Table of Contents

1. Overview
2. License
3. Description - What the module does and why it is useful
4. Setup

• Requirements
• Installing the ora_cis module

5. Usage - Configuration options and additional functionality
6. Reference - An under-the-hood peek at what the module is doing and how
7. Limitations - OS compatibility, etc.

Overview

This module allows you to secure your databases according to the CIS benchmarks. It is part of our family of Puppet modules to install, manage and secure Oracle databases with Puppet. Besides the ora_install module, this family also contains:

• ora_install For installing an Oracle database and other database related Oracle products
• ora_config For configuring every aspect of your Oracle database
• ora_rac To use Puppet to create and manage Oracle RAC installations.

License

This is a commercially licensed module. But you can use the module on VirtualBox based development systems for FREE. When used on real systems a license is required.

You can license our modules in multiple ways. Our basic licensing model requires a subscription per node. But contact us for details.

Check the License for details.

Description

Let’s first dive into the question: “What configuration settings are needed to get my system secure?”. Many people have asked themselves this question. The Center for Internet Security (CIS) is one of the means to get an answer. CIS also has a security baseline for Oracle 12: CIS Oracle Database Server 12c Benchmark v2.0.0. We have taken this baseline and Puppetized it for you to use.

It is called the ora_cis and contains an implementation of all rules in the benchmark that describe a configuration setting inside of the database. At this point 124 of the 129 rules are implemented and 5 are not because they rely on settings outside of the database.

On a Puppet run, the module will inspect all settings described in the CIS rules and apply changes to them if they deviate from the standard. (If you have started the Puppet run with a noop, it will do nothing, but report all changes that would have been made. ). All changes will be reported to the Puppet master and on the console, you get an overview of the changes. Because the Puppet agent runs every 20 minutes (or different if you set it to a different interval) every 20 minutes your database configuration is checked against the CIS benchmark and you can sleep well and be assured your data is safe.

Check the documentation here

Setup

Requirements

The ora_cis module requires:

• Puppet module enterprisemodules-easy_type installed.
• Puppet version 4.0 or higher. Can be Puppet Enterprise or Puppet Open Source
• Oracle 12 higher
• A valid Oracle license
• A valid Enterprise Modules license for usage.
• Runs on most Linux systems.
• Runs on Solaris

Installing the ora_cis module

To install these modules, you can use a Puppetfile

mod 'enterprisemodules/ora_cis'               ,'3.x.x'

Then use the librarian-puppet or r10K to install the software.

You can also install the software using the puppet module command:

puppet module install enterprisemodules-ora_cis

Usage

The scope of securing your Oracle database is enormous. The number of security controls in the CIS benchmark is huge. This might make you think that it is difficult to get started, but actually, it is very simple.

Enabling CIS for your database

To enable the CIS benchmark on your database, you just have to add this line to your puppet code:

ora_cis {'DB1':
  db_version  => 'db19c',
  doc_version => 'V1.0.0'
}

This will activate the CIS benchmark V1.0.0 for Oracle 19c on your databases DB1. The ora_cis puppet module takes care of checking all of the security settings in the benchmark and ensuring they are set in a secure way.

Skipping some controls

The scope of the CIS benchmark for Oracle is pretty extensive. So extensive that enabling all controls, probably ensures that your application doesn't work anymore. So you need to customize the controls you want to enable.

There are four ways the ora_cis module allows you to skip controls.

1. Add a list of controls to skip when calling the ora_cis defined type.
2. Add ora_cis::controls::name_of_the_control: skip to your hiera data. This will skip the control on ALL databases.
3. Add ora_cis::controls::name_of_the_control::dbname: skip to your hiera data. This will skip the control on the database with sid dbname.
4. Add an entry with the content name_of_the_control to the array value ora_cis::skip_list in your hiera data.

Method 1 is a good way to create your own baseline based on the standard ora_cis code.

Method 2 and 3 are a perfect way to use when you need to override the applicability of control on an individual database or set of database. Just put this data in the hiera for this node or group of databases.

Method 4 is the perfect way to setup a base level. A level you want to be skipped on all of your databases.

You can combine all of these methods to fit your use case.

Reference

Here you can find some more information regarding this puppet module:

• The ora_cis documentation

Here are a related blog posts:

• How to ensure you only use Oracle features you paid for
• Oracle 12.2 support added to our Oracle modules
• Secure your Oracle Database
• Manage Oracle containers with Puppet
• Manage your oracle users with Puppet
• Reaching into your Oracle Database with Puppet
• Manage your Oracle database schemas with Puppet
• Managing your Oracle database size with Puppet
• Using Puppet to manage Oracle

Limitations

This module runs on Solaris and most Linux versions. It requires a puppet version 5 or higher. The module does NOT run on windows systems.

History

21-04-2021 Version 3.2.0

• [secure_register_is_set_to_tcps_or_ipc] Initial implementation
• [secure_control_is_set_in_listener_ora] Initial implementation
• [admin_restrictions_is_set_to_on] Initial implementation
• [all_audit_option_on_sys_aud_is_enabled] Add delete auditing
• [audsys_aud_unified_access_audit_is_enabled] Fix implementation

16-04-2021 Version 3.1.0

• [apply] Initial implementation
• [audsys_aud_unified_access_audit_is_enabled] Improved operation on initial run
• [no_users_are_assigned_the_default_profile] Use ORA12C_STRONG_VERIFY_FUNCTION for CIS_PROFILE
• [ora_cis] Nor warning on pdb when control in skip list

13-04-2021 Version 3.0.0

• [release] Totaly new release with support for multiple versions of CIS benchmark for multiple db versions

21-12-2020 Version 2.20

• [release] Add puppet 7 support to metadata

19-09-2019 Version 2.1.2

• [release] Add AIX support to metadata
• [rule_2_2_5] Fix error when Oracle not yet installed

08-05-2019 Version 2.1.1

• [rule_2_2_5] Add check for Oracle 19. On Oracle 19 this is obsolete
• [core] Allow override of unsafe values in other manifest parts
• [develop] Update Gemfile with pdk

26-03-2019 Version 2.1.0

• [core] Add support for running in container and pluggable databases
• [r_3_9] Add support for names profiles only (only parameter)
• [r_3_8] Add support for names profiles only (only parameter)
• [r_3_6] Add support for names profiles only (only parameter)
• [r_3_5] Add support for names profiles only (only parameter)
• [r_3_4] Add support for names profiles only (only parameter)
• [r_3_3] Add support for names profiles only (only parameter)
• [r_3_2] Add support for names profiles only (only parameter)
• [r_3_1] Add support for names profiles only (only parameter)
• [core] Add support for managing only named profiles (only parameter)

20-09-2018 Version 2.0.0

• [core] Add support for Puppet 6
• [core] Add Puppet 6 unit tests

12-09-2018 Version 1.1.2

• [core] Add GSM_PROF to exclude list for profile operations
• [r_3_10] Remove GSM_PROF from the skip list

12-09-2018 Version 1.1.1

• [r_3_10] Add GSM_PROF to skip list

28-08-2018 Version 1.1.0

• [r_3_10] Add Oracle 18 support
• [facts] Fix duplicate resource error in Oracle18

10-08-2018 Version 1.0.11

• [facts] Generate empty facts when Oracle not running

10-08-2018 Version 1.0.10

• [core] Use scoped functions
• [facts] Only run facts when oracle is running.

15-06-2018 Version 1.0.9

• [release] Add explicit support for Suse Linux
• [r_1_2] Exclude XS$NULL from test

27-05-2018 Version 1.0.8

• [r_3_8] Fix when used on initial run.

26-05-2018 Version 1.0.7

• [r_2_2_14] Use internal value oracle uses in stead of CIS documented value
• [acceptance] Fix tests for r_4_5_3
• [rule 4.5.5] Use the new ora_config feature with wildcard tables
• [core] Fix metadata
• [core] Add support for running on Oracle 11

04-04-2018 Version 1.0.6

• [rules::r_4_5_7] Fix duplicate declaration
• [test] Update tested Puppet versions
• [core] Change Rakefile
• [sync] Apply module_sync changes
• [sync] Add .sync.yml file

27-02-2018 Version 1.0.5

• [tasks] Add apply_rule task
• [type] Add rule alias to check available rules
• [release] Fix link to license in readme

25-01-2018 Version 1.0.4

• [release] Change text of license
• [quality] Only check once every week

24-01-2018 Version 1.0.3

• [rule_4_5_7] Fixed implementation
• [rule_4_5_7] Fix implementation
• [rule_4_5_6] Fix implementation
• [rule_4_5_5] Fix implementation
• [facts] Fix facts return multiple values for same user
• [revoke_role_righs] Don’t use an array value
• [revoke_user_rights] Don’t use an array value
• [rule_4_4_3] revoke rights from both users and roles
• [rule_4_4_1] revoke rights from both users and roles
• [rule_4_4_4] revoke rights from both users and roles
• [rule_4_4_2] revoke rights from both users and roles
• [rule_4_3_6] revoke rights from both users and roles
• [core] Fixed type in parameter description
• [rule_4_7] Fixed implementation
• [quality] Add acceptance tests
• [quality] Add checks on metadata

19-01-2018 Version 1.0.2

• [core] Add license notice to files
• [README] Updated for publishing on the forge

09-02-2017 Version 1.0.1

• [functions] Fix calling of on_sid function