Basic configuration example

When you specify a compliance framework, CEM is configured to provide rule enforcement and configuration for that framework. For example, to enforce the Center for Internet Security (CIS) Server Level 1 benchmark for a node, you must classify the node with the cem_linux class, set the benchmark parameter to cis, and run Puppet.

In the following example, CEM enforces the CIS Level 1 server recommendations Ensure AIDE is installed and Ensure filesystem integrity is regularly checked on a CentOS 7 node:
  1. Add the following Hiera data to your control repository, control repo:
    # control-repo/data/nodes/<node name>.yaml
    cem_linux::benchmark: 'cis'
    cem_linux::config:
      profile: 'server'
      level: '1'
      only:
        - 'ensure_aide_is_installed'
        - 'ensure_filesystem_integrity_is_regularly_checked' 
  2. Classify the node with the cem_linux class.
  3. Run Puppet.

Some CIS recommendations require you to run a Bolt task. To determine which task to run, review the output of the Puppet debug logs.