Basic configuration example

When you specify a compliance framework, SCE is configured to provide rule enforcement and configuration for that framework. For example, to enforce the Center for Internet Security (CIS) Server Level 1 benchmark for a node, you must classify the node with the sce_linux class, set the benchmark parameter to cis, and run Puppet.

In the following example, SCE enforces the CIS Level 1 server controls Ensure AIDE is installed and Ensure filesystem integrity is regularly checked on a CentOS 7 node:

  1. Add the following Hiera data to your control repository, control repo:
    Copy
    # control-repo/data/nodes/<node name>.yaml
    sce_linux::benchmark: 'cis'
    sce_linux::config:
      profile: 'server'
      level: '1'
      only:
        - 'ensure_aide_is_installed'
        - 'ensure_filesystem_integrity_is_regularly_checked' 
  2. Classify the node with the sce_linux class.
  3. Run Puppet.

This example is for CIS configuration. For information about configuring STIG controls, see Configure DISA STIG.

Some CIS recommendations require you to run a Puppet Bolt task. To determine which task to run, review the output of the Puppet debug logs.