December 28, 2021

CIS Compliance: How to Automate Compliance with CIS Benchmarks


Center for Internet Security (CIS) compliance is critical for today's teams. In this blog, you'll learn:


What is CIS Compliance?

CIS compliance is the act of meeting cybersecurity standards from the Center for Internet Security (CIS). CIS compliance means establishing baseline configurations to protect systems and data from cyberattacks and other forms of IT risk.

CIS compliance is measured in CIS Benchmarks, which are specific security configurations recommended by the Center for Internet Security.


Why is CIS Compliance Important?

CIS compliance is important because it helps strengthen cybersecurity to protect data and IT systems from risk. Additionally, some auditors check for CIS compliance and impose restrictions, fines, and other penalties for noncompliance with CIS Benchmarks.

CIS compliance is important because passing an audit is hard — whether you’re in retail, healthcare, finance, or honestly, any industry that values security. Most organizations these days are faced with regulatory standards that must be enforced, which bring both technical and business challenges that are difficult to overcome.


Compliance is one of the biggest pains to deal with, but also one of the most important things to get right. It gets tricky because there are so many rules to enforce and often there are just as many exceptions to keep track of. Every team has a special server or a benchmark that doesn’t apply, and making sense of it all is difficult.

Infrastructure teams I talk to are often struggling to keep up with the last-minute scans sent over by security teams, and coordination becomes a big challenge. They’re stuck dealing with the vast number of machines that are outside of compliance and are sometimes forced to manually reconcile exceptions and build out one-off fixes that we all know don't scale.


If organizations don't adhere to these standards, they can be charged with hefty fines or, in the worst cases, even jail time. Increased business demands and pressure to reduce costs, especially in the current environment, force IT organizations to address these standards via shortcuts or exceptions that end up being time-consuming, high-risk, and costly.

According to a report from Ponemon Institute, “The average cost for organizations that experience non-compliance problems is $14.82 million, a 45 percent increase from 2011.”


Do You Need CIS Compliance?

Any organization that uses IT, regardless of size or industry, can benefit from CIS compliance. Some organizations in high-risk industries require proof of CIS compliance, like government agencies and contractors.

If compliance isn't on your radar right now, it should be. It's definitely on someone's mind in your organization. The days of “trust in the firewall” are long gone; every organization should adopt standard security best practices.

Fortunately there's a well-defined set of standards available: CIS Benchmarks. CIS is a not-for-profit organization that develops and maintains best practices in relation to cyber security. The CIS Benchmarks have been adopted by many organizations as the standard to implement.

CIS publishes these recommendations, grouped under Benchmarks, and you can download them for free. There are a significant number of published Benchmarks — over 50 as of this writing. The Benchmarks define security best practices for platforms from mobile devices to operating systems, network devices, virtualization platforms, and middleware. Each Benchmark recommends a specific set of security recommendations called Controls. A Control is a specific action: a setting or practice. Any given Benchmark can have dozens or hundreds of Controls.

Implementing CIS Benchmarks can be daunting because of the sheer number of Controls under each Benchmark, the necessity of assessing if the Control is appropriate for a given server, and the scale at which these Controls need to be deployed in a modern IT estate. After deployment, keeping current with Benchmark updates, remediating drift, and demonstrating compliance can seem like a Herculean task. Fortunately, Puppet has a solution to implement, maintain, and document CIS compliance easily.


How to Get (and Stay) Compliant with CIS Benchmarks Fast with Puppet

CIS Compliance Service

Our new CIS compliance service offering, available today for Puppet Enterprise and open source Puppet users, is a great example of how we’re bringing this to life. We took a team of experts, looked through our success stories from customers who have used Puppet for compliance efforts (including some of the world’s largest financial institutions), and combined what we learned with some of our own tooling to map CIS benchmarks with Puppet data. The result is an end-to-end solution for enforcing CIS benchmarks.

The CIS compliance service will help organizations ensure they are both secure and equipped to pass audits quickly and easily. Through this service, we’ll help you identify where you are out of compliance and, more importantly, work with you to ensure your systems are conforming to their standards and empower you to be prepared for the future. Our experts at Puppet can help ensure you are enforcing CIS standards across your systems and address gaps as they are identified.

CIS Product Suite

Puppet's suite of products offers a three-step approach to ensuring and proving CIS Benchmark compliance:

Puppet Comply

Puppet Comply includes the CIS scanner to determine compliance on each managed node in your Puppet estate. Puppet Comply allows you to scan against each CIS Benchmark, and to customize Benchmarks to assess real-world implementations of Benchmarks, including recommended Controls that simply aren't practical (e.g. a legacy system where telnet is required). This allows you to document and track accepted exceptions to specific Controls and demonstrate compliance against these tailored Benchmarks. Puppet Comply also provides a console showing your current compliance against the Benchmark, so you can prioritize which Controls to implement, making the biggest impact on your compliance status.

Puppet Enterprise

Puppet Enterprise (PE) implements pre-packaged IaC modules called Compliance Enforcement, allowing you to define groups of managed nodes and apply the appropriate Benchmark to each group. Puppet Enterprise ensures that nodes stay in compliance as each managed node is continuously monitored, and any deviation from the expected configuration is remediated and reported. Puppet Enterprise gives you visibility into node status, drift, and current configuration from a unified web console.

Puppet Compliance Enforcement

Puppet Compliance Enforcement simplifies CIS Benchmarks enforcement by providing pre-written, modular Puppet policy as code to declaratively enforce CIS compliance. Each supported CIS control is implemented as a class in Puppet. Updates to Benchmarks are simple and provided by Puppet on a regular cadence, ensuring that your compliance profile is always up to date.


How to Enforce CIS Compliance with Puppet

With Compliance Enforcement, enforcing compliance can be checked off as a simple task. The fact that Compliance Enforcement comes in the form of modules for Open Source Puppet and Puppet Enterprise allows very specific configuration of Benchmarks, ensuring all necessary Controls are enforced, and that inappropriate/unnecessary Controls are not. Each Benchmark Control can be included in a machine’s configuration without any dependencies on other Controls.

As an example, the CIS RHEL 8/CentOS 8 Benchmark recommends disabling DHCP (Control 2.2.15 - Ensure DHCP Server is not enabled). Obviously you may have specific servers that provide DHCP services to your network. Fortunately, Puppet Compliance Enforcement allows you to ignore selected Control classes entirely via the $ignore parameter. The $ignore parameter takes an array of Control class names and does not load them into the catalog. To not load this class, you would add ['ensure_dhcp_server_is_not_enabled'] as the value of the $ignore parameter.

Paired together, Puppet Comply and Compliance Enforcement let you customize existing Benchmarks for more accurate reporting of compliance for documented exceptions. Comply's custom profiles let you enforce or bypass specific benchmark suggestions, e.g. DNS should be running on a DNS server and the scan shouldn't report that as a vulnerability. Comply lets you define multiple custom profiles to suit specific configurations with accurate reporting.

Benchmark standards are written in Puppet’s human-readable DSL. Presenting the code, along with Puppet’s logs showing enforcement, demonstrates a solid chain of compliance enforcement.

Audit Readiness is a Breeze

Puppet’s approach to CIS compliance allows for both continuous compliance enforcement and continuous audit readiness. Since the Benchmark standards are included in each managed node’s catalog, enforcement is ongoing. Drift is reported as a corrective change and can be reported on through the Puppet console. Updates to the enforced Benchmarks are reported as intentional changes, allowing both differentiation from remediation and confirmation when updated Controls were applied.

Example: Puppet’s compliance code is easy to read, using plain English descriptions. In the example below you can see that “DCCP” is being set to ‘disabled’.

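# CIS Control class: ensures that DCCP is disabled on the node.
class cem_linux::benchmarks::cis::controls::ensure_dccp_is_disabled (
  Boolean $enforced = true,
  Hash $config = {},
) {
  # Only declare the enforcing class when this Control is enforced.
  if $enforced {
    class { 'cem_linux::utils::network::disable_dccp':
      target  => dig($config, 'target'),
      content => dig($config, 'content'),
    }
  }
}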

Similarly, since each Control is defined as part of Puppet’s policy as code and stored on the Puppet server, proving compliance during an audit is simple.


Get Started with Puppet for CIS Compliance

See for yourself how Puppet makes CIS compliance easy.




This blog was originally published in two parts on May 17, 2020 and December 28, 2021. It has since been consolidated and updated for relevance. 
