Configuring CEM

Configuration of CEM is optional. If you installed CEM and assigned the cem_linux class to one or more node groups in the Puppet Enterprise (PE) console, PE runs automatically and enforces the Center for Internet Security (CIS) Server Level 1 profile. However, if the default values leave your infrastructure in an undesirable state, or if you want to customize compliance to meet your organization's requirements, you can configure CEM.

For example, if a CIS control sets the maximum password age at 365 days, but your organization requires a password change every 90 days, you can configure CEM accordingly.

You configure CEM with Hiera data in your control repository. For more information, see About Hiera and Getting started with Hiera.

For general information about CEM configuration options, see Overview of configuration options. For detailed information about CEM configuration options, see the Reference: Benchmarks and controls.

For configuration examples, see How to configure the module: Examples and guidelines.

CAUTION: CEM default settings are fully CIS compliant. Too much customization can cause your configuration to become non-compliant.