Enhance audit evidence and Data Safe scenario
Some checks failed
Repo Quality / structure (push) Has been cancelled

This commit is contained in:
2026-05-13 16:59:50 -03:00
parent db3d68af10
commit 4ab75ed578
6 changed files with 79 additions and 8 deletions

View File

@@ -14,5 +14,12 @@ GRANT CREATE SESSION TO audit_session_role;
GRANT audit_session_role TO audit_read_role;
GRANT audit_session_role TO payment_operator_role;
-- Vulnerable baseline: this broad legacy role simulates an operational payment
-- application that grants direct table access before DDS is enforced.
CREATE ROLE audit_legacy_broad_access_role;
GRANT SELECT ON dds_audit_payments TO audit_legacy_broad_access_role;
GRANT audit_legacy_broad_access_role TO audit_read_role;
GRANT audit_legacy_broad_access_role TO payment_operator_role;
GRANT DATA ROLE audit_read_role TO auditor;
GRANT DATA ROLE payment_operator_role TO payment_operator;

View File

@@ -13,11 +13,34 @@ PROMPT Review local audit trail. Data Safe should collect equivalent activity af
SELECT event_timestamp,
dbusername,
current_user,
client_program_name,
action_name,
object_schema,
object_name,
unified_audit_policies
unified_audit_policies,
return_code,
sql_text
FROM unified_audit_trail
WHERE object_name = 'DDS_AUDIT_PAYMENTS'
ORDER BY event_timestamp DESC
FETCH FIRST 20 ROWS ONLY;
PROMPT Detailed audit log for the latest DDS_AUDIT_PAYMENTS accesses.
SELECT event_timestamp,
dbusername,
current_user,
action_name,
object_schema,
object_name,
unified_audit_policies,
return_code,
system_privilege_used,
object_privileges,
sql_text
FROM unified_audit_trail
WHERE object_schema = 'ADMIN'
AND object_name = 'DDS_AUDIT_PAYMENTS'
ORDER BY event_timestamp DESC
FETCH FIRST 10 ROWS ONLY;

View File

@@ -0,0 +1,27 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
BEGIN
DBMS_REDACT.DROP_POLICY(
object_schema => 'ADMIN',
object_name => 'DDS_AUDIT_PAYMENTS',
policy_name => 'DDS_REDACT_CARD_TOKEN'
);
EXCEPTION
WHEN OTHERS THEN NULL;
END;
/
BEGIN
DBMS_REDACT.ADD_POLICY(
object_schema => 'ADMIN',
object_name => 'DDS_AUDIT_PAYMENTS',
policy_name => 'DDS_REDACT_CARD_TOKEN',
column_name => 'CARD_TOKEN',
function_type => DBMS_REDACT.PARTIAL,
function_parameters => 'VVVFVVVVFVVV,VVVFVVVVFVVV,*,4,7',
expression => '1=1',
policy_description => 'Masks payment card tokens in query results for audit demos.',
column_description => 'Card token is partially redacted; full value remains stored in the database.'
);
END;
/

View File

@@ -8,6 +8,8 @@ BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_security_admin_policy'; EXCEPTION
/
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_audit_payments DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN DBMS_REDACT.DROP_POLICY(object_schema => 'ADMIN', object_name => 'DDS_AUDIT_PAYMENTS', policy_name => 'DDS_REDACT_CARD_TOKEN'); EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_read_all'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
@@ -22,6 +24,8 @@ BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE payment_operator_role'; EXCEPTION WHEN O
/
BEGIN EXECUTE IMMEDIATE 'DROP ROLE audit_session_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP ROLE audit_legacy_broad_access_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER auditor'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER payment_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;