Overview of configuration options

Configuration options include top-level options, framework options, and Center for Internet Security (CIS)-specific options.

If you installed CEM and assigned the cem_windows class to a node group in the PE console, the default profile is automatically enforced. However, to customize CEM to meet your organization's requirements, you can configure benchmarks by using the Hiera tool. For more information, see Hiera.

CAUTION: CEM's default settings are fully CIS compliant. Too much customization can cause your configurations to be noncompliant.
Controls ignored by default: Controls 2.3.1.1 and 2.3.1.5 are ignored by default because of non-idempotent and Puppet run issues. For details and configuration options, see Controls ignored by default to prevent operational issues.

Find and set configuration options

You can find the configuration options for a specific control in the Reference: Benchmarks and controls. The reference is divided into sections, with each section representing a benchmark. In those benchmarks, you will see each control listed with several subsections:

  • Parameters: Configuration options for a control, along with the data type and default value.
  • Supported Levels: The supported levels for a CIS control.
  • Supported Profiles: The supported profiles for a CIS control.
  • Hiera Configuration Example: Snippet of Hiera that can be used to configure a control.
  • Alternate Config IDs: The alternate config IDs for a control. Any of these config IDs, along with the full control name, can be used as a key in the control_config hash.
  • Resource: The name of the Puppet resource that enforces the control.

Guidelines for specifying config IDs

You can specify controls in the control_config hash by referencing the full control name, the control number, the normalized control name, or the normalized control number. You cannot mix and match these forms and must pick a single config ID form to use for your config. Full control names and control numbers are copied verbatim from the benchmarks and are case-sensitive. Normalized control names have lowercase letters and contain only alphanumeric characters and underscores. Normalized control numbers are always prefixed with a c and contain only numeric characters separated by underscores.

Example of alternate config IDs:

  • Full control name: (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
  • Control number: 1.1.1
  • Normalized control name: ensure_enforce_password_history_is_set_to_24_or_more_passwords
  • Normalized number: c1_1_1

Top-level configuration options

These options are configured at the top level of the module.

In Hiera, these options are prefixed with cem_windows:

  • framework - Enum['cis'] - the compliance framework to use. CEM supports only cis. Default: cis.
  • config - Optional[Hash] - the location for all non-top-level configuration options. Default: undef.
  • allow_on_domain_controller: - Boolean - If cem_windows detects that it is running on a domain controller, CEM does not enforce controls and logs a warning to inform the user. In this way, CEM helps to prevent the enforcement of compliance settings on domain controllers that could negatively impact an entire domain. Default: false.
  • enable_long_paths - Boolean - Enables support for long path names in the Windows registry. Setting this option to false can cause issues with some Desired State Configuration (DSC) modules used in cem_windows. Default: true.
  • privileged_user - Optional[String] - If the Puppet agent does not run under a user with local administrator privileges, you must supply the name of a user with local administrator privileges. This is used by DSC to enforce a state on a machine. Default: undef.
  • privileged_password - Sensitive[Any] - If you specified a privileged user, use this option to specify a password for that user account. Default: undef.
  • allow_local_account_rdp - Boolean - By default, cem_windows disables remote desktop protocol (RDP) access for non-domain accounts. If you set this option to true, local accounts on the node can make RDP connections to the node. Default: false.

Framework configuration options

The framework configuration options are available as key-value pairs within the cem_windows::config: hash.

  • control_configs - Optional[Hash] — location for all rule-specific configurations. Default: undef.
  • only - Optional[Array[String]] — takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp). The classes specified here are included in the catalog. Takes precedence over the ignore: option. Default: undef.
  • ignore - Optional[Array[String]] — takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp). The classes specified here are not included in the catalog. If only: is specified, this option has no effect. Default: undef.

CIS-specific configuration options

The CIS-specific configuration options are available as key-value pairs within the cem_windows::config: hash. These options are applicable only to the CIS compliance framework.

  • profile - Optional[Enum['member_server', 'corporateenterprise']] — the name of the benchmark profile. corporateenterprise is supported only on Windows 10 Enterprise operating systems. Default for Windows Server operating systems: member_server. Default for Windows 10 Enterprise operating systems: corporate_enterprise.
  • level - Optional[Enum['1', '2']] — the name of the profile level. The only value supported by CEM is 1. Default: 1.

For more details about configuration options, see Reference: Benchmarks and controls.