Remove the CIS-CAT Pro Assessor from a node

In rare cases, you might want to remove the CIS-CAT Pro Assessor from a node. For example, you can remove the assessor to exclude the node from compliance scans if the node is no longer relevant or is expiring. You can also remove the assessor if the node has issues that are causing the assessor to malfunction.

To remove old versions of the CIS-CAT Pro Assessor without uninstalling it from the node, use the remove_assessor task in the Comply module. For more information on running tasks in Puppet Enterprise, see Running tasks in PE.

To remove the assessor:

  1. Declassify the node by taking the following actions:
    1. In the Puppet Enterprise console, click Node groups.
    2. Select the node group where the node is classified with a Security Compliance Management class.
    3. If the node is pinned to a rule, click the Rules tab. Select the node name and click Unpin. If the node is not pinned to a rule, remove the class from the entire node group by clicking the Classes tab. Then, select the scanner_source parameter and click Remove.
  2. On the command line of the node where the assessor is installed, run the appropriate command.

    On a Linux operating system, run the following command:

    rm -rf /opt/puppetlabs/comply/

    On a Microsoft Windows operating system, run the following command:

    Remove-Item –path C:\ProgramData\PuppetLabs\comply –recurse

  3. Update the facts in Puppet Enterprise by running Puppet.
  4. Retrieve the latest inventory from Puppet Enterprise by taking the following actions:
    1. In Security Compliance Management, click Settings.
    2. Click Refresh data.
Results
The assessor folder is removed along with the assessor JAR file and any backup copies of the JAR file. Because the node is declassified in Puppet Enterprise, Puppet does not reinstall the assessor during future runs. Declassified nodes are no longer visible to Security Compliance Management and are skipped in future compliance scans.
What to do next
Optionally, if you want to resume scans on the node, you must classify the node so that it is visible to Security Compliance Management and the assessor is reinstalled. For instructions, see Classify the nodes you want to scan.