Overview of configuration options

Configuration options include top-level options, framework options, and Center for Internet Security (CIS)-specific options.

If you installed SCE and assigned the `sce_windows` class to a node group, the default profile is enforced. However, to customize the module to meet your organization's requirements, you can configure benchmarks by using Hiera. For more information, see Hiera.

The `config` variable receives a hash, and the key values in the hash control the SCE variables in the configuration.

Find and set configuration options
You can find configuration options in the Reference on Puppet Forge. A control description starts with a config ID and name, for example:

`1.1.1 - (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'`

The anatomy of a CIS control is as follows:
- Parameters: Configuration options for a control, along with the data type and default value.
- Supported Levels: The supported levels, for example, Level 1.
- Supported Profiles: The applicability of the control. For example, a control with a profile of `member_server` is applicable to server components.
- Hiera Configuration Example: Snippet of Hiera that can be used to configure a control.
- Alternate Config IDs: The alternate config IDs for a control. Any of these config IDs, along with the full control name, can be used as a key in the `control_config` hash.
- Resource: The name of the Puppet resource that enforces the control.
Guidelines for specifying CIS config IDs

You can specify controls in the `control_config` hash by referencing the full control name, the control number, the normalized control name, or the normalized control number. You cannot mix and match these forms and must pick a single config ID form to use for your config. Full control names and control numbers are copied verbatim from the benchmarks and are case-sensitive. Normalized control names have lowercase letters and contain only alphanumeric characters and underscores. Normalized control numbers are always prefixed with a `c` and contain only numeric characters separated by underscores.

Example of alternative config IDs:
- Full control name: `(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'`
- Control number: `1.1.1`
- Normalized control name: `ensure_enforce_password_history_is_set_to_24_or_more_passwords`
- Normalized number: `c1_1_1`
Top-level configuration options

These options are configured at the top level of the module. In Hiera, these options are prefixed with `sce_windows` (previously `cem_windows`):

- `framework` - `Enum['cis']` - The compliance framework to use. SCE for Windows supports only `cis`. Default: `cis`.
- `config` - `Optional[Hash]` - The location for all non-top-level configuration options. Default: `undef`.
- `allow_on_domain_controller` - `Boolean` - If `sce_windows` detects that it is running on a domain controller, SCE does not enforce controls and logs a warning to inform the user. In this way, SCE helps to prevent the enforcement of compliance settings on domain controllers that could negatively impact an entire domain. Default: `false`.
- `enable_long_paths` - `Boolean` - Enables support for long path names in the Windows registry. Setting this option to `false` can cause issues with some Desired State Configuration (DSC) modules used in `sce_windows`. Default: `true`.
- `privileged_user` - `Optional[String]` - If the Puppet agent does not run under a user with local administrator privileges, you must supply the name of a user with local administrator privileges. This user is used by DSC to enforce a state on a machine. Default: `undef`.
- `privileged_password` - `Sensitive[Any]` - If you specified a privileged user, use this option to specify a password for that user account. Default: `undef`.
- `allow_local_account_rdp` - `Boolean` - By default, `sce_windows` disables Remote Desktop Protocol (RDP) access for non-domain accounts. If you set this option to `true`, local accounts on the node can make RDP connections to the node. Default: `false`.
Framework configuration options

The framework configuration options are available as key-value pairs within the `sce_windows::config:` hash.

- `control_configs` - `Optional[Hash]` - The location for all rule-specific configurations. Default: `undef`.
- `only` - `Optional[Array[String]]` - Takes an array of control class names (`manifests/benchmarks/<benchmark>/controls/*.pp`). The classes specified here are included in the catalog. Takes precedence over the `ignore:` option. Default: `undef`.
- `ignore` - `Optional[Array[String]]` - Takes an array of control class names (`manifests/benchmarks/<benchmark>/controls/*.pp`). The classes specified here are not included in the catalog. If `only:` is specified, this option has no effect. Default: `undef`.
CIS-specific configuration options

The CIS-specific configuration options are available as key-value pairs within the `sce_windows::config:` hash. These options are applicable only to the CIS compliance framework.

- `profile` - `Optional[Enum['member_server', 'corporateenterprise']]` - The name of the benchmark profile. `corporateenterprise` is supported only on Windows 10 Enterprise operating systems. Default for Windows Server operating systems: `member_server`. Default for Windows 10 Enterprise operating systems: `corporate_enterprise`.
- `level` - `Optional[Enum['1', '2']]` - The name of the profile level. The only value supported by SCE is `1`. Default: `1`.
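As an added example (not part of the module or this page), a small Python linter that applies the rules above to a `sce_windows::config` hash before it goes into Hiera: it classifies each `control_configs` key by the ID form described under "Guidelines for specifying CIS config IDs" and flags mixed forms, an `ignore` list that `only` overrides, and a `level` other than 1. The sample hash, its class names and the parameter names inside each control are constructed placeholders.

```python
import re
from typing import Dict, List

# ID-form patterns taken from the guidelines. Order matters: 'c1_1_1' would also
# match the normalized-name pattern, so the stricter forms are tried first.
_FORMS = (
    ("normalized control number", re.compile(r"^c\d+(_\d+)*$")),
    ("control number", re.compile(r"^\d+(\.\d+)*$")),
    ("normalized control name", re.compile(r"^[a-z0-9_]+$")),
)

def id_form(key: str) -> str:
    """Classify one control_configs key; anything else is a verbatim full control name."""
    for name, pattern in _FORMS:
        if pattern.match(key):
            return name
    return "full control name"

def lint_config(config: Dict) -> List[str]:
    """Return findings for a sce_windows::config hash (empty list means no issues)."""
    findings: List[str] = []
    forms = {key: id_form(key) for key in (config.get("control_configs") or {})}
    if len(set(forms.values())) > 1:
        detail = ", ".join(f"{k!r} is a {v}" for k, v in forms.items())
        findings.append(f"control_configs mixes config ID forms: {detail}")
    if config.get("only") and config.get("ignore"):
        findings.append("'ignore' has no effect because 'only' is also set")
    level = config.get("level")
    if level is not None and str(level) != "1":
        findings.append(f"level {level!r} is not supported by SCE; only level 1 is")
    return findings

# Constructed sample hash with three deliberate problems (mixed ID forms, level 2,
# and an 'ignore' list that 'only' overrides); parameter names are placeholders.
SAMPLE_CONFIG = {
    "profile": "member_server",
    "level": "2",
    "only": ["example_control_a"],      # constructed class names
    "ignore": ["example_control_b"],
    "control_configs": {
        "c1_1_1": {"placeholder_param": 24},
        "1.1.2": {"placeholder_param": 1},
    },
}

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```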