comply

pdk
tasks
compliance

10,069 downloads

293 latest version

5.0 quality score

Version information

  • 2.2.0 (latest)
  • 2.1.0
  • 2.0.0
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
  • 0.9.0
released Nov 18th 2021
This version is compatible with:
  • Puppet Enterprise 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet > 6.20 < 8.0.0
  • AmazonLinux, CentOS, Debian, OracleLinux, OSX, RedHat, SLES, windows, Ubuntu
Tasks:
  • backup_assessor
  • ciscat_scan

You'll need Puppet Enterprise to use this module. You may also evaluate this module with Puppet Bolt for up to 90 days.

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppetlabs-comply', '2.2.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add puppetlabs-comply
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-comply --version 2.2.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

puppetlabs/comply — version 2.2.0 Nov 18th 2021

Puppet Comply

Puppet Comply is a tool that assesses the infrastructure you manage with Puppet Enterprise against CIS Benchmarks — the best practices for securely configuring systems from the Center for Internet Security (CIS).

Installing

This module is required by the Puppet Comply product and should only be used as per the complete install instructions.

There are two workflows for using the Comply module:

Using Replicated to host the Assessor

This is the default recommended workflow for using Comply. Comply hosts a copy of the latest Assessor. This path enables you to configure once and allows Comply to easily upgrade your Assessor when you do a product upgrade. You can configure the service hosting the Assessor via KOTS to use certificates generated on your PE instance. Mutual TLS then provides a secure, authenticated connection between your nodes and Comply.

To generate the certificates on your PE instance, run the following:

[root@pe-instance-01 ~]# puppetserver ca generate --certname comply.10.234.4.193.nip.io
Successfully saved private key for comply.10.234.4.193.nip.io to /etc/puppetlabs/puppet/ssl/private_keys/comply.10.234.4.193.nip.io.pem
Successfully saved public key for comply.10.234.4.193.nip.io to /etc/puppetlabs/puppet/ssl/public_keys/comply.10.234.4.193.nip.io.pem
Successfully submitted certificate request for comply.10.234.4.193.nip.io
Successfully saved certificate for comply.10.234.4.193.nip.io to /etc/puppetlabs/puppet/ssl/certs/comply.10.234.4.193.nip.io.pem
Certificate for comply.10.234.4.193.nip.io was autosigned.

Then copy the ca.pem, the public certificate and the private key for your Comply instance to the KOTS config. Once deployed, the service will be accessible to your nodes.
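A pre-flight check that can be run on the PE instance before the three files are copied into the KOTS config, given here as an added example that is not part of the Comply module or its documentation. The function name, the return codes and the 30-day expiry margin are assumptions of this example; the file paths and the certname are passed in as arguments.

```shell
#!/usr/bin/env bash
# Added example, not Comply's own code: sanity-check the mTLS bundle
# (CA certificate, Comply certificate, Comply private key) before use.
#
# Return codes (chosen for this example):
#   0 bundle is consistent      1 certificate is not signed by this CA
#   2 private key does not belong to the certificate
#   3 certificate does not match the certname
#   4 certificate expires within 30 days
check_comply_bundle() {
  local ca="$1" cert="$2" key="$3" certname="$4"
  local cert_pub key_pub

  # 1. The certificate must chain to the CA that the nodes trust.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1

  # 2. The private key must belong to the certificate: the public key
  #    derived from the key file has to equal the one in the certificate.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ] || return 2

  # 3. The certificate must be valid for the name the nodes connect to.
  openssl x509 -in "$cert" -noout -checkhost "$certname" 2>/dev/null \
    | grep -q 'does match' || return 3

  # 4. Flag a certificate that is about to expire (margin is an assumption).
  openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) \
    >/dev/null 2>&1 || return 4

  return 0
}

# Usage, with the files produced by `puppetserver ca generate`:
#   check_comply_bundle <path to ca.pem> <path to certificate> \
#       <path to private key> <certname>; echo "result: $?"
```

The function only reads the files; the private key is never written to another location or printed.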

In order to keep you up to date, the version of the Assessor is embedded in the module. As such, when doing an upgrade of the Comply product, you should ensure that you have upgraded the module beforehand.

Using a privately hosted file

Alternatively, you can host the file privately elsewhere. If you choose this method, use the scanner_source parameter with the comply class. You may also need to disable the use_mtls parameter. The version of the Assessor is inferred from the file name; for example, if your scanner_source value was https://files.company.net/assessors/Assessor-CLI-v4.6.0.zip, Comply would infer this as being version 4.6.0 of the Assessor.

Configuration

By default, Comply will install various dependencies required in order for the module and the CIS Assessor to function. Should you wish to configure what Comply manages, see the reference for more details.

Obtaining the Product

Please get in touch with a Puppet representative.