Manage Oracle 11, 12, 18 and 19 Security Baseline according to CIS benchmark

Enterprise Modules



740 latest version

4.4 quality score

Version information

  • 2.2.0 (latest)
  • 2.1.2
  • 2.1.1
  • 2.1.0
  • 2.0.0
  • 1.1.2
  • 1.1.1
  • 1.1.0
  • 1.0.11
  • 1.0.10
  • 1.0.9
  • 1.0.8
  • 1.0.7
  • 1.0.6
  • 1.0.5
  • 1.0.4
released Dec 21st 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 8.0.0
  • AIX
  • apply_rule

Start using this module


enterprisemodules/ora_cis — version 2.2.0 Dec 21st 2020

Enterprise Modules

Table of Contents

  1. Overview
  2. License
  3. Description - What the module does and why it is useful
  4. Setup
  1. Usage - Configuration options and additional functionality
  2. Reference - An under-the-hood peek at what the module is doing and how
  3. Limitations - OS compatibility, etc.


This module allows you to secure your databases according to the CIS benchmarks. It is part of our family of Puppet modules to install, manage and secure Oracle databases with Puppet. Besides the ora_install module, this family also contains:

  • ora_install For installing an Oracle database and other database related Oracle products
  • ora_config For configuring every aspect of your Oracle database
  • ora_rac To use Puppet to create and manage Oracle RAC installations.


This is a commercially licensed module. But you can use the module on VirtualBox based development systems for FREE. When used on real systems a license is required.

You can license our modules in multiple ways. Our basic licensing model requires a subscription per node. But contact us for details.

Check the License for details.


Let’s first dive into the question: “What configuration settings are needed to get my system secure?”. Many people have asked themselves this question. The Center for Internet Security (CIS) is one of the means to get an answer. CIS also has a security baseline for Oracle 12: CIS Oracle Database Server 12c Benchmark v2.0.0. We have taken this baseline and Puppetized it for you to use.

It is called the ora_cis and contains an implementation of all rules in the benchmark that describe a configuration setting inside of the database. At this point 124 of the 129 rules are implemented and 5 are not because they rely on settings outside of the database.

On a Puppet run, the module will inspect all settings described in the CIS rules and apply changes to them if they deviate from the standard. (If you have started the Puppet run with a noop, it will do nothing, but report all changes that would have been made. ). All changes will be reported to the Puppet master and on the console, you get an overview of the changes. Because the Puppet agent runs every 20 minutes (or different if you set it to a different interval) every 20 minutes your database configuration is checked against the CIS benchmark and you can sleep well and be assured your data is safe.

Check the documentation here



The ora_cis module requires:

  • Puppet module enterprisemodules-easy_type installed.
  • Puppet version 4.0 or higher. Can be Puppet Enterprise or Puppet Open Source
  • Oracle 11 higher
  • A valid Oracle license
  • A valid Enterprise Modules license for usage.
  • Runs on most Linux systems.
  • Runs on Solaris
  • Windows systems are NOT supported

Installing the ora_cis module

To install these modules, you can use a Puppetfile

mod 'enterprisemodules/ora_cis'               ,'1.0.x'

Then use the librarian-puppet or r10K to install the software.

You can also install the software using the puppet module command:

puppet module install enterprisemodules-ora_cis


To apply the security rules to your database, you can just add this line to your database:

ora_cis { 'DBNAME:'}

This is enough to apply ALL CIS rules to the specified database. If you want to, you can also customize the number of rules to apply to the system. Every CIS rule can be applied individually to the database.

ora_cis::rules::r_1_3 { 'DBSID':}

The module allows you to customize the rules


Here you can find some more information regarding this puppet module:

Here are a related blog posts:


This module runs on Solaris and most Linux versions. It requires a puppet version higher than 4. The module does NOT run on windows systems.