Basic configuration example

When you specify a compliance framework, CEM is configured to provide rule enforcement and configuration for that framework. For example, to enforce the Center for Internet Security (CIS) Server Level 1 benchmark for a node, you must classify the node with the cem_linux class, set the benchmark parameter to cis, and run Puppet.

In the following example, CEM enforces the CIS Level 1 server controls "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node:
  1. Add the following Hiera data to your control repository:
    # control-repo/data/nodes/<node name>.yaml
    cem_linux::benchmark: 'cis'
    cem_linux::config:
      profile: 'server'
      level: '1'
      only:
        - 'ensure_aide_is_installed'
        - 'ensure_filesystem_integrity_is_regularly_checked'
  2. Classify the node with the cem_linux class.
  3. Run Puppet.

This example is for CIS configuration. For information about configuring STIG controls, see Configure DISA STIG.
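
To confirm on the node that the two controls in the example took effect after the Puppet run, you can run a check such as the following. This is an added example, not part of CEM or the original documentation. The function names, the cron locations searched, and the aidecheck.timer unit name are assumptions, because this page does not state how CEM schedules the integrity check.

```shell
#!/bin/sh
# Added example: post-run check for the two controls enforced above.
# Assumption: the integrity check is scheduled through cron or a systemd
# timer named aidecheck.timer; this page does not say which one CEM uses.

# True if the aide package is installed (RPM-based node such as CentOS 7).
aide_installed() {
    rpm -q aide >/dev/null 2>&1
}

# aide_cron_scheduled [ROOT]: true if an uncommented cron entry under ROOT
# runs aide (or aide.wrapper) with --check or --update.
aide_cron_scheduled() {
    cron_root="${1:-}"
    grep -Eqrs \
        '^([^#]*[[:space:]/])?aide(\.wrapper)?[[:space:]]+([^#]*[[:space:]])?--(check|update)([[:space:]]|$)' \
        "$cron_root/etc/crontab" "$cron_root/etc/cron.d" \
        "$cron_root/etc/cron.daily" "$cron_root/etc/cron.weekly" \
        "$cron_root/var/spool/cron"
}

# True if the assumed systemd timer is enabled.
aide_timer_enabled() {
    systemctl is-enabled aidecheck.timer >/dev/null 2>&1
}

# report [ROOT]: print PASS/FAIL per control; non-zero status if any control fails.
report() {
    report_rc=0
    if aide_installed; then
        echo "PASS ensure_aide_is_installed"
    else
        echo "FAIL ensure_aide_is_installed"; report_rc=1
    fi
    if aide_cron_scheduled "${1:-}" || aide_timer_enabled; then
        echo "PASS ensure_filesystem_integrity_is_regularly_checked"
    else
        echo "FAIL ensure_filesystem_integrity_is_regularly_checked"; report_rc=1
    fi
    return "$report_rc"
}

# Run on the node as: sh check_aide.sh --report
if [ "${1:-}" = "--report" ]; then
    report
    exit $?
fi
```

A commented-out cron line does not count as scheduled, so a FAIL on the second control after a clean Puppet run is worth checking against the debug logs.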

Some CIS recommendations require you to run a Puppet Bolt task. To determine which task to run, review the output of the Puppet debug logs.