You can export them: https://help.puppet.com/scm/current/Content/UserGuide/SCM/custom_profiles_export.htm. Import is a different question...

Export doesn’t actually seem to work anyway. Page is just stuck at loading data…

Is there a target release for SCE support of RHEL9 DISA STIG?

Our STIG compliance is based on CIS STIG benchmark. There is not currently an available CIS benchmark for RHEL9 STIG. Last I heard, there was a draft benchmark in progress, but no release date established. Until they release a benchmark, we can't write an SCE enforcement.

CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v2.0.0.pdf

I wouldn’t put it up here were it not free to dwnload. 🙂

This is weird. Seems the control for fixing log file perms just randomly stopped working

Oh dumb it was the name_filter. Apparently it’s excluding everything

Which is odd

It’s a fairly specific regex

Ugh forget what I said. It working fine. Puppet fixed it right after I audited it so when I ran puppet it didn’t appear to do anything

I am new to SCM/comply. I am trying to run puppet agent on some hosts I want to be scanned, but they are complaining about a checksum mismatch on Assessor-CLI-4.43.0.zip. Anybody have any thoughts on that? Notice: /Stage[main]/Comply:ScannersCiscat/Exec[Assessor CLI 4.43.0.zip]/returns executed successfully (corrective) Error: Download file checksum mismatch (expected: b165c4fda3bfa1dccd5d17016486f2207b5842c46aecbb8807b1a47552a5e229 actual: 9f88ff4faa3b9ae03a95c2dfb4d84ada7c8daf07f2622be1149d4447719c383d) Error: /Stage[main]/Comply:ScannersCiscat/Archive[Assessor CLI 4.43.0.zip]/ensure change from (sha256)9f88ff4faa3b9ae03a95c2dfb4d84ada7c8daf07f2622be1149d4447719c383d to (sha256)b165c4fda3bfa1dccd5d17016486f2207b5842c46aecbb8807b1a47552a5e229 failed: Download file checksum mismatch (expected: b165c4fda3bfa1dccd5d17016486f2207b5842c46aecbb8807b1a47552a5e229 actual: 9f88ff4faa3b9ae03a95c2dfb4d84ada7c8daf07f2622be1149d4447719c383d) N I am using version 3.3.0 of the comply module

Hi, I am installing SCM on a RHEL 8 server. I have installed bolt and run

bolt plan run complyadm::install

. The podman containers all look to be up, however I am unable to access the UI. Checking the network settings of the container, I see it is set to bridge mode. Am i missing some sort of configuration? Firewalld is disabled so I don't think its the firewall

Hey, @Chandler Hagan, have you opened a support ticket on this yet? They have the best tools and resources to help you troubleshoot your issue.

Are there any plans for implementing SAML SSO on SCM

Any SCM updates coming soon? Our vulnerability scanner is screaming about the old version of Java in the assessor on all nodes

We made a ticket (01380412) about a bug in

sce_linux::utils::packages::linux::auditd

but the response from support seems wrong. That class has an (undocumented) parameter

$manage_auditd_rulesd

which to me seems clearly intended to be used for enabling full management of the directory

/etc/audit/rules.d

, meaning that unmanaged files will be purged. That parameter defaults to

false

. The bug is that setting that parameter to

true

only sets

purge => true

on the

file

resource, and the

recurse

attribute is missing. From the docs,

purge

only makes sense when `recurse => true`: https://github.com/puppetlabs/puppet/blob/e227c27540975c25aa22d533a52424a9d2fc886a/references/types/file.md?plain=1#L492-L493 But the response from support was that this is intentional: "The

sce_linux

module is designed to manage only the files it creates and does not purge others to avoid accidentally removing any custom configurations you may have in the same directory. Our team has intentionally chosen not to remove unmanaged files to prevent potential issues." This response from support doesn't make sense because you can't accidentally remove custom configurations when the default value for the parameter is

false

, you have to intentionally set it to

true

. It is pretty clear that the parameter was intended to allow for purging unmanaged files, otherwise the parameter is useless. There is no other way to accomplish this, since the

file

resource in

sce_linux

is managing the directory, we can't also manage the directory in our own code. Can we get this ticket reevaluated?

I think we've made the call to stop using sce_windows, agent runs take too long to run because of the DSC slowness that we can't get any answers about

Hi all, I am new to SCM and I was wondering if there is a way to manage a node's compliance profile using code so that our team could automatically apply a profile, whether that be at the point of syncing from Puppet Enterprise or after or any time after. We just had 1k+ nodes added to the inventory in SCM and as far as I can tell, the best way I can go about assigning all of those nodes the correct profile is by navigating to the inventory, filtering based on node groups, and bulk editing them that way. I do see that there is this API endpoint

/v1/manage-default-desired-compliance

but if I'm not mistaken all this would do is change the default compliance for hosts added to the inventory during a sync, which is not what I'm necessarily looking for. Seems like these profiles have to be managed manually but if anyone was able to accomplish setting these profiles using some kind of automation, I would love to hear how you did it.

We might have figured out why SCE_windows is so slow. Still testing but timing showing up in PE are promising. We disabled PowerShell Script Block logging and PowerShell Transcriptions

Never mind... those DSC resources are still just as slow. PE Agent times are inconsistent and we can see those inconsistencies before the change was made too.

So it seems that SCE_Windows 2.0 and Puppet Agent 8.12.0 don't get along

It looks like SCE is continuing to corrupt our redhat.repo files. Seen it more frequently lately. Not sure why its happening on some servers and not others but it seems like it makes changes to some repos to enable gpgcheck and then after that can't read the file anymore

I'm guessing Subscription manager and Puppet end up trying to edit the file at the same time and just destroy it. Anyone have any solutions to this or do I just need to stop forcing the gpgpcheck?

I'm seeing an issue with the

sce_mass_mount_opts

type fail when trying to update any entry in /etc/fstab (RHEL9, stig). The error I'm getting for all of these controls is basically:

Error: Could not set 'present' on ensure: comparison of NilClass with 14 failed (file: /etc/puppetlabs/puppetserver/code/environments/production/modules/sce_linux/manifests/utils/partitions/non_root_local_options.pp, line: 40)

fstab entries look like the below for all mounts:

UUID=0979b5f9-8ca7-49c4-98de-2058d6cd76c1  /tmp  xfs  defaults  0  0
/dev/mapper/rootvg-auditlv /var/log/audit xfs defaults 0 0

@CVQuesty has left the channel

In SCM is there a way to manually trigger a refresh of the inventory from PE? The docs just mentions changing the polling interval (default 24 hrs)

is there a Jira issue already for the

warning: already initialized constant PAM_POSITION_ALIASES

that comes from

lib/puppet/provider/sce_pam/augeas.rb

when you also use puppet-augeasproviders_pam (that file

augeas.rb

is a copy of https://github.com/voxpupuli/puppet-augeasproviders_pam/blob/master/lib/puppet/provider/pam/augeas.rb)?

@Peter danis has left the channel

hi, is there anyone familiar with puppet SCM ? Iam a newbie and just started to explore puppet for its Security Compliance Mangement. Ijust installed an agent to my windows server 2022 and when i run puppet agent -t, I get this error Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Resource Statement, Class[Puppet_enterprise:RepoConfig] parameter 'platform_tag' expects a String value, got Undef (file: /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/repo.pp, line: 50, column: 5) on node win-9rh4dov61s7 Warning: Not using cache on failed catalog Error: Could not retrieve catalog; skipping run it does not happen when i install agent on ubuntu server