Forge Home


Manage Oracle 11, 12, 18 and 19 Security Baseline according to CIS benchmark


792 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 4.4.0 (latest)
  • 4.3.0
  • 4.2.0
  • 4.1.0
  • 4.0.7
  • 4.0.6
  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.0
released Feb 22nd 2023
This version is compatible with:
  • Puppet Enterprise 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
  • Puppet >= 5.0.0 < 8.0.0
  • , , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'enterprisemodules-ora_secured', '4.4.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add enterprisemodules-ora_secured
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install enterprisemodules-ora_secured --version 4.4.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



enterprisemodules/ora_secured — version 4.4.0 Feb 22nd 2023

Enterprise Modules

Table of Contents

  1. Overview
  2. License
  3. Description - What the module does and why it is useful
  4. Setup
  1. Usage - Configuration options and additional functionality
  2. Reference - An under-the-hood peek at what the module is doing and how
  3. Limitations - OS compatibility, etc.


This module allows you to secure your databases according to the CIS benchmark. We are also adding other security frameworks.

It is part of our family of Puppet modules to install, manage and secure Oracle databases with Puppet. Besides this module, this family also contains:

  • ora_install For installing an Oracle database and other database related Oracle products
  • ora_config For configuring every aspect of your Oracle database
  • ora_profile The ora_profile module allows an easy path from first simple installation to a fully customized Enterprise setup.

All of these modules support Oracle versions 11, 12, 18 and 19.

Want to try?

You don't want to read about it, but really want to try it? You can! You can explore our Puppet modules for Oracle by checking out our playgrounds. Here we guide you around in some of the functionality of our modules.


This is a commercially licensed module. But you can use the module on VirtualBox based development systems for FREE. When used on real systems a license is required.

You can license our modules in multiple ways. Our basic licensing model requires a subscription per node. But contact us for details.

Check the License for details.


Let’s first dive into the question: “What configuration settings are needed to get my system secure?”. Many people have asked themselves this question. The Center for Internet Security (CIS) is one of the means to get an answer. CIS also has a security baseline for Oracle 12: CIS Oracle Database Server 12c Benchmark v2.0.0. We have taken this baseline and Puppetized it for you to use.

It is called ora_secured and contains an implementation of all rules in the CIS benchmark that describe a configuration setting inside of the database.

On a Puppet run, the module will inspect all settings described in the CIS rules and apply changes to them if they deviate from the standard. (If you have started the Puppet run with a noop, it will do nothing but report all changes that would have been made. ). All changes will be reported to the Puppet master and on the console, you get an overview of the changes. Because the Puppet agent runs every 20 minutes (or different if you set it to a different interval), every 20 minutes, your database configuration is checked against the CIS benchmark, and you can sleep well and be assured your data is safe.

Check the documentation here



The ora_secured module requires:

  • Puppet module enterprisemodules-easy_type installed.
  • Puppet version 4.0 or higher. Can be Puppet Enterprise or Puppet Open Source
  • Oracle 12 higher
  • A valid Oracle license
  • A valid Enterprise Modules license for usage.
  • Runs on most Linux systems.
  • Runs on Solaris

Installing the ora_secured module

To install these modules, you can use a Puppetfile

mod 'enterprisemodules/ora_secured'               ,'x.x.x'

Then use the librarian-puppet or r10K to install the software.

You can also install the software using the puppet module command:

puppet module install enterprisemodules-ora_secured


The scope of securing your Oracle database is enormous. The number of security controls in the CIS benchmark is huge. This might make you think that it is not easy to get started, but actually, it is very simple.

Enabling CIS for your database

To enable the CIS benchmark on your database, you just have to add this line to your puppet code:

  product_version  => 'db19c',
  doc_version => 'V1.0.0'

This will activate the CIS benchmark V1.0.0 for Oracle 19c on your databases DB1. The ora_secured puppet module takes care of checking all of the security settings in the benchmark and ensuring they are set in a secure way.

Skipping some controls

The scope of the CIS benchmark for Oracle is pretty extensive. So extensive that enabling all controls, probably ensures that your application doesn't work anymore. So you need to customize the controls you want to enable.

There are four ways the ora_secured module allows you to skip controls.

  1. Add a list of controls to skip when calling the ora_secured defined type.
  2. Add ora_secured::controls::name_of_the_control: skip to your hiera data. This will skip the control on ALL databases.
  3. Add ora_secured::controls::name_of_the_control::dbname: skip to your hiera data. This will skip the control on the database with sid dbname.
  4. Add an entry with the content name_of_the_control to the array value ora_secured::skip_list in your hiera data.

Method 1 is a good way to create your own baseline based on the standard ora_secured code.

Method 2 and 3 are a perfect way to use when you need to override the applicability of control on an individual database or set of database. Just put this data in the hiera for this node or group of databases.

Method 4 is the perfect way to setup a base level. A level you want to be skipped on all of your databases.

You can combine all of these methods to fit your use case.


Here you can find some more information regarding this puppet module:

Here are related blog posts:


This module runs on Solaris and most Linux versions. It requires a puppet version 5 or higher. The module does NOT run on windows systems.