Puppet. We use it to configure the OS from barebones Kickstart onwards, as well as continuously enforce the various security policies we need to be able to tell people that we comply with.
They are, we're not doing anything super fancy, mostly just pushing lots of templated config files, ensuring that particular packages are installed, and that services like fapolicyd and auditd are running.