The db2_secured module is the Puppet implementation of the Center for Internet Security (CIS) benchmark for IBM DB2 databases. This module will help you:
- Sleep better at night knowing your databases are more secure.
- Feel confident that you’re doing everything possible to protect your databases.
- Save time on IBM DB2 database security management.
- Automate the application of security best practices.
- Easily upgrade to new versions and stay up to date with the latest security recommendations.
The db2_secured module allows you to implement the CIS security baseline by adding just one line of puppet code.
What is a CIS Securty Benchmark
The CIS Security Benchmarks program provides well-defined, unbiased, and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of the reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements.
These benchmarks contain a precise, actionable set of measures for your DB2 database.
As I said before, the CIS also has a security baseline for DB2: CIS DB2 Database Server Benchmark. We have taken this baseline and Puppetized it for you to use. It is called the db2_secured and contains an implementation of all rules in the benchmark that describe a configuration setting inside of the database.
How does it work?
Very simple. To enforce all of the rules in the CIS DB2 benchmark, you just have to add the next puppet code to your Puppet manifest:
db2_secured::ensure_cis{ 'db2inst1/MYDB':}
On a Puppet run, the module will inspect all settings described in the CIS controls and apply changes to them if they deviate from the standard. (If you have started the Puppet run with a noop, it will do nothing but report all changes that would have been made. ). All changes will be reported to the Puppet master and on the console, you get an overview of the changes. Because the Puppet agent runs every 20 minutes (or different if you set it to a different interval), every 20 minutes, your database configuration is checked against the CIS benchmark and you can sleep well and be assured your data is safe.
Our modules are based on an annual subscription(an entitlement). When you purchase an entitlement:
- you are allowed to use the module on the named nodes you purchased the subscription for;
- you get full support on usage and any issues you have;
- we will guide you towards a working setup;
- Are allowed to use the latest and greatest version without any extra charge.
We will make sure the modules keep working with the latest versions of Puppet en the supporting products like Oracle IBM MQ or WebLogic.
We currently have the following licensing methods for you:
1) Free when used on VirtualBox
2) Per node per year subscription
3) Custom licensing
1. Free when used on VirtualBox
This module is Free when used on a VirtualBox testing machine. The software checks if you are using VirtualBox and allows usage. No need to get any licenses from us to get going. Just download the module from our own forge and get going. To download the module use:
puppet module install
--module_repository=http://forge.enterprisemodules.com
enterprisemodules-modulename
2. Per node per year subscription
Our basic licensing model requires a subscription per node. The subscription is valid for a year. To make this work, we need you to send us the node name of the system you want to use the module on. (Not the puppetmaster, but the system where the agent is running.). Based on this information we will send you a file containing the entitlement for your node(s). You can purchase the entitlement in the shop or you can contact us. After you have ordered this module, you will receive an entitlement file. This file contains the information needed to run the software on your Puppet machine (agents).
3. Custom licensing
Our license manager is very flexible. If you have special requirements, please contact us so we can discuss other options.
When you have questions about licensing, please contact us or check our licensing FAQ
The db2_secured module requires:
- Puppet version 5.0 or higher. Can be Puppet Enterprise or Puppet Open Source
- A license for the
db2_config module.
- DB2 10 or higher
- A valid DB2 license
- A valid entitlement for usage.
- Runs on most Linux systems.
- Windows systems are NOT supported
