Release notes

Review the release notes to learn about updates and resolved issues in the Compliance Enforcement Module (CEM) for Windows.

v1.2.3

Released 25 October 2022

  • Added
    • Added a Puppet Bolt task, cem_delete_securitypolicy_inf, to use for error resolution. The Bolt task resolves a corruption error that can affect the temporary file that is used by Desired State Configuration (DSC) to manage the local security policy:
      • The error is indicated by the following message in the Puppet run log:
        Index operation failed; the array index evaluated to null
      • To resolve the error, run the cem_delete_securitypolicy_inf task and re-run Puppet on the affected node.
  • Changed
    • The product documentation was revised to improve usability and retrievability:
      • The change log was migrated from Puppet Forge to the central location for Puppet documentation, Puppet Docs. The change log was renamed to Release notes.
      • The readme file was transformed into a series of topics with a structure similar to other Puppet documentation. The CEM topics are now available on Puppet Docs, starting with Introducing the Compliance Enforcement Modules.
      • The Reference and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
  • Fixed
    • Fixed an error that prevented catalog retrieval from Puppet Enterprise (PE) during Continuous Delivery for Puppet Enterprise pipeline runs. This error occurred when the impact analysis tool set up a temporary environment and then deleted it: the module's __FILE__ reference continued to point into the deleted environment, so the Puppet run failed with the error message: Could not retrieve catalog from remote server.

v1.2.2

Released 10 August 2022

  • Fixed
  • Fixed typos in Microsoft Windows firewall logging paths managed by the following controls:
    • CIS Windows 10
      • 9.1.5
      • 9.2.5
      • 9.3.7
    • CIS Windows Server 2016
      • 9.1.5
      • 9.2.5
      • 9.3.7
    • CIS Windows Server 2019
      • 9.1.5
      • 9.2.5
      • 9.3.7
  • Fixed an issue that could cause the following controls to not be enforced:
    • CIS Windows 10
      • 18.9.17.2
      • 18.9.64.1
      • 18.9.65.3.10.1
      • 18.9.65.3.10.2
      • 18.9.65.3.2.1
      • 18.9.72.1
      • 18.9.75.1
      • 18.9.103.1
    • CIS Windows Server 2016
      • 18.9.45.10.1
    • CIS Windows Server 2019
      • 18.9.41.1
      • 18.9.45.1
      • 18.9.47.11.1
      • 18.9.65.3.10.1
      • 18.9.65.3.10.2
      • 18.9.65.3.2.1
      • 18.9.65.3.3.1
      • 18.9.65.3.3.3
      • 18.9.65.3.3.4
      • 18.9.67.2
      • 18.9.72.1
      • 18.9.89.1
      • 18.9.90.3
      • 18.9.102.2.2
      • 18.9.103.1
      • 18.9.47.5.1.2

v1.2.1

Released 31 May 2022

  • Fixed
  • Fixed a bug related to profile configuration on Microsoft Windows 10 nodes.

v1.2.0

Released 24 May 2022

  • Changed
    • Updated the Center for Internet Security (CIS) Windows Server 2019 Benchmark to version 1.3.0.
  • Fixed
    • Resolved issues leading to scan failures for the following CIS controls on Windows Server 2019:
      • 9.3.7
      • 9.2.5
      • 9.1.5
      • 18.9.108.4.1
      • 18.9.65.3.9.1
      • 18.8.3.1
      • 18.8.21.5
      • 18.5.21.1
      • 18.4.x
      • 18.2.1

v1.1.2

Released 12 May 2022

  • Changed
    • Updated the minimum required version of the dsc/auditpolicydsc module to 1.4.0-0-4. That dependency contains bug fixes and features required by cem_windows. Update your Puppetfile accordingly.
  • Fixed
    • Updated the default value for the Windows Attack Surface Reduction (ASR) rules to Audit instead of Block.
      • While the value of Audit is not CIS-compliant, setting the ASR rules to Block prevented the Puppet agent from successfully configuring the node.
      • If you see Puppet run errors like Could not evaluate: undefined method `[]' for nil:NilClass when enforcing CEM, manually set the Windows ASR rules to Audit and re-run Puppet. To learn more about Windows ASR rules, see Attack surface reduction rules overview.
    • Fixed an issue that applied more controls to a node than required by the configured profile and level.
    • Fixed an issue that caused controls that should be ignored to be applied. This issue occurred when the controls were mapped to a parameter of a resource that was not ignored.
    • Fixed several issues related to configuration backward-compatibility.
    Upgrade requirement: To ensure that the updates in this release take effect, you might have to restart the pe-puppetserver service on your Puppet primary server after Code Manager deploys the new code.

v1.1.1

Released 7 April 2022

  • Fixed
    • Fixed several instances in which configurations from versions previous to v1.1.0 were not recognized. The v1.1.1 configuration is backward compatible with versions prior to v1.1.0.
    • Fixed an issue that required the cem_windows module to exist in the same environment as the Puppet primary server. You can now deploy the module to a different environment than the one your primary server uses, and it remains fully operational.
    • Fixed incorrect Puppet Strings in init.pp file.

v1.1.0

Released 24 March 2022

  • Added
    • The documentation was updated to list the controls that will be reported as failed or unknown in Comply after cem_windows is applied.
      Tip: A failed or unknown status is reported because the CIS-CAT Pro Assessor looks for the registry keys that Microsoft Group Policy Objects write, rather than the keys that cem_windows sets locally. The CIS Windows benchmarks are designed to work only for domain-joined systems. At the time of the v1.1.0 release, CIS was working on Windows benchmarks for standalone systems to resolve the issue.
  • Changed
    • Updated the CIS Windows 10 Benchmark to v1.12.0 to match the latest benchmark version released with Comply 2.4.0.
    • The cem_windows module was updated to implement a new architecture. The new architecture, applied in the background, provides more flexibility for system configuration. For details, see the readme file.

v1.0.7

Released 16 December 2021

  • Removed
    • Removed unnecessary resource defaults in two Windows Server 2016 control classes.

v1.0.6

Released 16 December 2021

  • Removed
    • Removed unnecessary resource defaults in Windows Server 2016 control classes.

v1.0.5

Released 8 December 2021

  • Fixed
    • Fixed non-idempotent Desired State Configuration (DSC) resources.
    • Fixed the registry key for Windows 10 CIS control 1.1.6. Now, this control will be properly configured.

v1.0.4

Released 7 December 2021

  • Added
    • In the readme file, added a link to premium content installation instructions. To use CEM, you must be a premium content subscriber.
  • Fixed
    • Fixed an issue that caused values for the dsc_accountpolicy parameter to be set incorrectly.

v1.0.3

Released 13 October 2021

  • Fixed
    • Fixed the default value for CIS control 2.3.1.1 to align with the expected value provided by CIS.
    • Fixed the cem_windows::allow_local_account_rdp parameter so that it works as intended.

v1.0.2

Released 11 October 2021

  • Fixed
    • Fixed firewall profiles to align with the CIS specification.

v1.0.1

Released 30 September 2021

  • Fixed

Known issues and limitations

The current release includes known issues and limitations. In most cases, workarounds are provided.

  • After an upgrade, you might have to restart Puppet Server or the pe-puppetserver service. Starting with v1.1.0, CEM for Windows implements a new architecture. If you upgrade CEM from v1.0.7 or earlier to v1.1.0 or later, and you encounter errors, try restarting the pe-puppetserver service or restarting or reloading Puppet Server. For instructions, see Restarting Puppet Server.
  • You might have to manually set Windows Attack Surface Reduction (ASR) rules to Audit. In cem_windows releases prior to v1.1.2, the module set a default value of Block to comply with CIS guidelines. However, the Block value prevented the Puppet agent from successfully configuring the node. For this reason, the default value was changed to Audit, which is not CIS compliant. If you see Puppet run errors like Could not evaluate: undefined method `[]' for nil:NilClass when enforcing CEM, manually set the Windows ASR rules to Audit and re-run Puppet. To learn more about Windows ASR rules, see Attack surface reduction rules overview.
  • Some controls can fail scans. During a Comply scan, you might see error messages about CIS recommended guidelines that are not enforced. These error messages are triggered by bugs in the CIS-CAT Pro Assessor that is bundled with Comply. CEM correctly enforces these settings. The following controls are affected:
    • 1.1.5 - Windows Server 2016 and Windows Server 2019
    • 1.1.6 - Windows Server 2016 and Windows Server 2019
    • 2.3.10.7 - Windows Server 2016
    • 18.2.1 - Windows Server 2019
    • 18.4.1 - Windows Server 2016 and Windows Server 2019
    • 18.4.8 - Windows Server 2016
    • 18.4.9 - Windows Server 2016 and Windows Server 2019
    • 18.4.12 - Windows Server 2016
    • 18.8.21.5 - Windows Server 2016
    • 18.9.47.5.1.2 - Windows Server 2019
    • 18.9.62.3.9.1 - Windows Server 2016
  • Puppet runs are not idempotent. If Desired State Configuration (DSC) resources show corrective changes on every Puppet run, or the run reports an error such as Unknown feature "custom_isync", you are running an incompatible version of the Puppet agent. CEM for Windows requires Puppet 6 agents to be v6.23.0 or later and Puppet 7 agents to be v7.8.0 or later.
  • If the Puppet agent fails to upgrade when you use the puppetlabs/puppet_agent module, restart the computer or virtual machine where the Puppet agent is running to help ensure that updates are applied.
  • If you use remote desktop protocol (RDP) to access nodes, members of the Guests group and local (non-domain) accounts cannot log in by default. To allow local accounts to log in over RDP, set the cem_windows::allow_local_account_rdp parameter to true.
  • If non-admin users cannot log in to nodes, the issue might be related to event logs. By default, Windows Event Log does not clear events. When the event log of a node is full, only administrators can log in. To let Windows overwrite old events instead, find the corresponding recommendation in your compliance framework and configure that setting, or set the policy value directly. In the Windows registry, locate the following key and value:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application:Retention
    Then set the Retention value to 0.
  • You cannot disable Windows Remote Management (WinRM). The WinRM service is required for the DSC modules and cannot be disabled.
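
The two manual workarounds above (switching ASR rules from Block to Audit, and setting the event-log Retention policy value to 0) as a single PowerShell script to run in an elevated session on the affected node. This is an added example, not code from the CEM module or from Puppet's documentation. It relies only on the Microsoft Defender cmdlets Get-MpPreference and Add-MpPreference and on the Group Policy registry path quoted above; the function names, the -WhatIf handling, and the choice to treat the Security and System logs alongside Application are this example's own assumptions.

```powershell
# Added example (not part of cem_windows): inspect and remediate the two CEM
# known-issue workarounds on a node. Run in an elevated PowerShell session.
# Assumptions not taken from the CEM docs: the function names, -WhatIf support,
# and covering the Security and System logs in addition to Application.

# Get-MpPreference reports ASR rule actions as integers:
# 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$AsrBlock = 1

function Set-AsrRulesToAudit {
    # Switches every ASR rule currently set to Block over to Audit mode.
    # Returns the rule IDs that were (or, with -WhatIf, would be) changed.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    if ($ids.Count -eq 0) {
        Write-Verbose 'No ASR rules are configured on this node.'
        return @()
    }

    $changed = @()
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($actions[$i] -ne $AsrBlock) { continue }
        $id = $ids[$i]
        if ($PSCmdlet.ShouldProcess("ASR rule $id", 'Change action from Block to Audit')) {
            # Add-MpPreference updates the action of an already-configured rule ID
            # without replacing the rest of the rule list (Set-MpPreference would).
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                             -AttackSurfaceReductionRules_Actions AuditMode
            $changed += $id
        }
    }
    return $changed
}

function Set-EventLogRetentionOverwrite {
    # Sets the Group Policy value Retention = "0" (overwrite events as needed)
    # for each named log, creating the policy key if it does not exist yet.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Logs = @('Application', 'Security', 'System')
    )

    $results = @()
    foreach ($log in $Logs) {
        $path    = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
        $current = (Get-ItemProperty -Path $path -Name Retention -ErrorAction SilentlyContinue).Retention

        if ($current -eq '0') {
            $results += [pscustomobject]@{ Log = $log; Before = $current; After = '0'; Changed = $false }
            continue
        }
        if ($PSCmdlet.ShouldProcess("$path : Retention", "Set to '0' (overwrite events as needed)")) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            # The policy value is a REG_SZ string; Group Policy writes "0" when the
            # "Control Event Log behavior when the log file reaches its maximum size"
            # setting is Disabled.
            Set-ItemProperty -Path $path -Name Retention -Value '0' -Type String
            $results += [pscustomobject]@{ Log = $log; Before = $current; After = '0'; Changed = $true }
        }
    }
    return $results
}

# Preview what would change, then drop -WhatIf to apply and re-run Puppet on the node.
Set-AsrRulesToAudit -WhatIf
Set-EventLogRetentionOverwrite -WhatIf
```

Both functions are idempotent and report what they touched, so the output can be kept alongside the Puppet run log when you document why a node deviates from the CIS-recommended Block and Retention settings.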

Controls ignored by default to prevent operational issues

Some controls are ignored by default to prevent operational issues. However, you can enable the controls if necessary.

  • 2.3.1.1 (Ensure 'Accounts: Administrator account status' is set to 'Disabled') - If this control is applied, it can cause non-idempotent runs. The control can also cause Puppet run failures if you attempt to run Puppet manually while logged in as Administrator.

  • 2.3.1.5 (Configure 'Accounts: Rename administrator account') - If this control is applied, it can cause non-idempotent runs. The control can also cause Puppet run failures if you attempt to run Puppet manually while logged in as Administrator.

To enable a control that is ignored by default, set an explicit ignore list that does not include it. Any ignore list you configure replaces the default list entirely, so include every control you still want ignored (for example, list only c2_3_1_1 to keep ignoring 2.3.1.1 while enforcing 2.3.1.5). Once a control above is enforced, the non-idempotent runs and Administrator-session failures described for it can occur. For example, the following configuration ignores only control 1.1.1, overriding the default ignore list:

cem_windows::config:
  ignore:
    - 'c1_1_1'

The following configuration removes all controls from the ignore list:

cem_windows::config:
  ignore: []