cnspec Provisioner
Type: cnspec
Packer plugin cnspec by Mondoo scans Linux and Windows machine images for vulnerabilities and security misconfigurations. The plugin retrieves CVE data from Mondoo, which is updated daily with the latest CVEs and advisories. Additionally, cnspec runs security scans using cnspec-policies to uncover common misconfigurations that open your hosts to the risk of attack.
Basic Example
Configuration Reference
Optional Parameters:
- `host_alias` (string) - The alias by which the host should be known. Defaults to `default`.
- `user` (string) - The `user` set for your communicator. Defaults to the `user` set by Packer.
- `local_port` (uint) - The port on which to attempt to listen for SSH connections. This value is a starting point: the provisioner attempts to listen for SSH connections on the first available of ten ports, starting at `local_port`. A system-chosen port is used when `local_port` is missing or empty.
- `ssh_host_key_file` (string) - The SSH host key used to run the SSH server on the host machine that forwards commands to the target machine. Packer connects to this server and validates its identity against the system `known_hosts`. The default behavior is to generate and use a one-time key.
- `ssh_authorized_key_file` (string) - The SSH public key of the Packer `ssh_user`. The default behavior is to generate and use a one-time key.
- `use_sftp` (bool) - Packer's SFTP proxy is not reliable on some Unix/Linux systems, so we recommend leaving this unset and using SCP (the default) for the Packer proxy.
- `debug` (bool) - Sets the log level to `DEBUG`.
- `asset_name` (string) - The asset name passed to Mondoo Platform. Defaults to the hostname of the instance.
- `on_failure` (string) - Configures whether Packer should fail the build if `score_threshold` is not met. If `score_threshold` is omitted, the threshold is `0` and builds pass regardless of the score returned. If `score_threshold` is set and `on_failure = "continue"`, builds continue regardless of the score returned.
- `labels` (map[string]string) - An optional map of labels for the asset data in Mondoo Platform.
- `annotations` (map[string]string) - An optional map of `key/val` annotations for the asset data in Mondoo Platform.
- `incognito` (bool) - Configures incognito mode. Defaults to `true`. In incognito mode scan results are not sent to the Mondoo Platform; set to `false` to report results to the platform.
- `policies` ([]string) - A list of policies to be executed (requires incognito mode).
- `policybundle` (string) - A path to a local policy bundle file.
- `sudo` (*SudoConfig) - Run the cnspec scan with `--sudo`. Defaults to none (see SudoConfig below).
- `winrm_user` (string) - Configure the WinRM user. Defaults to the `user` set by the Packer communicator.
- `winrm_password` (string) - Configure the WinRM user password. Defaults to the `password` set by the Packer communicator.
- `use_proxy` (bool) - Use the Packer proxy to connect to the host to scan. This falls back to the Packer proxy for cases where the provisioner cannot access the target directly. NOTE: we have seen cases with the vsphere builder
- `output` (string) - Set the output format: `summary`, `full`, `yaml`, `json`, `csv`, `compact`, `report`, `junit` (default `compact`).
- `score_threshold` (int) - An integer value that sets the minimum acceptable score of the cnspec scan. Defaults to `0`, which results in a passing build regardless of what scan results are returned.
- `mondoo_config_path` (string) - The path to the Mondoo client config. Defaults to `$HOME/.config/mondoo/mondoo.yml`.
SudoConfig
- `active` (bool) - When `true`, run the scan with elevated privileges (`--sudo`). Many Linux checks need root to read configuration files and package state.
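The following Packer HCL template is an added example written for this page, not a template from the cnspec plugin repository or the Mondoo examples directory. It wires the parameters above into an `amazon-ebs` build that is gated on the scan score: with `score_threshold` set and `on_failure` left unset, a scan scoring below the threshold fails the build, which is the setting you want in a pipeline that publishes images. The plugin version constraint, region, AMI filter, asset name, labels and the local bundle path are placeholders to adapt.

```hcl
packer {
  required_plugins {
    cnspec = {
      # Version constraint is a placeholder; pin to the release you have tested.
      version = ">= 10.0.0"
      source  = "github.com/mondoohq/cnspec"
    }
  }
}

# Ubuntu 22.04 base image from Canonical's AWS account. Region and instance
# type are placeholders.
source "amazon-ebs" "ubuntu" {
  region        = "us-east-1"
  instance_type = "t3.micro"
  ssh_username  = "ubuntu"
  ami_name      = "hardened-ubuntu-{{timestamp}}"

  source_ami_filter {
    filters = {
      name                = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    most_recent = true
    owners      = ["099720109477"]
  }
}

build {
  sources = ["source.amazon-ebs.ubuntu"]

  # Hardening provisioners (shell, ansible, ...) run before the scan so the
  # score reflects the image that is actually published.

  provisioner "cnspec" {
    asset_name = "hardened-ubuntu-22.04"

    # Gate the build on the scan. Leaving score_threshold at its default of 0
    # passes the build whatever the scan returns, and on_failure = "continue"
    # would likewise let a failing score through; neither belongs in a
    # pipeline that publishes images.
    score_threshold = 85

    # Most Linux checks (sshd_config, PAM, package state) require root.
    sudo {
      active = true
    }

    # Report results to Mondoo Platform using the credentials in the default
    # client config ($HOME/.config/mondoo/mondoo.yml). Labels and annotations
    # attach metadata to the asset record and are placeholders here.
    incognito = false
    labels = {
      team = "platform"
    }
    annotations = {
      pipeline = "packer-nightly"
    }

    # Offline alternative: keep results local and scan against a local policy
    # bundle (path is a placeholder).
    # incognito    = true
    # policybundle = "./policies/linux-baseline.mql.yaml"

    # JUnit output is straightforward to surface as a test report in CI.
    output = "junit"
  }
}
```

Run it with `packer init .` followed by `packer build .`; the `required_plugins` block makes `packer init` fetch the provisioner. If you need to inspect why a build failed the gate, re-run with `debug = true` in the provisioner block or switch `output` to `full` for the per-check results.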
Get Started with cnspec
If you are new to cnspec, check out Get started with cnspec.
Packer plugin cnspec tutorial
Check out the Packer tutorials on the Mondoo documentation site:
- Building secure AMIs with Mondoo and Packer
- Building secure VM images in Google Cloud with cnspec and HashiCorp Packer
Sample Packer Templates
You can find example Packer templates in the examples directory in this repository.