Skipping some controls
The scope of the CIS benchmark for DB2 is pretty extensive. So extensive that enabling all controls will probably leave your application unable to work. So you need to customize which controls you enable.
There are three ways the db2_secured module allows you to skip controls.
- Add a list of controls to skip when calling the `db2_secured` class in your Puppet code.
- Add an entry with the content `db2_secured::controls::name_of_the_control: skip` to your hiera data.
- Add an entry with the content `name_of_the_control` to the array value `db2_secured::skip_list` in your hiera data.
Method 1 is a good way to create your own baseline based on the standard.
Method 2 is the perfect way to override the applicability of a control on an individual database or set of databases. Just put this data in the hiera for this node or group of databases.
Method 3 is the perfect way to set up a base level: a set of controls you want to be skipped on all of your databases.
You can combine all of these methods to fit your use case.
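As an added example (not taken from the original page or from the db2_secured module's own documentation), here is hiera data that combines methods 2 and 3: a base skip list in the common hiera layer, plus a per-node override that skips one more control only where that node's database needs it. Method 1 is Puppet code rather than hiera data and is not shown here. The only real control name used is `password_lock_time_is_greater_than_or_equal_to_1`, which this page names; the other control names and the hiera file names are assumed placeholders.

```yaml
# Added example, not from the original page.
# Control names other than password_lock_time_is_greater_than_or_equal_to_1
# are placeholders; replace them with the controls you actually want to skip.

# --- common.yaml (method 3): base level, skipped on all databases ---
db2_secured::skip_list:
  - name_of_a_control_skipped_everywhere
  - another_control_skipped_everywhere

---
# --- nodes/db-test-01.example.yaml (method 2): this node only ---
# Skips one additional control for the database(s) managed on this node,
# leaving the common skip_list above untouched.
db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1: skip
```

Keeping the base skip list in the common layer and the per-database exceptions in node-level data makes it easy to review where a control is switched off and why: anything in `skip_list` is a deliberate baseline decision, anything set to `skip` at node level is a documented local exception.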
Besides excluding some of the controls, you can also customize most of the controls to exclude some objects. As an example, we are going to customize the control `password_lock_time_is_greater_than_or_equal_to_1`. This control makes sure that the `PASSWORD_LOCK_TIME` property of all DB2 profiles is equal to or greater than 1.
Using a different value
The default value for this control is 1. But we want it to be at least 3. Just like with the overall `skip_list` parameter, we have two options: setting it for all databases, or setting it for just one named database. For this example, we want to set it for all databases. So here is the hiera data we need to do this:
If we only want to set it for one particular database we can do this:
Excluding an object
Now we have set a very strict value for the control `password_lock_time_is_greater_than_or_equal_to_1`. But on database `TEST` we want two DB2 profiles to be excluded from this control. Here is the yaml code to do this:

```yaml
db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::test::exclude:
  - test_profile1
  - test_profile2
```

By excluding we mean that the control doesn't inspect or change these DB2 profiles. This also means that your puppet code can contain other code that will set this value.
Whenever there is something to exclude or there is a preferred value to set, the same pattern applies.
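The following hiera data is an added example, not code from the original page or from the db2_secured module, that carries the pattern described in the two sections above through in one place: a stricter preferred value for all databases, the same key narrowed to a single named database, and the exclusion of two profiles on database `TEST`. This page does not give the name of the parameter that carries the preferred value, so `VALUE_PARAMETER` below is a placeholder; look it up in the control's documentation before using this.

```yaml
# Added example, not from the original page.
# VALUE_PARAMETER is a placeholder: the page does not name the parameter that
# holds the preferred value for this control. The ::exclude parameter and the
# ::test:: database segment are as shown on the page.

# --- common.yaml: require PASSWORD_LOCK_TIME >= 3 on all databases ---
db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::VALUE_PARAMETER: 3

---
# --- hiera data for the node running database TEST ---
# Same key, narrowed to one named database (the database name appears in
# lowercase between the control name and the parameter, as on the page).
db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::test::VALUE_PARAMETER: 3

# Two profiles on TEST are left alone by this control; they remain the
# responsibility of whatever other puppet code manages them.
db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::test::exclude:
  - test_profile1
  - test_profile2
```

Note that an excluded profile is not merely left at the default, it is not inspected at all, so if nothing else in your puppet code sets `PASSWORD_LOCK_TIME` for `test_profile1` and `test_profile2`, those profiles fall outside the benchmark's guarantee and should be tracked as a documented exception.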
Writing your own class
Besides setting these values in hiera, you can also write your own security class and include just the controls you want. All the controls are regular puppet defined types and you can use them like any other puppet code.