Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
- Puppet >= 5.0.0 < 8.0.0
- , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'enterprisemodules-db2_secured', '0.0.0'
Learn more about managing modules with a PuppetfileDocumentation
Table of Contents
- Overview
- License
- Description
- Setup
- Usage
- Enabling CIS for your database
- Skipping some controls
- Reference
- Limitations
Overview
This module allows you to secure your databases according to the CIS benchmark. We are also adding other security frameworks.
It is part of our family of Puppet modules to install, manage and secure DB2 databases with Puppet. Besides this module, this family also contains:
- db2_install For installing an DB2 database and other database related DB2 products
- db2_config For configuring every aspect of your DB2 database
- db2_profile The db2_profile module allows an easy path from first simple installation to a fully customized Enterprise setup.
All of these modules support DB2 versions 10 and 11.
License
This is a commercially licensed module. But you can use the module on VirtualBox based development systems for FREE. When used on real systems a license is required.
You can license our modules in multiple ways. Our basic licensing model requires a subscription per node. But contact us for details.
Check the License for details.
Description
Let’s first dive into the question: “What configuration settings are needed to get my system secure?”. Many people have asked themselves this question. The Center for Internet Security (CIS) is one of the means to get an answer. CIS also has a security baseline for DB2. We have taken this baseline and Puppetized it for you to use.
It is called db2_secured
and contains an implementation of all rules in the CIS benchmark that describe a configuration setting inside of the database.
On a Puppet run, the module will inspect all settings described in the CIS rules and apply changes to them if they deviate from the standard. (If you have started the Puppet run with a noop
, it will do nothing but report all changes that would have been made. ). All changes will be reported to the Puppet master and on the console, you get an overview of the changes. Because the Puppet agent runs every 20 minutes (or different if you set it to a different interval), every 20 minutes, your database configuration is checked against the CIS benchmark, and you can sleep well and be assured your data is safe.
Check the documentation here
Setup
Requirements
The db2_secured
module requires:
- Puppet module
enterprisemodules-easy_type
installed. - Puppet version 4.0 or higher. Can be Puppet Enterprise or Puppet Open Source
- DB2 10 higher
- A valid DB2 license
- A valid Enterprise Modules license for usage.
- Runs on most Linux systems.
Installing the db2_secured module
To install these modules, you can use a Puppetfile
mod 'enterprisemodules/db2_secured' ,'x.x.x'
Then use the librarian-puppet
or r10K
to install the software.
You can also install the software using the puppet module
command:
puppet module install enterprisemodules-db2_secured
Usage
The scope of securing your DB2 database is enormous. The number of security controls in the CIS benchmark is huge. This might make you think that it is not easy to get started, but actually, it is very simple.
Enabling CIS for your database
To enable the CIS benchmark on your database, you just have to add this line to your puppet code:
db2_secured::apply_cis { 'db2inst1/DB1':
product_version => 'db11',
doc_version => 'V1.0.0.draft'
}
This will activate the CIS benchmark V1.1.0 draft for DB2 version 11 on your databases DB1
on database instance db2inst1
. The db2_secured
puppet module takes care of checking all of the security settings in the benchmark and ensuring they are set in a secure way.
Skipping some controls
The scope of the CIS benchmark for DB2 is pretty extensive. So extensive that enabling all controls, probably ensures that your application doesn't work anymore. So you need to customize the controls you want to enable.
There are four ways the db2_secured
module allows you to skip controls.
- Add a list of controls to skip when calling the
db2_secured
defined type. - Add
db2_secured::controls::name_of_the_control: skip
to your hiera data. This will skip the control on ALL databases. - Add
db2_secured::controls::name_of_the_control::dbname: skip
to your hiera data. This will skip the control on the database with siddbname
. - Add an entry with the content
name_of_the_control
to the array valuedb2_secured::skip_list
in your hiera data.
Method 1 is a good way to create your own baseline based on the standard db2_secured
code.
Method 2 and 3 are a perfect way to use when you need to override the applicability of control on an individual database or set of database. Just put this data in the hiera for this node or group of databases.
Method 4 is the perfect way to setup a base level. A level you want to be skipped on all of your databases.
You can combine all of these methods to fit your use case.
Reference
Here you can find some more information regarding this puppet module:
Limitations
This module runs on most Linux versions. It requires a puppet version 5 or higher. The module does NOT run on windows systems.
Dependencies
- enterprisemodules/easy_type (>= 2.28.0 < 3.0.0)
- enterprisemodules/db2_config (>= 0.1.0 < 1.0.0)
Enterprise Modules License d.d. January 2018 This license (“License”) governs the terms and conditions under which db2_secured module (“the Software”) is licensed by Enterprise Modules B.V, a limited liability company in the Netherlands, registered in the Dutch Chamber of Commerce: 63689537 (“Licensor”), to the user of the Software (“Licensee”). Article 1. Grant of license 1.1 Licensor hereby grants to Licensee the right to use the Software for its internal business purposes. 1.2 The license granted in the previous paragraph is limited to the use on VirtualBox Virtual machines. For further use a commercial license must be directly obtained from Licensor. Article 2. License limitations 2.1 All right, title and interest to the Software, the accompanying documentation and all modifications and extensions thereto rest and remain with Licensor. Licensee only has the rights and permissions explicitly granted by this License or granted in writing otherwise. Licensee shall not use, copy, modify, distribute or publish the Software in any other manner. Nothing in this License is intended to, and shall not be construed to, transfer to Licensee any rights in intellectual property developed by Licensor. 2.2 In particular, Licensee shall not: a) provide copies of the Software to third parties, including to entities controlling, controlled by or under common control with Licensee; b) sublicense the Software or otherwise make available the Software to such third parties, including by rental, Software-as-a-Service models or otherwise; c) remove indications of Licensor as copyright holder of the Software or to remove or render illegible any part thereof. 2.3 The Software comprises third-party open source software. The respective third-party rights holders grant Licensee the rights indicated in the applicable open source licenses. These licenses can be found in the documentation. The License does not apply to this open source software, and nothing in this License shall be construed as a limitation of any right granted under an open source license. Article 3. Trademark 3.1 This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Software. Article 4. Limitation of Liability 4.1 Licensor provides the Software on an "AS IS" basis, and expressly disclaims all conditions, representations or warranties, express or implied, including without limitation any implied warranties of merchantability, fitness for a particular purpose, and non-infringement of third party rights regarding the Software. Licensor is solely responsible for determining the appropriateness of using the Software and assume any risks associated arising out of or in connection with the Software and this License. 4.2 Licensor shall not be liable for any damages, including consequential, special, punitive and/or incidental damages or fines imposed by regulatory bodies, arising out of or in connection with the Software and this License. 4.3 Licensee shall release, defend, indemnify and hold harmless Licensor from and against any and all claims, damages and liability arising in connection with the Software, including from claims, damages or liability from customers of Licensee. Article 5. Miscellaneous 5.1 Licensor reserves the right to change any or all parts of this License without prior notice. 5.2 The law of the Netherlands governs this License and the terms and conditions therein. 5.3 Any disputes arising between Licensor and Licensee in connection with the License will be settled by the competent courts in the Netherlands for the principal place of business of the Licensor.