Puppet Class: pg_profile::database::cis_controls

Inherits:
pg_profile::database
Defined in:
manifests/database/cis_controls.pp

Summary

This class contains the actual code securing the database.

Overview


pg_profile::database::cis_controls

Here you can customize the security by specifying the CIS rules you *don’t* want to apply.

When these customizations aren’t enough, you can replace the class with your own class. See [pg_profile::secured_database](./secured_database.html) for an explanation on how to do this.


Parameters:

  • dbname (String[1])

    The name of the database you want to secure

  • product_version (Optional[String[1]])

    The database version of the CIS benchmark you want to apply. Although not very logical, you can apply an older (or newer) database version to your database. If you don’t specify a `product_version`, Puppet will detect the version of Postgres running and use this to determine the `product_version`. There is, however, one issue with the detection: on an initial run Puppet cannot determine what the Postgres version is. In that case, the ora_cis defined type will skip applying the CIS benchmark and wait until (hopefully) the next run, when the version of Postgres for the specified sid is available.

  • doc_version (Optional[String[1]])

    The version of the CIS benchmark you want to apply to your database. When you don’t specify the `doc_version`, Puppet automatically uses the latest version for your current `db_version`.

  • skip_list (Optional[Array[String[1]]])

    This is the list of controls that you want to skip. By default this value is empty, meaning `ora_cis` will apply ALL controls. You must specify the name of the control.
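The parameters above are normally supplied through Hiera rather than by declaring the class by hand, because the class inherits from pg_profile::database and is pulled in by the profile. The following Hiera data is an added example, not part of the pg_profile module: the database name, the version value and the control names are constructed placeholders, and the real control names come from the pg_secured module that defines them.

```yaml
# Hiera data for one node or role (constructed example, not part of pg_profile).
# Keys follow Puppet's automatic parameter lookup: <class name>::<parameter>.
pg_profile::database::cis_controls::dbname: 'appdb'            # constructed database name

# Pin the benchmark instead of relying on runtime detection. Detection cannot
# succeed on the first agent run, when Postgres is not yet installed, so the
# controls would otherwise be skipped until a later run.
pg_profile::database::cis_controls::product_version: '13'      # assumed value; use a version pg_secured supports

# Leave doc_version unset so the latest benchmark for product_version is used.
pg_profile::database::cis_controls::doc_version: ~

# Skip individual controls by name, for example where logging is configured by
# another class. The names below are placeholders, not real pg_secured control names.
pg_profile::database::cis_controls::skip_list:
  - '<CONTROL_NAME_TO_SKIP>'
  - '<ANOTHER_CONTROL_NAME>'
```

Keep the skip list short and reviewable: every entry is a benchmark control the database will not get, so it is worth recording next to each name why it is excluded and which other configuration covers that risk instead.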



# File 'manifests/database/cis_controls.pp', line 29

class pg_profile::database::cis_controls(
  String[1]                   $dbname,
  Optional[String[1]]         $product_version,
  Optional[String[1]]         $doc_version,
  Optional[Array[String[1]]]  $skip_list,
) inherits pg_profile::database {

  easy_type::debug_evaluation() # Show local variable on extended debug

  echo {"Making sure database ${dbname} is secured.":
    withpath => false,
  }

  pg_secured::ensure_cis { $dbname:
    product_version => $product_version,
    doc_version     => $doc_version,
    skip_list       => $skip_list,
  }
}