177 lines
5.9 KiB
Markdown
Executable File
177 lines
5.9 KiB
Markdown
Executable File
# Oracle Deep Data Security Lab
|
|
|
|
Internal enablement kit for demonstrating Oracle Deep Data Security in realistic enterprise data security scenarios: AI agents, prompt injection, shared application accounts, ad hoc BI, PII access, view bypass, legacy app modernization, RAG/vector retrieval, and audit evidence.
|
|
|
|
The goal is to let any team member deploy a secure OCI foundation, install lab scenarios, run positive and negative tests, and collect evidence in a repeatable way.
|
|
|
|
## Quick View
|
|
|
|
```text
|
|
terraform/ Secure-by-default OCI infrastructure
|
|
scenarios/ Independent SQL labs and runbooks
|
|
scripts/ Bootstrap, validation, execution, and reset automation
|
|
docs/ Architecture, demo, and operations guides
|
|
apps/ Placeholder for Spring Boot app, AI agent, and BI simulator
|
|
```
|
|
|
|
## Included Scenarios
|
|
|
|
| ID | Scenario | Objective |
|
|
| --- | --- | --- |
|
|
| 01 | AI Prompt Injection | Show that the database limits data even when an AI agent generates broad or malicious SQL. |
|
|
| 02 | Shared App Account | Show end-user data enforcement even when a technical application account is used. |
|
|
| 03 | PII Row/Column/Cell | Show row, column, and cell-level controls for personal data and salary. |
|
|
| 04 | View Bypass / MAC | Show Mandatory Access Control with `USE DATA GRANTS ONLY`. |
|
|
| 05 | Legacy App AI Extension | Show AI modernization without rewriting all legacy application authorization logic. |
|
|
| 06 | RAG Vector Classified Docs | Show RAG/vector search returning only authorized chunks by classification. |
|
|
| 07 | Audit Evidence With Data Safe | Show access evidence with Unified Audit and OCI Data Safe validation guidance. |
|
|
|
|
Each scenario includes a `RUNBOOK.md` with a before/after demo flow, expected evidence, and official references.
|
|
|
|
## Scenario Execution Guides
|
|
|
|
Use these links to open the step-by-step demo guide for each scenario. Each runbook explains the vulnerable baseline, the commands to apply Oracle Deep Data Security, the expected protected result, and the official references.
|
|
|
|
| ID | Scenario | Step-by-step guide |
|
|
| --- | --- | --- |
|
|
| 01 | AI Prompt Injection | [RUNBOOK.md](scenarios/01-ai-prompt-injection/RUNBOOK.md) |
|
|
| 02 | Shared App Account | [RUNBOOK.md](scenarios/02-shared-app-account/RUNBOOK.md) |
|
|
| 03 | PII Row/Column/Cell | [RUNBOOK.md](scenarios/03-pii-row-column-cell/RUNBOOK.md) |
|
|
| 04 | View Bypass / MAC | [RUNBOOK.md](scenarios/04-view-bypass-mac/RUNBOOK.md) |
|
|
| 05 | Legacy App AI Extension | [RUNBOOK.md](scenarios/05-legacy-app-ai-extension/RUNBOOK.md) |
|
|
| 06 | RAG Vector Classified Docs | [RUNBOOK.md](scenarios/06-rag-vector-classified-docs/RUNBOOK.md) |
|
|
| 07 | Audit Evidence With Data Safe | [RUNBOOK.md](scenarios/07-audit-evidence-data-safe/RUNBOOK.md) |
|
|
|
|
## Prerequisites
|
|
|
|
- OCI tenancy with permission to create networking, Autonomous Database, optional Vault, and optional Compute resources.
|
|
- Terraform 1.6 or later.
|
|
- OCI CLI configured, or OCI provider authentication variables.
|
|
- SQLcl, SQL*Plus, or another compatible Oracle client.
|
|
- Access to an Oracle AI Database version compatible with Oracle Deep Data Security.
|
|
|
|
## 7-Step Execution
|
|
|
|
1. Clone the repository.
|
|
|
|
2. Copy the example Terraform variables file.
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
cp terraform/envs/demo/terraform.tfvars.example terraform/envs/demo/terraform.tfvars
|
|
```
|
|
|
|
Windows PowerShell:
|
|
|
|
```powershell
|
|
Copy-Item terraform\envs\demo\terraform.tfvars.example terraform\envs\demo\terraform.tfvars
|
|
```
|
|
|
|
3. Edit `terraform/envs/demo/terraform.tfvars` with your OCIDs, region, and database parameters.
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
vi terraform/envs/demo/terraform.tfvars
|
|
```
|
|
|
|
Windows PowerShell:
|
|
|
|
```powershell
|
|
notepad terraform\envs\demo\terraform.tfvars
|
|
```
|
|
|
|
4. Validate the infrastructure.
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
chmod +x scripts/*.sh
|
|
./scripts/validate-terraform.sh
|
|
```
|
|
|
|
Windows PowerShell:
|
|
|
|
```powershell
|
|
powershell -ExecutionPolicy Bypass -File .\scripts\validate-terraform.ps1
|
|
```
|
|
|
|
5. Deploy the infrastructure.
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
cd terraform/envs/demo
|
|
terraform init
|
|
terraform plan -out tfplan
|
|
terraform apply tfplan
|
|
cd ../../..
|
|
```
|
|
|
|
Windows PowerShell:
|
|
|
|
```powershell
|
|
Set-Location terraform\envs\demo
|
|
terraform init
|
|
terraform plan -out tfplan
|
|
terraform apply tfplan
|
|
Set-Location ..\..\..
|
|
```
|
|
|
|
6. Install a scenario.
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
./scripts/run-scenario.sh 01-ai-prompt-injection "<connect_string>"
|
|
```
|
|
|
|
Windows PowerShell:
|
|
|
|
```powershell
|
|
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 01-ai-prompt-injection -ConnectString "<connect_string>"
|
|
```
|
|
|
|
7. Run tests and reset when needed.
|
|
|
|
Linux/macOS:
|
|
|
|
```bash
|
|
./scripts/run-scenario.sh 05-legacy-app-ai-extension "<connect_string>"
|
|
./scripts/reset-scenario.sh 05-legacy-app-ai-extension "<connect_string>"
|
|
```
|
|
|
|
Windows PowerShell:
|
|
|
|
```powershell
|
|
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "<connect_string>"
|
|
powershell -ExecutionPolicy Bypass -File .\scripts\reset-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "<connect_string>"
|
|
```
|
|
|
|
## Secure Defaults
|
|
|
|
- Database deployed in a private subnet.
|
|
- No public IP on the database.
|
|
- Dedicated NSGs for application and database access.
|
|
- mTLS required for Autonomous Database connectivity.
|
|
- Secrets kept out of Git.
|
|
- Optional Vault/KMS customer-managed keys.
|
|
- Compute bastion disabled by default.
|
|
- Demo evidence and logs ignored by Git.
|
|
|
|
## Contributing
|
|
|
|
Read [CONTRIBUTING.md](CONTRIBUTING.md). Every new scenario must include `README.md`, `RUNBOOK.md`, `metadata.yaml`, numbered SQL files, positive/negative tests, and a reset script.
|
|
|
|
## CI/CD
|
|
|
|
This repository includes GitHub Actions for:
|
|
|
|
- `terraform fmt`
|
|
- `terraform init -backend=false`
|
|
- `terraform validate`
|
|
- minimum scenario structure checks
|
|
- blocking sensitive files such as `.tfvars`, `.pem`, and `.key`
|
|
|