Introducing Security Compliance Enforcement

Starting with v2.0.0, the Puppet® Compliance Enforcement Modules (CEM) were renamed to Security Compliance Enforcement (SCE). If you have Puppet Enterprise (PE)® or Puppet Core installed, you can deploy SCE to enforce the secure configuration of IT infrastructures and thus protect operations and data. You can enforce the Center for Internet Security (CIS) compliance rules, which embody internationally recognized standards. You can also enforce the Security Technical Implementation Guides (STIGs) developed by the US Defense Information Systems Agency (DISA). DISA STIG standards are implemented by many US government agencies.

After SCE is installed and configured, either in PE or Puppet Core, Puppet automatically enforces your chosen security controls on the nodes you classify under SCE, helping to ensure continuous compliance without manual intervention. By default, SCE enforces CIS rules for the Level 1 profile. However, you can enforce a variety of security standards and levels, depending on the operating system running on your server and workstation nodes. For a list of supported standards for Linux nodes, see System requirements. For a list of supported standards for Microsoft Windows nodes, see System requirements.

Instructions are provided for installing SCE and customizing the configuration settings, if necessary, to meet your organization’s requirements.

Separate instructions are provided for Linux and Windows operating systems:

To access previously published documentation, see Introducing the Compliance Enforcement Modules.