Forge Home


Manage DB2 V10 and V11 Security Baseline according to CIS benchmark


246 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.0 (latest)
  • 0.4.0
  • 0.3.0
  • 0.2.0
  • 0.0.0
released Jun 8th 2023
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
  • Puppet >= 5.0.0 < 9.0.0
  • , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'enterprisemodules-db2_secured', '1.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add enterprisemodules-db2_secured
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install enterprisemodules-db2_secured --version 1.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



enterprisemodules/db2_secured — version 1.0.0 Jun 8th 2023

Enterprise Modules

Table of Contents


The db2_secured Puppet module is a powerful security solution that helps you ensure your IBM DB2 databases are compliant with the CIS benchmarks. db2_secured implements all the necessary security controls outlined in the CIS benchmark for IBM DB2 Databases. This means that you can rest assured that your databases are adhering to the highest security standards. This module will help you:

  • Sleep better at night knowing your data in your databases is more secure.
  • Feel confident that you're doing everything possible to protect your data in your databases.
  • Save time on IBM DB2 database security management.
  • Face the auditor with much confidence
  • Automate the application of security best practices for your databases.
  • Easily upgrade to new versions and stay up to date with the latest security recommendations.

Whether you are an individual, a small business owner, or a large enterprise, db2_secured is the perfect solution to keep your IBM DB2 databases safe and secure. db2_secured can be used as a standalone solution with Puppet, or it can integrate seamlessly with the InControl console. This gives you the flexibility to use the product in the way that best suits your needs.

We understand that every organization has unique security requirements, and that's why we've made it easy for you to customize db2_secured to your specific needs. The module is highly configurable, allowing you to tailor it to your organization's security policies and procedures.

In addition to enforcing security configuration (what Puppet normaly does), db2_secured includes a set of classes that are designed for validating the configuration of your systems, without changing them. This powerful tool provides you with detailed information on where your systems are not adhering to the CIS benchmark. This information is critical in helping you identify and remediate any compliance issues.

We understand the importance of having a security solution that supports all recent IBM DB2 database versions. That is why db2_secured is designed to be compatible with recent IBM DB2 versions, including version 10 and 11.

At this point in time it supports the following CIS benchmarks:

With db2_secured, you can rest easy knowing that your IBM DB2 databases are compliant with the highest security standards.


This is a commercially licensed module. But you can use the module on VirtualBox based development systems for FREE. When used on real systems a license is required.

You can license our modules in multiple ways. Our basic licensing model requires a subscription per node. But contact us for details.

Check the License for details.


This Puppet module contains all the Puppet code to enforce CIS compliance on your IBM DB2 databases. We have further built upon The CIS compliance baseline for IBM DB2 version 10 or provide you with a means of verifying if your IBM DB2 database comply with these controls. Our team has implemented mechanisms that allow you to conduct checks on your databases using our module, called [db2_secured](/shop/products/incontrol-IBM DB2)version 10 orThese checks include a comprehensive set of security measures to ensure that your databases are compliant with the IBM DB2 version 10 orS benchmark.

If the check detects non-compliance on any or all of your databases, our module includes Puppet code to address this and ensure that all of your databases comply with the IBM DB2 Database CIS benchmark. This feature enables you to maintain a high level of security and meet regulatory requirements with minimal effort.

Moreover, the reports generated from these checks can be obtained through the InControl Console Application. These reports provide detailed information on the checks performed and the status of compliance for each system.

We believe that our module and the InControl Console Application will enable you to maintain a secure and compliant environment for your systems.

Check the documentation here

Benefits of InControl integration

What are the benefits of integrating with InControl? By providing a centralized location, the InControl console helps users manage and track compliance and vulnerability issues with ease. InControl receives reports from linux_secured and other security modules, offering an integrated view and management system for compliance and vulnerabilities not only for Linux, but also for Windows, Oracle databases, Microsoft SQLServer, Postgres, IBM DB2 databases, and cloud environments.


Overall, InControl is an essential tool for organizations seeking to maintain regulatory compliance and ensure the security and reliability of their systems and infrastructure. Its advanced algorithms, user-friendly design, and customizable alerts and notifications make it a perfect solution for organizations of all sizes and industries.



The db2_secured module requires:

  • Puppet module enterprisemodules-easy_type installed.
  • Puppet version 7.0 or higher. Can be Puppet Enterprise or Puppet Open Source
  • IBM DB2 version 10 or higher
  • A valid IBM DB2 license
  • A valid Enterprise Modules license for usage.
  • Runs on most Linux systems.

Installing the db2_secured module

To install these modules, you can use a Puppetfile

mod 'enterprisemodules/db2_secured'               ,'x.x.x'

Then use the librarian-puppet or r10K to install the software.

You can also install the software using the puppet module command:

puppet module install enterprisemodules-db2_secured


The scope of securing your IBM DB2 database is enormous. The number of security controls in the CIS benchmark is huge. This might make you think that it is not easy to get started, but actually, it is very simple.

Enabling CIS for your database

To enable the CIS benchmark on your database, you just have to add this line to your puppet code:

  product_version  => 'db11',
  doc_version => 'V1.0.0'

This will activate the CIS benchmark V1.0.0 for DB2 Version 11 on your databases DB1. The db2_secured puppet module takes care of checking all of the security settings in the benchmark and ensuring they are set in a secure way.

Skipping some controls

The scope of the CIS benchmark for IBM DB2 is pretty extensive. So extensive that enabling all controls, probably ensures that your application doesn't work anymore. So you need to customize the controls you want to enable.

There are four ways the db2_secured module allows you to skip controls.

  1. Add a list of controls to skip when calling the db2_secured defined type.
  2. Add db2_secured::controls::name_of_the_control: skip to your hiera data. This will skip the control on ALL databases.
  3. Add db2_secured::controls::name_of_the_control::dbname: skip to your hiera data. This will skip the control on the database with sid dbname.
  4. Add an entry with the content name_of_the_control to the array value db2_secured::skip_list in your hiera data.

Method 1 is a good way to create your own baseline based on the standard db2_secured code.

Method 2 and 3 are a perfect way to use when you need to override the applicability of control on an individual database or set of database. Just put this data in the hiera for this node or group of databases.

Method 4 is the perfect way to setup a base level. A level you want to be skipped on all of your databases.

You can combine all of these methods to fit your use case.


Here you can find some more information regarding this puppet module:


This module runs on Linux versions. It requires a puppet version 7 or higher. The module does NOT run on windows systems.