Secure your Oracle Database

Secure your Oracle database With more and more systems directly connected to the Internet, security becomes one of those things that keeps IT manager awake at night. The expertise required to secure your IT infrastructure is enormous. Puppet is one of the tools that can help you get a grip on the security settings of your IT environment. It allows you to codify the required settings of your IT infrastructure into sort of a blueprint. A blueprint that puppet enforces. Now Enterprise Modules also developed a blueprint for securing your database. By adding just one line to your blueprint, Puppet ensures your database is securely configured and stays that way.

Role of Puppet in IT security

Puppet recently published a white paper [“Maximizing IT Security with Configuration Management”). In the white paper, the describe the role and value of Puppet in the field of information security. They identify “Establish a Standard Operating Environment (SOE) and meet IT security standards.” as one of the main roles of Puppet.

What is the Standard

Let’s first dive into the question: “What configuration settings are needed to get my system secure?”. Many people have asked themselves this question. The Center for Internet Security (CIS) is one of the means to get an answer. To that question. Here is a quote from their site:

What is a CIS Security Benchmark

The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of the reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements.

The CIS has many benchmarks. It has benchmarks for Operating System settings, benchmarks for several Server based software packages, including Oracle database

These benchmarks contain a precise, actionable set of measures for your systems.

How to enforce?

So now we know what a secure configuration looks like. How do we ensure these settings are applied to our systems? Not only now but forever? And how do we see and report when somebody or something’s changed one of the settings, maybe by accident or maybe on purpose?

What about Puppet?

The Puppet way of setting up a system and maintain it is by describing the desired state of the system in sort of a blueprint. The Puppet agent can then look around on the system and see if there are any deviations between the desired state described in the blueprint and the real configuration of the system. Base on the request, Puppet can the either report this deviation or reset the system to its requested state. Thereby ensuring security is provided.

What about the database?

Like I said before, the CIS also has a security baseline for Oracle 12: CIS Oracle Database Server 12c Benchmark v2.0.0 . We have taken this baseline and Puppetized it for you to use. It is called the ora_secured and contains an implementation of all rules in the benchmark that describe a configuration setting inside of the database. At this point in time, 124 of the 129 rules are implemented, and 5 are not because they rely on settings outside of the database.

How does it work?

Very simple. To enforce all of the rules in the CIS Oracle benchmark you just have to add the next puppet code to your Puppet manifest:

ora_secured::ensure_cis{ 'DBNAME':}

On a Puppet run, the module will inspect all settings described in the CIS rules and apply changes to them if they deviate from the standard. (If you have started the Puppet run with a noop, it will do nothing, but report all changes that would have been made. ). All changes will be reported to the Puppet master and on the console, you get an overview of the changes. Because the Puppet agent runs every 20 minutes (or different if you set it to a different interval) every 20 minutes your database configuration is checked against the CIS benchmark and you can sleep well and be assured your data is safe.

Get started

The Oracle Security Module module is an add-on to the ora_config module. Trying out our modules on a VirtualBox development environment is FREE. If you would like to test this out in your own IT infrastructure, check out the Oracle starter pack. As of now it also contains a set of entitlements for the Oracle Security module.