124 lines
3.2 KiB
Markdown
Executable File
124 lines
3.2 KiB
Markdown
Executable File
# 07 - Audit Evidence With Data Safe
|
|
|
|
## Objective
|
|
|
|
Show how to turn access to sensitive data into audit evidence using Unified Audit and OCI Data Safe.
|
|
|
|
## What This Lab Shows
|
|
|
|
Before the controls are applied, a payments table can be queried without a clear evidence trail for the customer. Afterward, Oracle Deep Data Security restricts data by persona and Unified Audit/Data Safe help show who accessed what.
|
|
|
|
## Personas
|
|
|
|
- `payment_operator`: payment operations user.
|
|
- `auditor`: auditor.
|
|
- `dds_audit_analyst`: technical analysis account.
|
|
|
|
## Where To Run The Commands
|
|
|
|
Run SQL commands from the repository root:
|
|
|
|
```powershell
|
|
cd C:\Users\rodrigo\Documents\Codex\oracle-deep-data-security-lab
|
|
```
|
|
|
|
Connect to the database with SQLcl or SQL*Plus:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
The Data Safe portion must be performed in the OCI Console under Oracle Data Safe.
|
|
|
|
## Step By Step - Before, Vulnerable Environment
|
|
|
|
1. Connect to the database:
|
|
|
|
```bash
|
|
sql "<connect_string>"
|
|
```
|
|
|
|
2. Reset the scenario:
|
|
|
|
```sql
|
|
@scenarios/07-audit-evidence-data-safe/sql/99_reset.sql
|
|
```
|
|
|
|
3. Create the sensitive table, data, and personas:
|
|
|
|
```sql
|
|
@scenarios/07-audit-evidence-data-safe/sql/00_schema.sql
|
|
@scenarios/07-audit-evidence-data-safe/sql/01_seed_data.sql
|
|
@scenarios/07-audit-evidence-data-safe/sql/02_identities.sql
|
|
```
|
|
|
|
4. Run a broad payments query:
|
|
|
|
```sql
|
|
SELECT payment_id, customer_name, country, payment_amount, card_token, risk_flag
|
|
FROM dds_audit_payments
|
|
ORDER BY payment_id;
|
|
```
|
|
|
|
Expected result before protection: `CARD_TOKEN` and other sensitive data may appear for users with broad access, and the evidence is not organized for audit review.
|
|
|
|
## Step By Step - After, With Deep Data Security And Auditing
|
|
|
|
1. Apply the data grants:
|
|
|
|
```sql
|
|
@scenarios/07-audit-evidence-data-safe/sql/03_data_grants.sql
|
|
```
|
|
|
|
2. Create the Unified Audit policies:
|
|
|
|
```sql
|
|
@scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql
|
|
```
|
|
|
|
3. Apply redaction to payment tokens for audit review:
|
|
|
|
```sql
|
|
@scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql
|
|
```
|
|
|
|
4. Generate activity and review the local audit trail:
|
|
|
|
```sql
|
|
@scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql
|
|
```
|
|
|
|
4. In the OCI Console, open Oracle Data Safe and perform:
|
|
|
|
```text
|
|
Security Center > Data Safe
|
|
Target Databases > Register Target Database
|
|
Activity Auditing > Start Audit Trail
|
|
Activity Auditing > Reports or Events
|
|
```
|
|
|
|
Expected result after protection:
|
|
|
|
- `payment_operator` sees Brazil operational payment fields without `CARD_TOKEN`.
|
|
- `auditor` sees the data required for review, with `CARD_TOKEN` partially redacted.
|
|
- `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`.
|
|
- Data Safe presents events, reports, and evidence for the customer.
|
|
|
|
## Optional Automated Execution
|
|
|
|
Windows:
|
|
|
|
```powershell
|
|
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 07-audit-evidence-data-safe -ConnectString "<connect_string>"
|
|
```
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
./scripts/run-scenario.sh 07-audit-evidence-data-safe "<connect_string>"
|
|
```
|
|
|
|
## Demo Details
|
|
|
|
See the complete walkthrough, evidence, and official references in [RUNBOOK.md](RUNBOOK.md).
|