Basic configuration example

When you specify a compliance framework, SCE is configured to provide rule enforcement and configuration for that framework. For example, to enforce the Center for Internet Security (CIS) Server Level 1 benchmark for a node, you must classify the node with the sce_linux class, set the benchmark parameter to cis, and run Puppet.

In the following example, SCE enforces the CIS Level 1 server controls "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node:

- Add the following Hiera data to your control repository (control repo):

```yaml
# control-repo/data/nodes/<node name>.yaml
sce_linux::benchmark: 'cis'
sce_linux::config:
  profile: 'server'
  level: '1'
  only:
    - 'ensure_aide_is_installed'
    - 'ensure_filesystem_integrity_is_regularly_checked'
```

- Classify the node with the sce_linux class.
- Run Puppet.
This example is for CIS configuration. For information about configuring STIG controls, see Configure DISA STIG.
Some CIS recommendations require you to run a Puppet Bolt task. To determine which task to run, review the output of the Puppet debug logs.