Overview

defined type db2_secured::ensure_cis

Apply all DB2 database CIS controls to the specified database.

Here is an example showing how to enable the CIS benchmark for your database:

db2_secured::ensure_cis { 'db2inst1/DBNAME':
  product_version => 'db10',
  doc_version     => 'V1.1.0',
}

When you don't specify the doc_version, Puppet automatically uses the latest version for your current product_version. If you also don't specify a product_version, Puppet will detect the version of DB2 running and use this to determine the product_version. There is, however, one issue with the detection. On an initial run Puppet cannot determine what the DB2 version is. In that case, the db2_secured defined type will skip applying the CIS benchmark and retry on the next run, by which time (hopefully) the version of DB2 for the specified instance is available.

When you want to skip certain controls, you can use the skip_list.

db2_secured::ensure_cis { 'db2inst1/DBNAME':
  product_version => 'db10',
  doc_version     => 'V1.1.0',
  skip_list       => [
    'alter_database_link_action_audit_is_enabled',
    'alter_role_action_audit_is_enabled',
  ]
}

When you have multiple databases on your system and want to use the same database version and CIS document version for all of them, you can set resource defaults and then declare each database:

Db2_secured::Ensure_cis {
  product_version => 'db10',
  doc_version     => 'V1.1.0',
  skip_list       => [
    'alter_database_link_action_audit_is_enabled',
    'alter_role_action_audit_is_enabled',
  ],
}

db2_secured::ensure_cis { 'db2inst1/DB1': }
db2_secured::ensure_cis { 'db2inst1/DB2': }
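Resource defaults apply the same skip_list to every database. When some databases need extra controls skipped, a hash of databases iterated with each gives one declaration per database while keeping a shared baseline. The manifest below is an added example, not code from the module's own documentation; the instance name db2inst1, the database names SALES and HR and the split of the two control names between the common and the per-database list are constructed sample values.

```puppet
# Added example: apply the CIS benchmark to several databases with a shared
# skip list plus per-database additions. Instance and database names are
# constructed; the control names are the two used elsewhere on this page.

# Controls skipped on every database on this host.
$common_skips = [
  'alter_database_link_action_audit_is_enabled',
]

# Database identifier (instance/database) => controls skipped only there.
$databases = {
  'db2inst1/SALES' => [],
  'db2inst1/HR'    => ['alter_role_action_audit_is_enabled'],
}

$databases.each |String $db, Array $extra_skips| {
  db2_secured::ensure_cis { $db:
    product_version => 'db10',
    doc_version     => 'V1.1.0',
    # Array concatenation; keep the two lists disjoint to avoid duplicates.
    skip_list       => $common_skips + $extra_skips,
  }
}
```

Because the per-database list is data rather than a resource default, it is easy to review which controls are not enforced on which database, and the catalog shows one ensure_cis resource per database identifier.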

Attributes

Attribute Name    Short Description
all_controls      This is an internal parameter.
doc_version       The version of the CIS benchmark you want to apply to your database.
nonpdb_controls   This is an internal parameter.
product_version   The database version of the CIS benchmark you want to apply.
skip_list         This is the list of controls that you want to skip.
title             The database identifier to apply the control to.

title

The database identifier to apply the control to.

All controls need a database identifier to apply the control to. Here is a simple example:

db2_secured::controls::control_name { 'db2inst1/MYDB': }

In this example, the string db2inst1 is the instance and the string MYDB is the database to apply the control to.

product_version

The database version of the CIS benchmark you want to apply. Although not very logical, you can apply an older (or newer) database version to your database.

If you don't specify a product_version, Puppet will detect the version of DB2 running and use this to determine the product_version. There is, however, one issue with the detection. On an initial run Puppet cannot determine what the DB2 version is. In that case, the db2_secured defined type will skip applying the CIS benchmark and retry on the next run, by which time (hopefully) the version of DB2 for the specified instance is available.

Type: Optional[String[1]]

Default: db2_secured::default_product_version($title)

doc_version

The version of the CIS benchmark you want to apply to your database. When you don't specify the doc_version, Puppet automatically uses the latest version for your current product_version.

Type: Optional[String[1]]

Default: db2_secured::default_doc_version($product_version, 'cis')

all_controls

This is an internal parameter. This is the Hash containing all paragraphs from the selected CIS benchmark.

nonpdb_controls

This is an internal parameter. It contains all of the controls that don’t run on a pluggable database.

skip_list

This is the list of controls that you want to skip. By default this value is empty, meaning db2_secured will apply ALL controls. You must specify the name of each control to skip. Here is an example of how to do this:

db2_secured::ensure_cis { 'db2inst1/MYDB':
  product_version => 'db10',
  doc_version     => 'V1.1.0',
  skip_list       => [
    'alter_database_link_action_audit_is_enabled',
    'alter_role_action_audit_is_enabled',
  ],
}

Type: Array

Default: db2_secured::lookup_setting('skip_list', [])