: command('cat /etc/os-release').stdout == /11 \(bullseye\)/
57  Result:
58    [ok] value: "PRETTY_NAME=\"Raspbian GNU/Linux 11 (bullseye)\"
59    NAME=\"Raspbian GNU/Linux\"
60    VERSION_ID=\"11\"
61    VERSION=\"11 (bullseye)\"
62    VERSION_CODENAME=bullseye
63    ID=raspbian
64    ID_LIKE=debian
65    HOME_URL=\"http://www.raspbian.org/\"
66    SUPPORT_URL=\"http://www.raspbian.org/RaspbianForums\"
67    BUG_REPORT_URL=\"http://www.raspbian.org/RaspbianBugs\"
68    "
69
70
71Summary
72=======
73
74Asset Overview
75
76■  U   raspberrypi
77
78Aggregated Policy Overview

Conclusion

This experiment showed me that I could map my InSpec test with Mondoo. So if you don't want to operate two different tools, you could do all of it with Mondoo. The added value here is clearly that I can set up a Mondoo account and thus secure access to a large number of pre-written policies. This is reminiscent of Chief Compliance. A big advantage is that I only need the Mondoo binary and have no other dependencies. A disadvantage would be the larger amount of code I have to write to get the same result as InSpec.

I find Mondoo very exciting and will definitely keep an eye on it.

If you want to find out more about Mondoo, visit <mondoo.io>.