How to Enforce Compliance With Compliance Modules

Do you know how to enforce compliance?

Regulations change, and remediation becomes complicated and time-consuming when things do change. Here we will explore how Compliance Modules can help you and your team save time and effort for a task that challenges even the most on-top-of-it organization. 

Table of Contents:

• What Are Compliance Modules?
• How Compliance Modules Save You Time
• How to Enforce Compliance With Puppet
• Continuing to Enforce Compliance

What Are Compliance Modules?

Compliance Enforcement Modules, or CEM, are modules specifically designed to implement CIS Benchmark recommendations as code. This means that you move closer to relevant regulations and security policies without sacrificing time and manual effort. 

A key activity in any strong continuous compliance program is remediation. First, you remediate the compliance failures you find by defining your compliance policy-as-code, then you apply that code to all relevant nodes. Sounds simple, right? In theory, perhaps. In practice, however, it’s not so clear-cut.

Let’s take the example of a compliance benchmark from the Center for Internet Security (CIS), a globally recognized organization providing benchmarks for securing IT systems and data. The CIS benchmark for Microsoft Windows Server 2019 contains more than 350 secure configuration recommendations for system hardening. Making sense of and translating these compliance standards into code can pose significant and costly challenges for organizations—not to mention continuously keeping code up to date with new benchmark versions.

Compliance Enforcement Modules, or CEM, are Puppet modules specifically designed to implement CIS Benchmark recommendations as Puppet code. Within CEM there are two distinct modules, cem_linux and cem_windows, which currently enforce CIS benchmark recommendations across a range of Linux and Windows operating systems using a combination of Puppet code, tasks, and plans. CEM content currently includes:

Our team is continuously working to expand our CEM content to include CIS across additional operating systems, profiles, and other technologies, as well as other compliance frameworks such as DISA STIG. Updates to existing module content, along with new content added, will be made available to all CEM subscribers to meet compliance requirements.

How Compliance Modules Save You Time

We’ve been working on some pretty cool stuff since we launched Puppet Comply last year. Lots of great feedback has come in, and we’re thankful for every opportunity we get to show our customers how we can help. This feedback comes in many forms, but one of the things we’ve heard time and time again is that achieving compliance is still hard.

Has compliance ever been easy?

We’ve talked about the number of regulations that people are trying to adhere to, plus the ever-changing landscape of infrastructure. These things that continue to change keep us on our toes, and the truth is: they take up a lot of our precious time.

Understanding our priorities has become a really important aspect of our lives. What is the most important thing for me to tackle right now? What is going to have the most impact? Do I really need to spend time on that?

Compliance Enforcement Modules are specifically designed to remediate and enforce compliance issues against CIS benchmarks. By applying these modules to your nodes, you can automatically move into compliance and stay there. This is a turnkey solution designed for accelerating time-to-value by providing you with compliance-as-code.

Our customers have told us time and time again that they are strapped for time, resources, and expertise to do this themselves. Here’s how we give them time back.

How to Enforce Compliance With Puppet

Once you’ve subscribed, you’ll be able to get started by installing the module from the Puppet Forge.

Configuration

Next, go ahead and configure the module. We recommend you use Hiera for this. For each recommendation enforced by cem_linux and cem_windows, we include default configuration values as recommended by CIS to help you get up and running faster.

Each CIS recommendation is implemented as its own class within CEM and comes with comprehensive configuration options. CEM can be configured to include all recommendation classes, or a subset using the configuration parameters ONLY and IGNORE. The configuration values contained within each recommendation class can also be customized.

CEM can be configured at the node level, or abstracted to the operating system level or any other abstraction level in your Hiera hierarchy.

In this example, I am configuring the cem_linux module to enforce ONLY CIS Level 1 Server recommendations "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node:

Classifying Nodes With CEM

Once you’ve set up your configuration, navigate to the Puppet Enterprise console to apply the CEM to your selected nodes.

Continuing with the CentOS 7 example, the easiest way to classify this node is to:

• Create a node group for all *nix nodes.
• Pin all relevant nodes, as well as your CentOS 7 node, to that node group.
• Add the cem_linux module to that node group.
• Run Puppet on those nodes to apply the modules.

Tasks and Plans in CEM for Linux

Within the CIS benchmarks for Linux, there are several recommendations that cannot be managed using desired state. Many of these recommendations would require site-specific information and could be damaging to a system if done in an automated fashion. For these recommendations, cem_linux includes a number of bolt tasks and plans that can be used to audit or configure specific configurations and existing states on nodes, such as duplicate user IDs. These tasks and plans are designed to run from Puppet Enterprise and can be scheduled like any other task or plan.

Running a Scan

You’re all set! Time to go ahead and scan your nodes in Puppet Comply.

Continuing to Enforce Compliance

Getting to a compliant state and staying that way is a never-ending loop. Changes to compliance standards and regulatory requirements are inevitable and constant. Building a strong continuous compliance program, based on the three continuous activities of assessment, remediation, and enforcement is key.

Using Compliance Enforcement Modules will help your organization get to a compliant state and meet compliance regulations more quickly. Combining the assessment capabilities of Puppet Comply and the enforcement capabilities of Puppet Enterprise empowers your organization to tackle compliance proactively and holistically, and to be more compliant, more of the time.

You have more important things to focus on. Let Puppet help you achieve your compliance goals.

Learn More

• Learn how to foster a culture of joint accountability for compliance across your organization.
• Watch the webinar: Balancing Security and Compliance with Rapid Innovation
• Read about CentOS 8 EOL or check out our CentOS EOL podcast episode
• How to enforce CIS compliance with Puppet
• Puppet and compliance: how it led to Puppet Comply

Start Automating Compliance Today