Security Compliance Management release notes

These are the new features, enhancements, and resolved issues for the Security Compliance Management (SCM) 3.x release series.

Security Compliance Management 3.0.0

Released 7 May 2024.

New in this release:

  • Security Compliance Management is now included in the full Puppet Enterprise suite. The Puppet Enterprise license now covers the full Puppet Enterprise suite, which includes Security Compliance Management (formerly Puppet Comply®) and Continuous Delivery. If you have installed Puppet Enterprise, you can separately install and use the other parts of the suite. Additionally, by purchasing the Puppet Enterprise Advanced license, you can unlock the following premium features:
    • Security Compliance Enforcement (formerly CEM)
    • Advanced Impact Analysis capabilities within Continuous Delivery
  • Bolt-based Security Compliance Management installer. The new Puppet Bolt-based installer for Security Compliance Management allows you to install, upgrade, and configure SCM through an easy wizard. For more information, visit Install Security Compliance Management. If you are in an air-gapped environment where SSH access is not permitted to the target node, visit Install Security Compliance Management on a host without SSH access.
  • Migrate Security Compliance Management 2.x to a 3.x installation. To upgrade to the Security Compliance Management 3.x series from a version in the 2.x series, see Migrate from Security Compliance Management 2.x to 3.x.
  • CIS-CAT Pro Assessor v4.41.0. Security Compliance Management 3.0.0 contains the CIS-CAT Pro Assessor v4.41.0.
  • Benchmarks updated in this release:
    • Debian Linux 11 Benchmark v2.0.0
    • Microsoft Windows 10 Stand-alone Benchmark v3.0.0
    • Microsoft Windows Server 2016 Benchmark v3.0.0
    • Microsoft Windows Server 2019 Benchmark v3.0.0
    • Microsoft Windows Server 2022 Benchmark v3.0.0
    • Ubuntu Linux 18.04 LTS Benchmark v2.2.0
    • Ubuntu Linux 22.04 LTS Benchmark v2.0.0

Resolved in this release:

  • Unable to reset the desired compliance when a node changes operating systems. Fixed an issue where you could not change the desired compliance after changing the OS on a node. You can now reset the desired compliance on a node when the OS of the node changes.

Security fixes in this release:

  • Resolved security vulnerabilities present in embedded, third-party dependencies of the CIS-CAT Pro Assessor v4.41.0:
    • PostgreSQL updated to v42.7.2.
    • xmlsec updated to v4.0.1.
    • cxf-core updated to v3.5.8.
    • bouncycastle updated to v1.78.

For upgrade instructions, see Upgrading.