Enforce CIS benchmarks

Puppet Comply provides visibility into your compliance status, but it does not remediate failing nodes. To bring those nodes into compliance, use Puppet's Compliance Enforcement Modules (CEM).

Available to premium content subscribers, CEM consists of two modules, cem_linux and cem_windows. These are supported Puppet modules developed specifically to bring your Puppet Enterprise (PE) managed nodes into compliance with the CIS (Center for Internet Security) benchmarks.

By default, CEM enforces the latest CIS Level 1 benchmark for a node's operating system, automating hundreds of operating system settings; which benchmark profile is applied by default depends on the operating system. You can also customize these configurations to suit your organization's policies.
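As an illustration of what such a customization looks like in practice, here is an added example that is not taken from this page or from the CEM module's own documentation. It classifies one node with cem_linux and overrides the default benchmark selection while excluding a single control. The class name cem_linux is the module's main class; the parameter `config` and the keys `benchmark`, `profile`, `level` and `ignore` are assumptions made for this example and must be checked against the README of the module version you run, and the control identifier is a placeholder.

```puppet
# Added example; not code from the page or from the CEM module.
# Parameter and key names below are assumptions: verify them against the
# cem_linux README for your version before using this pattern.
node 'web01.example.com' {
  class { 'cem_linux':
    config => {
      # Pin the benchmark explicitly rather than relying on the per-OS default,
      # so a module upgrade cannot silently change which profile is enforced.
      'benchmark' => 'cis',
      'profile'   => 'server',
      'level'     => '1',
      # Exclude one control whose setting conflicts with a documented local
      # policy. The exclusion is deliberate and visible in code review, and
      # Puppet Comply will still report the control as failing, which keeps the
      # exception auditable instead of hidden.
      'ignore'    => ['<control identifier from the benchmark>'],
    },
  }
}
```

Keeping benchmark selection and every exclusion in version-controlled Puppet code (or the equivalent Hiera data) gives auditors a single place to see what is enforced and what was consciously exempted.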

Tip: Starting with CEM for Linux 1.4.0, CEM also enforces the Security Technical Implementation Guides (STIG) developed by the US Defense Information Systems Agency (DISA). The DISA STIG standards, widely used by US government agencies, can be enforced by CEM on Red Hat Enterprise Linux 7 and 8 operating systems.

To get started with CEM, see Introducing the Compliance Enforcement Modules.