Beginner’s guide to Security Compliance Management

Welcome to the Beginner’s guide to Security Compliance Management! As a new user, you'll need to perform some initial installation and configuration tasks, and then we'll show you how to use the core features of Security Compliance Management.

You're just a few steps away from enforcing compliant configurations across your infrastructure. Before you begin, we recommend familiarizing yourself with our terminology and Security Compliance Management overview.

Step 1: Install and configure Security Compliance Management

Use the main documentation to install and configure Security Compliance Management. If you have completed these steps, proceed to step 2.

Step 2: Set desired compliance

Desired compliance is the benchmark and profile that you assign to a particular node. It is what is scanned on that node by default. Most of the time, you only need to set this once for your nodes.

Based on fact information from Puppet Enterprise, Security Compliance Management automatically assigns an appropriate benchmark for each operating system, along with a Level 1 profile, to nodes that do not yet have desired compliance set. Accepting this option is the quickest way to get up and running with desired compliance.

Alternatively, you can manually choose your own benchmark and profiles. For more information, see Manually set desired compliance.

Step 3: Run a CIS scan

You are now ready to run a scan.

This topic describes how to run an initial ad hoc scan.
  1. In Security Compliance Management, click Scan reports or Scan schedules, and then Run an ad hoc scan.
  2. In the drop-down menu, select Desired compliance or Custom.
    If you have not set desired compliance, follow the instructions in Setting desired compliance.
  3. If you selected Custom, select a benchmark from the Benchmark drop-down menu, then select an option from the Profile drop-down menu. To use a custom profile for this scan, select the Use an associated custom profile? option and choose the relevant option from the Custom profile drop-down menu.
  4. Click Next to see the nodes selected for scanning. Use the drop-down menus to filter nodes by operating system, environment, or node group.
    To scan only a subset of nodes, deselect any nodes that you want to exclude.
    Debug mode: By default, assessor logs are set to WARN level. To troubleshoot an issue, you can set the logging level to DEBUG for the scan by clicking Run in debug mode. The assessor logs can then be retrieved from the individual node.

    On Linux and macOS platforms the assessor log is located at:

    /opt/puppetlabs/comply/Assessor-CLI/logs/assessor-cli.log

    On Windows the assessor log is located at:

    C:/ProgramData/PuppetLabs/comply/Assessor-CLI/logs/assessor-cli.log

    Note that scanning in debug mode increases the size of the assessor log file significantly.

  5. Click Scan.
    You are taken to the Activity feed, which lists each scan. Scans are run as a task in Puppet Enterprise. Click the scan name to see the scan report, or click the job ID to be taken to Puppet Enterprise.
  6. Optionally, to review the results of your scan, navigate to the Compliance Dashboard page.
    See Scan results for a description of the scan data.
Results
Congratulations! You've completed the Beginner’s guide to Security Compliance Management. You're now familiar with the core features and know how to run CIS scans with Security Compliance Management. To find out how you can enforce and automate CIS benchmarks on your failing nodes, see Enforce CIS and STIG best practices.