Translate lab documentation to English
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled

This commit is contained in:
Rodrigo Pace
2026-05-08 14:50:52 -03:00
parent cde150b705
commit 52bf971b8b
33 changed files with 939 additions and 702 deletions

View File

@@ -1,29 +1,29 @@
# Runbook - 04 View Bypass MAC
## Objetivo
## Objective
Demonstrar que views e caminhos alternativos de acesso podem contornar controles mal desenhados, e que `USE DATA GRANTS ONLY` aplica Mandatory Access Control no objeto protegido.
Show that views and alternate access paths can bypass poorly designed controls, and that `USE DATA GRANTS ONLY` enforces Mandatory Access Control on the protected object.
## Valor De Seguranca
## Security Value
- Evita bypass por views legadas.
- Aplica politica uniforme em tabela base e views.
- Ajuda clientes com muitos relatorios, synonyms, views e ferramentas BI.
- Prevents bypass through legacy views.
- Enforces a consistent policy across the base table and views.
- Helps customers with many reports, synonyms, views, and BI tools.
## Pre-Requisitos
## Prerequisites
- Banco Oracle AI Database compativel com Oracle Deep Data Security.
- SQLcl ou SQL*Plus.
- Oracle AI Database compatible with Oracle Deep Data Security.
- SQLcl or SQL*Plus.
## Antes - Ambiente Vulneravel
## Before - Vulnerable Environment
1. Limpe o cenario:
1. Reset the scenario:
```sql
@scenarios/04-view-bypass-mac/sql/99_reset.sql
```
2. Crie tabela, view, dados e personas:
2. Create the table, view, data, and personas:
```sql
@scenarios/04-view-bypass-mac/sql/00_schema.sql
@@ -31,7 +31,7 @@ Demonstrar que views e caminhos alternativos de acesso podem contornar controles
@scenarios/04-view-bypass-mac/sql/02_identities.sql
```
3. Simule uma view legada que retorna todos os dados:
3. Simulate a legacy view that returns all data:
```sql
SELECT account_id, account_name, owner_name, region, balance
@@ -39,38 +39,38 @@ Demonstrar que views e caminhos alternativos de acesso podem contornar controles
ORDER BY account_id;
```
## Resultado Esperado Antes
## Expected Result Before
- A view pode expor contas de outros donos.
- O acesso por caminho alternativo nao respeita a mesma intencao da politica da tabela base.
- The view may expose accounts owned by other users.
- The alternate access path does not honor the intended base table policy.
## Depois - Aplicando Deep Data Security
## After - Applying Deep Data Security
1. Aplique data grants e habilite MAC:
1. Apply data grants and enable MAC:
```sql
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql
```
2. Execute a consulta na tabela e na view:
2. Query the table and the view:
```sql
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
```
## Resultado Esperado Depois
## Expected Result After
- A tabela base retorna somente a conta do usuario final.
- A view retorna o mesmo subconjunto autorizado.
- O data grant amplo na view nao consegue furar a politica da tabela base quando MAC esta habilitado.
- The base table returns only the account owned by the current end user.
- The view returns the same restricted rows.
- The broad view data grant cannot bypass the base table policy when MAC is enabled.
## Evidencias Para Demo
## Demo Evidence
- Resultado da tabela e da view antes/depois.
- SQL `SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED`.
- Explicacao de que MAC remove inconsistencias entre caminhos de acesso.
- Table and view results before and after.
- SQL statement `SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED`.
- Explanation that MAC removes inconsistencies across access paths.
## Referencias Oficiais
## Official References
- SET USE DATA GRANTS ONLY: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/set-use-data-grants-only.html
- Fine-Grained Data Authorization - Mandatory Access Control: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html