Install and evaluate the module in a test environment

In some cases, compliance controls can negatively impact services that run on nodes. To help avoid possible issues, install and evaluate CEM in a test environment before running CEM in a production environment.

  1. Learn about the CIS Benchmark that you plan to enforce:
    • For a list of supported CIS Benchmarks, see Prepare to install the module.
    • For details about CIS Benchmarks and associated controls, see the CEM Windows Reference on Puppet Forge. You can also download benchmark information from the CIS Benchmarks List. If you are using CEM with Puppet Comply, you can view details about the benchmarks in Comply.
  2. Make a list of any CIS controls that you plan to enable, disable, or configure to meet your organization’s requirements.
    For example, if a control specifies that a password must be changed every 60 days, but your organization requires a password change every 30 days, you can change the expected value for the associated control.
    Tip: For the sake of simplicity, some users review the controls and enable only a limited subset to meet their organization’s requirements.
  3. Identify a test environment. Many users follow the instructions in Environments. You can also use any alternative method that works for you:
    • For Puppet Enterprise (PE), create a test node group and then assign the cem_windows class to that node group.
    • For open source Puppet, follow the instructions in Classifying nodes. Ensure that the CEM module is included on the test nodes.
  4. Download CEM from Puppet Forge. CEM is available as a subscription. For more information, see the Premium content page.
  5. If the host server is connected to the internet, install the module by following the instructions in Installing modules from the Forge by using an internet connection.
  6. If the host server is not connected to the internet, install the module by following the instructions in Installing modules from the Forge in an air-gapped environment.
  7. Verify that the CEM module is successfully installed in the test environment.
    Tip: If the installation was successful, you can find cem_windows in the following directory:
    /etc/puppetlabs/code/environments/<environment_name>/modules/cem_windows
  8. Implement any other configuration updates that you identified in Step 2. Take the following actions:
    1. Specify the updates as described in Configuring CEM.
      Tip: You can simplify configuration by using the Hiera key-value store as described in Getting started with Hiera. For examples, see Basic configuration examples and Advanced configuration example.
    2. Ensure that the updates are deployed to the test environment. For example, if you are using Hiera and Code Manager, you must update the Hiera YAML files, commit the changes to the appropriate branch of your control repository, and trigger Code Manager. If you are using open source Puppet, you would follow the same procedure but trigger r10k.
  9. To detect and resolve any errors, take the following actions:
    1. Look for errors in Puppet runs in your test environment.
    2. If you detect errors, review and update your configuration. For help with configuration options, see the CEM Windows Reference.
    3. If the configuration is correct but errors persist, enable debug logging on the Puppet primary server and review the puppetserver.log file. For more information, see Puppet Server logging.
      Tip: In the log list, CEM errors are prefixed with CEM or cem.
    4. Optionally, for additional insight into errors, enable tracing and debugging when you run the Puppet agent.
    5. If you are unable to resolve the errors, take one of the following actions:
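The checks in Step 7 and Step 9 can be scripted on the Puppet primary server. The POSIX shell helpers below are an added example, not part of the CEM module or the Puppet documentation: cem_installed and cem_version inspect the module directory named in Step 7, deploy_env wraps the Code Manager or r10k trigger from Step 8, and cem_errors applies the Step 9 tip by keeping only log lines whose message carries the CEM or cem prefix. The CODE_DIR variable, every function name, the host name win-test01, the control names, and the lines in sample_log are assumptions constructed for this example; sample_log does not reflect a real puppetserver.log format.

```shell
#!/bin/sh
# Added example: helper functions for checking a CEM test environment on the
# Puppet primary server. Not part of the CEM module; every name here is an
# assumption made for this example.

# Root of the code directory from Step 7 (override for testing).
CODE_DIR="${CODE_DIR:-/etc/puppetlabs/code/environments}"

# Step 7: exit 0 if cem_windows is present in the named environment.
# A Forge module ships metadata.json, so checking for it is stronger than
# checking for the directory alone.
cem_installed() {
  [ -f "$CODE_DIR/$1/modules/cem_windows/metadata.json" ]
}

# Print the installed module version from metadata.json (no jq dependency).
cem_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$CODE_DIR/$1/modules/cem_windows/metadata.json"
}

# Step 8: push committed Hiera changes to the named environment.
# Uses Code Manager when it is present (PE), otherwise r10k (open source).
deploy_env() {
  if command -v puppet-code >/dev/null 2>&1; then
    puppet-code deploy "$1" --wait
  else
    r10k deploy environment "$1"
  fi
}

# Step 9 tip: keep only log lines whose message carries the CEM or cem
# prefix. The boundary check keeps "cem_windows" (a module name, not an
# error prefix) from matching.
cem_errors() {
  grep -E '(^|[^[:alnum:]_])(CEM|cem)([^[:alnum:]_]|$)'
}

# Constructed sample log lines for this example; not a real puppetserver.log.
sample_log() {
  cat <<'EOF'
2024-05-01T10:00:01.000Z INFO  [puppetserver] Compiled catalog for win-test01 in environment test in 1.20 seconds
2024-05-01T10:00:02.000Z ERROR [puppetserver] CEM: control 'password_max_age' has an invalid expected value
2024-05-01T10:00:03.000Z WARN  [puppetserver] Unknown variable: 'facts[os][release]'
2024-05-01T10:00:04.000Z ERROR [puppetserver] cem: no benchmark profile selected for this node
2024-05-01T10:00:05.000Z INFO  [puppetserver] Applied catalog for win-test01 (cem_windows 1.2.3) in 4.50 seconds
EOF
}

# Number of CEM-prefixed lines in the sample log (2 with the lines above).
count_cem_errors() {
  sample_log | cem_errors | wc -l | tr -d ' '
}
```

Run cem_installed test after Step 7, deploy_env test after committing Hiera changes in Step 8, and pipe puppetserver.log through cem_errors when working through Step 9. For Step 9.4 the agent-side equivalent on the test node is puppet agent -t --debug --trace.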