With more and more systems directly connected to the Internet, having the right security settings on those systems becomes an important issue. Tackle this issue, we need to answer at least two questions:
- What configuration settings are needed to make my systems secure?
- How do I make and keep my system secure
What is secure?
Let’s first dive into the question: “What configuration settings are needed to get my system secure?”. Many people have asked themselves this question. The Center for Internet Security (CIS) is one of the means to get an answer. To that question. Here is a quote from their site:
These benchmarks contain a precise, actionable set of measures for your systems.
How to enforce?
So now we know what a secure configuration looks like. How do we ensure these settings are applied to our systems? Not only now but forever? And how do we see and report when somebody or something’s changed one of the settings, maybe by accident or maybe on purpose?
What about Puppet?
The Puppet way of setting up a system and maintain it, is by describing the desired state of the system in sort of a blueprint. The Puppet agent can then look around on the system and see if there are any deviations between the desired state described in the blueprint and the real configuration of the system. Base on the request, Puppet can the either report this deviation or reset the system to its requested state. Thereby ensuring security is provided.
What about the database?
Like I said before, the CIS also has a security baseline for Oracle 12: CIS Oracle Database Server 12c Benchmark v2.0.0 . We have taken this baseline and Puppetized it for you to use. It is called the
ora_cis and contains an implementation of all rules in the benchmark that describe a configuration setting inside of the database. At this point in time 124 of the 129 rules are implemented and 5 are not because they rely on settings outside of the database.
How does it work?
Very simple. To enforce all of the rules in the CIS Oracle benchmark you just have to add the next puppet code to your Puppet manifest:
On a Puppet run, the module will inspect all settings described in the CIS rules and apply changes to them if they deviate from the standard. (If you have started the Puppet run with a
noop, it will do nothing, but report all changes that would have been made. ). All changes will be reported to the Puppet master and on the console, you get an overview of the changes. Because the Puppet agent runs every 20 minutes (or different if you set it to a different interval) every 20 minutes your database configuration is checked against the CIS benchmark and you can sleep well and be assured your data is safe.