# compliance
  • RyChannel, 01/06/2025, 2:21 PM
    @David Sandilands Clearing out those logs didn't seem to actually help the runtime at all either
  • David Sandilands, 01/06/2025, 2:32 PM
    @RyChannel I got an update from one of our SEs who knows Windows well: "He was on the right track with ConfigurationMode option per Microsoft's documentation: https://learn.microsoft.com/en-us/powershell/dsc/managing-nodes/metaconfig?view=dsc-1.1 The slowness is normal unfortunately, I'm curious if their org has PowerShell Transcription enabled via Group Policy or something."
  • RyChannel, 01/06/2025, 2:56 PM
    That would be a CIS control setting that 😄
  • RyChannel, 01/06/2025, 3:50 PM
    I think some of our issue is PE reporting metrics that we don't understand, the other part being that if an agent is run from the PE console, it takes a lot longer than if puppet agent -t is run from the server. It doesn't make any sense to us.
  • RyChannel, 01/06/2025, 4:51 PM
    Turning it off didn't help
  • RyChannel, 01/08/2025, 2:48 PM
    It'd be really cool if we could export/import Custom Profiles in SCM
  • spp, 01/08/2025, 2:54 PM
    You can export them: https://help.puppet.com/scm/current/Content/UserGuide/SCM/custom_profiles_export.htm. Import is a different question...
  • RyChannel, 01/10/2025, 2:08 PM
    Export doesn't actually seem to work anyway. Page is just stuck at loading data…
  • Mike Loseke, 01/13/2025, 7:46 PM
    Is there a target release for SCE support of RHEL9 DISA STIG?
  • spp, 01/13/2025, 8:27 PM
    Our STIG compliance is based on CIS STIG benchmark. There is not currently an available CIS benchmark for RHEL9 STIG. Last I heard, there was a draft benchmark in progress, but no release date established. Until they release a benchmark, we can't write an SCE enforcement.
  • CVQuesty, 01/13/2025, 9:41 PM
    CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v2.0.0.pdf
  • CVQuesty, 01/13/2025, 9:41 PM
    I wouldn't put it up here were it not free to download. 🙂
  • RyChannel, 01/16/2025, 2:26 PM
    This is weird. Seems the control for fixing log file perms just randomly stopped working
  • RyChannel, 01/16/2025, 2:31 PM
    Oh dumb, it was the name_filter. Apparently it's excluding everything
  • RyChannel, 01/16/2025, 3:29 PM
    Which is odd
  • RyChannel, 01/16/2025, 3:29 PM
    It's a fairly specific regex
  • RyChannel, 01/16/2025, 3:43 PM
    Ugh, forget what I said. It's working fine. Puppet fixed it right after I audited it, so when I ran puppet it didn't appear to do anything
  • Jacob Wade, 02/24/2025, 10:31 PM
    I am new to SCM/comply. I am trying to run puppet agent on some hosts I want to be scanned, but they are complaining about a checksum mismatch on Assessor-CLI-4.43.0.zip. Anybody have any thoughts on that?
    Notice: /Stage[main]/Comply:ScannersCiscat/Exec[Assessor CLI 4.43.0.zip]/returns executed successfully (corrective)
    Error: Download file checksum mismatch (expected: b165c4fda3bfa1dccd5d17016486f2207b5842c46aecbb8807b1a47552a5e229 actual: 9f88ff4faa3b9ae03a95c2dfb4d84ada7c8daf07f2622be1149d4447719c383d)
    Error: /Stage[main]/Comply:ScannersCiscat/Archive[Assessor CLI 4.43.0.zip]/ensure change from (sha256)9f88ff4faa3b9ae03a95c2dfb4d84ada7c8daf07f2622be1149d4447719c383d to (sha256)b165c4fda3bfa1dccd5d17016486f2207b5842c46aecbb8807b1a47552a5e229 failed: Download file checksum mismatch (expected: b165c4fda3bfa1dccd5d17016486f2207b5842c46aecbb8807b1a47552a5e229 actual: 9f88ff4faa3b9ae03a95c2dfb4d84ada7c8daf07f2622be1149d4447719c383d)
    I am using version 3.3.0 of the comply module
  • Chandler Hagan, 03/05/2025, 6:09 PM
    Hi, I am installing SCM on a RHEL 8 server. I have installed bolt and run `bolt plan run complyadm::install`. The podman containers all look to be up, however I am unable to access the UI. Checking the network settings of the container, I see it is set to bridge mode. Am I missing some sort of configuration? Firewalld is disabled so I don't think it's the firewall
  • spp, 03/05/2025, 6:56 PM
    Hey, @Chandler Hagan, have you opened a support ticket on this yet? They have the best tools and resources to help you troubleshoot your issue.
  • RyChannel, 03/07/2025, 3:30 PM
    Are there any plans for implementing SAML SSO on SCM?
  • RyChannel, 04/08/2025, 3:40 PM
    Any SCM updates coming soon? Our vulnerability scanner is screaming about the old version of Java in the assessor on all nodes
  • kenyon, 05/05/2025, 7:48 PM
    We made a ticket (01380412) about a bug in `sce_linux::utils::packages::linux::auditd` but the response from support seems wrong. That class has an (undocumented) parameter `$manage_auditd_rulesd` which to me seems clearly intended to be used for enabling full management of the directory `/etc/audit/rules.d`, meaning that unmanaged files will be purged. That parameter defaults to `false`. The bug is that setting that parameter to `true` only sets `purge => true` on the `file` resource, and the `recurse` attribute is missing. From the docs, `purge` only makes sense when `recurse => true`: https://github.com/puppetlabs/puppet/blob/e227c27540975c25aa22d533a52424a9d2fc886a/references/types/file.md?plain=1#L492-L493 But the response from support was that this is intentional: "The `sce_linux` module is designed to manage only the files it creates and does not purge others to avoid accidentally removing any custom configurations you may have in the same directory. Our team has intentionally chosen not to remove unmanaged files to prevent potential issues." This response from support doesn't make sense because you can't accidentally remove custom configurations when the default value for the parameter is `false`, you have to intentionally set it to `true`. It is pretty clear that the parameter was intended to allow for purging unmanaged files, otherwise the parameter is useless. There is no other way to accomplish this, since the `file` resource in `sce_linux` is managing the directory, we can't also manage the directory in our own code. Can we get this ticket reevaluated?
  • RyChannel, 05/06/2025, 2:41 PM
    I think we've made the call to stop using sce_windows, agent runs take too long to run because of the DSC slowness that we can't get any answers about
  • Omar Morales, 05/15/2025, 9:15 PM
    Hi all, I am new to SCM and I was wondering if there is a way to manage a node's compliance profile using code so that our team could automatically apply a profile, whether that be at the point of syncing from Puppet Enterprise or after or any time after. We just had 1k+ nodes added to the inventory in SCM and as far as I can tell, the best way I can go about assigning all of those nodes the correct profile is by navigating to the inventory, filtering based on node groups, and bulk editing them that way. I do see that there is this API endpoint `/v1/manage-default-desired-compliance` but if I'm not mistaken all this would do is change the default compliance for hosts added to the inventory during a sync, which is not what I'm necessarily looking for. Seems like these profiles have to be managed manually but if anyone was able to accomplish setting these profiles using some kind of automation, I would love to hear how you did it.
  • RyChannel, 05/27/2025, 3:45 PM
    We might have figured out why SCE_windows is so slow. Still testing but timing showing up in PE are promising. We disabled PowerShell Script Block logging and PowerShell Transcriptions
  • RyChannel, 05/28/2025, 2:49 PM
    Never mind... those DSC resources are still just as slow. PE Agent times are inconsistent and we can see those inconsistencies before the change was made too.
  • RyChannel, 06/03/2025, 8:45 PM
    So it seems that SCE_Windows 2.0 and Puppet Agent 8.12.0 don't get along
  • RyChannel, 06/12/2025, 2:18 PM
    It looks like SCE is continuing to corrupt our redhat.repo files. Seen it more frequently lately. Not sure why it's happening on some servers and not others, but it seems like it makes changes to some repos to enable gpgcheck and then after that can't read the file anymore
  • RyChannel, 06/12/2025, 2:19 PM
    I'm guessing Subscription manager and Puppet end up trying to edit the file at the same time and just destroy it. Anyone have any solutions to this, or do I just need to stop forcing the gpgcheck?