79 lines
2.3 KiB
Markdown
Executable File
79 lines
2.3 KiB
Markdown
Executable File
# Runbook - 04 View Bypass MAC
|
|
|
|
## Objective
|
|
|
|
Show that views and alternate access paths can bypass poorly designed controls, and that `USE DATA GRANTS ONLY` enforces Mandatory Access Control on the protected object.
|
|
|
|
## Security Value
|
|
|
|
- Prevents bypass through legacy views.
|
|
- Enforces a consistent policy across the base table and views.
|
|
- Helps customers with many reports, synonyms, views, and BI tools.
|
|
|
|
## Prerequisites
|
|
|
|
- Oracle AI Database compatible with Oracle Deep Data Security.
|
|
- SQLcl or SQL*Plus.
|
|
|
|
## Before - Vulnerable Environment
|
|
|
|
1. Reset the scenario:
|
|
|
|
```sql
|
|
@scenarios/04-view-bypass-mac/sql/99_reset.sql
|
|
```
|
|
|
|
2. Create the table, view, data, and personas:
|
|
|
|
```sql
|
|
@scenarios/04-view-bypass-mac/sql/00_schema.sql
|
|
@scenarios/04-view-bypass-mac/sql/01_seed_data.sql
|
|
@scenarios/04-view-bypass-mac/sql/02_identities.sql
|
|
```
|
|
|
|
3. Simulate a legacy view that returns all data:
|
|
|
|
```sql
|
|
SELECT account_id, account_name, owner_name, region, balance
|
|
FROM dds_mac_accounts_view
|
|
ORDER BY account_id;
|
|
```
|
|
|
|
## Expected Result Before
|
|
|
|
- The view may expose accounts owned by other users.
|
|
- The alternate access path does not honor the intended base table policy.
|
|
|
|
## After - Applying Deep Data Security
|
|
|
|
1. Apply data grants and enable MAC:
|
|
|
|
```sql
|
|
@scenarios/04-view-bypass-mac/sql/03_data_grants.sql
|
|
```
|
|
|
|
2. Query the table and the view:
|
|
|
|
```sql
|
|
@scenarios/04-view-bypass-mac/sql/04_test_queries.sql
|
|
```
|
|
|
|
## Expected Result After
|
|
|
|
- The base table returns only the account owned by the current end user.
|
|
- The view returns the same restricted rows.
|
|
- The broad view data grant cannot bypass the base table policy when MAC is enabled.
|
|
|
|
## Demo Evidence
|
|
|
|
- Table and view results before and after.
|
|
- SQL statement `SET USE DATA GRANTS ONLY ON dds_mac_accounts ENABLED`.
|
|
- Explanation that MAC removes inconsistencies across access paths.
|
|
|
|
## Official References
|
|
|
|
- SET USE DATA GRANTS ONLY: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/set-use-data-grants-only.html
|
|
- Fine-Grained Data Authorization - Mandatory Access Control: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/fine-grained-data-authorization.html
|
|
- Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html
|
|
|