Defined Type: ora_secured::controls::password_verify_function_is_set_for_all_profiles

Defined in:
manifests/controls/password_verify_function_is_set_for_all_profiles.pp

Summary

The `PASSWORD_VERIFY_FUNCTION` determines password setting requirements when a user password is changed at the SQL command prompt.

Overview

`PASSWORD_VERIFY_FUNCTION` should be set for all profiles. Note that this setting does not apply to users managed by the Oracle password file.
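To check the current state of a database before or after applying this control, the following query lists the effective `PASSWORD_VERIFY_FUNCTION` of every profile. It is an added example, not part of the ora_secured module; it assumes a session that can read `DBA_PROFILES` and `DBA_USERS`, and it compares against the module's default preferred value `ORA12C_STRONG_VERIFY_FUNCTION`.

```sql
-- Added example (not module code): audit PASSWORD_VERIFY_FUNCTION per profile.
-- A LIMIT of 'DEFAULT' means the profile inherits the value of the DEFAULT
-- profile, so it is resolved against that profile before being judged.
-- A LIMIT of 'NULL' (a string in DBA_PROFILES) means no verify function is set.
WITH pvf AS (
  SELECT profile, limit
  FROM   dba_profiles
  WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION'
),
resolved AS (
  SELECT p.profile,
         p.limit AS configured_limit,
         CASE
           WHEN p.limit = 'DEFAULT' AND p.profile <> 'DEFAULT' THEN d.limit
           ELSE p.limit
         END     AS effective_limit
  FROM   pvf p
  CROSS JOIN (SELECT limit FROM pvf WHERE profile = 'DEFAULT') d
)
SELECT r.profile,
       r.configured_limit,
       r.effective_limit,
       -- Number of accounts that are governed by this profile.
       (SELECT COUNT(*) FROM dba_users u WHERE u.profile = r.profile) AS accounts,
       CASE
         WHEN r.effective_limit = 'NULL' THEN 'NOT SET'
         -- Assumption: the preferred value is the module default.
         WHEN r.effective_limit <> 'ORA12C_STRONG_VERIFY_FUNCTION' THEN 'SET, NOT PREFERRED'
         ELSE 'OK'
       END AS status
FROM   resolved r
ORDER  BY r.profile;
```

Rows with status `NOT SET` are the profiles this control is meant to correct; profiles listed in `exclude` are expected to remain as they are.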

## Skipping

To deliberately skip this control (i.e. not use Puppet to enforce this setting), we provide you with three ways:

1) Add `ora_secured::controls::password_verify_function_is_set_for_all_profiles: skip` to your hiera data. This will skip this control for ALL databases.
2) Add `ora_secured::controls::password_verify_function_is_set_for_all_profiles::dbname: skip` to your hiera data. This will skip this control for the specified database only.
3) Add an entry with the content `password_verify_function_is_set_for_all_profiles` to the array value `ora_secured::skip_list` in your hiera data.

## Benchmarks

This control is used in the following benchmarks:

  • [Oracle Database 12c CIS V3.0.0](/docs/ora_secured/cis/db12c_V3.0.0.html) - paragraph 3.7

  • [Oracle Database 18c CIS V1.0.0](/docs/ora_secured/cis/db18c_V1.0.0.html) - paragraph 3.7

  • [Oracle Database 19c CIS V1.0.0](/docs/ora_secured/cis/db19c_V1.0.0.html) - paragraph 3.7

See the file “LICENSE” for the full license governing this code.

Parameters:

  • title

    The SID to apply the control to. All controls need an SID to apply the control to. Here is a simple example:

    ```puppet
    ora_secured::controls::control_name { 'DBSID': }
    ```

    In this example, the string DBSID is the SID to apply the control to.

  • exclude (Array) (defaults to: ora_secured::lookup_setting('exclude',[]))

    The objects to exclude from the control actions.

  • only (Array) (defaults to: ora_secured::lookup_setting('only', []))

    The list of objects to apply the control to. When set, the control is applied only to these objects.

  • preferred_value (String) (defaults to: ora_secured::lookup_setting('preferred_value','ORA12C_STRONG_VERIFY_FUNCTION'))

    The preferred value to use. Some controls allow multiple values. The control implements a default value, but when you want another value, you can use this parameter.



```puppet
# File 'manifests/controls/password_verify_function_is_set_for_all_profiles.pp', line 49

define ora_secured::controls::password_verify_function_is_set_for_all_profiles(
  Array   $exclude         = ora_secured::lookup_setting('exclude',[]),
  Array   $only            = ora_secured::lookup_setting('only', []),
  String  $preferred_value = ora_secured::lookup_setting('preferred_value','ORA12C_STRONG_VERIFY_FUNCTION'),
){
  # The resource title is the SID of the database to apply the control to.
  $sid = $title
  # Oracle version for this SID, taken from the ora_version fact.
  $oracle_version = ora_config::on_sid($facts['ora_version'], $sid)[0]
  if $oracle_version == undef {
    # No version available: nothing is enforced on this run.
    debug 'Rule needs a running Oracle to determine Oracle version.'
  } else {
    ora_secured_setup { "password_verify_function_is_set_for_all_profiles on ${sid}":
      ensure => 'present'
    }
    # After the setup resource, manage the password_verify_function profile
    # setting, passing the exclude and only lists through.
    -> ora_secured::internal::profile_setting{"password_verify_function@${sid}":
      value   => $preferred_value,
      exclude => $exclude,
      only    => $only,
    }
  }
}
```