Install and evaluate the module in a test environment

In some cases, compliance controls can negatively impact services that run on nodes. To help avoid possible issues, install and evaluate SCE in a test environment before running SCE in a production environment.

  1. Learn about the CIS Benchmark that you plan to enforce:
    • For a list of supported CIS Benchmarks, see System requirements.
    • For details about CIS Benchmarks and associated controls, see the Reference on Puppet Forge. You can also download benchmark information from the CIS Benchmarks List. If you are using SCE with Security Compliance Management (formerly known as Puppet Comply), you can view details about the benchmarks in Security Compliance Management.
  2. Make a list of any CIS controls that you plan to enable, disable, or configure to meet your organization’s requirements.
    For example, if a control specifies that a password must be changed every 60 days, but your organization requires a password change every 30 days, you can change the expected value for the associated control.
    For the sake of simplicity, some users review the controls and enable only a limited subset to meet their organization’s requirements.
  3. Identify a test environment. Many users follow the instructions in Environments. You can also use any alternative method that works for you:
    • For Puppet Enterprise (PE), create a test node group and then assign the sce_windows class to that node group.
    • For open source Puppet, follow the instructions in Classifying nodes. Ensure that the SCE module is included on the test nodes.
  4. Download SCE from Puppet Forge. For more information, see the Premium content page.
  5. If the host server is connected to the internet, install the module by following the instructions in Installing modules from the Forge by using an internet connection.
  6. If the host server is not connected to the internet, install the module by following the instructions in Installing modules from the Forge in an air-gapped environment.
  7. Verify that the SCE module is successfully installed in the test environment.
    If the installation was successful, you can find sce_windows in the following directory:
    /etc/puppetlabs/code/environments/<environment_name>/modules/sce_windows
  8. Implement any other configuration updates that you identified in Step 2. Take the following actions:
    1. Specify the updates as described in Configuring SCE.

      Tip: You can simplify configuration by using the Hiera key-value store as described in Getting started with Hiera. For examples, see Basic configuration examples and Advanced configuration example.

    2. Ensure that the updates are deployed to the test environment. For example, if you are using Hiera and Code Manager, you must update the Hiera YAML files, commit the changes to the appropriate branch of your control repository, and trigger Code Manager. If you are using open source Puppet, follow the same procedure but trigger r10k instead of Code Manager.
  9. To detect and resolve any errors, take the following actions:
    1. Look for errors in Puppet runs in your test environment.
    2. If you detect errors, review and update your configuration. For help with configuration options, see the Reference.
    3. If the configuration is correct but errors persist, enable debug logging on the Puppet primary server and review the puppetserver.log file. For more information, see Puppet Server logging.
      In the logs, SCE log entries are prefixed with SCE. CEM log entries are prefixed with CEM or cem.
    4. Optionally, for additional insight into errors, enable tracing and debugging when you run the Puppet agent.
    5. If you are unable to resolve the errors, take one of the following actions:
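As an added example (not part of the Puppet SCE documentation), the following POSIX shell script automates two checks from the procedure above: confirming that sce_windows is present under the environment's modules directory (step 7) and pulling the SCE- and CEM-prefixed entries out of a puppetserver.log-style file so the ERROR-level ones can be counted (step 9). The log line layout in the constructed sample is an assumption made for illustration; only the entry prefixes SCE, CEM and cem, and the modules path, come from the documentation.

```shell
#!/bin/sh
# Added example, not the Puppet SCE module's own code. Helper functions for
# the test-environment checks described in steps 7 and 9. The sample log
# format below is constructed; the SCE/CEM/cem prefixes are the documented ones.

# Exit status 0 when sce_windows is installed for the given code directory
# and environment name, e.g. sce_module_installed /etc/puppetlabs/code production
sce_module_installed() {
    [ -d "$1/environments/$2/modules/sce_windows" ]
}

# Print only the log lines whose message is prefixed with SCE, CEM or cem.
# The prefix must follow whitespace and be followed by a space or colon, so
# an unrelated word such as "cement" is not matched.
sce_log_entries() {
    grep -E '[[:space:]](SCE|CEM|cem)[[:space:]:]' "$1"
}

# Count SCE/CEM entries logged at ERROR level. This is the number to drive to
# zero before promoting the configuration toward production. ERROR lines that
# belong to other Puppet components are deliberately excluded.
sce_error_count() {
    sce_log_entries "$1" | grep -c 'ERROR' || true
}

# Write a constructed puppetserver.log excerpt to the given path. Timestamps,
# node name and messages are made up for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-05-01T10:00:01.000Z INFO  [puppetserver] Puppet Compiled catalog for win-test01 in environment sce_test
2024-05-01T10:00:02.000Z ERROR [puppetserver] SCE: password maximum age control expected 30 days, failed to apply on win-test01
2024-05-01T10:00:03.000Z WARN  [puppetserver] CEM: legacy cem_windows class still referenced on win-test01
2024-05-01T10:00:04.000Z DEBUG [puppetserver] cem: loading control data for benchmark
2024-05-01T10:00:05.000Z INFO  [puppetserver] Puppet Applied catalog in 12.3 seconds
2024-05-01T10:00:06.000Z ERROR [puppetserver] Puppet Could not retrieve node settings for win-test02
EOF
}

# Usage against a real primary server (paths assumed to be the defaults):
#   sce_module_installed /etc/puppetlabs/code production && echo "sce_windows present"
#   sce_error_count /var/log/puppetlabs/puppetserver/puppetserver.log
```

Run `sce_log_entries` first to read the SCE and CEM messages in context; only once the configuration has been corrected per step 9.2 is `sce_error_count` a useful gate, since the grep filters out ERROR lines raised by other parts of Puppet Server.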