Defined Type: ora_secured::controls::no_users_are_assigned_the_default_profile

Defined in:
manifests/controls/no_users_are_assigned_the_default_profile.pp

Summary

Upon creation, database users are assigned to the `DEFAULT` profile unless otherwise specified. No users should be assigned to that profile.

Overview

## Skipping

To deliberately skip this control (i.e. don't use Puppet to enforce this setting), we provide you with three ways:

1) Add `ora_secured::controls::no_users_are_assigned_the_default_profile: skip` to your hiera data. This will skip this control for ALL databases.
2) Add `ora_secured::controls::no_users_are_assigned_the_default_profile::dbname: skip` to your hiera data. This will skip this control for the specified database only.
3) Add an entry with the content `no_users_are_assigned_the_default_profile` to the array value `ora_secured::skip_list` in your hiera data.

## Benchmarks

This control is used in the following benchmarks:

  • [Oracle Database 12c CIS V3.0.0](/docs/ora_secured/cis/db12c_V3.0.0.html) - paragraph 4.4

  • [Oracle Database 18c CIS V1.0.0](/docs/ora_secured/cis/db18c_V1.0.0.html) - paragraph 4.4

  • [Oracle Database 19c CIS V1.0.0](/docs/ora_secured/cis/db19c_V1.0.0.html) - paragraph 4.4

See the file “LICENSE” for the full license governing this code.

Parameters:

  • title

    The SID to apply the control to. All controls need an SID to apply the control to. Here is a simple example:

    ```puppet
    ora_secured::controls::control_name { 'DBSID': }
    ```

    In this example, the string DBSID is the SID to apply the control to.

  • exclude (Array) (defaults to: ora_secured::lookup_setting('exclude',[]))

    The objects to exclude from the control actions.

  • profile_name (Optional[String]) (defaults to: ora_secured::lookup_setting('profile_name', undef))

    The name of the profile to create and to assign when a default profile is specified.
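An added usage example, not taken from the module's own documentation: the source listing on this page declares an `ora_profile` resource only when `profile_name` is left undefined, so this sketch declares the named profile itself before handing it to the control. The SID `DBSID`, the profile name `APP_BASELINE` and the excluded account `LEGACY_BATCH` are constructed values, and the explicit `require` is a precaution added here rather than documented module behaviour.

```puppet
# Constructed values for illustration only.
$sid     = 'DBSID'         # assumed non-container database SID
$profile = 'APP_BASELINE'  # hypothetical profile name

# Declare the profile explicitly. The limits are the ones the listing uses
# for its own CIS baseline profile; adjust them to your policy.
# The listing uses a 'C##' prefixed name on a root container database;
# this example assumes $sid is not a root container.
ora_profile { "${profile}@${sid}":
  ensure                   => 'present',
  failed_login_attempts    => 5,
  inactive_account_time    => 120,
  password_grace_time      => 5,
  password_life_time       => 90,
  password_lock_time       => 1,
  password_reuse_max       => 20,
  password_reuse_time      => 365,
  sessions_per_user        => 10,
  password_verify_function => 'ORA12C_STRONG_VERIFY_FUNCTION',
}

# Move every user still on DEFAULT to the named profile, except the
# accounts listed in exclude. Assumption: exclude entries are written the
# way the ora_users_with_default_profile fact reports user names.
ora_secured::controls::no_users_are_assigned_the_default_profile { $sid:
  profile_name => $profile,
  exclude      => ['LEGACY_BATCH'],
  require      => Ora_profile["${profile}@${sid}"],
}
```

Every account placed in `exclude` stays on `DEFAULT`, so keep that list short and review it alongside the benchmark exceptions you track for paragraph 4.4.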



```puppet
# File 'manifests/controls/no_users_are_assigned_the_default_profile.pp', line 43

define ora_secured::controls::no_users_are_assigned_the_default_profile(
  Array            $exclude      = ora_secured::lookup_setting('exclude',[]),
  Optional[String] $profile_name = ora_secured::lookup_setting('profile_name', undef)
){
  $sid = $title
  ora_secured_setup { "no_users_are_assigned_the_default_profile on ${sid}":
    ensure => 'present'
  }

  if $profile_name == undef and ora_config::on_sid($::ora_users_with_default_profile, $sid) != [] {
    if ora_config::is_root_db($sid) {
      $use_profile = 'C##CIS_BASELINE'
    } else {
      $use_profile = 'CIS_BASELINE'
    }
    #
    # On Oracle 12 and Oracle 18 you MUST have at least one limit specified when you create
    # a profile. That is why we specify these values when we create a profile. These
    # are the default values of the CIS benchmark. When a customer uses other values,
    # the profile will be set to the customer-specified values on the next pass of Puppet.
    #
    ora_profile { "${use_profile}@${sid}":
      ensure                   => 'present',
      failed_login_attempts    => 5,
      inactive_account_time    => 120,
      password_grace_time      => 5,
      password_life_time       => 90,
      password_lock_time       => 1,
      password_reuse_max       => 20,
      password_reuse_time      => 365,
      sessions_per_user        => 10,
      password_verify_function => 'ORA12C_STRONG_VERIFY_FUNCTION',
    }
  } else {
    $use_profile = $profile_name
  }
  $control_excludes = ora_config::on_sid($::ora_maintained_users,$sid)
  $users_to_check = ora_config::on_sid($::ora_users_with_default_profile,$sid) - $control_excludes - $exclude - [$use_profile]
  $users_to_check.each |$user| {
    $full_name = "Ora_user[${user}@${sid}]profile"
    resource_value { $full_name:
      value        => $use_profile,
      allow_create => true,
    }
  }
}
```