Introducing Security Compliance Enforcement
The Puppet® Security Compliance Enforcement (SCE) modules apply security controls across IT infrastructures. The controls help to maintain secure configurations, thus protecting systems and data.
If you have Puppet Enterprise (PE)® or Puppet Core installed, you can deploy SCE to enforce the Center for Internet Security (CIS) compliance rules, which embody internationally recognized standards. You can also enforce the Security Technical Implementation Guides (STIGs) developed by the US Defense Information Systems Agency (DISA). DISA STIG standards are implemented by many US government agencies.
After SCE is installed and configured, either in PE or Puppet Core, Puppet automatically enforces your chosen security controls on the nodes you classify under SCE, helping to ensure continuous compliance without manual intervention. By default, SCE enforces CIS rules for the Level 1 profile. However, you can enforce a variety of security standards and levels, depending on the operating system running on your server and workstation nodes. For a list of supported standards for Linux nodes, see System requirements. For a list of supported standards for Microsoft Windows nodes, see System requirements.
Instructions are provided for installing SCE and customizing the configuration settings, if necessary, to meet your organization’s requirements.
Separate instructions are provided for Linux and Windows operating systems:
- To manage Linux nodes, see SCE for Linux.
- To manage Windows nodes, see SCE for Windows.