Enforce CIS benchmarks
Puppet Comply provides visibility into your compliance status, but it cannot fix your failing nodes. Instead, you can use Puppet’s Compliance Enforcement Modules (CEM).
Available to premium content subscribers, CEM consists of two
cem_windows. These are supported Puppet
modules developed specifically to bring your Puppet Enterprise (PE)
managed nodes under CIS (Center for Internet Security) compliance.
By default, CEM enforces the latest CIS Level 1 benchmarks on your nodes, automating hundreds of operating system settings — the default profile depends on your operating system. You can also customize these configurations to suit your organization’s policies.