Puppet Class: db2_profile::database::cis_controls

Inherits:
db2_profile::database
Defined in:
manifests/database/cis_controls.pp

Summary

This class contains the actual code securing the database.

Overview

db2_profile::database::cis_controls

Here you can customize the security by specifying the CIS rules you *don’t* want to apply.

When these customizations aren’t enough, you can replace the class with your own class. See [db2_profile::secured_database](./secured_database.html) for an explanation on how to do this.

See the file “LICENSE” for the full license governing this code.

Parameters:

  • instance (String[1])

    The instance to use for the database.

  • database (String[1])

    The database name to use for the primary or standby database. This needs to be the same on the primary and standby nodes.

  • product_version (Optional[String[1]])

    The database version of the CIS benchmark you want to apply. Although not very logical, you can apply an older (or newer) database version to your database. If you also don’t specify a `product_version`, Puppet will detect the version of Postgres running and use this to determine the `product_version`. There is, however, one issue with the detection. On an initial run Puppet cannot determine what the Postgres version is. In that case, the ora_cis defined type will skip applying the CIS benchmark and wait until (hopefully) the next run, when the version of Postgres for the specified sid is available.

  • doc_version (Optional[String[1]])

    The version of the CIS benchmark you want to apply to your database. When you don’t specify the `doc_version`, Puppet automatically uses the latest version for your current `db_version`.

  • skip_list (Optional[Array[String[1]]])

    This is the list of controls that you want to skip. By default this value is empty, meaning `ora_cis` will apply ALL controls. You must specify the name of the control.
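As an added example (not taken from the module's own documentation), the Hiera data below shows how the parameters of this class are typically set through Puppet's automatic parameter lookup: pinning the benchmark version explicitly so the first-run detection gap described above does not apply, and listing the controls to leave out. The instance and database names are constructed sample values, and the version strings and control names are placeholders; substitute the identifiers from the DB2 CIS benchmark document you are applying.

```yaml
# Hiera data, e.g. data/nodes/db2host.example.yaml (added example, not part of the module docs).
# Puppet's automatic parameter lookup maps each key to the matching class parameter.
db2_profile::database::cis_controls::instance: 'db2inst1'   # constructed sample value
db2_profile::database::cis_controls::database: 'SAMPLE'     # constructed sample value

# Pin the benchmark version instead of relying on detection, which cannot work on an initial run.
# Both values are placeholders: use the versions from the CIS benchmark you actually apply.
db2_profile::database::cis_controls::product_version: '<DB2_VERSION_PLACEHOLDER>'
db2_profile::database::cis_controls::doc_version: '<CIS_DOC_VERSION_PLACEHOLDER>'

# Controls to leave unapplied. Each entry is a control name from the benchmark document;
# keep the list short and record the reason for every exception next to it.
db2_profile::database::cis_controls::skip_list:
  - '<CONTROL_NAME_PLACEHOLDER_1>'   # reason: documented exception 1
  - '<CONTROL_NAME_PLACEHOLDER_2>'   # reason: documented exception 2
```

Leaving `skip_list` unset keeps the default of applying every control, which is the right baseline; treat each entry you add as a documented, reviewed exception rather than a convenience.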

# File 'manifests/database/cis_controls.pp', line 33

class db2_profile::database::cis_controls (
  String[1]                   $database,
  Optional[String[1]]         $doc_version,
  String[1]                   $instance,
  Optional[String[1]]         $product_version,
  Optional[Array[String[1]]]  $skip_list
) inherits db2_profile::database {
  easy_type::debug_evaluation() # Show local variable on extended debug

  echo { "Making sure database ${database} at instance ${instance} is secured.":
    withpath => false,
  }

  db2_secured::ensure_cis { "${instance}/${database}":
    product_version => $product_version,
    doc_version     => $doc_version,
    skip_list       => $skip_list,
  }
}