Here is a list of all controls implemented in this Puppet module. Each link takes you to the documentation of the implementation class.

1 Installation and Patches

1.1 Install the latest fix packs (Not Scored)
1.2 Use IP address rather than hostname (Scored)
1.3 Leverage the least privilege principle (Not Scored)
1.4 Use non-default account names (Scored)
1.5 Configure DB2 to use non-standard ports (Not Scored)
1.6 Creating the database with the RESTRICTIVE clause (Not Scored)

2 DB2 Directory and File Permissions

2.1 Secure DB2 Runtime Library (Scored)
2.2 Secure the database container directory (Scored)
2.3 Set umask value for DB2 admin user .profile file (Scored)
2.4 Verify the groups within the DB2_GRP_LOOKUP environment variable are appropriate (Windows only) (Not Scored)
2.5 Verify the domains within the DB2DOMAINLIST environment variable are appropriate (Windows only) (Not Scored)

3 DB2 Configurations

3.1 DB2 Instance Parameter Settings
3.1.1 Enable audit buffer (Scored)
3.1.2 Encrypt user data across the network (Scored)
3.1.3 Require explicit authorization for cataloging (Scored)
3.1.4 Disable datalinks support (Scored)
3.1.5 Secure permissions for default database file path (Scored)
3.1.6 Set diagnostic logging to capture errors and warnings (Scored)
3.1.7 Secure permissions for all diagnostic logs (Scored)
3.1.8 Require instance name for discovery requests (Scored)
3.1.9 Disable instance discoverability (Scored)
3.1.10 Authenticate federated users at the instance level (Scored)
3.1.11 Set maximum connection limits (Scored)
3.1.12 Set administrative notification level (Scored)
3.1.13 Enable server-based authentication (Scored)
3.1.14 Set failed archive retry delay (Scored)
3.1.15 Auto-restart after abnormal termination (Scored)
3.1.16 Disable database discovery (Scored)
3.1.17 Secure permissions for the primary archive log location (Scored)
3.1.18 Secure permissions for the secondary archive log location (Scored)
3.1.19 Secure permissions for the tertiary archive log location (Scored)
3.1.20 Secure permissions for the log mirror location (Scored)
3.1.21 Establish retention set size for backups (Scored)
3.1.22 Set archive log failover retry limit (Scored)
3.2 Database Manager Configuration parameters
3.2.1 TCP/IP service name - svcename (Scored)
3.2.2 SSL service name - ssl_svcename (Scored)
3.2.3 Authentication type for incoming connections at the server - srvcon_auth (Scored)
3.2.4 Database Manager Configuration parameter: trust_allclnts (Not Scored)
3.2.5 Database Manager Configuration parameter: trust_clntauth (Not Scored)

4 Row and Column Access Control (RCAC)

4.1 Review Organization’s Policies against DB2 RCAC Policies (Not Scored)
4.2 Secure SECADM Authority (Not Scored)
4.3 Review Users, Groups, and Roles (Not Scored)
4.4 Review Row Permission logic according to policy (Not Scored)
4.5 Review Column Mask logic according to policy (Not Scored)

5 Database Maintenance

5.1 Enable Backup Redundancy (Not Scored)
5.2 Protecting Backups (Not Scored)
5.3 Enable Automatic Database Maintenance (Scored)

6 Securing Database Objects

6.1 Restrict Access to SYSCAT.AUDITPOLICIES (Scored)
6.2 Restrict Access to SYSCAT.AUDITUSE (Scored)
6.3 Restrict Access to SYSCAT.DBAUTH (Scored)
6.4 Restrict Access to SYSCAT.COLAUTH (Scored)
6.5 Restrict Access to SYSCAT.EVENTS (Scored)
6.6 Restrict Access to SYSCAT.EVENTTABLES (Scored)
6.7 Restrict Access to SYSCAT.ROUTINES (Scored)
6.8 Restrict Access to SYSCAT.INDEXAUTH (Scored)
6.9 Restrict Access to SYSCAT.PACKAGEAUTH (Scored)
6.10 Restrict Access to SYSCAT.PACKAGES (Scored)
6.11 Restrict Access to SYSCAT.PASSTHRUAUTH (Scored)
6.12 Restrict Access to SYSCAT.SECURITYPOLICIES (Scored)
6.14 Restrict Access to SYSCAT.SURROGATEAUTHIDS (Scored)
6.15 Restrict Access to SYSCAT.ROLEAUTH (Scored)
6.16 Restrict Access to SYSCAT.ROLES (Scored)
6.17 Restrict Access to SYSCAT.ROUTINEAUTH (Scored)
6.18 Restrict Access to SYSCAT.SCHEMAAUTH (Scored)
6.19 Restrict Access to SYSCAT.SCHEMATA (Scored)
6.20 Restrict Access to SYSCAT.SEQUENCEAUTH (Scored)
6.21 Restrict Access to SYSCAT.STATEMENTS (Scored)
6.22 Restrict Access to SYSCAT.TABAUTH (Scored)
6.23 Restrict Access to SYSCAT.TBSPACEAUTH (Scored)
6.24 Restrict Access to Tablespaces (Scored)
6.25 Restrict Access to SYSCAT.MODULEAUTH (Scored)
6.26 Restrict Access to SYSCAT.VARIABLEAUTH (Scored)
6.27 Restrict Access to SYSCAT.WORKLOADAUTH (Scored)
6.28 Restrict Access to SYSCAT.XSROBJECTAUTH (Scored)
6.29 Restrict Access to SYSCAT.AUTHORIZATIONIDS (Scored)
6.30 Restrict Access to SYSIBMADM.OBJECTOWNERS (Scored)
6.31 Restrict Access to SYSIBMADM.PRIVILEGES (Scored)

7 DB2 Authorities

7.1 Secure SYSADM authority (Scored)
7.2 Secure SYSCTRL authority (Scored)
7.3 Secure SYSMAINT Authority (Scored)
7.4 Secure SYSMON Authority (Scored)
7.5 Secure SECADM Authority (Scored)
7.6 Secure DBADM Authority (Scored)
7.7 Secure SQLADM Authority (Scored)
7.8 Secure DATAACCESS Authority (Scored)
7.9 Secure ACCESSCTRL Authority (Scored)
7.10 Secure WLMADM authority (Scored)
7.11 Secure CREATAB Authority (Scored)
7.12 Secure BINDADD Authority (Scored)
7.13 Secure CONNECT Authority (Scored)
7.14 Secure LOAD Authority (Scored)
7.15 Secure EXTERNALROUTINE Authority (Scored)
7.16 Secure QUIESCECONNECT Authority (Scored)

8 DB2 Roles

8.1 Review Roles (Scored)
8.2 Review Role Members (Scored)
8.3 Nested Roles (Scored)
8.4 Review Roles granted to PUBLIC (Scored)
8.5 Review Role Grantees with WITH ADMIN OPTION (Scored)

9 General Policy and Procedures

9.1 Start and Stop DB2 Instance (Not Scored)
9.2 Remove Unused Schemas (Not Scored)
9.3 Review System Tablespaces (Scored)
9.4 Remove Default Databases (Scored)
9.5 Enable SSL communication with LDAP server (Scored)
9.6 Secure the permission of the IBMLDAPSecurity.ini file (Scored)
9.7 Secure the permission of the SSLconfig.ini file (Scored)
9.8 Ensure Trusted Contexts are enabled (Not Scored)
9.9 Secure plug-in library locations (Not Scored)
9.10 Ensure that security plug-in support for two-part user IDs is enabled (Not Scored)
9.11 Ensure permissions on communication exit library locations (Not Scored)
9.12 Ensure audit policies are enabled within the database (Not Scored)