Configuring SCE

If you installed SCE and assigned the sce_windows (previously cem_windows) class to one or more node groups, the Center for Internet Security (CIS) Server Level 1 profile is enforced automatically during the next Puppet run. However, you must complete configuration tasks if the default values leave your infrastructure in an undesirable state, if you want to customize compliance to meet your organization's requirements, or if you are transitioning from CEM to SCE v2.0.0 or later.

Important: If you are upgrading the module from a version earlier than v2.0.0 to v2.0.0 or later, you must replace cem_windows with sce_windows in your configuration files.

You might have to update the configuration to meet organizational requirements. For example, if a CIS control sets the maximum password age at 365 days, but your organization requires a password change every 90 days, you can configure the module accordingly.

Caution: Incorrect configuration of SCE can cause operational or security issues. SCE can make hundreds of changes to a system, and many of those changes are critical to components. For this reason, before you update the configuration, test the planned updates on one or two nodes. Evaluate the results and resolve any issues before implementing your configuration updates in a production environment. For instructions, see Install and evaluate the module in a test environment.

As an alternative, you can implement the SCE default settings, which are fully CIS compliant. However, depending on the complexities of your system environment, some default settings might not be appropriate. For this reason, to help ensure a secure configuration, review any controls and settings that you plan to implement and validate the controls in limited testing before implementing them in production.

You configure SCE by using the Hiera key-value store in your control repository. For more information, see About Hiera and Getting started with Hiera.

For general information about configuration options, see Overview of configuration options.

For detailed information about configuration options, see the Reference.

For configuration examples, see How to configure the module: Examples and guidelines.