Overview of configuration options
Configuration options include top-level options, framework options, and Center for Internet Security (CIS)-specific options.
If you installed CEM and assigned the cem_windows class to a node group in the PE console, the default profile is automatically enforced. However, to customize CEM to meet your organization's requirements, you can configure benchmarks by using the Hiera tool. For more information, see Hiera.
Find and set configuration options
You can find the configuration options for a specific control in the Reference: Benchmarks and controls. The reference is divided into sections, with each section representing a benchmark. In those benchmarks, you will see each control listed with several subsections:
- Parameters: Configuration options for a control, along with the data type and default value.
- Supported Levels: The supported levels for a CIS control.
- Supported Profiles: The supported profiles for a CIS control.
- Hiera Configuration Example: Snippet of Hiera that can be used to configure a control.
- Alternate Config IDs: The alternate config IDs for a control. Any of these config IDs, along with the full control name, can be used as a key in the control_config hash.
- Resource: The name of the Puppet resource that enforces the control.
Guidelines for specifying config IDs
You can specify controls in the control_config hash by referencing the full control name, the control number, the normalized control name, or the normalized control number. You cannot mix and match these forms and must pick a single config ID form to use for your config. Full control names and control numbers are copied verbatim from the benchmarks and are case-sensitive. Normalized control names have lowercase letters and contain only alphanumeric characters and underscores. Normalized control numbers are always prefixed with a c and contain only numeric characters separated by underscores.
Example of alternate config IDs:
- Full control name: (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
- Control number: 1.1.1
- Normalized control name: ensure_enforce_password_history_is_set_to_24_or_more_passwords
- Normalized number: c1_1_1
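The following is an added example (not code from the cem_windows module) that derives the normalized forms shown above from the full control name and control number, and checks that a control_configs hash uses a single config ID form. The normalization rules are an assumption based on the description above, and the control_configs keys and parameter names are constructed for illustration.

```python
import re

# Assumed rule: a full control name starts with a level tag such as "(L1) ".
LEVEL_TAG = re.compile(r"^\(L\d+\)\s*")


def normalize_control_name(full_name: str) -> str:
    """Lowercase, drop the level tag, keep only alphanumerics, join words with '_'."""
    text = LEVEL_TAG.sub("", full_name).lower()
    text = re.sub(r"[^a-z0-9 ]", "", text)  # removes quotes and "(s)" parentheses
    return "_".join(text.split())           # collapse whitespace into underscores


def normalize_control_number(number: str) -> str:
    """'1.1.1' -> 'c1_1_1' (prefix c, dots replaced by underscores)."""
    if not re.fullmatch(r"\d+(\.\d+)*", number):
        raise ValueError(f"not a control number: {number!r}")
    return "c" + number.replace(".", "_")


def config_id_form(key: str) -> str:
    """Classify one control_configs key into one of the four config ID forms."""
    if re.fullmatch(r"\d+(\.\d+)*", key):
        return "control_number"
    if re.fullmatch(r"c\d+(_\d+)*", key):   # checked before the generic name pattern
        return "normalized_number"
    if re.fullmatch(r"[a-z0-9_]+", key):
        return "normalized_name"
    return "full_name"                      # verbatim, case-sensitive benchmark name


def check_config_id_forms(control_configs: dict) -> set:
    """Return the set of ID forms used; more than one entry means the forms are mixed."""
    return {config_id_form(key) for key in control_configs}


# Constructed example data shaped like the Hiera control_configs hash (assumed layout).
EXAMPLE_CONTROL_CONFIGS = {
    "c1_1_1": {"password_history_length": 24},  # hypothetical parameter name
    "c1_1_2": {"maximum_password_age": 365},    # hypothetical parameter name
}

if __name__ == "__main__":
    full = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
    print(normalize_control_name(full))
    print(normalize_control_number("1.1.1"))
    print("forms used:", check_config_id_forms(EXAMPLE_CONTROL_CONFIGS))
```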
Top-level configuration options
These options are configured at the top level of the module. In Hiera, these options are prefixed with cem_windows:
- framework - Enum['cis'] - the compliance framework to use. CEM supports only cis. Default: cis.
- config - Optional[Hash] - the location for all non-top-level configuration options. Default: undef.
- allow_on_domain_controller - Boolean - If cem_windows detects that it is running on a domain controller, CEM does not enforce controls and logs a warning to inform the user. In this way, CEM helps to prevent the enforcement of compliance settings on domain controllers that could negatively impact an entire domain. Default: false.
- enable_long_paths - Boolean - Enables support for long path names in the Windows registry. Setting this option to false can cause issues with some Desired State Configuration (DSC) modules used in cem_windows. Default: true.
- privileged_user - Optional[String] - If the Puppet agent does not run under a user with local administrator privileges, you must supply the name of a user with local administrator privileges. This is used by DSC to enforce a state on a machine. Default: undef.
- privileged_password - Sensitive[Any] - If you specified a privileged user, use this option to specify a password for that user account. Default: undef.
- allow_local_account_rdp - Boolean - By default, cem_windows disables remote desktop protocol (RDP) access for non-domain accounts. If you set this option to true, local accounts on the node can make RDP connections to the node. Default: false.
Framework configuration options
The framework configuration options are available as key-value pairs within the cem_windows::config: hash.
- control_configs - Optional[Hash] - location for all rule-specific configurations. Default: undef.
- only - Optional[Array[String]] - takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp). The classes specified here are included in the catalog. Takes precedence over the ignore: option. Default: undef.
- ignore - Optional[Array[String]] - takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp). The classes specified here are not included in the catalog. If only: is specified, this option has no effect. Default: undef.
CIS-specific configuration options
The CIS-specific configuration options are available as key-value pairs within the cem_windows::config: hash. These options are applicable only to the CIS compliance framework.
- profile - Optional[Enum['member_server', 'corporateenterprise']] - the name of the benchmark profile. corporateenterprise is supported only on Windows 10 Enterprise operating systems. Default for Windows Server operating systems: member_server. Default for Windows 10 Enterprise operating systems: corporate_enterprise.
- level - Optional[Enum['1', '2']] - the name of the profile level. The only value supported by CEM is 1. Default: 1.
For more details about configuration options, see Reference: Benchmarks and controls.