ensure cis
Overview
defined type db2_secured::ensure_cis
Apply all DB2 database CIS control to the specified database
Here is an example showing how to enable the CIS bencgmark for your database.:
db2_secured::ensure_cis { 'db2inst1/DBNAME':
product_version => 'db10',
doc_version => 'V1.1.0',
}
When you don’t specify the doc_version
, puppet automatically uses the latest version for your current product_version
. If you also don’t specify a product_version
, Puppet will detect the version of DB2 running and use this to determine the product_version
. There is, however, one issue with the detection. On an initial run Puppet canot determine what the DB2 version is. In that case, the db2_secured defined type will skip applying the CIS benchmark and wait until (hopefully) the next run the version of DB2 for specified sid is available.
When you want to skip certain controls, you can use the skip_list
.
db2_secured::ensure_cis { 'db2inst1/DBNAME':
product_version => 'db10',
doc_version => 'V1.1.0',
skip_list => [
'alter_database_link_action_audit_is_enabled',
'alter_role_action_audit_is_enabled',
]
}
When you have multiple database on your system and want to use the same database version and CIS document version, you can do this:
db2_secured::Ensure_cis {
product_version => 'db10',
doc_version => 'V1.1.0',
skip_list => [
'alter_database_link_action_audit_is_enabled',
'alter_role_action_audit_is_enabled',
]
}
db2_secured::ensure_cis {'DB1':}
db2_secured::ensure_cis {'DB2':}
Attributes
Attribute Name | Short Description |
---|---|
all_controls | This is an internal parameter. |
doc_version | The version of the CIS benchmark you want to apply to your database. |
nonpdb_controls | This is an internal parameter. |
product_version | The database version of the CIS benchmark you want to apply. |
skip_list | This is the list of controls that you want to skip. |
title | The database identifier to apply the control to. |
title
The database identifier to apply the control to.
All controls need an database identifier to apply the control to. Here is a simple example:
db2_secured::controls::control_name { 'db2inst1/MYDB':}
In this example, the string dbinst1
is the instance, the string MYDB
is the database to apply the control to.
Back to overview of ensure_cis
product_version
The database version of the CIS benchmark you want to apply. Although not very logical, you can apply an older (or newer) database version to your database.
If you also don’t specify a product_version
, Puppet will detect the version of DB2 running and use this to determine the product_version
. There is, however, one issue with the detection. On an initial run Puppet canot determine what the DB2 version is. In that case, the db2_secured defined type will skip applying the CIS benchmark and wait until (hopefully) the next run the version of DB2 for specified sid is available.
Type: Optional[String[1]]
Default:db2_secured::default_product_version($title)
Back to overview of ensure_cis
doc_version
The version of the CIS benchmark you want to apply to your database. When you don’t specify the doc_version
, puppet automatically uses the latest version for your current product_version
. Type: Optional[String[1]]
Default:db2_secured::default_doc_version($product_version, 'cis')
Back to overview of ensure_cis
all_controls
This is an internal parameter. This is the Hash containing all paragraphs from the selected CIS benchmark.
Back to overview of ensure_cis
nonpdb_controls
This is an internal parameter. It contains all of the controls that don’t run on a pluggable database.
Back to overview of ensure_cis
skip_list
This is the list of controls that you want to skip. By default this vale is empty, meaning db2_secured
will apply ALL controls. You must specifiy the name of the control. Here is an example on how to do this:
db2_secured { 'MYDB':
product_version => 'db19c',
doc_version => 'V1.0.0',
skip_list => [
'alter_database_link_action_audit_is_enabled',
'alter_role_action_audit_is_enabled',
]
}
Type: Array
Default:db2_secured::lookup_setting('skip_list', [])