Enhance audit evidence and Data Safe scenario
Some checks failed
Repo Quality / structure (push) Has been cancelled

This commit is contained in:
2026-05-13 16:59:50 -03:00
parent db3d68af10
commit 4ab75ed578
6 changed files with 79 additions and 8 deletions

View File

@@ -76,7 +76,13 @@ Expected result before protection: `CARD_TOKEN` and other sensitive data may app
@scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql
```
3. Generate activity and review the local audit trail:
3. Apply redaction to payment tokens for audit review:
```sql
@scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql
```
4. Generate activity and review the local audit trail:
```sql
@scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql
@@ -94,7 +100,7 @@ Expected result before protection: `CARD_TOKEN` and other sensitive data may app
Expected result after protection:
- `payment_operator` sees Brazil operational payment fields without `CARD_TOKEN`.
- `auditor` sees the data required for review.
- `auditor` sees the data required for review, with `CARD_TOKEN` partially redacted.
- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`.
- Data Safe presents events, reports, and evidence for the customer.
@@ -115,4 +121,3 @@ Linux/macOS:
## Demo Details
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).

View File

@@ -61,13 +61,19 @@ Show how to turn access to sensitive data into auditable evidence using Unified
@scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql
```
3. Generate activity and query the local audit trail:
3. Apply redaction to the payment token column:
```sql
@scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql
```
4. Generate activity and query the local audit trail:
```sql
@scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql
```
4. In OCI Data Safe:
5. In OCI Data Safe:
```text
Register Target Database
@@ -80,7 +86,7 @@ Show how to turn access to sensitive data into auditable evidence using Unified
## Expected Result After
- `payment_operator` sees operational Brazil payment fields without `card_token`.
- `auditor` sees the data required for review.
- `auditor` sees the data required for review, with `card_token` partially redacted.
- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`.
- Data Safe collects and presents events in dashboards and reports.
@@ -97,4 +103,3 @@ Show how to turn access to sensitive data into auditable evidence using Unified
- Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html
- CREATE DATA GRANT SQL Reference: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/create-data-grant.html
- Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html

View File

@@ -14,5 +14,12 @@ GRANT CREATE SESSION TO audit_session_role;
GRANT audit_session_role TO audit_read_role;
GRANT audit_session_role TO payment_operator_role;
-- Vulnerable baseline: this broad legacy role simulates an operational payment
-- application that grants direct table access before DDS is enforced.
CREATE ROLE audit_legacy_broad_access_role;
GRANT SELECT ON dds_audit_payments TO audit_legacy_broad_access_role;
GRANT audit_legacy_broad_access_role TO audit_read_role;
GRANT audit_legacy_broad_access_role TO payment_operator_role;
GRANT DATA ROLE audit_read_role TO auditor;
GRANT DATA ROLE payment_operator_role TO payment_operator;

View File

@@ -13,11 +13,34 @@ PROMPT Review local audit trail. Data Safe should collect equivalent activity af
SELECT event_timestamp,
dbusername,
current_user,
client_program_name,
action_name,
object_schema,
object_name,
unified_audit_policies
unified_audit_policies,
return_code,
sql_text
FROM unified_audit_trail
WHERE object_name = 'DDS_AUDIT_PAYMENTS'
ORDER BY event_timestamp DESC
FETCH FIRST 20 ROWS ONLY;
PROMPT Detailed audit log for the latest DDS_AUDIT_PAYMENTS accesses.
SELECT event_timestamp,
dbusername,
current_user,
action_name,
object_schema,
object_name,
unified_audit_policies,
return_code,
system_privilege_used,
object_privileges,
sql_text
FROM unified_audit_trail
WHERE object_schema = 'ADMIN'
AND object_name = 'DDS_AUDIT_PAYMENTS'
ORDER BY event_timestamp DESC
FETCH FIRST 10 ROWS ONLY;

View File

@@ -0,0 +1,27 @@
WHENEVER SQLERROR EXIT SQL.SQLCODE
BEGIN
DBMS_REDACT.DROP_POLICY(
object_schema => 'ADMIN',
object_name => 'DDS_AUDIT_PAYMENTS',
policy_name => 'DDS_REDACT_CARD_TOKEN'
);
EXCEPTION
WHEN OTHERS THEN NULL;
END;
/
BEGIN
DBMS_REDACT.ADD_POLICY(
object_schema => 'ADMIN',
object_name => 'DDS_AUDIT_PAYMENTS',
policy_name => 'DDS_REDACT_CARD_TOKEN',
column_name => 'CARD_TOKEN',
function_type => DBMS_REDACT.PARTIAL,
function_parameters => 'VVVFVVVVFVVV,VVVFVVVVFVVV,*,4,7',
expression => '1=1',
policy_description => 'Masks payment card tokens in query results for audit demos.',
column_description => 'Card token is partially redacted; full value remains stored in the database.'
);
END;
/

View File

@@ -8,6 +8,8 @@ BEGIN EXECUTE IMMEDIATE 'DROP AUDIT POLICY dds_security_admin_policy'; EXCEPTION
/
BEGIN EXECUTE IMMEDIATE 'SET USE DATA GRANTS ONLY ON dds_audit_payments DISABLED'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN DBMS_REDACT.DROP_POLICY(object_schema => 'ADMIN', object_name => 'DDS_AUDIT_PAYMENTS', policy_name => 'DDS_REDACT_CARD_TOKEN'); EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_read_all'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP DATA GRANT audit_payments_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;
@@ -22,6 +24,8 @@ BEGIN EXECUTE IMMEDIATE 'DROP DATA ROLE payment_operator_role'; EXCEPTION WHEN O
/
BEGIN EXECUTE IMMEDIATE 'DROP ROLE audit_session_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP ROLE audit_legacy_broad_access_role'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER auditor'; EXCEPTION WHEN OTHERS THEN NULL; END;
/
BEGIN EXECUTE IMMEDIATE 'DROP END USER payment_operator'; EXCEPTION WHEN OTHERS THEN NULL; END;