How to achieve CIS Compliance with Puppet
CIS compliance with Puppet
Security compliance is the new black. Everyone is talking about it. Everyone is writing about it. Hopefully everyone is doing something about it, but it's a big lift for organizations. Compliance can mean adhering to departmental and company standards; it can mean well-defined regulatory standards like HIPAA, GDPR, and others. Compliance can mean adopting a standardized set of recommended protocols for cyber security.
If compliance isn't on your radar right now, it should be. It's definitely on someone's mind in your organization. The days of “trust in the firewall” are long gone; every organization should adopt standard security best practices.
Fortunately there's a well-defined set of standards available: CIS Benchmarks. CIS is a not-for-profit organization that develops and maintains best practices in relation to cyber security. The CIS Benchmarks have been adopted by many organizations as the standard to implement.
CIS publishes these recommendations, grouped under Benchmarks, and you can download them for free from the CIS website. There is a significant number of published Benchmarks—over 50 as of this writing. The Benchmarks define security best practices for platforms from mobile devices to operating systems, network devices, virtualization platforms, and middleware. Each Benchmark recommends a specific set of security recommendations called Controls. A Control is a specific action: a setting or practice. Any given Benchmark can have dozens or hundreds of Controls.
Implementing CIS Benchmarks can be daunting because of the sheer number of Controls under each Benchmark, the necessity of assessing if the Control is appropriate for a given server, and the scale at which these Controls need to be deployed in a modern IT estate. After deployment, keeping current with Benchmark updates, remediating drift, and demonstrating compliance can seem like a Herculean task. Fortunately, Puppet has a solution to implement, maintain, and document CIS compliance easily.
The CIS suite from Puppet
Puppet's suite of products offers a three-step approach to ensuring and proving CIS Benchmark compliance:
Puppet Comply: Puppet Comply includes the CIS scanner to determine compliance on each managed node in your Puppet estate. Puppet Comply allows you to scan against each CIS Benchmark, and to customize Benchmarks to reflect real-world implementations, accounting for recommended Controls that simply aren't practical on a given system (e.g. a legacy system where telnet is required). This allows you to document and track accepted exceptions to specific Controls and demonstrate compliance against these tailored Benchmarks. Puppet Comply also provides a console showing your current compliance against the Benchmark, so you can prioritize the Controls whose implementation will make the biggest impact on your compliance status.
Puppet Enterprise: Puppet Enterprise (PE) implements the Compliance Enforcement Modules (CEM) (below), allowing you to define groups of managed nodes and apply the appropriate Benchmark to each group. Puppet Enterprise assures nodes stay in compliance as each managed node is continuously monitored and any deviation from the expected configuration is remediated and reported on. Puppet Enterprise allows you visibility into node status, drift, and current configuration from a unified web console.
Puppet Compliance Enforcement Modules (CEM): Puppet Compliance Enforcement Modules simplify enforcing CIS Benchmarks by providing pre-written, modular Puppet policy-as-code to declaratively enforce CIS compliance. Each Control is implemented as a class in CEM. Updates to Benchmarks are simple and provided by Puppet on a regular cadence, ensuring that your compliance profile is always up to date.
How Compliance Enforcement Modules make compliance simple
With the introduction of our Compliance Enforcement Modules, enforcing compliance can be checked off as a simple task. The modularity of the CEM implementation allows very specific configuration of Benchmarks, ensuring all necessary Controls are enforced, and that inappropriate/unnecessary Controls are not. Each Benchmark Control can be included in a machine’s configuration without any dependencies on other Controls.
As an example, the CIS RHEL 8/CentOS 8 Benchmark recommends disabling DHCP (Control 2.2.15 - Ensure DHCP Server is not enabled). You may, of course, have specific servers that provide DHCP services to your network. Fortunately, Puppet Compliance Enforcement Modules allow you to ignore selected Control classes entirely via the $ignore parameter. The $ignore parameter takes an array of Control class names and does not load them into the catalog. To keep this class out of the catalog, you would add ['ensure_dhcp_server_is_not_enabled'] as the value of the $ignore parameter.
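The following manifest is an added illustration of the $ignore mechanism described above; it is not code from Puppet's CEM modules or from this post. It assumes a hypothetical CEM entry-point class named cem_linux that accepts the $ignore array; the real class name and parameter layout must be taken from the module's documentation. The stand-in class at the end shows the kind of resource Control 2.2.15 enforces on nodes where it is loaded, so the difference between the two node groups is visible.

```puppet
# Added example: role-based exception handling for CIS Control 2.2.15.
# 'cem_linux' and its 'ignore' parameter are assumed names for illustration.
# In Puppet Enterprise the same parameters would be set on a node group in
# the console rather than in per-node blocks; site.pp is used here for clarity.

# Group 1: general-purpose RHEL 8 nodes. No exceptions, so every Control,
# including ensure_dhcp_server_is_not_enabled, is loaded into the catalog.
node 'web01.example.com' {
  class { 'cem_linux':
    ignore => [],
  }
}

# Group 2: the DHCP servers. The DHCP Control is an accepted, documented
# exception, so its class is kept out of the catalog. Every other Control
# in the Benchmark is still enforced and reported on exactly as for Group 1.
node 'dhcp01.example.com' {
  class { 'cem_linux':
    ignore => ['ensure_dhcp_server_is_not_enabled'],
  }
}

# Illustrative stand-in for what Control 2.2.15 enforces when it is loaded
# (constructed here; not the module's own implementation). On web01 Puppet
# stops and disables dhcpd and reports any drift as a corrective change;
# on dhcp01 this resource never enters the catalog, so the service is left
# to the DHCP role's own configuration.
class cis_example::ensure_dhcp_server_is_not_enabled {
  service { 'dhcpd':
    ensure => 'stopped',
    enable => false,
  }
}
```

Keeping the exception as a catalog-level exclusion rather than a local override means the accepted deviation is itself recorded in policy-as-code, which is what Comply's tailored Benchmark and an auditor will want to see side by side.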
Paired together, our Compliance Enforcement Modules and Puppet Comply's ability to customize existing Benchmarks allow for more accurate reporting of compliance for documented exceptions. Comply's custom profiles let you enforce or bypass specific Benchmark recommendations; for example, DNS should be running on a DNS server, and the scan shouldn't report that as a vulnerability. Comply lets you define multiple custom profiles to suit specific configurations with accurate reporting.
Benchmark standards are written in Puppet’s human-readable DSL. Presenting the code, along with Puppet’s logs showing enforcement, demonstrates a solid chain of compliance enforcement.
Audit readiness is a breeze
Puppet’s approach to CIS compliance allows for both continuous compliance enforcement and continuous audit readiness. Since the Benchmark standards are included in each managed node’s catalog, enforcement is ongoing. Drift is reported as a corrective change and can be reported on through the Puppet console. Updates to the enforced Benchmarks are reported as intentional changes, allowing both differentiation from remediation and confirmation of when updated Controls were applied.
Example: Puppet’s CEM code is easy to read, using plain English descriptions. In the example below you can see that “DHCP” is being set to ‘disabled’.
Similarly, since each Control is defined as part of Puppet’s policy as code and stored on the Puppet server, proving compliance during an audit is simple.