Configuring SCE

If you installed the module and assigned the sce_linux or cem_linux class to one or more node groups, the Center for Internet Security (CIS) Server Level 1 profile is enforced automatically during the next Puppet run. However, you must complete configuration tasks if the default values leave your infrastructure in an undesirable state, if you want to customize compliance to meet your organization's requirements, or if you are transitioning from CEM to SCE v2.0.0 or later.

Important: If you upgrade the module from a version earlier than v2.0.0 to v2.0.0 or later, you must replace cem_linux with sce_linux in your configuration files.

You might have to update the configuration to meet organizational requirements. For example, if a CIS control sets the maximum password age at 365 days, but your organization requires a password change every 90 days, you can configure SCE accordingly.

You must also configure SCE if you plan to enforce DISA STIG standards rather than a CIS Benchmark. Follow the instructions in Configure DISA STIG.

Caution: CIS and STIG controls are developed and maintained by security experts, and SCE implements the controls as code to help secure your configuration. SCE can make hundreds of changes to a system, and many of those changes are critical to components. Because every system environment is different, some of the default control settings might not be appropriate in all environments. For this reason, when you configure SCE or update an SCE configuration, test the configuration in a limited environment on one or two nodes and evaluate the results. Resolve any issues before implementing the configuration in a production environment. For a new installation, see Install and evaluate the module in a test environment. For an upgrade, see Prepare to upgrade the module.

For all types of configuration tasks, you can use the Hiera key-value store in your control repository. For more information, see About Hiera and Getting started with Hiera.

For general information about SCE configuration options, see Overview of configuration options. For detailed information about SCE configuration options, see the Reference.

For configuration examples, see How to configure the module: Examples and guidelines.