comply

compliance

26,632 downloads

222 latest version

4.7 quality score

Version information

  • 2.19.0 (latest)
  • 2.18.2
  • 2.18.1
  • 2.18.0
  • 2.17.1
  • 2.17.0
  • 2.16.0
  • 2.15.0
  • 2.14.0
  • 2.13.0
  • 2.12.0
  • 2.11.1
  • 2.11.0
  • 2.10.0
  • 2.9.0
  • 2.8.0
  • 2.7.0
  • 2.6.0
  • 2.5.0
  • 2.4.0
  • 2.3.0
  • 2.2.2
  • 2.2.1
  • 2.2.0
  • 2.1.0
  • 2.0.0
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
  • 0.9.0
released Mar 14th 2024
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet > 6.24 < 8.0.0
Tasks:
  • backup_assessor
  • ciscat_scan

This module is licensed for use with Puppet Enterprise. You may also evaluate this module for up to 90 days.

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppetlabs-comply', '2.19.0'

Add this module to your Bolt project:

bolt module add puppetlabs-comply

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-comply --version 2.19.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

puppetlabs/comply — version 2.19.0 Mar 14th 2024

Puppet Comply

Puppet Comply is a tool that assesses the infrastructure you manage with Puppet Enterprise against CIS Benchmarks — the best practices for securely configuring systems from the Center for Internet Security (CIS).

Installing

This module is required by the Puppet Comply product and should only be used as per the complete install instructions.

There are two workflows for using the Comply module:

Using Replicated to host the Assessor

This is the default, recommended workflow for using Comply. Comply hosts a copy of the latest Assessor. This path lets you configure once and allows Comply to easily upgrade your Assessor when you do a product upgrade. You can configure the service hosting the Assessor via KOTS to use certificates generated on your PE instance. Mutual TLS then provides a secure, authenticated connection between your nodes and Comply.

To generate the certificates on your PE instance, run the following:

[root@pe-instance-01 ~]# puppetserver ca generate --certname comply.10.234.4.193.nip.io
Successfully saved private key for comply.10.234.4.193.nip.io to /etc/puppetlabs/puppet/ssl/private_keys/comply.10.234.4.193.nip.io.pem
Successfully saved public key for comply.10.234.4.193.nip.io to /etc/puppetlabs/puppet/ssl/public_keys/comply.10.234.4.193.nip.io.pem
Successfully submitted certificate request for comply.10.234.4.193.nip.io
Successfully saved certificate for comply.10.234.4.193.nip.io to /etc/puppetlabs/puppet/ssl/certs/comply.10.234.4.193.nip.io.pem
Certificate for comply.10.234.4.193.nip.io was autosigned.

Then copy the ca.pem, the public certificate and the private key for your Comply instance to the KOTS config. Once deployed, the service will be accessible to your nodes.
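Before the three files go into the KOTS config, it is worth confirming that they belong together, since a mismatched key or a certificate from a different CA will break the mutual TLS handshake with your nodes. The following pre-flight check is an added example, not part of the Comply module or its documentation; it uses the openssl CLI, and the function names, the throwaway demo CA and the certname comply.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of the PEM files destined for the KOTS config.
# Usage: check_mtls_bundle CA_PEM CERT_PEM KEY_PEM CERTNAME
check_mtls_bundle() {
    ca=$1; cert=$2; key=$3; certname=$4

    # 1. The certificate must chain to the CA that the nodes trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2; return 1
    fi
    # 2. The private key must be the one the certificate was issued for:
    #    compare the public key embedded in the cert with the key's own.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 2
    fi
    # 3. The subject must be the name that was passed to --certname.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    if [ "$subject" != "CN=$certname" ]; then
        echo "FAIL: subject is '$subject', expected CN=$certname" >&2; return 3
    fi
    # 4. The certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $cert has expired" >&2; return 4
    fi
    echo "OK: $certname bundle is consistent"
}

# Constructed sample input: a throwaway CA and one leaf certificate in DIR,
# standing in for the files under /etc/puppetlabs/puppet/ssl on a PE instance.
make_demo_pki() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key.pem" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/$name.csr" -days 1 -CA "$dir/ca.pem" \
        -CAkey "$dir/ca_key.pem" -CAcreateserial \
        -out "$dir/$name.pem" 2>/dev/null
}

# Run the check directly when the script is given its four arguments.
if [ "$#" -eq 4 ]; then check_mtls_bundle "$@"; fi
```

The return code identifies which check failed (1 chain, 2 key mismatch, 3 subject, 4 expiry), so the function can gate a deployment script.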

In order to keep you up to date, the version of the Assessor is embedded in the module. As such, when doing an upgrade of the Comply product, you should ensure that you have upgraded the module beforehand.

Using a privately hosted file

Alternatively, you can host the file privately elsewhere. If you choose this method, use the scanner_source parameter with the comply class. You may also need to disable the use_mtls parameter. The version of the Assessor is inferred from the file name, so for example if your scanner_source value was https://files.company.net/assessors/Assessor-CLI-v4.6.0.zip, Comply would infer this as being version 4.6.0 of the Assessor.

Configuration

By default, Comply will install various dependencies required in order for the module and the CIS Assessor to function. Should you wish to configure what Comply manages, see the reference for more details.

Obtaining the Product

Please get in touch with a Puppet representative.

Running Acceptance Tests

bundle exec rake litmus:tear_down;
bundle exec rake litmus:provision_list[release_checks]; #reduce hosts in provision.yaml if required
bundle exec rake litmus:install_agent[puppet7];
bundle exec rake litmus:install_module;
bundle exec rake litmus:acceptance:parallel; #bundle exec rake litmus:acceptance:rid-fraternity.delivery.puppetlabs.net