Install and evaluate the module in a test environment

In some cases, compliance controls can negatively impact services that run on nodes. To help avoid possible issues, install and evaluate SCE in a test environment before running SCE in a production environment.

  1. Learn about the CIS Benchmark or STIG standard that you plan to enforce:
    • For a list of supported CIS Benchmarks and STIG standards, see System requirements.
    • If you plan to enforce CIS Benchmarks, you can find a list of benchmarks and associated controls in the Reference on Puppet Forge. You can also download benchmark information from the CIS Benchmarks List. If you are using SCE with Security Compliance Management, you can view details about the benchmarks in Security Compliance Management (formerly known as Puppet Comply).
    • If you plan to enforce STIG controls, you can find a list of guides and associated controls in the Reference on Puppet Forge. For more detailed information about STIG controls, go to the STIG Viewer.
  2. Make a list of any CIS or STIG controls that you plan to enable, disable, or configure to meet your organization’s requirements.
    For example, if a control specifies that a password must be changed every 60 days, but your organization requires a password change every 30 days, you can change the expected value for the associated control.
    For the sake of simplicity, some users review the controls and enable only a limited subset to meet their organization’s requirements.
  3. Identify a test environment. Many users follow the instructions in Environments. You can also use any alternative method that works for you:
    • For Puppet Enterprise, create a test node group and then assign the sce_linux class to that node group.
    • For open source Puppet, follow the instructions in Classifying nodes. Ensure that the SCE module is included on the test nodes.
  4. Download SCE from Puppet Forge. For more information, see the Premium content page.
  5. If the host server is connected to the internet, install the module by following the instructions in Installing modules from the Forge by using an internet connection.
  6. If the host server is not connected to the internet, install the module by following the instructions in Installing modules from the Forge in an air-gapped environment.
  7. Verify that the SCE module is successfully installed in the test environment.
    If the installation was successful, you can find sce_linux in the following directory:
    /etc/puppetlabs/code/environments/<environment_name>/modules/sce_linux
  8. If you plan to implement a CIS Benchmark at Level 2, ensure that the level is set to 2 in the control repository. (CIS Benchmarks are set to Level 1 by default, but Level 2 must be specified manually.) You can simplify configuration by using the Hiera key-value store as described in Getting started with Hiera. For instructions about specifying the CIS Benchmark level, see Basic configuration example.
  9. If you plan to implement STIG controls, configure STIG. Follow the instructions in Configure DISA STIG.
  10. Implement any other configuration updates that you identified in Step 2. Take the following actions:
    1. Specify the updates as described in Find and set configuration options.
    2. Ensure that the updates are deployed to the test environment. For example, if you are using Hiera and Code Manager, you must update the Hiera YAML files, commit the changes to the appropriate branch of your control repository, and trigger Code Manager. If you are using open source Puppet, follow the same procedure but trigger r10k instead of Code Manager.
  11. To detect and resolve any errors, take the following actions:
    1. Look for errors in Puppet runs in your test environment.
    2. If you detect errors, review and update your configuration. For help with configuration options, see the Reference.
    3. If the configuration is correct but errors persist, enable debug logging on the Puppet primary server and review the puppetserver.log file. For more information, see Puppet Server logging.
      In the logs, SCE log entries are prefixed with SCE. CEM log entries are prefixed with CEM or cem.
    4. Optionally, for additional insight into errors, enable tracing and debugging when you run the Puppet agent.
    5. If you are unable to resolve the errors, take one of the following actions:
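Steps 8 and 10 above, expressed as Hiera data for the test node group. This is an added example, not a fragment from the SCE documentation or the sce_linux module: the keys sce_linux::benchmark and sce_linux::config (with profile, level and control_configs) are assumed, and the control name and parameter are placeholders to be replaced with the values listed in the Reference.

```yaml
# Added example hieradata (constructed, not from the sce_linux module).
# Assumed keys: sce_linux::benchmark, sce_linux::config with
# profile / level / control_configs. Placeholders are marked as such.
---
# Step 8: CIS Benchmarks default to Level 1, so Level 2 must be set explicitly.
sce_linux::benchmark: cis
sce_linux::config:
  profile: server
  level: '2'
  # Step 10: override a control's expected value. The page's example is a
  # password-expiry control whose default of 60 days is tightened to 30.
  control_configs:
    '<password_expiry_control_name_from_reference>':   # placeholder
      '<max_days_parameter_from_reference>': 30         # placeholder

# Step 9 alternative (STIG instead of CIS): replace the benchmark value and
# follow "Configure DISA STIG" for the remaining settings.
# sce_linux::benchmark: stig
```

After committing this file to the control repository and triggering Code Manager (or r10k), run the agent on a test node and check the run output before the change is promoted any further.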