Enhance audit evidence and Data Safe scenario
Some checks failed
Repo Quality / structure (push) Has been cancelled
Some checks failed
Repo Quality / structure (push) Has been cancelled
This commit is contained in:
@@ -76,7 +76,13 @@ Expected result before protection: `CARD_TOKEN` and other sensitive data may app
|
|||||||
@scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql
|
@scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql
|
||||||
```
|
```
|
||||||
|
|
||||||
3. Generate activity and review the local audit trail:
|
3. Apply redaction to payment tokens for audit review:
|
||||||
|
|
||||||
|
```sql
|
||||||
|
@scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql
|
||||||
|
```
|
||||||
|
|
||||||
|
4. Generate activity and review the local audit trail:
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
@scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql
|
@scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql
|
||||||
@@ -94,7 +100,7 @@ Expected result before protection: `CARD_TOKEN` and other sensitive data may app
|
|||||||
Expected result after protection:
|
Expected result after protection:
|
||||||
|
|
||||||
- `payment_operator` sees Brazil operational payment fields without `CARD_TOKEN`.
|
- `payment_operator` sees Brazil operational payment fields without `CARD_TOKEN`.
|
||||||
- `auditor` sees the data required for review.
|
- `auditor` sees the data required for review, with `CARD_TOKEN` partially redacted.
|
||||||
- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`.
|
- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`.
|
||||||
- Data Safe presents events, reports, and evidence for the customer.
|
- Data Safe presents events, reports, and evidence for the customer.
|
||||||
|
|
||||||
@@ -115,4 +121,3 @@ Linux/macOS:
|
|||||||
## Demo Details
|
## Demo Details
|
||||||
|
|
||||||
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
|
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
|
||||||
|
|
||||||
|
|||||||
@@ -61,13 +61,19 @@ Show how to turn access to sensitive data into auditable evidence using Unified
|
|||||||
@scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql
|
@scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql
|
||||||
```
|
```
|
||||||
|
|
||||||
3. Generate activity and query the local audit trail:
|
3. Apply redaction to the payment token column:
|
||||||
|
|
||||||
|
```sql
|
||||||
|
@scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql
|
||||||
|
```
|
||||||
|
|
||||||
|
4. Generate activity and query the local audit trail:
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
@scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql
|
@scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql
|
||||||
```
|
```
|
||||||
|
|
||||||
4. In OCI Data Safe:
|
5. In OCI Data Safe:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
Register Target Database
|
Register Target Database
|
||||||
@@ -80,7 +86,7 @@ Show how to turn access to sensitive data into auditable evidence using Unified
|
|||||||
## Expected Result After
|
## Expected Result After
|
||||||
|
|
||||||
- `payment_operator` sees operational Brazil payment fields without `card_token`.
|
- `payment_operator` sees operational Brazil payment fields without `card_token`.
|
||||||
- `auditor` sees the data required for review.
|
- `auditor` sees the data required for review, with `card_token` partially redacted.
|
||||||
- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`.
|
- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`.
|
||||||
- Data Safe collects and presents events in dashboards and reports.
|
- Data Safe collects and presents events in dashboards and reports.
|
||||||
|
|
||||||
@@ -97,4 +103,3 @@ Show how to turn access to sensitive data into auditable evidence using Unified
|
|||||||
- Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html
|
- Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html
|
||||||
- CREATE DATA GRANT SQL Reference: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/create-data-grant.html
|
- CREATE DATA GRANT SQL Reference: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/create-data-grant.html
|
||||||
- Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html
|
- Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html
|
||||||
|
|
||||||
|
|||||||
@@ -14,5 +14,12 @@ GRANT CREATE SESSION TO audit_session_role;
|
|||||||
GRANT audit_session_role TO audit_read_role;
|
GRANT audit_session_role TO audit_read_role;
|
||||||
GRANT audit_session_role TO payment_operator_role;
|
GRANT audit_session_role TO payment_operator_role;
|
||||||
|
|
||||||
|
-- Vulnerable baseline: this broad legacy role simulates an operational payment
|
||||||
|
-- application that grants direct table access before DDS is enforced.
|
||||||
|
CREATE ROLE audit_legacy_broad_access_role;
|
||||||
|
GRANT SELECT ON dds_audit_payments TO audit_legacy_broad_access_role;
|
||||||
|
GRANT audit_legacy_broad_access_role TO audit_read_role;
|
||||||
|
GRANT audit_legacy_broad_access_role TO payment_operator_role;
|
||||||
|
|
||||||
GRANT DATA ROLE audit_read_role TO auditor;
|
GRANT DATA ROLE audit_read_role TO auditor;
|
||||||
GRANT DATA ROLE payment_operator_role TO payment_operator;
|
GRANT DATA ROLE payment_operator_role TO payment_operator;
|
||||||
|
|||||||
@@ -13,11 +13,34 @@ PROMPT Review local audit trail. Data Safe should collect equivalent activity af
|
|||||||
|
|
||||||
SELECT event_timestamp,
|
SELECT event_timestamp,
|
||||||
dbusername,
|
dbusername,
|
||||||
|
current_user,
|
||||||
|
client_program_name,
|
||||||
action_name,
|
action_name,
|
||||||
object_schema,
|
object_schema,
|
||||||
object_name,
|
object_name,
|
||||||
unified_audit_policies
|
unified_audit_policies,
|
||||||
|
return_code,
|
||||||
|
sql_text
|
||||||
FROM unified_audit_trail
|
FROM unified_audit_trail
|
||||||
WHERE object_name = 'DDS_AUDIT_PAYMENTS'
|
WHERE object_name = 'DDS_AUDIT_PAYMENTS'
|
||||||
ORDER BY event_timestamp DESC
|
ORDER BY event_timestamp DESC
|
||||||
FETCH FIRST 20 ROWS ONLY;
|
FETCH FIRST 20 ROWS ONLY;
|
||||||
|
|
||||||
|
PROMPT Detailed audit log for the latest DDS_AUDIT_PAYMENTS accesses.
|
||||||
|
|
||||||
|
SELECT event_timestamp,
|
||||||
|
dbusername,
|
||||||
|
current_user,
|
||||||
|
action_name,
|
||||||
|
object_schema,
|
||||||
|
object_name,
|
||||||
|
unified_audit_policies,
|
||||||
|
return_code,
|
||||||
|
system_privilege_used,
|
||||||
|
object_privileges,
|
||||||
|
sql_text
|
||||||
|
FROM unified_audit_trail
|
||||||
|
WHERE object_schema = 'ADMIN'
|
||||||
|
AND object_name = 'DDS_AUDIT_PAYMENTS'
|
||||||
|
ORDER BY event_timestamp DESC
|
||||||
|
FETCH FIRST 10 ROWS ONLY;
|
||||||
|
|||||||
27
scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql
Executable file
27
scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql
Executable file
@@ -0,0 +1,27 @@
|
|||||||
|
WHENEVER SQLERROR EXIT SQL.SQLCODE
|
||||||
|
|
||||||
|
BEGIN
|
||||||
|
DBMS_REDACT.DROP_POLICY(
|
||||||
|
object_schema => 'ADMIN',
|
||||||
|
object_name => 'DDS_AUDIT_PAYMENTS',
|
||||||
|
policy_name => 'DDS_REDACT_CARD_TOKEN'
|
||||||
|
);
|
||||||
|
EXCEPTION
|
||||||
|
WHEN OTHERS THEN NULL;
|
||||||
|
END;
|
||||||
|
/
|
||||||
|
|
||||||
|
BEGIN
|
||||||
|
DBMS_REDACT.ADD_POLICY(
|
||||||
|
object_schema => 'ADMIN',
|
||||||
|
object_name => 'DDS_AUDIT_PAYMENTS',
|
||||||
|
policy_name => 'DDS_REDACT_CARD_TOKEN',
|
||||||
|
column_name => 'CARD_TOKEN',
|
||||||
|
function_type => DBMS_REDACT.PARTIAL,
|
||||||
|
function_parameters => 'VVVFVVVVFVVV,VVVFVVVVFVVV,*,4,7',
|
||||||
|
expression => '1=1',
|
||||||
|
policy_description => 'Masks payment card tokens in query results for audit demos.',
|
||||||
|
column_description => 'Card token is partially redacted; full value remains stored in the database.'
|
||||||
|
);
|
||||||
|
END;
|
||||||
|
/
|
||||||
@@ -8,6 +8,8 @@ BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_security_admin_policy'; EXCEPTION
|
|||||||
/
|
/
|
||||||
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_audit_payments DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_audit_payments DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||||
/
|
/
|
||||||
|
BEGIN DBMS_REDACT.DROP_POLICY(object_schema => 'ADMIN', object_name => 'DDS_AUDIT_PAYMENTS', policy_name => 'DDS_REDACT_CARD_TOKEN'); EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||||
|
/
|
||||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_read_all'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_read_all'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||||
/
|
/
|
||||||
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||||
@@ -22,6 +24,8 @@ BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE payment_operator_role'; EXCEPTION WHEN O
|
|||||||
/
|
/
|
||||||
BEGIN EXECUTE IMMEDIATE 'DROP ROLE audit_session_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
BEGIN EXECUTE IMMEDIATE 'DROP ROLE audit_session_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||||
/
|
/
|
||||||
|
BEGIN EXECUTE IMMEDIATE 'DROP ROLE audit_legacy_broad_access_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||||
|
/
|
||||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER auditor'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
BEGIN EXECUTE IMMEDIATE 'DROP END USER auditor'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||||
/
|
/
|
||||||
BEGIN EXECUTE IMMEDIATE 'DROP END USER payment_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
BEGIN EXECUTE IMMEDIATE 'DROP END USER payment_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
|
||||||
|
|||||||
Reference in New Issue
Block a user