Enforce CIS benchmarks

Puppet Comply provides visibility into your compliance status, but it cannot fix your failing nodes. Instead, you can use Puppet’s Compliance Enforcement Modules (CEM).

Available to premium content subscribers, CEM consists of two modules — cem_linux and cem_windows. These are supported Puppet modules developed specifically to bring your Puppet Enterprise (PE) managed nodes under CIS (Center for Internet Security) compliance.

By default, CEM enforces the latest CIS Level 1 benchmarks on your nodes, automating hundreds of operating system settings — the default profile depends on your operating system. You can also customize these configurations to suit your organization’s policies.

To get started with CEM, you need to add the Forge premium content API key to your primary Puppet server. For instructions, visit cem_linux or cem_windows on Puppet Forge.