DEV Community

Robin Tatam for puppet

Posted on

Compliance Enforcement with Open Source Puppet

Establishing and maintaining a secure configuration baseline has been found in studies to be the most effective measure organisations of all sizes and maturity levels can take to protect against the top 5 cyber-attack types: malware, ransomware, web application hacking, insider privilege and misuse, and targeted intrusions (CIS Community Defence Model Version 2.0). Many industries mandate maintaining secure configuration baselines as part of their compliance standards, but the rest of us should still be security hardening and can benefit from these guidelines as well. Puppet’s Compliance Enforcement solution can help maintain these standards and it’s now also available for Open Source Puppet customers.

Implementing secure configuration standards like those outlined in the CIS benchmarks takes huge efforts. On average, CIS benchmarks for Linux-based systems contain 250 secure configuration recommendations; for Windows, the average is 350 recommendations. This effort also needs to be sustained over time to align with ongoing updates that CIS makes as recommendations evolve. While organizations understand the business and security value in implementing something like the CIS benchmarks, many struggle to balance business expectations to deliver faster without inadvertently contributing to tech debt in their manual efforts to achieve compliance and safeguard against security risk. The Compliance Enforcement solution can automate much of this tedium away, for both Puppet Enterprise and Open Source Puppet customers.

In this blog, we’ll explore the Compliance Enforcement solution and how it helps our customers. We’ll also talk about how you can get started with Compliance Enforcement, with insight into design patterns and examples you could adopt when deploying Compliance Enforcement in your Open Source Puppet environment.

Table of Contents

What is Compliance Enforcement?

Compliance Enforcement, a premium package from Puppet by Perforce, is a Puppet module that has translated CIS benchmarks secure configuration recommendations into Puppet code, letting customers quickly and efficiently enforce these recommendations using policy as code. The Compliance Enforcement package uses Puppet to help customers level up their system security by ensuring configurations are continuously in line with latest CIS recommendations and that any potentially dangerous misconfiguration is automatically remediated.

Access to Compliance Enforcement is available to both Open Source Puppet and Puppet Enterprise customers via a paid subscription.

Subscribers to Compliance Enforcement receive access to the two Compliance Enforcement modules, Compliance Enforcement for Linux (cem_linux) and Compliance Enforcement for Windows (cem_windows).

Screenshot

Getting Started with Compliance Enforcement

Once your subscription has been activated, log into your Forge account and generate a new API token at the bottom of your profile page.

Depending on how you intend to download modules, you can configure Puppet and r10k with this token, and that will grant you access to download the modules and all future updates for the duration of your subscription. It’s a good idea at this point to validate that you have all required module dependencies installed. If needed, you can read more setup instructions on the Forge.


 yaml
# bolt-project.yaml 
module-install:  
    forge: 
        authorization_token: 'Bearer <your API token>' 
        baseurl:[ https://forgeapi.puppet.com](https://forgeapi.puppet.com/) 


Enter fullscreen mode Exit fullscreen mode

Once you’ve downloaded and installed the modules, choose a module and a benchmark that you want to get started with. For the remainder for this blog, we'll review an example of using Compliance Enforcement for Linux (cem_linux) on a Rocky Linux 8 system.

Classifying nodes

Use roles and profiles to include the cem_linuxmodule in your system configuration. This approach gives you the most flexibility in how you want to deploy the module.


 puppet
class profile::base ( 
    Boolean $cem_enforced, 
) { 
  include profile::puppet_agent 
  case $facts['os']['family'] { 
    'windows': { 
        #include cem_windows 
        include profile:win_time 
    } 

    default: { 
        #Default is os.family == RedHat 8 and newer 
        include cem_linux 
        include profile::linux_time 
        if $cem_enforced { 
          include cem_linux 
      }
    } 
  } 
} 


Enter fullscreen mode Exit fullscreen mode

Configuration

Depending on your existing knowledge, learning about the CIS Benchmark you want to enforce is often a good place to start. You can find a list of benchmarks and associated recommendations (controls) in the cem_linux Reference on Puppet Forge. PDF versions of the benchmarks are also available for free download from the Center of Internet Security's website (https://www.cisecurity.org/cis-benchmarks). This will help you decide what benchmark control you want to enable, disable or custom configure to meet your organization’s specific requirements.

Once you decide what controls you want to enforce and how you want to enforce them, identify a test environment and go ahead and start configuring the module. We recommend you use Hiera for this. Using Hiera, Compliance Enforcement can be configured at the node level, at the operating system level or any other abstraction level in your Hiera hierarchy.

Compliance Enforcement can be configured to include all controls, or a subset using the configuration parameters ONLY and IGNORE. ONLY tells Puppet to include only the controls listed in your module configuration in the catalog. IGNORE tells Puppet to exclude the controls listed from the catalog. The configuration values contained within each individual control can also be customized.

Let’s look at a couple of configuration examples to get you started:

  1. The example below enforces only the CIS benchmark control "Ensure mounting of squashfs filesystems is disabled".

    
    yaml
    --- 
    profile::base::cem_enforced: true 
    cem_linux::benchmark: 'cis' 
    cem_linux::config: 
        profile: 'server' 
        level: '1' 
        only: 
            - ensure_mounting_of_squashfs_filesystems_is_disabled 
    

1. The example below enforces all the CIS benchmark controls except for the following two controls: "Ensure mounting of squashfs filesystems is disabled" and "Ensure password creation requirements are configured" and changes the default parameter for password length as recommended by CIS from 14 to 20.  

    ```

 yaml
    ---
    profile::base::cem_enforced: true 
    cem_linux::benchmark: 'cis' 
    cem_linux::config: 
        profile: 'server' 
        level: '1' 
        only: 
            - ensure_mounting_of_squashfs_filesystems_is_disabled 
            - ensure_password_creation_requirements_are_configured 
        control_configs:  
            ensure_password_creation_requirements_are_configured: 
                manage_pwquality: true 
                manage_pam_auth: true 
                minlen: 20 
                minclass: 4 
                faillock_args: ["preauth", "silent", "audit", "deny=5", "unlock_time=900"] 
                pwhistory_args: ["use_authtok", "remember=5", "retry=3"] 


Enter fullscreen mode Exit fullscreen mode

A recommended approach to rolling out Compliance Enforcement is to start at a node level, selecting a candidate node to test out a specific operating system benchmark, and testing controls in subsets building up to your desired level of enforcement. Once you are happy the node is hardened to your requirements, you can promote next tier in your Hiera hierarchy in your test environment, and once you are ready promote to production.

Want to learn more?

Come and talk to us in the Puppet Community Slack. Puppet team members are on hand and happy to answer any questions you have.

If you want to talk directly to a Puppet by Perforce sales representative about purchasing Compliance Enforcement, visit puppet.com to request a call back from our team.

Top comments (0)