Introducing the Compliance Enforcement Modules

The Puppet Compliance Enforcement Modules (CEM) were developed to enforce the secure configuration of IT infrastructures and thus protect operations and data. You can use CEM with Puppet Enterprise (PE) or open source Puppet. You can enforce the Center for Internet Security (CIS) compliance rules, which embody internationally recognized standards. You can also enforce the Security Technical Implementation Guides (STIGs) developed by the US Defense Information Systems Agency (DISA). DISA STIG standards are implemented by many US government agencies.

Important: In May 2024, CEM was renamed to Security Compliance Enforcement (SCE). For information about the SCE modules, including new features and fixes, see the Release notes for Linux and the Release notes for Windows.

After you install and configure CEM, PE or open source Puppet runs on any classified nodes without user intervention to enforce compliance. By default, CEM enforces CIS rules for the Level 1 profile. However, you can enforce a variety of security standards and levels, depending on the operating system of the nodes where your servers and workstations are installed. For a list of supported standards for Linux nodes, see Prepare to install the module in the documentation for Linux nodes. For a list of supported standards for Microsoft Windows nodes, see Prepare to install the module in the documentation for Windows nodes.

The following sections provide instructions for installing CEM and customizing the configuration settings, if necessary, to meet your organization’s requirements.

Separate documentation is provided for Linux nodes and for Windows nodes: