Apply CIS Benchmarks to a new Puppet Enterprise installation
To ensure that the Compliance Enforcement Module (CEM) for Linux can enforce Center for Internet Security (CIS) Benchmarks or STIG standards after a new installation of Puppet Enterprise (PE), you must update the CEM configuration. The configuration update helps to ensure that CEM can work on a PE primary server without issues that might be caused by default log rotation rules.
Add the following Hiera data to your control repository, control_repo.
cem_linux::config:
  control_configs:
    ensure_logrotate_is_configured:
      rules:
        puppetserver:
          path:
            - '/var/log/puppetlabs/puppetserver/puppetserver.log'
            - '/var/log/puppetlabs/puppetserver/pcp-broker.log'
            - '/var/log/puppetlabs/puppetserver/puppetserver-access.log'
            - '/var/log/puppetlabs/puppetserver/puppetserver-daemon.log'
            - '/var/log/puppetlabs/puppetserver/puppetserver-status.log'
            - '/var/log/puppetlabs/puppetserver/code-manager-access.log'
            - '/var/log/puppetlabs/puppetserver/file-sync-access.log'
            - '/var/log/puppetlabs/puppetserver/masterhttp.log'
          create_owner: 'puppet'
          create_group: 'puppet'
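One way to confirm the rule took effect after the next Puppet run and log rotation, as an added example that is not part of the original page or of CEM: the script checks that each Puppet Server log from the path list is owned by the create_owner and create_group values. The function name check_log_ownership is hypothetical, and the script assumes GNU stat and that those two keys set the owner and group of the recreated log files.

```shell
#!/bin/sh
# Added example: verify that the Puppet Server logs named in the Hiera rule
# are owned by the owner/group the rule sets (create_owner / create_group).
# Assumption: GNU stat (Linux), matching the CEM for Linux scope of the page.

# Log file names taken from the 'path' list in the Hiera data.
PUPPETSERVER_LOGS="puppetserver.log pcp-broker.log puppetserver-access.log
puppetserver-daemon.log puppetserver-status.log code-manager-access.log
file-sync-access.log masterhttp.log"

# check_log_ownership DIR OWNER GROUP   (hypothetical helper name)
# Prints one line per existing log whose owner:group differs from OWNER:GROUP.
# Returns 0 if every existing log matches, 1 otherwise. Missing logs are
# skipped, because not every service writes its log on every server.
check_log_ownership() {
    dir=$1
    want="$2:$3"
    rc=0
    for name in $PUPPETSERVER_LOGS; do
        file="$dir/$name"
        [ -e "$file" ] || continue
        have=$(stat -c '%U:%G' "$file")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $file: $have (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Typical use on the primary server:
#   check_log_ownership /var/log/puppetlabs/puppetserver puppet puppet
```

A non-zero exit status with MISMATCH lines means at least one log was recreated with an owner or group other than the one set in the Hiera data.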