Basic concepts
The basic concepts include an overview of CEM and the security standards that it enforces. You can also learn about Hiera, a key-value store that is used to configure CEM.
Compliance Enforcement Modules
CEM is software that automatically enforces security standards on IT infrastructures. After CEM is installed and configured, you can run Puppet Enterprise (PE) or open source Puppet on your specified nodes, and CEM automatically enforces security controls.
Hiera
To configure CEM, you can use the Hiera key-value store. Hiera stores configuration data in a hierarchical structure in key-value pairs. For an introduction, see About Hiera.
Center for Internet Security (CIS)
The Center for Internet Security, Inc., is a nonprofit organization that strives to protect IT infrastructures through collaboration and innovation. Contributors to the organization include security experts from government, business, and academia who develop and maintain internationally recognized security standards. For more information, see Center for Internet Security.
CIS Benchmarks
CIS develops and maintains CIS Benchmarks, which are configuration recommendations for product families. For example, if your nodes run on the Microsoft Windows 10 Enterprise operating system, you can enforce the CIS Microsoft Windows 10 Enterprise Benchmark v2.0.0, Level 1. For an overview, see CIS Benchmarks. For a list of supported benchmarks, see Prepare to install the module.
CIS profiles and levels
Each CIS Benchmark has a profile, which consists of a level and an applicability.
- Level 1 is intended to be practical and prudent, providing a clear security benefit without inhibiting the use of the technology.
- Level 2 extends the Level 1 profile to provide additional protection for systems in which security is paramount. Level 2 can affect a system’s performance and usability while promoting enhanced security.
The applicability refers to the affected system component. For example, if a benchmark has a profile of Level 1 – Member Server, the benchmark provides Level 1 (basic) security protections for servers.
CIS controls
Each CIS Benchmark consists of controls, which are also called recommendations or rules. Each control is a security safeguard. For example, a control might disable the use of Bluetooth communication technologies on the protected system because Bluetooth transmissions can be intercepted. Or a control might specify that passwords must consist of at least 14 characters.
1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
- Parameters: Configuration options, along with data types and default values.
- Supported Levels: The supported levels for the control, for example, Level 1.
- Supported Profiles: The applicability of the control, for example, member_server.
- Hiera Configuration Example: Snippet of code that can be used to configure the control in Hiera.
- Alternate Config IDs: The alternate config IDs for a control. If you configure the control in Hiera, you can use any of the listed config IDs. However, you cannot mix and match types within a configuration; you must use a single type of config ID.
- Resource: The name of the Puppet resource that enforces the control.
Level 1 – Member Server and specify only one control (for file system integrity), you would enter the following values (note that the keys under cem_windows::config, and the list under only, must be indented as shown for the YAML to be valid):

# control-repo/data/nodes/<node name>.yaml
cem_windows::benchmark: 'cis'
cem_windows::config:
  profile: 'member_server'
  level: '1'
  only:
    - 'ensure_filesystem_integrity_is_regularly_checked'
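The Hiera snippet above is the whole interface between an operator and CEM, so a malformed node file (a missing level, an empty only list, or config IDs of mixed types, which the control reference says is not allowed) silently changes what gets enforced. The following Ruby script is an added example, not part of the CEM documentation or the module itself: it loads a node YAML file with Ruby's standard yaml library and reports those problems before the file is committed to the control repo. The classification of config IDs into a dotted CIS number (such as 1.1.1) and a snake_case control name is an assumption for the purpose of the check; any other ID form is reported as unrecognised rather than guessed at. The sample YAML is the snippet from this page, embedded as a constructed input.

```ruby
# Added example (not CEM's own code): sanity-check a CEM Hiera node file.
require 'yaml'

# Constructed sample input: the node YAML shown on the page.
SAMPLE_HIERA = <<~YAML
  # control-repo/data/nodes/<node name>.yaml
  cem_windows::benchmark: 'cis'
  cem_windows::config:
    profile: 'member_server'
    level: '1'
    only:
      - 'ensure_filesystem_integrity_is_regularly_checked'
YAML

# Assumed classification of config ID types (hypothetical, not from the page):
# a dotted CIS-style number such as 1.1.1, or a snake_case control name.
def config_id_type(id)
  s = id.to_s
  return :number if s.match?(/\A\d+(\.\d+)*\z/)
  return :name   if s.match?(/\A[a-z0-9]+(_[a-z0-9]+)*\z/)
  :unknown
end

# Returns an array of findings; an empty array means every check passed.
# module_name lets the same check run for other CEM modules' key prefixes.
def check_cem_config(yaml_text, module_name: 'cem_windows')
  findings = []
  data = YAML.safe_load(yaml_text) || {}

  findings << "#{module_name}::benchmark is not set" unless data.key?("#{module_name}::benchmark")

  config = data["#{module_name}::config"]
  unless config.is_a?(Hash)
    findings << "#{module_name}::config is missing or not a map"
    return findings
  end

  findings << 'profile is not set' unless config.key?('profile')

  # The page describes CIS Level 1 and Level 2; Hiera normally carries the level as a string.
  level = config['level'].to_s
  findings << "level '#{level}' is not '1' or '2'" unless %w[1 2].include?(level)

  only = config['only']
  unless only.nil?
    unless only.is_a?(Array) && !only.empty?
      findings << "'only' must be a non-empty list of config IDs"
      return findings
    end
    types = only.map { |id| config_id_type(id) }
    only.zip(types).each do |id, type|
      findings << "unrecognised config ID '#{id}'" if type == :unknown
    end
    # Config IDs must all be of one type; mixing forms in one list is rejected.
    known = types.reject { |t| t == :unknown }.uniq
    findings << "mixed config ID types in 'only': #{known.join(', ')}" if known.size > 1
  end

  findings
end

# Stand-alone usage: check the sample, or a file given on the command line.
if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_HIERA
  findings = check_cem_config(text)
  puts(findings.empty? ? 'OK: no findings' : findings.map { |f| "FINDING: #{f}" })
end
```

Run it as a pre-commit hook or CI step against each file under control-repo/data/nodes/; a non-empty findings list is the signal to stop the commit.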