Basic configuration examples

When you specify a compliance framework, CEM is configured to provide rule enforcement and configuration for that framework. For example, to enforce the Center for Internet Security (CIS) Server Level 1 benchmark for a node, you must classify the node with the cem_windows class, set the benchmark parameter to cis, and run Puppet. To learn more about CEM configuration, see the following examples.

Example 1

In this example, CEM applies only two controls on a Windows 10 node: 'c1_1_1' and 'c2_3_1_1'.
  1. Add the following Hiera data to your control repository (control repo):
    # control-repo/data/nodes/<node name>.yaml 
    cem_windows::benchmark: 'cis' 
    cem_windows::config: 
      profile: 'member_server' 
      level: '1' 
      only: 
        - 'c1_1_1' 
        - 'c2_3_1_1' 
  2. Classify the node with the cem_windows class.
  3. Run Puppet.

Example 2

In this example, CEM applies all controls in the configured benchmark and profile on a Windows 10 node except for two: 'c1_1_1' and 'c2_3_1_1'.
  1. Add the following Hiera data to your control repository (control repo):
    # control-repo/data/nodes/<node name>.yaml 
    cem_windows::benchmark: 'cis' 
    cem_windows::config: 
      profile: 'member_server' 
      level: '1' 
      ignore: 
        - 'c1_1_1' 
        - 'c2_3_1_1' 
  2. Classify the node with the cem_windows class.
  3. Run Puppet.
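
A pre-merge check for the node data in Examples 1 and 2, added here as an illustration and not part of CEM or the original page: it models the 'only' and 'ignore' behavior described above and flags control IDs that match nothing, because a mistyped ID under 'ignore' would leave that control enforced. Assumptions: SAMPLE_CATALOGUE and review_node_data are hypothetical names, the c9_* IDs are constructed placeholders, and how CEM itself treats unknown IDs or both keys set together is not stated on this page.

```ruby
require 'yaml'

# Constructed stand-in for the control IDs in the configured benchmark and
# profile. Only c1_1_1 and c2_3_1_1 come from this page; the c9_* IDs are
# placeholders, not real CIS controls.
SAMPLE_CATALOGUE = %w[c1_1_1 c2_3_1_1 c9_9_9_1 c9_9_9_2].freeze

# Hiera data from Example 1 on this page.
EXAMPLE_1 = <<~YAML
  cem_windows::benchmark: 'cis'
  cem_windows::config:
    profile: 'member_server'
    level: '1'
    only:
      - 'c1_1_1'
      - 'c2_3_1_1'
YAML

# Example 2 is the same data with 'ignore' in place of 'only'.
EXAMPLE_2 = EXAMPLE_1.sub('only:', 'ignore:')
# Constructed failure case: 'c1_1_l' (letter l) typed instead of 'c1_1_1'.
TYPO = EXAMPLE_2.sub("'c1_1_1'", "'c1_1_l'")

# Returns the controls that would be enforced under the semantics described on
# this page, plus a list of problems worth fixing before the data is merged.
# Setting both keys is reported, not resolved: the page does not describe it.
def review_node_data(yaml_text, catalogue)
  data = YAML.safe_load(yaml_text) || {}
  config = data['cem_windows::config'] || {}
  only = Array(config['only'])
  ignore = Array(config['ignore'])
  problems = []
  problems << 'cem_windows::benchmark is not set' unless data['cem_windows::benchmark']
  problems << 'only and ignore are both set' unless only.empty? || ignore.empty?
  (only + ignore).uniq.each do |id|
    problems << "unknown control id: #{id}" unless catalogue.include?(id)
  end
  enforced = (only.empty? ? catalogue : catalogue & only) - ignore
  { enforced: enforced, problems: problems }
end

if __FILE__ == $PROGRAM_NAME
  { 'Example 1' => EXAMPLE_1, 'Example 2' => EXAMPLE_2, 'Typo' => TYPO }.each do |name, yaml|
    puts "#{name}: #{review_node_data(yaml, SAMPLE_CATALOGUE)}"
  end
end
```

In real use the catalogue would be replaced with the control IDs for the benchmark and profile actually configured on the node.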