Do you know how to enforce compliance?
Regulations change, and remediation becomes complicated and time-consuming when things do change. Here we will explore how Compliance Modules can help you and your team save time and effort for a task that challenges even the most on-top-of-it organization.
Compliance Enforcement Modules, or CEM, are modules specifically designed to implement CIS Benchmark recommendations as code. This means you can move closer to meeting relevant regulations and security policies without spending the time and manual effort of translating each recommendation yourself.
You can enforce compliance by making sure your internal policies are up-to-date and actively enforced through strategies like policy as code.
A key activity in any strong continuous compliance program is remediation. First, you remediate the compliance failures you find by defining your compliance policy-as-code, then you apply that code to all relevant nodes. Sounds simple, right? In theory, perhaps. In practice, however, it’s not so clear-cut.
Let’s take the example of a compliance benchmark from the Center for Internet Security (CIS), a globally recognized organization providing benchmarks for securing IT systems and data. The CIS benchmark for Microsoft Windows Server 2019 contains more than 350 secure configuration recommendations for system hardening. Making sense of and translating these compliance standards into code can pose significant and costly challenges for organizations—not to mention continuously keeping code up to date with new benchmark versions.
Compliance Enforcement Modules, or CEM, are Puppet modules specifically designed to implement CIS Benchmark recommendations as Puppet code. Within CEM there are two distinct modules, cem_linux and cem_windows, which currently enforce CIS benchmark recommendations across a range of Linux and Windows operating systems using a combination of Puppet code, tasks, and plans. CEM content currently includes:
- CIS Level 1 - Corporate Enterprise
- Windows Server 2019
- CIS Level 1 - Member Server
- Windows Server 2016
- Red Hat Enterprise Linux 8
- CIS Level 1 - Server
- Red Hat Enterprise Linux 7
- CentOS Linux 7
Our team is continuously working to expand our CEM content to cover CIS benchmarks for additional operating systems, profiles, and other technologies, as well as other compliance frameworks such as DISA STIG. Updates to existing module content, along with newly added content, will be made available to all CEM subscribers to help them meet their compliance requirements.
We’ve been working on some pretty cool stuff since we launched Puppet Comply last year. Lots of great feedback has come in, and we’re thankful for every opportunity we get to show our customers how we can help. This feedback comes in many forms, but one of the things we’ve heard time and time again is that achieving compliance is still hard.
Has compliance ever been easy?
We’ve talked about the number of regulations that people are trying to adhere to, plus the ever-changing landscape of infrastructure. These things that continue to change keep us on our toes, and the truth is: they take up a lot of our precious time.
Understanding our priorities has become a really important aspect of our lives. What is the most important thing for me to tackle right now? What is going to have the most impact? Do I really need to spend time on that?
Compliance Enforcement Modules are specifically designed to remediate and enforce compliance issues against CIS benchmarks. By applying these modules to your nodes, you can automatically move into compliance and stay there. This is a turnkey solution designed for accelerating time-to-value by providing you with compliance-as-code.
Our customers have told us time and time again that they are strapped for time, resources, and expertise to do this themselves. Here’s how we give them time back.
Once you’ve subscribed, you’ll be able to get started by installing the module from the Puppet Forge.
Next, go ahead and configure the module. We recommend you use Hiera for this. For each recommendation enforced by cem_linux and cem_windows, we include default configuration values as recommended by CIS to help you get up and running faster.
Each CIS recommendation is implemented as its own class within CEM and comes with comprehensive configuration options. CEM can be configured to include all recommendation classes, or a subset using the configuration parameters ONLY and IGNORE. The configuration values contained within each recommendation class can also be customized.
CEM can be configured at the node level, or abstracted to the operating system level or any other abstraction level in your Hiera hierarchy.
In this example, I am configuring the cem_linux module to enforce ONLY CIS Level 1 Server recommendations "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node:
Once you’ve set up your configuration, navigate to the Puppet Enterprise console to apply the CEM to your selected nodes.
Continuing with the CentOS 7 example, the easiest way to classify this node is to:
Within the CIS benchmarks for Linux, there are several recommendations that cannot be managed using desired state. Many of these recommendations require site-specific information and could damage a system if applied in an automated fashion. For these recommendations, cem_linux includes a number of Bolt tasks and plans that audit or remediate specific settings and existing state on nodes, such as duplicate user IDs. These tasks and plans are designed to run from Puppet Enterprise and can be scheduled like any other task or plan.
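The duplicate user ID case mentioned above is a good illustration of why such checks are audit tasks rather than desired-state code: the right fix depends on which account should keep the UID. The POSIX shell below is an added example of the kind of audit a task would perform, not code from cem_linux or any Puppet module. It reports every UID (or, using the same helper on the first field, every account name) shared by more than one entry in a passwd-format file, and `audit_uids` returns non-zero when any duplicate exists so a scheduled run can flag the node. The sample passwd file it builds is constructed for the example and contains no real system data.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for duplicated fields.
# Not part of cem_linux; it shows the shape of an audit-only check.

# duplicates FILE FIELD: print "duplicate <label> <value>: name1 name2 ..."
# for every value of colon-separated FIELD that appears more than once.
# FIELD 3 is the UID in /etc/passwd (or the GID in /etc/group); FIELD 1 is the name.
duplicates() {
  file="${1:-/etc/passwd}"
  field="${2:-3}"
  awk -F: -v f="$field" '
    {
      count[$f]++
      names[$f] = ($f in seen) ? names[$f] " " $1 : $1
      seen[$f] = 1
    }
    END {
      for (v in count)
        if (count[v] > 1)
          printf "duplicate field %s value %s: %s\n", f, v, names[v]
    }' "$file" | sort
}

# duplicate_uids FILE: convenience wrapper for the CIS duplicate-UID check.
duplicate_uids() {
  duplicates "${1:-/etc/passwd}" 3
}

# duplicate_names FILE: the companion check for duplicated account names.
duplicate_names() {
  duplicates "${1:-/etc/passwd}" 1
}

# audit_uids FILE: exit status 0 when every UID is unique, 1 otherwise,
# so the check can fail a task run instead of only printing findings.
audit_uids() {
  [ -z "$(duplicate_uids "${1:-/etc/passwd}")" ]
}

# make_sample_passwd: write a constructed passwd file (two accounts share UID 1001)
# and print its path. Sample data only, not taken from any real host.
make_sample_passwd() {
  sample=$(mktemp)
  cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1001:1001::/home/carol:/bin/bash
EOF
  printf '%s\n' "$sample"
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  f=$(make_sample_passwd)
  duplicate_uids "$f"
  audit_uids "$f" && echo "no duplicate UIDs" || echo "duplicate UIDs found"
  rm -f "$f"
fi
```

Run it with `sh audit_uids.sh --demo` to see the finding for the sample, or call `audit_uids /etc/passwd` from a task wrapper to check a real node; the script only reads the file and never modifies accounts, which is the point of keeping this step as an audit.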
You’re all set! Time to go ahead and scan your nodes in Puppet Comply.
Getting to a compliant state and staying that way is a never-ending loop. Changes to compliance standards and regulatory requirements are inevitable and constant. Building a strong continuous compliance program, based on the three continuous activities of assessment, remediation, and enforcement is key.
Using Compliance Enforcement Modules will help your organization get to a compliant state and meet compliance regulations more quickly. Combining the assessment capabilities of Puppet Comply and the enforcement capabilities of Puppet Enterprise empowers your organization to tackle compliance proactively and holistically, and to be more compliant, more of the time.
You have more important things to focus on. Let Puppet help you achieve your compliance goals.
Start Automating Compliance Today
Charles Sanders is a Product Marketing Manager at Puppet by Perforce.
Alex Hin, Principal Engineering Product Manager