homebloghow compliance enforcement modules work

A closer look at how Puppet’s new Compliance Enforcement Modules work

Compliance Enforcement Modules

Since we launched Puppet Comply last year, we’ve been working hard to build out the solution’s capabilities so that we can provide our customers with more options in implementing a continuous compliance program, and become more proactive and efficient in how they manage compliance.

A key activity in any strong continuous compliance program is remediation. First, you remediate the compliance failures you find by defining your compliance policy-as-code, then you apply that code to all relevant nodes. Sounds simple, right? In theory, perhaps. In practice, however, it’s not so clear-cut.

Let’s take the example of a compliance benchmark from the Center for Internet Security (CIS), a globally recognized organization providing benchmarks for securing IT systems and data. The CIS benchmark for Microsoft Windows Server 2019 contains more than 350 secure configuration recommendations for system hardening. Making sense of and translating these compliance standards into code can pose significant and costly challenges for organizations—not to mention continuously keeping code up to date with new benchmark versions.

That is why we are very excited to launch Puppet’s new Compliance Enforcement Modules! Our Compliance Enforcement Modules, or CEM, as announced by my colleague, Alex Hin, in his recent blog post are now available to customers as a subscription. The modules are created, updated, and fully supported by Puppet, allowing you to get up and running more quickly with your continuous compliance program and to stay truly, fully up to date with the latest benchmark versions.

What are Compliance Enforcement Modules anyway?

Compliance Enforcement Modules, or CEM, are Puppet modules specifically designed to implement CIS Benchmark recommendations as Puppet code. Within CEM there are two distinct modules, cem_linux and cem_windows, which currently enforce CIS benchmark recommendations across a range of Linux and Windows operating systems using a combination of Puppet code, tasks, and plans. CEM content currently includes:

cem_windowsWindows 10CIS Level 1 - Corporate Enterprise
Windows Server 2019CIS Level 1 - Member Server
Windows Server 2016CIS Level 1 - Member Server
cem_linuxRed Hat Enterprise Linux 8CIS Level 1 - Server
Red Hat Enterprise Linux 7CIS Level 1 - Server
CentOS Linux 7CIS Level 1 - Server

Our team is continuously working to expand our CEM content to include CIS across additional operating systems, profiles, and other technologies, as well as other compliance frameworks such as DISA STIG. Updates to existing module content, along with new content added, will be made available to all CEM subscribers to meet compliance requirements.

Getting started with CEM

Once you’ve subscribed, you’ll be able to get started by installing the module from the Puppet Forge.


Next, go ahead and configure the module. We recommend you use Hiera for this. For each recommendation enforced by cem_linux and cem_windows, we include default configuration values as recommended by CIS to help you get up and running faster.

Each CIS recommendation is implemented as its own class within CEM and comes with comprehensive configuration options. CEM can be configured to include all recommendation classes, or a subset using the configuration parameters ONLY and IGNORE. The configuration values contained within each recommendation class can also be customized.

CEM can be configured at the node level, or abstracted to the operating system level or any other abstraction level in your Hiera hierarchy.

In this example, I am configuring the cem_linux module to enforce ONLY CIS Level 1 Server recommendations "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node:

cem linu module

Classifying nodes with CEM

Once you’ve set up your configuration, navigate to the Puppet Enterprise console to apply the CEM to your selected nodes.

Continuing with the CentOS 7 example, the easiest way to classify this node is to:

  • Create a node group for all *nix nodes.
  • Pin all relevant nodes, as well as your CentOS 7 node, to that node group.
  • Add the cem_linux module to that node group.
  • Run Puppet on those nodes to apply the modules.

Tasks and Plans in CEM for Linux

Within the CIS benchmarks for Linux, there are several recommendations that cannot be managed using desired state. Many of these recommendations would require site-specific information and could be damaging to a system if done in an automated fashion. For these recommendations, cem_linux includes a number of bolt tasks and plans that can be used to audit or configure specific configurations and existing states on nodes, such as duplicate user IDs. These tasks and plans are designed to run from Puppet Enterprise and can be scheduled like any other task or plan.

Classifying nodes

Running a scan

You’re all set! Time to go ahead and scan your nodes in Puppet Comply.


Getting to a compliant state and staying that way is a never-ending loop. Changes to compliance standards and regulatory requirements are inevitable and constant. Building a strong continuous compliance program, based on the three continuous activities of assessment, remediation, and enforcement is key.

Using Compliance Enforcement Modules will help your organization get to a compliant state and meet compliance regulations more quickly. Combining the assessment capabilities of Puppet Comply and the enforcement capabilities of Puppet Enterprise empowers your organization to tackle compliance proactively and holistically, and to be more compliant, more of the time.

Learn more