Enterprise Modules

Table of Contents

Overview

The ora_secured Puppet module is a powerful security solution that helps you ensure your Oracle databases are compliant with the CIS benchmarks. ora_secured implements all the necessary security controls outlined in the CIS benchmark for Oracle Databases. This means that you can rest assured that your databases are adhering to the highest security standards. This module will help you:

  • Sleep better at night knowing your data in your databases is more secure.
  • Feel confident that you're doing everything possible to protect your data in your databases.
  • Save time on Oracle database security management.
  • Face the auditor with much confidence
  • Automate the application of security best practices for your databases.
  • Easily upgrade to new versions and stay up to date with the latest security recommendations.

Whether you are an individual, a small business owner, or a large enterprise, ora_secured is the perfect solution to keep your Linux systems safe and secure. ora_secured can be used as a standalone solution with Puppet, or it can integrate seamlessly with the InControl console. This gives you the flexibility to use the product in the way that best suits your needs.

We understand that every organization has unique security requirements, and that's why we've made it easy for you to customize ora_secured to your specific needs. The module is highly configurable, allowing you to tailor it to your organization's security policies and procedures.

In addition to enforcing security configuration (what Puppet normaly does), ora_secured includes a set of classes that are designed for validating the configuration of your systems, without changing them. This powerful tool provides you with detailed information on where your systems are not adhering to the CIS benchmark. This information is critical in helping you identify and remediate any compliance issues.

We understand the importance of having a security solution that supports all recent Oracle database versions. That is why ora_secured is designed to be compatible with all major Linux distributions, including Red Hat, OracleLinux, Ubuntu, CentOS, Debian, and SUSE. The current version of ora_secured supports Red Hat and OracleLinux. Support for other Linux distributions is planned for Q2 2023.

At this point in time it supports the following CIS benchmarks:

With ora_secured, you can rest easy knowing that your Oracle databses are compliant with the highest security standards.

Want to try?

You don't want to read about it, but really want to try it? You can! You can explore our Puppet modules for Oracle by checking out our playgrounds. Here we guide you around in some of the functionality of our modules.

License

This is a commercially licensed module. But you can use the module on VirtualBox based development systems for FREE. When used on real systems a license is required.

You can license our modules in multiple ways. Our basic licensing model requires a subscription per node. But contact us for details.

Check the License for details.

Description

This Puppet module contains all the Puppet code to enforce CIS compliance on your Oracle databases. We have further built upon The CIS compliance baseline for Oracle to provide you with a means of verifying if your Oracle database comply with these controls. Our team has implemented mechanisms that allow you to conduct checks on your databases using our module, called ora_secured. These checks include a comprehensive set of security measures to ensure that your databases are compliant with the Oracle CIS benchmark.

If the check detects non-compliance on any or all of your databases, our module includes Puppet code to address this and ensure that all of your databases comply with the Oracle Database CIS benchmark. This feature enables you to maintain a high level of security and meet regulatory requirements with minimal effort.

Moreover, the reports generated from these checks can be obtained through the InControl Console Application. These reports provide detailed information on the checks performed and the status of compliance for each system.

We believe that our module and the InControl Console Application will enable you to maintain a secure and compliant environment for your systems.

Check the documentation here

Benefits of InControl integration

What are the benefits of integrating with InControl? By providing a centralized location, the InControl console helps users manage and track compliance and vulnerability issues with ease. InControl receives reports from linux_secured and other security modules, offering an integrated view and management system for compliance and vulnerabilities not only for Linux, but also for Windows, Oracle databases, Microsoft SQLServer, Postgres, IBM DB2 databases, and cloud environments.

InControl

Overall, InControl is an essential tool for organizations seeking to maintain regulatory compliance and ensure the security and reliability of their systems and infrastructure. Its advanced algorithms, user-friendly design, and customizable alerts and notifications make it a perfect solution for organizations of all sizes and industries.

Setup

Requirements

The ora_secured module requires:

  • Puppet module enterprisemodules-easy_type installed.
  • Puppet version 4.0 or higher. Can be Puppet Enterprise or Puppet Open Source
  • Oracle 12 higher
  • A valid Oracle license
  • A valid Enterprise Modules license for usage.
  • Runs on most Linux systems.
  • Runs on Solaris

Installing the ora_secured module

To install these modules, you can use a Puppetfile

mod 'enterprisemodules/ora_secured'               ,'x.x.x'

Then use the librarian-puppet or r10K to install the software.

You can also install the software using the puppet module command:

puppet module install enterprisemodules-ora_secured

Usage

The scope of securing your Oracle database is enormous. The number of security controls in the CIS benchmark is huge. This might make you think that it is not easy to get started, but actually, it is very simple.

Enabling CIS for your database

To enable the CIS benchmark on your database, you just have to add this line to your puppet code:

ora_secured::apply_cis{'DB1':
  product_version  => 'db19c',
  doc_version => 'V1.0.0'
}

This will activate the CIS benchmark V1.0.0 for Oracle 19c on your databases DB1. The ora_secured puppet module takes care of checking all of the security settings in the benchmark and ensuring they are set in a secure way.

Skipping some controls

The scope of the CIS benchmark for Oracle is pretty extensive. So extensive that enabling all controls, probably ensures that your application doesn't work anymore. So you need to customize the controls you want to enable.

There are four ways the ora_secured module allows you to skip controls.

  1. Add a list of controls to skip when calling the ora_secured defined type.
  2. Add ora_secured::controls::name_of_the_control: skip to your hiera data. This will skip the control on ALL databases.
  3. Add ora_secured::controls::name_of_the_control::dbname: skip to your hiera data. This will skip the control on the database with sid dbname.
  4. Add an entry with the content name_of_the_control to the array value ora_secured::skip_list in your hiera data.

Method 1 is a good way to create your own baseline based on the standard ora_secured code.

Method 2 and 3 are a perfect way to use when you need to override the applicability of control on an individual database or set of database. Just put this data in the hiera for this node or group of databases.

Method 4 is the perfect way to setup a base level. A level you want to be skipped on all of your databases.

You can combine all of these methods to fit your use case.

Reference

Here you can find some more information regarding this puppet module:

Here are related blog posts:

Limitations

This module runs on Solaris and most Linux versions. It requires a puppet version 5 or higher. The module does NOT run on windows systems.