Skipping some controls

The scope of the CIS benchmark for DB2 is pretty extensive. So extensive that enabling all controls will probably ensure that your application doesn't work anymore. So you need to customize the set of controls you enable.

There are three ways the db2_secured module allows you to skip controls.

  1. Add a list of controls to skip when calling the db2_secured defined type.
  2. Add db2_secured::controls::name_of_the_control: skip to your hiera data.
  3. Add an entry with the content name_of_the_control to the array value db2_secured::skip_list in your hiera data.

Method 1 is a good way to create your own baseline based on the standard db2_secured code.

Method 2 is the perfect way to override the applicability of a control on an individual database or a set of databases. Just put this data in the hiera for this node or group of databases.

Method 3 is the perfect way to set up a base level: a set of controls you want skipped on all of your databases.

You can combine all of these methods to fit your use case.

Customizing controls

Besides excluding some of the controls, you can also customize most of the controls to exclude some objects. As an example, we are going to customize the control password_lock_time_is_greater_than_or_equal_to_1. This control makes sure that the PASSWORD_LOCK_TIME property of all DB2 profiles is greater than or equal to 1.

Using a different value

The default value for this control is 1. But we want it to be at least 3. Just like with the overall skip_list parameter, we have two options: setting it for all databases, or setting it for just one named database. For this example, we want to set it for all databases. So here is the hiera data we need to do this:

db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::preferred_value: 3

If we only want to set it for one particular database we can do this:

db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::db1::preferred_value: 3

Excluding an object

Now we have set a very strict value for the control password_lock_time_is_greater_than_or_equal_to_1. But on database TEST we want two DB2 profiles to be excluded from this control. Here is the YAML data to do this:

db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::test::exclude:
  - test_profile1
  - test_profile2

By excluding we mean that the control doesn't inspect or change these DB2 profiles. This also means that your Puppet code can contain other code that sets this value for them.

Customization pattern

Whenever there is something to exclude or there is a preferred value to set, the same hiera key pattern applies: db2_secured::controls::name_of_the_control::preferred_value or ::exclude for all databases, and db2_secured::controls::name_of_the_control::name_of_the_database::preferred_value or ::exclude for a single database.
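As an added example (not taken from the module's own documentation), here is node-level hiera data for a host serving the databases db1 and TEST that combines the skip methods and the customization keys described above. Control names other than password_lock_time_is_greater_than_or_equal_to_1 are placeholders, and the database-specific preferred_value is assumed to take precedence over the global one.

```yaml
# Constructed example of node-level hiera data for one DB2 host.

# Method 3: controls skipped on every database served by this node.
db2_secured::skip_list:
  - name_of_the_control        # placeholder control name
  - another_control            # placeholder control name

# Method 2: skip one specific control for this node only.
db2_secured::controls::yet_another_control: skip   # placeholder control name

# Preferred value for all databases on this node ...
db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::preferred_value: 3

# ... overridden for database db1 (assumed to take precedence over the global value).
db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::db1::preferred_value: 5

# DB2 profiles on database TEST that this control must neither inspect nor change.
db2_secured::controls::password_lock_time_is_greater_than_or_equal_to_1::test::exclude:
  - test_profile1
  - test_profile2
```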

Writing your own class

Besides setting these values in hiera, you can also write your own security class and include just the controls you want. All the controls are regular Puppet defined types, and you can use them like any other Puppet code.