Puppet Release Announcement | Security Compliance Enforcement for Linux 2.6.0


Puppet Product Updates

Mar 31, 2026, 3:19:22 AM
to puppet-...@googlegroups.com

SCE for Linux Release Notes

Demo Security Compliance Enforcement

We are excited to announce that Security Compliance Enforcement (SCE) for Linux version 2.6.0 is now available.

This release helps customers adopt the latest Ubuntu LTS while maintaining continuous compliance and delivers operational and troubleshooting improvements that make SCE easier to run and support at scale. SCE 2.6.0 continues to focus on shrinking attack surfaces by automatically enforcing industry‑recognized security baselines across modern Linux estates.

Enforce CIS Benchmarks on Ubuntu 24.04 LTS

Support for Ubuntu 24.04 LTS has been one of the most requested enhancements from SCE customers.

With this release, customers can now enforce the latest CIS Benchmark for Ubuntu 24.04 (v1.0.0) using SCE for Linux, with support for both:

  • Level 1 profiles for broad, low‑impact security hardening
  • Level 2 profiles for more restrictive, security‑focused environments

Ubuntu is widely used across cloud infrastructure, platform services, and Kubernetes nodes. By extending SCE support to Ubuntu 24.04, customers can standardize on the newest Ubuntu LTS without delaying upgrades or introducing compliance gaps. This enables teams to maintain a consistent security posture across both new and existing Linux systems.

Better Day‑to‑Day Visibility and Troubleshooting

SCE 2.6.0 introduces improvements aimed at simplifying operations and reducing troubleshooting friction in real‑world environments.

  • Enhanced logging visibility
    SCE now sends most of its logs directly to the Puppet agent run log, instead of the Puppet primary server log. This allows operators to troubleshoot SCE behavior by simply running the Puppet agent in debug mode, making it easier to diagnose enforcement issues during normal operations.
  • Improved insight into mounted file systems
    The custom fact sce_mount_info has been updated to provide visibility into all mounted file systems, not just those listed in /etc/fstab. This reduces configuration blind spots and improves enforcement accuracy, especially in dynamic or cloud‑based environments.
    As in previous releases, SCE can continue to manage USB devices, with clearer informational messaging when mounts are detected but not explicitly configured.

Together, these updates improve transparency into enforcement activity and make it easier for teams to understand what SCE is enforcing, where, and why.

Reliability and Usability Improvements

This release also includes fixes and refinements that improve overall reliability. Puppet run failures on systems that do not have the rsyslog package installed have been resolved, eliminating an unnecessary source of disruption during enforcement runs.

Availability

Customers with an active SCE subscription can download Security Compliance Enforcement for Linux 2.6.0 from the Puppet Forge and begin enforcing CIS benchmarks on Ubuntu 24.04 immediately.

