In this playground, we will show you how you can use Puppet to ensure CIS compliance for your Oracle database.
The playground system
On the playground system, you will find an Oracle database. We have created it using the ora_profile module. The playground will guide you in your security customizations.
Working in the playground
Under this text, you see the working area. You can inspect the system and issue any command you like in the terminal. In the editor window, you can see the Puppet production environment. You can edit anything you wish. The documentation tab shows the documentation for the ora_secured module.
Beware
This system will self-destruct in about one hour. So please don’t use it to build or create anything you wish to keep!
Subjects in this playground
The playground contains the following sections:
Applying CIS controls
Selecting version of CIS benchmark
Excluding controls
Enable some controls
Reading the output
Enable all controls
Re-run Puppet and check idempotency
Happy exploring!!
Applying CIS controls
In this section, we’ll show you how you can use Puppet to apply CIS controls to your Oracle server.
In the editor tab, go to the directory hierdata/nodes and open the file ora19.playground.enterprisemodules.com. This file contains all the node-specific data.
At the top of the file you see this:
role: role::secured_database
This differs from the other Oracle playgrounds, which use the role role::database. The role secured_database adds the Puppet code to your node that ensures that ALL of the CIS controls for Oracle databases are applied to this database.
Selecting version of CIS benchmark
But there are many versions of Oracle, and also many versions of the documents describing the CIS controls. How do we tell Puppet which to use?
Here you see that we want to use document version V1.0.0 for product version db19c of the controls on this system and apply them to database DB01.
Excluding controls
If you don’t specify anything else, Puppet will apply ALL controls to the selected Oracle database. Most of the time, however, organisations need to customize the set of controls. Security people prefer working with exclusion lists: everything is applied except the controls we explicitly exclude. If we scroll down in the YAML, we see the hiera key ora_profile::database::cis_controls::skip_list. This is an array of the controls that we want to skip, i.e. exclude.
Right now, for teaching purposes, the list contains all available controls. So when we run Puppet, nothing will be secured.
Running Puppet
Let’s do this:
puppet apply site.pp
Notice: Compiled catalog for ora19.playground.enterprisemodules.com in environment production in 1.41 seconds
Notice: Ensure DB software 19.0.0.0 EE in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure DB definition for database DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure Listener for DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure DB service(s) DB01_APP
Notice: Ensure DB Startup for DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Making sure database DB01 is secured.
Notice: Ensure Limit(s) for ora_profile::database::limits: */nofile,oracle/nofile,oracle/nproc,oracle/stack
Notice: Ensure Group(s) oinstall,dba,oper
Notice: Ensure User(s) oracle
Notice: Ensure Package(s) for ora_profile::database::packages: bc,binutils,elfutils-libelf.x86_64,compat-libcap1,compat-libstdc++-33.x86_64,e2fsprogs.x86_64,e2fsprogs-libs.x86_64,glibc.x86_64,glibc-devel.x86_64,ksh,libaio.x86_64,libaio-devel.x86_64,libX11.x86_64,libXau.x86_64,libXi.x86_64,libXtst.x86_64,libgcc.x86_64,libstdc++.x86_64,libstdc++-devel.x86_64,libxcb.x86_64,libXrender.x86_64,libXrender-devel.x86_64,make.x86_64,policycoreutils.x86_64,policycoreutils-python.x86_64,smartmontools.x86_64,sysstat.x86_64
Notice: Apply ora_secured CIS controls from db19c V1.0.0 on DB01.
Notice: /Stage[main]/Ora_profile::Database::Groups_and_users/Easy_type::Profile::Groups_and_users[ora_profile::database::groups_and_users]/User[oracle]/password: changed [redacted] to [redacted]
Notice: Applied catalog in 2.88 seconds
And you see no security changes: none of the Notice lines come from an Ora_secured control.
Enable some controls
Now let’s enable some of the controls. Take the first five controls in the skip list and comment them out, meaning they are no longer on the skip list and will be applied.
puppet apply site.pp
Notice: Compiled catalog for ora19.playground.enterprisemodules.com in environment production in 1.49 seconds
Notice: Ensure DB software 19.0.0.0 EE in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure DB definition for database DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure Listener for DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure DB service(s) DB01_APP
Notice: Ensure DB Startup for DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Making sure database DB01 is secured.
Notice: Ensure Limit(s) for ora_profile::database::limits: */nofile,oracle/nofile,oracle/nproc,oracle/stack
Notice: Ensure Group(s) oinstall,dba,oper
Notice: Ensure User(s) oracle
Notice: Ensure Package(s) for ora_profile::database::packages: bc,binutils,elfutils-libelf.x86_64,compat-libcap1,compat-libstdc++-33.x86_64,e2fsprogs.x86_64,e2fsprogs-libs.x86_64,glibc.x86_64,glibc-devel.x86_64,ksh,libaio.x86_64,libaio-devel.x86_64,libX11.x86_64,libXau.x86_64,libXi.x86_64,libXtst.x86_64,libgcc.x86_64,libstdc++.x86_64,libstdc++-devel.x86_64,libxcb.x86_64,libXrender.x86_64,libXrender-devel.x86_64,make.x86_64,policycoreutils.x86_64,policycoreutils-python.x86_64,smartmontools.x86_64,sysstat.x86_64
Notice: Apply ora_secured CIS controls from db19c V1.0.0 on DB01.
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_1_2::Db01/Ora_secured::Controls::Admin_restrictions_is_set_to_on[DB01]/File_line[admin_restrictions_is_set_to_on@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_1::Db01/Ora_secured::Controls::Audit_sys_operations_is_set_to_true[DB01]/Ora_secured::Internal::Parameter[AUDIT_SYS_OPERATIONS@DB01@uAGkMP]/Ora_init_param[SPFILE/AUDIT_SYS_OPERATIONS@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_2::Db01/Ora_secured::Controls::Audit_trail_is_set_to_db_xml_os_dbextended_or_xmlextended[DB01]/Ora_secured::Internal::Parameter[AUDIT_TRAIL@DB01@WlGDvs]/Ora_init_param[SPFILE/AUDIT_TRAIL@DB01]/value: value changed db to ["EXTENDED", "XML"]
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_3::Db01/Ora_secured::Controls::Global_names_is_set_to_true[DB01]/Ora_secured::Internal::Parameter[GLOBAL_NAMES@DB01@gAjPqJ]/Ora_init_param[SPFILE/GLOBAL_NAMES@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_4::Db01/Ora_secured::Controls::Os_roles_is_set_to_false[DB01]/Ora_secured::Internal::Parameter[OS_ROLES@DB01@aGEqKL]/Ora_init_param[SPFILE/OS_ROLES@DB01]/ensure: created
Notice: Applied catalog in 5.64 seconds
Reading the output
As you can see, Puppet applied some changes to the database. Let’s inspect one of these messages.
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_2::Db01/Ora_secured::Controls::Audit_trail_is_set_to_db_xml_os_dbextended_or_xmlextended[DB01]/Ora_secured::Internal::Parameter[AUDIT_TRAIL@DB01@WlGDvs]/Ora_init_param[SPFILE/AUDIT_TRAIL@DB01]/value: value changed db to ["EXTENDED", "XML"]
The Puppet notice message tells you very explicitly what was changed and why. The part Db19c::V1_0_0::P2_2_2::Db01/ tells you which version of Oracle (db19c) and which version of the CIS document (V1.0.0) were used to determine the baseline, with P2_2_2 identifying the control within that document. Audit_trail_is_set_to_db_xml_os_dbextended_or_xmlextended is the description of the CIS control. And Ora_init_param[SPFILE/AUDIT_TRAIL@DB01]/value: value changed db to ["EXTENDED", "XML"] tells us that the parameter AUDIT_TRAIL on the database DB01 has been changed from db to ["EXTENDED", "XML"].
Enable all controls
Let’s see what happens when we apply all CIS controls to the database.
Remove all of the data for the key ora_profile::database::cis_controls::skip_list either by commenting out or removing the lines.
Now run Puppet:
puppet apply site.pp
Here is some example output:
puppet apply site.pp
Alert: Scope(Ora_secured::Controls::Extproc_is_not_present_in_listener_ora[DB01]): Specified CIS rule is not yet automatically enforced.
Notice: Compiled catalog for ora19.playground.enterprisemodules.com in environment production in 3.74 seconds
Notice: Ensure DB software 19.0.0.0 EE in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure DB definition for database DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure Listener for DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure DB service(s) DB01_APP
Notice: Ensure DB Startup for DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Making sure database DB01 is secured.
Notice: Ensure Limit(s) for ora_profile::database::limits: */nofile,oracle/nofile,oracle/nproc,oracle/stack
Notice: Ensure Group(s) oinstall,dba,oper
Notice: Ensure User(s) oracle
Notice: Ensure Package(s) for ora_profile::database::packages: bc,binutils,elfutils-libelf.x86_64,compat-libcap1,compat-libstdc++-33.x86_64,e2fsprogs.x86_64,e2fsprogs-libs.x86_64,glibc.x86_64,glibc-devel.x86_64,ksh,libaio.x86_64,libaio-devel.x86_64,libX11.x86_64,libXau.x86_64,libXi.x86_64,libXtst.x86_64,libgcc.x86_64,libstdc++.x86_64,libstdc++-devel.x86_64,libxcb.x86_64,libXrender.x86_64,libXrender-devel.x86_64,make.x86_64,policycoreutils.x86_64,policycoreutils-python.x86_64,smartmontools.x86_64,sysstat.x86_64
Notice: Apply ora_secured CIS controls from db19c V1.0.0 on DB01.
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_3_2::Db01/Ora_secured::Controls::All_is_revoked_from_unauthorized_grantee_on_dba[DB01]/Ora_object_grant[PUBLIC->SYS.DBA_%@DB01]/permissions: revoked the READ right(s) on table DBA_AUTO_SEGADV_CTL and revoked the READ right(s) on table DBA_AUTO_SEGADV_SUMMARY and revoked the READ right(s) on table DBA_COL_PENDING_STATS and revoked the READ right(s) on table DBA_COL_USAGE_STATISTICS and revoked the READ right(s) on table DBA_DBFS_HS_FIXED_PROPERTIES and revoked the READ right(s) on table DBA_EDITIONING_VIEW_COLS and revoked the READ right(s) on table DBA_EDITIONING_VIEW_COLS_AE and revoked the READ right(s) on table DBA_EXPRESSION_STATISTICS and revoked the READ right(s) on table DBA_FLASHBACK_ARCHIVE and revoked the READ right(s) on table DBA_FLASHBACK_ARCHIVE_TABLES and revoked the READ right(s) on table DBA_FLASHBACK_ARCHIVE_TS and revoked the READ right(s) on table DBA_HEAT_MAP_SEGMENT and revoked the READ right(s) on table DBA_HEAT_MAP_SEG_HISTOGRAM and revoked the READ right(s) on table DBA_IND_PENDING_STATS and revoked the READ right(s) on table DBA_SR_PARTN_OPS and revoked the READ right(s) on table DBA_SR_STLOG_STATS and revoked the READ right(s) on table DBA_SYNC_CAPTURE_TABLES and revoked the READ right(s) on table DBA_TAB_HISTGRM_PENDING_STATS and revoked the READ right(s) on table DBA_TAB_PENDING_STATS and revoked the READ right(s) on table DBA_TAB_STAT_PREFS and revoked the READ right(s) on table DBA_TSTZ_TABLES and revoked the READ right(s) on table DBA_XMLSCHEMA_LEVEL_VIEW
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_14::Db01/Ora_secured::Controls::All_audit_option_on_sys_aud_is_enabled[DB01]/Ora_object_audit[SYS.AUD$@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_2_19::Db01/Ora_secured::Controls::Audsys_aud_unified_access_audit_is_enabled[DB01]/Ora_exec[create CIS_UNIFIED_AUDIT_POLICY on AUDSYS.AUD$UNIFIED@DB01]/statement: defined 'statement' as " CREATE AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY \n ACTIONS ALL\n on AUDSYS.AUD\$UNIFIED\n"
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_1::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_network_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[UTL_TCP@DB01]/Ora_object_grant[PUBLIC->SYS.UTL_TCP@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_1::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_network_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[UTL_SMTP@DB01]/Ora_object_grant[PUBLIC->SYS.UTL_SMTP@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_1::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_network_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[UTL_INADDR@DB01]/Ora_object_grant[PUBLIC->SYS.UTL_INADDR@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_1::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_network_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[UTL_HTTP@DB01]/Ora_object_grant[PUBLIC->SYS.UTL_HTTP@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_1::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_network_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[HTTPURITYPE@DB01]/Ora_object_grant[PUBLIC->SYS.HTTPURITYPE@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_1::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_network_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_LDAP@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_LDAP@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_2::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_file_system_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[UTL_FILE@DB01]/Ora_object_grant[PUBLIC->SYS.UTL_FILE@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_2::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_file_system_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_LOB@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_LOB@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_2::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_file_system_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_ADVISOR@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_ADVISOR@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_3::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_encryption_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_RANDOM@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_RANDOM@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_3::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_encryption_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_OBFUSCATION_TOOLKIT@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_OBFUSCATION_TOOLKIT@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_5::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_job_scheduler_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_SCHEDULER@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_SCHEDULER@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_5::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_job_scheduler_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_JOB@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_JOB@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_6::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_sql_injection_helper_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[OWA_UTIL@DB01]/Ora_object_grant[PUBLIC->SYS.OWA_UTIL@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_6::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_sql_injection_helper_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_XMLGEN@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_XMLGEN@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_6::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_sql_injection_helper_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_SQL@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_SQL@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_6::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_sql_injection_helper_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[DBMS_AW@DB01]/Ora_object_grant[PUBLIC->SYS.DBMS_AW@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_1::Db01/Ora_secured::Controls::User_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[USER@DB01]/Ora_statement_audit[USER@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_2::Db01/Ora_secured::Controls::Role_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[ROLE@DB01]/Ora_statement_audit[ROLE@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_3::Db01/Ora_secured::Controls::System_grant_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[SYSTEM GRANT@DB01]/Ora_statement_audit[SYSTEM GRANT@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_4::Db01/Ora_secured::Controls::Profile_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[PROFILE@DB01]/Ora_statement_audit[PROFILE@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_5::Db01/Ora_secured::Controls::Database_link_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[DATABASE LINK@DB01]/Ora_statement_audit[DATABASE LINK@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_6::Db01/Ora_secured::Controls::Public_database_link_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[PUBLIC DATABASE LINK@DB01]/Ora_statement_audit[PUBLIC DATABASE LINK@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_7::Db01/Ora_secured::Controls::Public_synonym_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[PUBLIC SYNONYM@DB01]/Ora_statement_audit[PUBLIC SYNONYM@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_8::Db01/Ora_secured::Controls::Synonym_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[SYNONYM@DB01]/Ora_statement_audit[SYNONYM@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_9::Db01/Ora_secured::Controls::Directory_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[DIRECTORY@DB01]/Ora_statement_audit[DIRECTORY@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_10::Db01/Ora_secured::Controls::Select_any_dictionary_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[SELECT ANY DICTIONARY@DB01]/Ora_statement_audit[SELECT ANY DICTIONARY@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_11::Db01/Ora_secured::Controls::Grant_any_object_privilege_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[GRANT ANY OBJECT PRIVILEGE@DB01]/Ora_statement_audit[GRANT ANY OBJECT PRIVILEGE@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_12::Db01/Ora_secured::Controls::Grant_any_privilege_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[GRANT ANY PRIVILEGE@DB01]/Ora_statement_audit[GRANT ANY PRIVILEGE@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_13::Db01/Ora_secured::Controls::Drop_any_procedure_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[DROP ANY PROCEDURE@DB01]/Ora_statement_audit[DROP ANY PROCEDURE@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_15::Db01/Ora_secured::Controls::Procedure_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[PROCEDURE@DB01]/Ora_statement_audit[PROCEDURE@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_16::Db01/Ora_secured::Controls::Alter_system_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[ALTER SYSTEM@DB01]/Ora_statement_audit[ALTER SYSTEM@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_17::Db01/Ora_secured::Controls::Trigger_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[TRIGGER@DB01]/Ora_statement_audit[TRIGGER@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_1_18::Db01/Ora_secured::Controls::Create_session_audit_option_is_enabled[DB01]/Ora_secured::Internal::Audit_option[CREATE SESSION@DB01]/Ora_statement_audit[CREATE SESSION@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P4_1::Db01/Ora_secured::Controls::All_default_passwords_are_changed[DB01]/Ora_user[SYSTEM@DB01]/password: changed to new value
Warning: Changing Oracle maintained user SYSTEM@DB01
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_6::Db01/Ora_secured::Controls::Remote_login_passwordfile_is_set_to_none[DB01]/Ora_secured::Internal::Parameter[REMOTE_LOGIN_PASSWORDFILE@DB01@IxAHlQ]/Ora_init_param[SPFILE/REMOTE_LOGIN_PASSWORDFILE@DB01]/value: value changed EXCLUSIVE to NONE
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_7::Db01/Ora_secured::Controls::Remote_os_authent_is_set_to_false[DB01]/Ora_secured::Internal::Parameter[REMOTE_OS_AUTHENT@DB01@HmTiIe]/Ora_init_param[SPFILE/REMOTE_OS_AUTHENT@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_8::Db01/Ora_secured::Controls::Remote_os_roles_is_set_to_false[DB01]/Ora_secured::Internal::Parameter[REMOTE_OS_ROLES@DB01@OWMEsa]/Ora_init_param[SPFILE/REMOTE_OS_ROLES@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_9::Db01/Ora_secured::Controls::Sec_case_sensitive_logon_is_set_to_true[DB01]/Ora_secured::Internal::Parameter[SEC_CASE_SENSITIVE_LOGON@DB01@OTjwDQ]/Ora_init_param[SPFILE/SEC_CASE_SENSITIVE_LOGON@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_10::Db01/Ora_secured::Controls::Sec_max_failed_login_attempts_is_3_or_less[DB01]/Ora_secured::Internal::Parameter[SEC_MAX_FAILED_LOGIN_ATTEMPTS@DB01@drGlVC]/Ora_init_param[SPFILE/SEC_MAX_FAILED_LOGIN_ATTEMPTS@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_11::Db01/Ora_secured::Controls::Sec_protocol_error_further_action_is_set_to_drop3[DB01]/Ora_secured::Internal::Parameter[SEC_PROTOCOL_ERROR_FURTHER_ACTION@DB01@hJavbP]/Ora_init_param[SPFILE/SEC_PROTOCOL_ERROR_FURTHER_ACTION@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_12::Db01/Ora_secured::Controls::Sec_protocol_error_trace_action_is_set_to_log[DB01]/Ora_secured::Internal::Parameter[SEC_PROTOCOL_ERROR_TRACE_ACTION@DB01@ReyfuW]/Ora_init_param[SPFILE/SEC_PROTOCOL_ERROR_TRACE_ACTION@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_13::Db01/Ora_secured::Controls::Sec_return_server_release_banner_is_set_to_false[DB01]/Ora_secured::Internal::Parameter[SEC_RETURN_SERVER_RELEASE_BANNER@DB01@STYvGJ]/Ora_init_param[SPFILE/SEC_RETURN_SERVER_RELEASE_BANNER@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_14::Db01/Ora_secured::Controls::Sql92_security_is_set_to_true[DB01]/Ora_secured::Internal::Parameter[SQL92_SECURITY@DB01@GVbHRc]/Ora_init_param[SPFILE/SQL92_SECURITY@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_15::Db01/Ora_secured::Controls::Trace_files_public_is_set_to_false[DB01]/Ora_secured::Internal::Parameter[_TRACE_FILES_PUBLIC@DB01@RpzSxj]/Ora_init_param[SPFILE/_TRACE_FILES_PUBLIC@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_16::Db01/Ora_secured::Controls::Resource_limit_is_set_to_true[DB01]/Ora_secured::Internal::Parameter[RESOURCE_LIMIT@DB01@qrRILo]/Ora_init_param[SPFILE/RESOURCE_LIMIT@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[DEFAULT@DB01]/failed_login_attempts: failed_login_attempts changed 10 to 5
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[DEFAULT@DB01]/password_life_time: password_life_time changed 180 to 90
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[DEFAULT@DB01]/password_reuse_time: password_reuse_time changed 'UNLIMITED' to 365
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[DEFAULT@DB01]/password_reuse_max: password_reuse_max changed 'UNLIMITED' to 20
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[DEFAULT@DB01]/password_grace_time: password_grace_time changed 7 to 5
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[DEFAULT@DB01]/password_verify_function: password_verify_function changed 'NULL' to 'ORA12C_STRONG_VERIFY_FUNCTION'
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[DEFAULT@DB01]/sessions_per_user: sessions_per_user changed 'UNLIMITED' to 10
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[DEFAULT@DB01]/inactive_account_time: inactive_account_time changed 'UNLIMITED' to 120
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[GSM_PROF@DB01]/failed_login_attempts: failed_login_attempts changed 10000000 to 5
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[GSM_PROF@DB01]/password_life_time: password_life_time changed 'DEFAULT' to 90
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[GSM_PROF@DB01]/password_reuse_time: password_reuse_time changed 'DEFAULT' to 365
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[GSM_PROF@DB01]/password_reuse_max: password_reuse_max changed 'DEFAULT' to 20
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[GSM_PROF@DB01]/password_lock_time: password_lock_time changed 'DEFAULT' to 1
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[GSM_PROF@DB01]/password_grace_time: password_grace_time changed 'DEFAULT' to 5
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[GSM_PROF@DB01]/password_verify_function: password_verify_function changed 'DEFAULT' to 'ORA12C_STRONG_VERIFY_FUNCTION'
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[GSM_PROF@DB01]/sessions_per_user: sessions_per_user changed 'DEFAULT' to 10
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[GSM_PROF@DB01]/inactive_account_time: inactive_account_time changed 'DEFAULT' to 120
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P6_2_1::Db01/Ora_secured::Controls::Create_user_action_audit_is_enabled[DB01]/Ora_secured::Internal::Audit_policy[actions@DB01@create_user]/Ora_audit_policy[CIS_UNIFIED_AUDIT_POLICY@DB01]/ensure: created
Notice: Applied catalog in 45.42 seconds
The first thing you see here is an Alert that one of the rules that is now enabled isn’t automatically enforced yet.
Furthermore, you see that about 67 changes were triggered to secure the database using the CIS benchmark.
Re-run Puppet and check idempotency
What happens now if we run Puppet again?
puppet apply site.pp
The output should look like the following:
puppet apply site.pp
Notice: Compiled catalog for ora19.playground.enterprisemodules.com in environment production in 3.58 seconds
Notice: Ensure DB software 19.0.0.0 EE in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure DB definition for database DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure Listener for DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Ensure DB service(s) DB01_APP
Notice: Ensure DB Startup for DB01 in /u01/app/oracle/product/19.0.0.0/db_home1
Notice: Making sure database DB01 is secured.
Notice: Ensure Limit(s) for ora_profile::database::limits: */nofile,oracle/nofile,oracle/nproc,oracle/stack
Notice: Ensure Group(s) oinstall,dba,oper
Notice: Ensure User(s) oracle
Notice: Ensure Package(s) for ora_profile::database::packages: bc,binutils,elfutils-libelf.x86_64,compat-libcap1,compat-libstdc++-33.x86_64,e2fsprogs.x86_64,e2fsprogs-libs.x86_64,glibc.x86_64,glibc-devel.x86_64,ksh,libaio.x86_64,libaio-devel.x86_64,libX11.x86_64,libXau.x86_64,libXi.x86_64,libXtst.x86_64,libgcc.x86_64,libstdc++.x86_64,libstdc++-devel.x86_64,libxcb.x86_64,libXrender.x86_64,libXrender-devel.x86_64,make.x86_64,policycoreutils.x86_64,policycoreutils-python.x86_64,smartmontools.x86_64,sysstat.x86_64
Notice: Apply ora_secured CIS controls from db19c V1.0.0 on DB01.
Notice: Applied catalog in 40.78 seconds
As you can see, no changes are (re)applied. The database is already secured.
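As an added example (not code from the ora_secured module or from this playground), the following Python script parses the Notice, Alert and Warning lines in the format explained under "Reading the output" into a per-control report, counts changes per CIS paragraph as in the "Enable all controls" run, and checks that a second run reports no control changes, which is the idempotency property shown above. The sample input lines are copied from the output on this page.

```python
"""Turn `puppet apply` output of the ora_secured role into a CIS change report.
Added example for this playground, not code from the ora_secured or ora_profile
modules; it only understands the Notice/Alert/Warning line formats shown above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Every ora_secured control change is reported under this resource path:
#   /Stage[main]/Ora_secured::<product>::V<doc>::P<paragraph>::<db class>/
#   Ora_secured::Controls::<control>[<db>]/<resources...>/<property>: <message>
CONTROL_RE = re.compile(
    r"^Notice: /Stage\[main\]/Ora_secured::(?P<product>\w+)::V(?P<doc>\d+_\d+_\d+)"
    r"::P(?P<para>\d+(?:_\d+)*)::\w+/Ora_secured::Controls::(?P<control>\w+)"
    r"\[(?P<db>\w+)\]/(?P<rest>.*)$"
)
# First "/<property>: <message>" after the control. Resource titles may contain
# '/' (Ora_init_param[SPFILE/AUDIT_TRAIL@DB01]) but never ": ", so this is safe.
PROP_RE = re.compile(r"^(?P<resources>.*?)/(?P<prop>\w+): (?P<message>.*)$")
INNERMOST_RE = re.compile(r"(\w+\[[^\]]*\])$")  # last Type[title] of the path
ALERT_RE = re.compile(
    r"^Alert: Scope\(Ora_secured::Controls::(?P<control>\w+)\[(?P<db>\w+)\]\): (?P<message>.*)$"
)

@dataclass(frozen=True)
class ControlChange:
    benchmark: str  # e.g. "db19c V1.0.0"
    paragraph: str  # CIS paragraph number, e.g. "2.2.2"
    control: str    # human-readable control description
    database: str
    resource: str   # innermost Puppet resource that was changed
    prop: str
    message: str

def parse_run(output):
    """Return (control changes, controls not yet enforced, warnings) for one run."""
    changes, not_enforced, warnings = [], [], []
    for line in output.splitlines():
        if line.startswith("Warning: "):
            warnings.append(line[len("Warning: "):])
            continue
        a = ALERT_RE.match(line)
        if a:
            not_enforced.append((a["control"], a["db"], a["message"]))
            continue
        m = CONTROL_RE.match(line)
        p = PROP_RE.match(m["rest"]) if m else None
        if not p:
            continue  # catalog timing, ora_profile resources, unparseable lines
        inner = INNERMOST_RE.search(p["resources"])
        changes.append(ControlChange(
            benchmark=f"{m['product'].lower()} V{m['doc'].replace('_', '.')}",
            paragraph=m["para"].replace("_", "."),
            control=m["control"].replace("_", " ").capitalize(),
            database=m["db"],
            resource=inner.group(1) if inner else p["resources"],
            prop=p["prop"],
            message=p["message"],
        ))
    return changes, not_enforced, warnings

def summarize(changes):
    """Changes per CIS paragraph, in benchmark order (2.1.2, 2.2.2, 3.1, ... 5.1.1.1)."""
    per_para = Counter(c.paragraph for c in changes)
    return sorted(per_para.items(), key=lambda kv: tuple(int(x) for x in kv[0].split(".")))

def is_idempotent(changes):
    # A converged database reports no control changes on the next run.
    return not changes

# Constructed sample input: lines copied from the runs shown on this page.
SAMPLE_FIRST_RUN = """\
Alert: Scope(Ora_secured::Controls::Extproc_is_not_present_in_listener_ora[DB01]): Specified CIS rule is not yet automatically enforced.
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_1_2::Db01/Ora_secured::Controls::Admin_restrictions_is_set_to_on[DB01]/File_line[admin_restrictions_is_set_to_on@DB01]/ensure: created
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P2_2_2::Db01/Ora_secured::Controls::Audit_trail_is_set_to_db_xml_os_dbextended_or_xmlextended[DB01]/Ora_secured::Internal::Parameter[AUDIT_TRAIL@DB01@WlGDvs]/Ora_init_param[SPFILE/AUDIT_TRAIL@DB01]/value: value changed db to ["EXTENDED", "XML"]
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_1::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_network_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[UTL_TCP@DB01]/Ora_object_grant[PUBLIC->SYS.UTL_TCP@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P5_1_1_1::Db01/Ora_secured::Controls::Execute_is_revoked_from_public_on_network_packages[DB01]/Ora_secured::Internal::Revoke_public_grants[UTL_HTTP@DB01]/Ora_object_grant[PUBLIC->SYS.UTL_HTTP@DB01]/permissions: revoked the EXECUTE right(s)
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P3_1::Db01/Ora_secured::Controls::Failed_login_attempts_is_less_than_or_equal_to_5[DB01]/Ora_secured::Internal::Profile_setting[failed_login_attempts@DB01]/Ora_profile[DEFAULT@DB01]/failed_login_attempts: failed_login_attempts changed 10 to 5
Notice: /Stage[main]/Ora_secured::Db19c::V1_0_0::P4_1::Db01/Ora_secured::Controls::All_default_passwords_are_changed[DB01]/Ora_user[SYSTEM@DB01]/password: changed to new value
Warning: Changing Oracle maintained user SYSTEM@DB01
"""
SAMPLE_SECOND_RUN = """\
Notice: Compiled catalog for ora19.playground.enterprisemodules.com in environment production in 3.58 seconds
Notice: Apply ora_secured CIS controls from db19c V1.0.0 on DB01.
Notice: Applied catalog in 40.78 seconds
"""

if __name__ == "__main__":
    changes, not_enforced, warnings = parse_run(SAMPLE_FIRST_RUN)
    for c in changes:
        print(f"CIS {c.benchmark} {c.paragraph} ({c.control}) on {c.database}: "
              f"{c.resource}/{c.prop}: {c.message}")
    print("changes per paragraph:", summarize(changes))
    print("not yet enforced:", [f"{ctl}[{db}]" for ctl, db, _ in not_enforced], "warnings:", warnings)
    print("second run idempotent:", is_idempotent(parse_run(SAMPLE_SECOND_RUN)[0]))
```

Feed it the full output of a real run (for example `puppet apply site.pp | tee run.log` and then `parse_run(open("run.log").read())`) to get the same kind of report for all 67 changes.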
You like it?
Do you like what you see here and want to test this on your own infrastructure? No problem. You can sign up for a free trial.
If you have any questions, don’t hesitate to contact us.