From 4ab75ed57809f2b4905f126ba87772ccb02dfda1 Mon Sep 17 00:00:00 2001 From: Rodrigo Date: Wed, 13 May 2026 16:59:50 -0300 Subject: [PATCH] Enhance audit evidence and Data Safe scenario --- .../07-audit-evidence-data-safe/README.md | 11 +++++--- .../07-audit-evidence-data-safe/RUNBOOK.md | 13 ++++++--- .../sql/02_identities.sql | 7 +++++ .../sql/05_generate_activity.sql | 25 ++++++++++++++++- .../sql/06_redaction_policy.sql | 27 +++++++++++++++++++ .../sql/99_reset.sql | 4 +++ 6 files changed, 79 insertions(+), 8 deletions(-) create mode 100755 scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql diff --git a/scenarios/07-audit-evidence-data-safe/README.md b/scenarios/07-audit-evidence-data-safe/README.md index 5f7e494..45b7d06 100755 --- a/scenarios/07-audit-evidence-data-safe/README.md +++ b/scenarios/07-audit-evidence-data-safe/README.md @@ -76,7 +76,13 @@ Expected result before protection: `CARD_TOKEN` and other sensitive data may app @scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql ``` -3. Generate activity and review the local audit trail: +3. Apply redaction to payment tokens for audit review: + + ```sql + @scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql + ``` + +4. Generate activity and review the local audit trail: ```sql @scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql @@ -94,7 +100,7 @@ Expected result before protection: `CARD_TOKEN` and other sensitive data may app Expected result after protection: - `payment_operator` sees Brazil operational payment fields without `CARD_TOKEN`. -- `auditor` sees the data required for review. +- `auditor` sees the data required for review, with `CARD_TOKEN` partially redacted. - `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`. - Data Safe presents events, reports, and evidence for the customer. @@ -115,4 +121,3 @@ Linux/macOS: ## Demo Details See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md). - diff --git a/scenarios/07-audit-evidence-data-safe/RUNBOOK.md b/scenarios/07-audit-evidence-data-safe/RUNBOOK.md index 691bdbf..f2c973b 100755 --- a/scenarios/07-audit-evidence-data-safe/RUNBOOK.md +++ b/scenarios/07-audit-evidence-data-safe/RUNBOOK.md @@ -61,13 +61,19 @@ Show how to turn access to sensitive data into auditable evidence using Unified @scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql ``` -3. Generate activity and query the local audit trail: +3. Apply redaction to the payment token column: + + ```sql + @scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql + ``` + +4. Generate activity and query the local audit trail: ```sql @scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql ``` -4. In OCI Data Safe: +5. In OCI Data Safe: ```text Register Target Database @@ -80,7 +86,7 @@ Show how to turn access to sensitive data into auditable evidence using Unified ## Expected Result After - `payment_operator` sees operational Brazil payment fields without `card_token`. -- `auditor` sees the data required for review. +- `auditor` sees the data required for review, with `card_token` partially redacted. - `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`. - Data Safe collects and presents events in dashboards and reports. @@ -97,4 +103,3 @@ Show how to turn access to sensitive data into auditable evidence using Unified - Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html - CREATE DATA GRANT SQL Reference: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/create-data-grant.html - Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html - diff --git a/scenarios/07-audit-evidence-data-safe/sql/02_identities.sql b/scenarios/07-audit-evidence-data-safe/sql/02_identities.sql index 840b9d7..cdd4c69 100755 --- a/scenarios/07-audit-evidence-data-safe/sql/02_identities.sql +++ b/scenarios/07-audit-evidence-data-safe/sql/02_identities.sql @@ -14,5 +14,12 @@ GRANT CREATE SESSION TO audit_session_role; GRANT audit_session_role TO audit_read_role; GRANT audit_session_role TO payment_operator_role; +-- Vulnerable baseline: this broad legacy role simulates an operational payment +-- application that grants direct table access before DDS is enforced. +CREATE ROLE audit_legacy_broad_access_role; +GRANT SELECT ON dds_audit_payments TO audit_legacy_broad_access_role; +GRANT audit_legacy_broad_access_role TO audit_read_role; +GRANT audit_legacy_broad_access_role TO payment_operator_role; + GRANT DATA ROLE audit_read_role TO auditor; GRANT DATA ROLE payment_operator_role TO payment_operator; diff --git a/scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql b/scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql index e94e878..6de6acc 100755 --- a/scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql +++ b/scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql @@ -13,11 +13,34 @@ PROMPT Review local audit trail. Data Safe should collect equivalent activity af SELECT event_timestamp, dbusername, + current_user, + client_program_name, action_name, object_schema, object_name, - unified_audit_policies + unified_audit_policies, + return_code, + sql_text FROM unified_audit_trail WHERE object_name = 'DDS_AUDIT_PAYMENTS' ORDER BY event_timestamp DESC FETCH FIRST 20 ROWS ONLY; + +PROMPT Detailed audit log for the latest DDS_AUDIT_PAYMENTS accesses. + +SELECT event_timestamp, + dbusername, + current_user, + action_name, + object_schema, + object_name, + unified_audit_policies, + return_code, + system_privilege_used, + object_privileges, + sql_text +FROM unified_audit_trail +WHERE object_schema = 'ADMIN' + AND object_name = 'DDS_AUDIT_PAYMENTS' +ORDER BY event_timestamp DESC +FETCH FIRST 10 ROWS ONLY; diff --git a/scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql b/scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql new file mode 100755 index 0000000..d216114 --- /dev/null +++ b/scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql @@ -0,0 +1,27 @@ +WHENEVER SQLERROR EXIT SQL.SQLCODE + +BEGIN + DBMS_REDACT.DROP_POLICY( + object_schema => 'ADMIN', + object_name => 'DDS_AUDIT_PAYMENTS', + policy_name => 'DDS_REDACT_CARD_TOKEN' + ); +EXCEPTION + WHEN OTHERS THEN NULL; +END; +/ + +BEGIN + DBMS_REDACT.ADD_POLICY( + object_schema => 'ADMIN', + object_name => 'DDS_AUDIT_PAYMENTS', + policy_name => 'DDS_REDACT_CARD_TOKEN', + column_name => 'CARD_TOKEN', + function_type => DBMS_REDACT.PARTIAL, + function_parameters => 'VVVFVVVVFVVV,VVVFVVVVFVVV,*,4,7', + expression => '1=1', + policy_description => 'Masks payment card tokens in query results for audit demos.', + column_description => 'Card token is partially redacted; full value remains stored in the database.' + ); +END; +/ diff --git a/scenarios/07-audit-evidence-data-safe/sql/99_reset.sql b/scenarios/07-audit-evidence-data-safe/sql/99_reset.sql index 818ccd8..fdf1ab4 100755 --- a/scenarios/07-audit-evidence-data-safe/sql/99_reset.sql +++ b/scenarios/07-audit-evidence-data-safe/sql/99_reset.sql @@ -8,6 +8,8 @@ BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_security_admin_policy'; EXCEPTION / BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_audit_payments DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END; / +BEGIN DBMS_REDACT.DROP_POLICY(object_schema => 'ADMIN', object_name => 'DDS_AUDIT_PAYMENTS', policy_name => 'DDS_REDACT_CARD_TOKEN'); EXCEPTION WHEN OTHERS THEN NULL; END; +/ BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_read_all'; EXCEPTION WHEN OTHERS THEN NULL; END; / BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_operator'; EXCEPTION WHEN OTHERS THEN NULL; END; @@ -22,6 +24,8 @@ BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE payment_operator_role'; EXCEPTION WHEN O / BEGIN EXECUTE IMMEDIATE 'DROP ROLE audit_session_role'; EXCEPTION WHEN OTHERS THEN NULL; END; / +BEGIN EXECUTE IMMEDIATE 'DROP ROLE audit_legacy_broad_access_role'; EXCEPTION WHEN OTHERS THEN NULL; END; +/ BEGIN EXECUTE IMMEDIATE 'DROP END USER auditor'; EXCEPTION WHEN OTHERS THEN NULL; END; / BEGIN EXECUTE IMMEDIATE 'DROP END USER payment_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;