
A closer look at how Puppet’s new Compliance Enforcement Modules work

source link: https://puppet.com/blog/how-compliance-enforcement-modules-work/?utm_campaign=Feed%3A+PuppetLabs+%28Puppet+Labs%29
by Claire McDyre | 6 October 2021

Compliance Enforcement Modules

Since we launched Puppet Comply last year, we have been working hard to build out the solution's capabilities so that our customers have more options for implementing a continuous compliance program and can be more proactive and efficient in managing compliance.

A key activity in any strong continuous compliance program is remediation. First, you remediate the compliance failures you find by defining your compliance policy-as-code, then you apply that code to all relevant nodes. Sounds simple, right? In theory, perhaps. In practice, however, it’s not so clear-cut.

Let’s take the example of a compliance benchmark from the Center for Internet Security (CIS), a globally recognized organization providing benchmarks for securing IT systems and data. The CIS benchmark for Microsoft Windows Server 2019 contains more than 350 secure configuration recommendations for system hardening. Making sense of and translating these compliance standards into code can pose significant and costly challenges for organizations—not to mention continuously keeping code up to date with new benchmark versions.

That is why we are very excited to launch Puppet's new Compliance Enforcement Modules! Our Compliance Enforcement Modules (CEM), announced by my colleague Alex Hin in his recent blog post, are now available to customers as a subscription. The modules are created, updated, and fully supported by Puppet, allowing you to get up and running more quickly with your continuous compliance program and to stay fully up to date with the latest benchmark versions.

What are Compliance Enforcement Modules anyway?

Compliance Enforcement Modules, or CEM, are Puppet modules specifically designed to implement CIS Benchmark recommendations as Puppet code. Within CEM there are two distinct modules, cem_linux and cem_windows, which currently enforce CIS benchmark recommendations across a range of Linux and Windows operating systems using a combination of Puppet code, tasks, and plans. CEM content currently includes:

Module        OS                           Profile
cem_windows   Windows 10                   CIS Level 1 - Corporate Enterprise
cem_windows   Windows Server 2019          CIS Level 1 - Member Server
cem_windows   Windows Server 2016          CIS Level 1 - Member Server
cem_linux     Red Hat Enterprise Linux 8   CIS Level 1 - Server
cem_linux     Red Hat Enterprise Linux 7   CIS Level 1 - Server
cem_linux     CentOS Linux 7               CIS Level 1 - Server

Our team is continuously working to expand our CEM content to include CIS across additional operating systems, profiles, and other technologies, as well as other compliance frameworks such as DISA STIG. Updates to existing module content, along with new content added, will be made available to all CEM subscribers to meet compliance requirements.

Getting started with CEM

Once you’ve subscribed, you’ll be able to get started by installing the module from the Puppet Forge.

Configuration

Next, go ahead and configure the module. We recommend you use Hiera for this. For each recommendation enforced by cem_linux and cem_windows, we include default configuration values as recommended by CIS to help you get up and running faster.

Each CIS recommendation is implemented as its own class within CEM and comes with comprehensive configuration options. CEM can be configured to include all recommendation classes, or only a subset of them, using the configuration parameters ONLY (enforce just the listed recommendations) and IGNORE (enforce everything except the listed recommendations). The configuration values contained within each recommendation class can also be customized.

CEM can be configured at the node level, or abstracted to the operating system level or any other abstraction level in your Hiera hierarchy.

In this example, I am configuring the cem_linux module to enforce ONLY CIS Level 1 Server recommendations "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node:
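The Hiera data below is an added illustration of the configuration just described, not the post's own screenshot or code and not shipped by the cem_linux module. It assumes a Hiera 5 hierarchy with an `os` and a `nodes` level, and it assumes the `cem_linux::config` hash layout with `profile`, `level`, `only`, `ignore` and `control_configs` keys, the control identifiers, and the override keys shown; the post only names the ONLY and IGNORE parameters, so check the module's reference documentation for the exact keys in your CEM version. The node-level file expresses the case from the paragraph above (ONLY the two AIDE-related Level 1 Server recommendations on one CentOS 7 node); the OS-level file shows the complementary IGNORE form for a whole platform.

```yaml
# --- data/os/CentOS-7.yaml (assumed hierarchy path) ---
# Platform-wide baseline: enforce the full CIS Level 1 - Server profile on every
# CentOS 7 node, except one recommendation that this fleet handles another way.
cem_linux::config:
  profile: server          # CIS profile from the CEM content table (Level 1 - Server)
  level: 1
  ignore:                  # IGNORE: enforce everything in the profile except these
    - ensure_mounting_of_cramfs_filesystems_is_disabled   # assumed control id

# --- data/nodes/centos7-web01.example.com.yaml (constructed node name) ---
# Node-level override for the example in the post: ONLY the two file-integrity
# recommendations are enforced on this node, nothing else from the profile.
cem_linux::config:
  profile: server
  level: 1
  only:                    # ONLY: enforce just the listed recommendations
    - ensure_aide_is_installed                              # assumed control id
    - ensure_filesystem_integrity_is_regularly_checked      # assumed control id
  control_configs:         # per-recommendation values replacing the CIS defaults
    ensure_filesystem_integrity_is_regularly_checked:
      hour: 5              # assumed keys: run the scheduled AIDE check at 05:00
      minute: 0
```

With Hiera's default first-found lookup, the node-level `cem_linux::config` hash replaces the OS-level one entirely, which is what the "ONLY these two controls" example wants. If you instead want node data to layer on top of the OS baseline, add `lookup_options: { cem_linux::config: { merge: deep } }` to your common data so the hashes are deep-merged. Either way, the `only` and `ignore` lists are the place to check first when a node reports fewer (or more) enforced recommendations than expected.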

