Oracle LiveLabs Lab: DB Security - ASO (Data Redaction)
Posted by dingdingfish
Overview
The lab can be requested here; it takes 1.5 hours.
The lab help is here.
The database used in this lab is 19.13.
Introduction
This workshop introduces the features and capabilities of Oracle Data Redaction. It gives users the opportunity to learn how to configure these features so that access to sensitive data is protected by redacting the data on the fly.
Objective: dynamically redact sensitive data so that it cannot be displayed outside the application.
Task 1: Create a basic Data Redaction policy
Enter the lab directory:
sudo su - oracle
cd $DBSEC_LABS/data-redaction
View the data before redaction:
./dr_query_employee_data.sh
The code actually executed and its output are:
==============================================================================
View sample data for table EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES...
==============================================================================
SQL> select userid, firstname, sin, ssn, nino, corporate_card from demo_hr_employees where sin is not null and rownum < 6
union all
select userid, firstname, sin, ssn, nino, corporate_card from demo_hr_employees where ssn is not null and rownum < 6
union all
select userid, firstname, sin, ssn, nino, corporate_card from demo_hr_employees where nino is not null and rownum < 6;
    USERID FIRSTNAME            SIN             SSN             NINO            CORPORATE_CARD
---------- -------------------- --------------- --------------- --------------- --------------------
        77 Alice                170-042-126                                     349662803496295
       100 Marilyn              209-388-160                                     3783 891728 47767
       105 Diana                992-21-7869                                     3489 086482 14372
       107 Louise               195-363-011                                     3743 055282 87577
       108 Lillian              310-358-573                                     3716 707331 74099
        73 Craig                                102-20-4997                     372940885312444
        75 Julie                                412-62-2417                     3778 531197 99440
        76 Ruby                                 537-78-8902                     3720 598915 03076
        78 Marilyn                              553-51-1031                     373107007661806
        79 Laura                                568-10-8709                     378570711697512
        74 Fred                                                 MN 33 14 95 E   344378880591602
        81 Martha                                               FZ 84 80 43 S   3497 291709 67610
        83 Melissa                                              YD 34 65 05 B   344288073235653
        85 Harry                                                MI 95 64 44 X   346882145317230
        87 Gloria                                               ZA 26 42 75 B   3413 932254 63782

15 rows selected.
View the data from the web application:
- http://<YOUR_DBSEC-LAB_VM_PUBLIC_IP>:8080/hr_prod_pdb1
- Username/password: hradmin/Oracle123
- Click Search Employees, enter the condition HR ID = 77, and click Search
Click the link under Full Name; the SSN section shows the original value.
Create the redaction policy PROTECT_EMPLOYEES:
./dr_redact_for_all.sh
The code actually executed and its output are as follows:
==============================================================================
Create a redaction policy for the DEMO_HR_EMPLOYEES table to redact data for all queries...
==============================================================================
-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
no rows selected
-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;
no rows selected
-- . Create the Data Redaction policy "PROTECT_EMPLOYEES" on "EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES"
SQL> BEGIN
DBMS_REDACT.ADD_POLICY (
OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD'
,object_name => 'DEMO_HR_EMPLOYEES'
,policy_name => 'PROTECT_EMPLOYEES'
,expression => '1=1');
END;
/
PL/SQL procedure successfully completed.
-- . Add the column "SIN" to redact by the Data Redaction policy created
SQL> BEGIN
DBMS_REDACT.ALTER_POLICY (
OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD'
,object_name => 'DEMO_HR_EMPLOYEES'
,policy_name => 'PROTECT_EMPLOYEES'
,action => DBMS_REDACT.ADD_COLUMN
,column_name => 'SIN'
,function_type => DBMS_REDACT.FULL );
END;
/
PL/SQL procedure successfully completed.
-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
POLICY_NAME                    EXPRESSION                               ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES              1=1                                      YES
-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;
OBJECT_OWNER        OBJECT_NAME          COLUMN_NAME     FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES    SIN             FULL REDACTION
Note: for all queries in every context (expression "1=1"), this policy (fully) redacts the data in the SIN column of table DEMO_HR_EMPLOYEES.
Query the data again:
./dr_query_employee_data.sh
The output is:
==============================================================================
View sample data for table EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES...
==============================================================================
    USERID FIRSTNAME            SIN             SSN             NINO            CORPORATE_CARD
---------- -------------------- --------------- --------------- --------------- --------------------
        77 Alice                                                                349662803496295
       100 Marilyn                                                              3783 891728 47767
       105 Diana                                                                3489 086482 14372
       107 Louise                                                               3743 055282 87577
       108 Lillian                                                              3716 707331 74099
        73 Craig                                102-20-4997                     372940885312444
        75 Julie                                412-62-2417                     3778 531197 99440
        76 Ruby                                 537-78-8902                     3720 598915 03076
        78 Marilyn                              553-51-1031                     373107007661806
        79 Laura                                568-10-8709                     378570711697512
        74 Fred                                                 MN 33 14 95 E   344378880591602
        81 Martha                                               FZ 84 80 43 S   3497 291709 67610
        83 Melissa                                              YD 34 65 05 B   344288073235653
        85 Harry                                                MI 95 64 44 X   346882145317230
        87 Gloria                                               ZA 26 42 75 B   3413 932254 63782

15 rows selected.
- The data in the SIN column is now fully redacted!
- A Data Redaction policy takes effect as soon as it is enabled; nothing has to be restarted
- Because Data Redaction is built into the Oracle core product, you only need to rerun the query to see the effect of the new Data Redaction policy on your sensitive data
- Note that the only action was on the database side, and nothing else... nothing had to be recoded on the application side!
Then press F5 in the browser to refresh the page; the data is no longer displayed.
This shows that the redaction policy also took effect immediately for the web application.
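As an added example, not one of the lab's scripts, the following SQL*Plus script builds the same PROTECT_EMPLOYEES policy step by step and then goes beyond the lab: SIN keeps the lab's FULL redaction, SSN gets PARTIAL redaction that leaves the last four digits visible, and CORPORATE_CARD gets a regular-expression rule that masks everything but the last four characters. The schema, table and column names are the lab's; the redaction functions chosen for SSN and CORPORATE_CARD and the exemption check at the end are additions made here. It assumes a DBA session with EXECUTE on DBMS_REDACT in the PDB that holds the lab schema, and it drops any existing policy first so it can be rerun.

```sql
-- Added example, not one of the LiveLabs scripts. Schema, table and the
-- SIN/SSN/CORPORATE_CARD column names are the lab's; the PARTIAL and REGEXP
-- choices and the exemption check are assumptions made here.
-- Run as a DBA (EXECUTE on DBMS_REDACT) in the PDB holding the lab schema.

-- 0. Start clean so the script can be rerun; ignore "policy does not exist".
BEGIN
  DBMS_REDACT.DROP_POLICY(
    object_schema => 'EMPLOYEESEARCH_PROD',
    object_name   => 'DEMO_HR_EMPLOYEES',
    policy_name   => 'PROTECT_EMPLOYEES');
EXCEPTION
  WHEN OTHERS THEN NULL;
END;
/

-- 1. Policy shell with no columns yet; '1=1' means "redact for every session".
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'EMPLOYEESEARCH_PROD',
    object_name   => 'DEMO_HR_EMPLOYEES',
    policy_name   => 'PROTECT_EMPLOYEES',
    expression    => '1=1');
END;
/

-- 2. SIN: FULL redaction, as in the lab. A VARCHAR2 column then reads as a
--    single space, a NUMBER column as 0, a DATE column as 01-JAN-01.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'EMPLOYEESEARCH_PROD',
    object_name   => 'DEMO_HR_EMPLOYEES',
    policy_name   => 'PROTECT_EMPLOYEES',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SIN',
    function_type => DBMS_REDACT.FULL);
END;
/

-- 3. SSN: PARTIAL redaction, 123-45-6789 -> XXX-XX-6789. REDACT_US_SSN_F5 is
--    the shipped format 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5' (V = digit, F = fixed
--    separator, X = mask character, positions 1..5 masked). PARTIAL expects
--    every stored value to have exactly this shape, which the lab's SSNs do.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'EMPLOYEESEARCH_PROD',
    object_name         => 'DEMO_HR_EMPLOYEES',
    policy_name         => 'PROTECT_EMPLOYEES',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5);
END;
/

-- 4. CORPORATE_CARD: the lab stores 15-digit values both with and without
--    spaces, so no single PARTIAL format fits. A REGEXP rule keeps the last
--    four characters and replaces the rest. A value the pattern does not match
--    is left as is by this rule, so test the pattern against every stored shape.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'EMPLOYEESEARCH_PROD',
    object_name           => 'DEMO_HR_EMPLOYEES',
    policy_name           => 'PROTECT_EMPLOYEES',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'CORPORATE_CARD',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => '^(.*)([0-9]{4})$',
    regexp_replace_string => '***********\2',
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_FIRST);
END;
/

-- 5. What is protected now, and how.
SELECT column_name, function_type, function_parameters, regexp_pattern
  FROM redaction_columns
 WHERE object_owner = 'EMPLOYEESEARCH_PROD'
   AND object_name  = 'DEMO_HR_EMPLOYEES'
 ORDER BY column_name;

-- 6. Who bypasses the policy whatever its expression says: SYS implicitly,
--    plus every holder of EXEMPT REDACTION POLICY, directly or through a role.
--    Review this list; it is the policy's real boundary.
SELECT grantee, 'DIRECT' AS granted_via
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT REDACTION POLICY'
UNION ALL
SELECT r.grantee, 'ROLE ' || r.granted_role
  FROM dba_role_privs r
  JOIN role_sys_privs p ON p.role = r.granted_role
 WHERE p.privilege = 'EXEMPT REDACTION POLICY';
```

Run it as a script in SQL*Plus. The first SELECT should list three protected columns with their function types; the second lists every account or role that sees clear text regardless of the policy expression (SYS is exempt implicitly and does not appear), which is the list to keep short and reviewed. DBMS_REDACT.DISABLE_POLICY and DBMS_REDACT.DROP_POLICY with the same three arguments reverse the setup.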
Task 2: Contextualize an existing Data Redaction policy
Now modify the redaction policy so that it redacts only queries that do not come from the web application (for this we need an expression with a "rule set").
./dr_redact_nonapp_queries.sh
The code actually executed and its output are:
==========================================================================
Modify the redaction policy to only redact non-Glassfish queries
==========================================================================
. We must update the script to have the fully-qualified hostname for your VM
Your machine is: dbsec-lab
. Your Rule Set will look like this:
'NOT (SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''EMPLOYEESEARCH_PROD'' AND SYS_CONTEXT(''USERENV'',''OS_USER'') = ''oracle'' AND SYS_CONTEXT(''USERENV'',''MODULE'') = ''JDBC Thin Client'' AND SYS_CONTEXT(''USERENV'',''HOST'') = ''dbsec-lab'')'
-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
POLICY_NAME                    EXPRESSION                               ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES              1=1                                      YES
-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;
OBJECT_OWNER        OBJECT_NAME          COLUMN_NAME     FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES    SIN             FULL REDACTION
-- . Add the Rule Set to the Data Redaction policy "PROTECT_EMPLOYEES"
SQL> BEGIN
DBMS_REDACT.ALTER_POLICY (
OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD'
,object_name => 'DEMO_HR_EMPLOYEES'
,policy_name => 'PROTECT_EMPLOYEES'
,action => DBMS_REDACT.MODIFY_EXPRESSION
,expression => $RULE_EXPR);
END;
/
PL/SQL procedure successfully completed.
-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
POLICY_NAME                    EXPRESSION                               ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES              NOT (SYS_CONTEXT('USERENV','SESSION_USER YES
                               ') = 'EMPLOYEESEARCH_PROD' AND SYS_CONTE
                               XT('USERENV','OS_USER') = 'oracle' AND S
                               YS_CONTEXT('USERENV','MODULE') = 'JDBC T
                               hin Client' AND SYS_CONTEXT('USERENV','H
                               OST') = 'dbsec-lab')
-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;
OBJECT_OWNER        OBJECT_NAME          COLUMN_NAME     FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES    SIN             FULL REDACTION
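The lab script substitutes the rule set through $RULE_EXPR, so the ALTER_POLICY call above never shows the literal. As an added example, not part of the lab, here is the same call written out with a q-quoted literal, followed by a self-check that evaluates the rule for the current session and a query that confirms the effect from SQL*Plus. The host name 'dbsec-lab' is the lab VM's; substitute your own. One caveat to keep in mind when writing such expressions: SESSION_USER is established by authentication, whereas OS_USER, MODULE and HOST are values reported by the client driver, so the SESSION_USER condition (or a secure application context) is the part of the rule to rely on, and the other three are convenience filters.

```sql
-- Added example, not one of the LiveLabs scripts. Same policy, schema and
-- rule as the lab; 'dbsec-lab' is the lab VM's host name.

-- 1. Redact unless the session looks like the Glassfish application's
--    JDBC connection. q'[...]' avoids doubling every quote in the expression.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'EMPLOYEESEARCH_PROD',
    object_name   => 'DEMO_HR_EMPLOYEES',
    policy_name   => 'PROTECT_EMPLOYEES',
    action        => DBMS_REDACT.MODIFY_EXPRESSION,
    expression    => q'[NOT (SYS_CONTEXT('USERENV','SESSION_USER') = 'EMPLOYEESEARCH_PROD'
                         AND SYS_CONTEXT('USERENV','OS_USER') = 'oracle'
                         AND SYS_CONTEXT('USERENV','MODULE') = 'JDBC Thin Client'
                         AND SYS_CONTEXT('USERENV','HOST') = 'dbsec-lab')]');
END;
/

-- 2. Self-check: show the four attributes the rule looks at and evaluate the
--    same predicate for this session. A policy expression redacts when it
--    evaluates to TRUE, which is what the CASE mirrors: REDACTED means any
--    SELECT on DEMO_HR_EMPLOYEES from this session returns a masked SIN.
SELECT SYS_CONTEXT('USERENV','SESSION_USER') AS session_user,
       SYS_CONTEXT('USERENV','OS_USER')      AS os_user,
       SYS_CONTEXT('USERENV','MODULE')       AS module,
       SYS_CONTEXT('USERENV','HOST')         AS host,
       CASE WHEN NOT (SYS_CONTEXT('USERENV','SESSION_USER') = 'EMPLOYEESEARCH_PROD'
                  AND SYS_CONTEXT('USERENV','OS_USER') = 'oracle'
                  AND SYS_CONTEXT('USERENV','MODULE') = 'JDBC Thin Client'
                  AND SYS_CONTEXT('USERENV','HOST') = 'dbsec-lab')
            THEN 'REDACTED' ELSE 'CLEAR' END AS this_session
  FROM dual;

-- 3. Confirm from SQL*Plus, whose session does not match the rule: SIN comes
--    back blank, while SSN and NINO (not yet in the policy) are still clear.
SELECT userid, firstname, sin, ssn, nino
  FROM employeesearch_prod.demo_hr_employees
 WHERE sin IS NOT NULL AND ROWNUM < 4;
```

Running step 2 from SQL*Plus on the VM as oracle shows OS_USER and HOST matching but MODULE reading SQL*Plus and SESSION_USER being whoever you connected as, hence REDACTED; the same query issued by the application reports CLEAR. Re-running step 2 after every change to the expression is the cheapest way to catch a rule that accidentally exempts administrative sessions.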
Adding new columns to an existing Data Redaction policy is easy; add the other columns (SSN and NINO) to the redaction policy:
./dr_add_redacted_columns.sh
The code actually executed and its output are:
==============================================================================
Add additional columns to the redaction policy...
==============================================================================
-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
POLICY_NAME                    EXPRESSION                               ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES              NOT (SYS_CONTEXT('USERENV','SESSION_USER YES
                               ') = 'EMPLOYEESEARCH_PROD' AND SYS_CONTE
                               XT('USERENV',