Configure rules that rely on site-specific information

Some Center for Internet Security (CIS) rules require information that is specific to a customer site. You can use Puppet Bolt tasks to configure these rules. For more information about Puppet Bolt, see Welcome to Puppet Bolt.

By using Puppet Enterprise (PE), you can run Puppet Bolt tasks and plans to audit or configure specific parts of a node. To run Puppet Bolt tasks, open the PE console and select the Tasks menu. Then, select cem_linux.

You can also use open source Puppet to run Puppet Bolt tasks and plans. If you are using open source Puppet, run Puppet Bolt tasks from the command line:
  1. Install Puppet Development Kit (PDK) and Bolt.
  2. In the root of the CEM directory, run the pdk bundle exec rake 'spec_prep' command. This command downloads the required dependencies as RSpec fixtures, and then creates a symbolic link from the module directory to the fixtures directory.
  3. Run the tasks on one or more hosts. For example:
    bolt task run comply_enforcement_module::audit_unowned_files_and_directories -t $nodefqdn --modulepath spec/fixtures/modules
    You must add the --modulepath spec/fixtures/modules option to Puppet Bolt commands. Otherwise, Puppet Bolt is not able to find the tasks and plans.
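
A wrapper for steps 2 and 3 above, added here as an example (it is not part of the CEM module or the Puppet documentation). It refuses to run until spec_prep has populated spec/fixtures/modules, validates the target list, and always passes --modulepath. The function names and the hosts file (one target per line) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CEM module. Function names are hypothetical.
FIXTURES="spec/fixtures/modules"   # module path given on this page

# Step 2 check: spec_prep must have populated the fixtures directory,
# otherwise Bolt cannot find the tasks and plans.
check_fixtures() {
    if [ ! -d "$1/$FIXTURES" ] || [ -z "$(ls -A "$1/$FIXTURES")" ]; then
        echo "no fixtures in $1/$FIXTURES: run pdk bundle exec rake 'spec_prep'" >&2
        return 1
    fi
}

# Read one target per line, skip blanks and '#' comments, and join with commas
# for -t. Entries that start with '-' or contain characters outside
# [A-Za-z0-9._-] are rejected so a bad line is never parsed as a Bolt option.
join_targets() {
    targets=""
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in
            ''|'#'*) continue ;;
            -*|*[!A-Za-z0-9._-]*)
                echo "rejecting target: $host" >&2
                return 1 ;;
        esac
        targets="${targets:+$targets,}$host"
    done < "$1"
    [ -n "$targets" ] || return 1
    printf '%s\n' "$targets"
}

# Step 3: run the task from the CEM root with the required --modulepath.
run_cem_task() {
    task="$1"; hosts_file="$2"; cem_root="${3:-.}"
    check_fixtures "$cem_root" || return 1
    targets="$(join_targets "$hosts_file")" || return 1
    ( cd "$cem_root" && bolt task run "$task" -t "$targets" --modulepath "$FIXTURES" )
}

# Usage: sh run_cem_task.sh <task> <hosts_file> [cem_root]
if [ "$#" -ge 2 ]; then
    run_cem_task "$@"
fi
```
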