September 29, 2021

How to Enforce Compliance with Compliance Modules


Do you know how to enforce compliance?

Regulations change, and when they do, remediation becomes complicated and time-consuming. Here we will explore how compliance modules can save you and your team time and effort on a task that challenges even the most on-top-of-it organization.


What are Compliance Modules?

Compliance modules are blocks of code you can apply to your automation tool to enforce security baselines for compliance. Compliance Enforcement for Puppet Enterprise utilizes premium Puppet modules to implement CIS and DISA STIG recommendations as code.

Compliance modules can either be manually written, which is a time-consuming process for IT and infrastructure development teams, or implemented automatically with pre-written blocks of code in Puppet. Using Compliance Enforcement in Puppet Enterprise means that you move closer to relevant regulations and security policies without sacrificing time and manual effort. 


How to Enforce Compliance?

Avoid costly fines and reputational damage with actively enforced, up-to-date internal policies. Leverage policy as code for a fail-safe approach.

A key activity in any strong continuous compliance program is remediation. First, you define your compliance policy as code to remediate the compliance failures you find; then you apply that code to all relevant nodes. Sounds simple, right? In theory, perhaps. In practice, however, it’s not so clear-cut.


Let’s take the example of a compliance benchmark from the Center for Internet Security (CIS), a globally recognized organization providing benchmarks for securing IT systems and data. The CIS benchmark for Microsoft Windows Server 2019 contains more than 350 secure configuration recommendations for system hardening. Making sense of and translating these compliance standards into code can pose significant and costly challenges for organizations—not to mention continuously keeping code up to date with new benchmark versions.

Puppet Compliance Enforcement uses Puppet modules specifically designed to implement CIS Benchmark recommendations as Puppet code. There are two distinct modules, cem_linux and cem_windows, which currently enforce CIS benchmark recommendations across a range of Linux and Windows operating systems using a combination of Puppet code, tasks, and plans. Puppet Compliance Enforcement content currently includes:





  • Windows 10: CIS Level 1 - Corporate Enterprise
  • Windows Server 2019: CIS Level 1 - Member Server
  • Windows Server 2016: CIS Level 1 - Member Server
  • Red Hat Enterprise Linux 8: CIS Level 1 - Server
  • Red Hat Enterprise Linux 7: CIS Level 1 - Server
  • CentOS Linux 7: CIS Level 1 - Server

Our team is continuously working to expand our compliance content to include enforcement for more frameworks across additional operating systems, profiles, and other technologies. Because frameworks change often, Puppet Enterprise users with Compliance Enforcement receive regular updates to existing module content as each supported framework and regulation is updated.


How Compliance Modules Save You Time

We’ve been working on some pretty cool stuff since we launched Puppet Comply last year. Lots of great feedback has come in, and we’re thankful for every opportunity we get to show our customers how we can help. This feedback comes in many forms, but one of the things we’ve heard time and time again is that achieving compliance is still hard.

Has compliance ever been easy?

We’ve talked about the number of regulations that people are trying to adhere to, plus the ever-changing landscape of infrastructure. These constant changes keep us on our toes, and the truth is that they take up a lot of our precious time.

Understanding our priorities has become a really important aspect of our lives. What is the most important thing for me to tackle right now? What is going to have the most impact? Do I really need to spend time on that?

Puppet Compliance Enforcement is specifically designed to remediate compliance issues and enforce compliance against CIS benchmarks. By applying these modules to your nodes, you can automatically move into compliance and stay there. This is a turnkey solution designed for accelerating time-to-value by providing you with compliance-as-code.

Our customers have told us time and time again that they are strapped for time, resources, and expertise to do this themselves. Here’s how we give them time back.


How to Enforce Compliance With Puppet

Once you’ve subscribed, you’ll be able to get started by installing the module from the Puppet Forge.


Next, go ahead and configure the module. We recommend you use Hiera for this. For each recommendation enforced by cem_linux and cem_windows, we include default configuration values as recommended by CIS to help you get up and running faster.

Each CIS recommendation is implemented as its own class and comes with comprehensive configuration options. Puppet Compliance Enforcement can be configured to include all recommendation classes, or a subset using the configuration parameters ONLY and IGNORE. The configuration values contained within each recommendation class can also be customized.

CEM (the Compliance Enforcement Modules) can be configured at the node level, or abstracted to the operating system level or any other level in your Hiera hierarchy.

In this example, I am configuring the cem_linux module to enforce ONLY CIS Level 1 Server recommendations "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node:

[Figure: CentOS 7 node]

Classifying Nodes with Puppet's Compliance Enforcement Modules

Once you’ve set up your configuration, navigate to the Puppet Enterprise console to apply the compliance modules to your selected nodes.

Continuing with the CentOS 7 example, the easiest way to classify this node is to:

  • Create a node group for all *nix nodes.
  • Pin all relevant nodes, as well as your CentOS 7 node, to that node group.
  • Add the cem_linux module to that node group.
  • Run Puppet on those nodes to apply the modules.

[Figure: Classifying nodes with CEM]

Tasks and Plans in Puppet Compliance Enforcement for Linux

Within the CIS benchmarks for Linux, there are several recommendations that cannot be managed using desired state. Many of these recommendations would require site-specific information and could be damaging to a system if applied in an automated fashion. For these recommendations, cem_linux includes a number of Bolt tasks and plans that can be used to audit or configure specific settings and existing states on nodes, such as duplicate user IDs. These tasks and plans are designed to run from Puppet Enterprise and can be scheduled like any other task or plan.

[Figure: Tasks and Plans in CEM for Linux]

Running a Scan

You’re all set! Time to go ahead and scan your nodes in Puppet Comply.

[Figure: Scan nodes in Puppet Comply]

Continuing to Enforce Compliance

Getting to a compliant state and staying that way is a never-ending loop. Changes to compliance standards and regulatory requirements are inevitable and constant. Building a strong continuous compliance program, based on the three continuous activities of assessment, remediation, and enforcement, is key.

Using Puppet Compliance Enforcement will help your organization get to a compliant state and meet compliance regulations more quickly. Combining the assessment capabilities of Puppet Comply and the enforcement capabilities of Puppet Enterprise empowers your organization to tackle compliance proactively and holistically, and to be more compliant, more of the time.

You have more important things to focus on. Let Puppet help you achieve your compliance goals.
