Install and evaluate the module in a test environment
In some cases, compliance controls can negatively impact services that run on nodes. To help avoid possible issues, install and evaluate CEM in a test environment before running CEM in a production environment.
1. Learn about the CIS Benchmark that you plan to enforce:
- For a list of supported CIS Benchmarks, see Prepare to install the module.
- For details about CIS Benchmarks and their associated controls, see the CEM Windows Reference on Puppet Forge. You can also download benchmark information from the CIS Benchmarks List. If you use CEM with Puppet Comply, you can view details about the benchmarks in Comply.
2. Make a list of any CIS controls that you plan to enable, disable, or configure to meet your organization's requirements. For example, if a control specifies that a password must be changed every 60 days, but your organization requires a password change every 30 days, you can change the expected value for that control. Tip: For the sake of simplicity, some users review the controls and enable only a limited subset that meets their organization's requirements. Controls that you leave out are not enforced, so keep a record of them so that the gap is known to whoever assesses compliance later.
3. Identify a test environment. Many users follow the instructions in Environments. You can also use any alternative method that works for you:
- For Puppet Enterprise (PE), create a test node group and then assign the cem_windows class to that node group.
- For open source Puppet, follow the instructions in Classifying nodes. Ensure that the CEM module is included on the test nodes.
4. Download CEM from Puppet Forge. CEM is available as a subscription. For more information, see the Premium content page.
- If the Puppet primary server is connected to the internet, install the module by following the instructions in Installing modules from the Forge by using an internet connection.
- If the Puppet primary server is not connected to the internet, install the module by following the instructions in Installing modules from the Forge in an air-gapped environment.
5. Verify that the CEM module is successfully installed in the test environment. Tip: If the installation was successful, the cem_windows module is in the following directory on the primary server, where <environment_name> is the name of the test environment from Step 3: /etc/puppetlabs/code/environments/<environment_name>/modules/cem_windows
6. Implement any other configuration updates that you identified in Step 2:
- Specify the updates as described in Configuring CEM. Tip: You can simplify configuration by using the Hiera key-value store as described in Getting started with Hiera. For examples, see Basic configuration examples and Advanced configuration example.
- Ensure that the updates are deployed to the test environment. For example, if you are using Hiera and Code Manager, update the Hiera YAML files, commit the changes to the branch of your control repository that corresponds to the test environment, and trigger Code Manager. If you are using open source Puppet, follow the same procedure but trigger r10k instead.
7. Detect and resolve any errors:
- Look for errors in Puppet runs in your test environment.
- If you detect errors, review and update your configuration. For help with configuration options, see the CEM Windows Reference.
- If the configuration is correct but errors persist, enable debug logging on the Puppet primary server and review the puppetserver.log file. For more information, see Puppet Server logging. Tip: In the log, CEM errors are prefixed with CEM or cem.
- Optionally, for additional insight into errors, enable tracing and debugging when you run the Puppet agent on the test node.
- If you are unable to resolve the errors, take one of the following actions:
  - PE users can post a question in the #compliance Slack channel in the Puppet Community or open a ticket with Puppet Support.
  - Open source Puppet users can post a question in the #compliance Slack channel in the Puppet Community, open a ticket on the cem_issues webpage in GitHub, or open a ticket with Puppet Support. As an open source Puppet user, your options depend on the support package that you purchased with CEM.
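The checks from Steps 5 and 7, as an added shell example for the Linux primary server; this is not code from the CEM documentation or from the module itself. It assumes the default PE code directory /etc/puppetlabs/code/environments and the default Puppet Server log path /var/log/puppetlabs/puppetserver/puppetserver.log (both overridable by argument). The metadata.json contents and the log lines that make_demo_tree writes are constructed fixtures, not real CEM output, and the version string 1.2.3 is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of the CEM documentation or the module.
# Post-install checks for a CEM test environment, run on the Puppet
# primary server. Assumes the default PE layout; both paths are adjustable.
set -u

CODE_ENVS_DEFAULT=/etc/puppetlabs/code/environments
PUPPETSERVER_LOG_DEFAULT=/var/log/puppetlabs/puppetserver/puppetserver.log

# Step 5: return 0 if cem_windows (with its metadata.json) exists in the
# named environment, 1 otherwise. A bare directory without metadata.json
# usually means an interrupted or partial module install.
cem_module_installed() {
  local env_name="$1" envs_dir="${2:-$CODE_ENVS_DEFAULT}"
  [ -f "$envs_dir/$env_name/modules/cem_windows/metadata.json" ]
}

# Print the installed module version from metadata.json so you can confirm
# the test environment carries the release you intend to evaluate.
cem_module_version() {
  local env_name="$1" envs_dir="${2:-$CODE_ENVS_DEFAULT}"
  local meta="$envs_dir/$env_name/modules/cem_windows/metadata.json"
  [ -f "$meta" ] || return 1
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$meta" | head -n 1
}

# Step 7: list ERROR/WARN lines in puppetserver.log that carry the CEM or
# cem prefix. -w matches the prefix as a whole word, so unrelated tokens
# such as "cem_windows" in a resource title do not count.
cem_log_errors() {
  local log="${1:-$PUPPETSERVER_LOG_DEFAULT}"
  grep -E '(ERROR|WARN)' "$log" | grep -Ew 'CEM|cem' || true
}

cem_log_error_count() {
  cem_log_errors "$@" | wc -l | tr -d ' '
}

# Build a throwaway tree with CONSTRUCTED fixtures (not real CEM output) so
# the checks above can be exercised without a primary server. Prints the
# fixture root; the version 1.2.3 is a placeholder.
make_demo_tree() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/environments/test_env/modules/cem_windows"
  printf '{\n  "name": "puppetlabs-cem_windows",\n  "version": "1.2.3"\n}\n' \
    > "$root/environments/test_env/modules/cem_windows/metadata.json"
  cat > "$root/puppetserver.log" <<'EOF'
2024-05-02T10:15:01.123Z INFO  [qtp-1] [puppetserver] Puppet Compiled catalog for win-test-01 in 2.13 seconds
2024-05-02T10:15:02.456Z ERROR [qtp-1] [puppetserver] Puppet CEM: expected value for a control must be an integer
2024-05-02T10:15:03.789Z WARN  [qtp-1] [puppetserver] Puppet cem: control disabled by configuration, skipping
2024-05-02T10:15:04.000Z ERROR [qtp-1] [puppetserver] Puppet Could not find class example::unrelated for win-test-01
2024-05-02T10:15:05.000Z INFO  [qtp-1] [puppetserver] Puppet cem: evaluation complete
EOF
  echo "$root"
}

# Stand-alone run: exercise the checks against the constructed fixtures.
demo="$(make_demo_tree)"
if cem_module_installed test_env "$demo/environments"; then
  echo "cem_windows $(cem_module_version test_env "$demo/environments") found in test_env"
else
  echo "cem_windows missing from test_env"
fi
echo "CEM errors/warnings in log: $(cem_log_error_count "$demo/puppetserver.log")"
cem_log_errors "$demo/puppetserver.log"
rm -rf "$demo"
```

Point the functions at your real environment name and log file to use them on the primary server: after Step 5 to confirm the module landed in the intended test environment rather than in production, and after the debug-logging step in Step 7 to pull only the CEM-prefixed errors out of a noisy log. The agent-side half of Step 7 happens on the Windows test node, where `puppet agent -t --debug --trace` gives the run output with tracing and debugging enabled.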