The ora_cis module is a security settings product. It allows you to apply the Center for Internet Security Oracle 12 baseline to your Oracle database with just one line of description in your Puppet manifest. Because every organisation has different security requirements, ora_cis allows you to easily adjust its settings. Just a few lines of Hiera code allow you to change the way the security rules are applied. This Puppet module is an add-on to ora_config, so to run this module, you'll need an entitlement for ora_config too. For more information, check out the sections below or take a look at the documentation site for this module here.
The ora_cis module allows you to implement the CIS security baseline by adding just one line of Puppet code.
The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of the reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements.
These benchmarks contain a precise, actionable set of measures for your Oracle database.
Like I said before, the CIS also has a security baseline for Oracle 12: CIS Oracle Database Server 12c Benchmark v2.0.0. We have taken this baseline and Puppetized it for you to use. It is called ora_cis and contains an implementation of all rules in the benchmark that describe a configuration setting inside of the database. At this point in time 124 of the 129 rules are implemented and 5 are not because they rely on settings outside of the database.
Very simple. To enforce all of the rules in the CIS Oracle benchmark, you just have to add the following Puppet code to your Puppet manifest:
On a Puppet run, the module will inspect all settings described in the CIS rules and apply changes to them if they deviate from the standard. (If you have started the Puppet run with noop, it will make no changes, but it will report all changes that would have been made.) All changes will be reported to the Puppet master, and on the console you get an overview of the changes. Because the Puppet agent runs every 20 minutes (or at a different interval if you have configured one), your database configuration is checked against the CIS benchmark every 20 minutes, and you can sleep well and be assured your data is safe.
Our modules are based on an annual subscription (an entitlement). When you purchase an entitlement:
We will make sure the modules keep working with the latest versions of Puppet and the supporting products like Oracle, IBM MQ or WebLogic.
We currently have the following licensing methods for you:
1) Free when used on VirtualBox
2) Per node per year subscription
3) Pay per Use
4) Custom licensing
This module is free when used on a VirtualBox testing machine. The software checks whether you are using VirtualBox and, if so, allows usage. There is no need to get any licenses from us to get going. Just download the module from our own forge. To download the module, use:
puppet module install --module_repository=http://forge.enterprisemodules.com enterprisemodules-modulename
Our basic licensing model requires a subscription per node. The subscription is valid for a year. To make this work, we need you to send us the node name of the system you want to use the module on (not the Puppet master, but the system where the agent is running). Based on this information we will send you a file containing the entitlement for your node(s). You can purchase the entitlement in the shop or you can contact us. After you have ordered this module, you will receive an entitlement file. This file contains the information needed to run the software on your Puppet machines (agents).
When you want to use this module in Docker containers, or on cloud infrastructure where you have no control over the node name, the Pay per use licensing method can be used. This means you'll purchase a base subscription per month and, in addition to that, get charged for every time you activate the module. At the end of the month, or when you stop the subscription, the amount due is charged to your credit card. For the activations, it doesn't matter whether Puppet makes any changes to your system or not. Whenever the module is called, an activation is added to your list. You can purchase a Pay per use subscription here.
When you want to use Pay per use, purchase a single Pay per use license in the store. You can then download the entitlement file on your systems and use ALL of our Puppet modules like this.
Our license manager is very flexible. If you have special requirements, please contact us so we can discuss other options.
ora_cis module requires: