CEM for Linux
You can deploy the Compliance Enforcement Module (CEM) for Linux to help ensure that your servers and workstations on Linux operating systems comply with security recommendations. You can enforce the controls that are specified by the Center for Internet Security (CIS). Alternatively, you can apply the standards published in the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG).
CEM for Linux supports the following operating systems: Red Hat Enterprise Linux 7 and 8, CentOS Linux 7, AlmaLinux 8, and Oracle Linux 7 and 8.
To take advantage of new features, fixes, and improvements, install the latest version of CEM. You can learn about the latest release by reviewing the Release notes. Then, to install CEM, follow the instructions in Installing CEM. By default, CEM runs automatically on any classified nodes and does not require configuration. However, if you want to configure CEM to meet your organization's requirements, follow the instructions in Configuring CEM.
- Release notes
  Review the release notes to learn about updates and resolved issues in the Compliance Enforcement Module (CEM) for Linux.
- Installing CEM
  Before you install CEM, complete the preparation steps: review the system requirements, install and configure Puppet Enterprise (PE), and purchase CEM. Then, install CEM and classify the nodes on which you want to enforce compliance.
- Upgrading CEM
  You can upgrade CEM for Linux to take advantage of the latest features, fixes, and improvements.
- Configuring CEM
  Configuration of CEM is optional. If you installed CEM and assigned the cem_linux class to one or more node groups in the Puppet Enterprise (PE) console, PE will run automatically and enforce the Center for Internet Security (CIS) Server Level 1 profile. However, if the default values leave your infrastructure in an undesirable state, or if you want to customize compliance to meet your organization's requirements, you can configure CEM.
- Auditing and querying issues identified during scans
  In some cases, a CIS or DISA STIG compliance scan might identify an issue that you want to investigate and fix. To get started, you can run an audit or query.
- Reference: Benchmarks and controls
  For help with configuring CEM, review the Reference topics on Puppet Forge.