Configuring CEM
Configuration of CEM is optional. If you installed CEM and assigned the cem_windows class to one or more node groups in the Puppet Enterprise (PE) console, PE will run automatically and enforce the default compliance profile on the classified nodes. However, if the default values leave your infrastructure in an undesirable state, or if you want to customize compliance to meet your organization's requirements, you can configure CEM.
By default, CEM for Windows enforces the Level 1 Member Server profile on classified Windows Server 2016 and Windows Server 2019 nodes, and the Level 1 Corporate Enterprise profile on classified Windows 10 Enterprise nodes.
You can customize the settings. For example, if a CIS control sets the maximum password age at 365 days, but your organization requires a password change every 90 days, you can configure CEM accordingly.
You configure CEM by using the Hiera tool in your control repository. For more information, see About Hiera and Getting started with Hiera.
For general information about configuration options, see Overview of configuration options.
For detailed information about configuration options, see the Reference: Benchmarks and controls.
For configuration examples, see How to configure the module: Examples and guidelines.
- Overview of configuration options
  Configuration options include top-level options, framework options, and Center for Internet Security (CIS)-specific options.
- How to configure the module: Examples and guidelines
  The following examples demonstrate the use of CEM in a production environment.