Oracle LiveLabs Lab: DB Security - ASO (Data Redaction)

Posted dingdingfish


Overview

The lab can be requested here; it takes 1.5 hours.

The lab help is here.

The database used in this lab is 19.13.

Introduction

This workshop introduces the various features and capabilities of Oracle Data Redaction. It gives users the opportunity to learn how to configure these features so that access to sensitive data is protected by redacting the data on the fly.

Objective: redact sensitive data dynamically so that it is not displayed outside the application.

Task 1: Create a basic Data Redaction policy

Enter the lab directory:

sudo su - oracle
cd $DBSEC_LABS/data-redaction

View the data before redaction:

./dr_query_employee_data.sh

The code actually executed and its output:

==============================================================================
 View sample data for table EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES...
==============================================================================

SQL> select userid, firstname, sin, ssn, nino, corporate_card from demo_hr_employees where sin is not null and rownum < 6
union all
select userid, firstname, sin, ssn, nino, corporate_card from demo_hr_employees where ssn is not null and rownum < 6
union all
select userid, firstname, sin, ssn, nino, corporate_card from demo_hr_employees where nino is not null and rownum < 6;

    USERID FIRSTNAME            SIN             SSN             NINO            CORPORATE_CARD
---------- -------------------- --------------- --------------- --------------- --------------------
        77 Alice                170-042-126                                     349662803496295
       100 Marilyn              209-388-160                                     3783 891728 47767
       105 Diana                992-21-7869                                     3489 086482 14372
       107 Louise               195-363-011                                     3743 055282 87577
       108 Lillian              310-358-573                                     3716 707331 74099
        73 Craig                                102-20-4997                     372940885312444
        75 Julie                                412-62-2417                     3778 531197 99440
        76 Ruby                                 537-78-8902                     3720 598915 03076
        78 Marilyn                              553-51-1031                     373107007661806
        79 Laura                                568-10-8709                     378570711697512
        74 Fred                                                 MN 33 14 95 E   344378880591602
        81 Martha                                               FZ 84 80 43 S   3497 291709 67610
        83 Melissa                                              YD 34 65 05 B   344288073235653
        85 Harry                                                MI 95 64 44 X   346882145317230
        87 Gloria                                               ZA 26 42 75 B   3413 932254 63782

15 rows selected.

View the data from the web application:

  • http://<YOUR_DBSEC-LAB_VM_PUBLIC_IP>:8080/hr_prod_pdb1
  • Username/password: hradmin/Oracle123
  • Click Search Employees, enter the condition HR ID = 77, and click Search


Click the link under Full Name; the SSN field shows the original value:

Create the redaction policy PROTECT_EMPLOYEES:

./dr_redact_for_all.sh

The code actually executed and its output are as follows:

==============================================================================
 Create a redaction policy for the DEMO_HR_EMPLOYEES table to redact data for all queries...
==============================================================================

-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
no rows selected


-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;
no rows selected


-- . Create the Data Redaction policy "PROTECT_EMPLOYEES" on "EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES"
SQL> BEGIN
 DBMS_REDACT.ADD_POLICY  (
    OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD'
   ,object_name => 'DEMO_HR_EMPLOYEES'
   ,policy_name => 'PROTECT_EMPLOYEES'
   ,expression => '1=1');
END;
/

PL/SQL procedure successfully completed.


-- . Add the column "SIN" to redact by the Data Redaction policy created
SQL> BEGIN
 DBMS_REDACT.ALTER_POLICY  (
    OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD'
   ,object_name => 'DEMO_HR_EMPLOYEES'
   ,policy_name => 'PROTECT_EMPLOYEES'
   ,action => DBMS_REDACT.ADD_COLUMN
   ,column_name => 'SIN'
   ,function_type => DBMS_REDACT.FULL );
END;
/

PL/SQL procedure successfully completed.


-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;

POLICY_NAME                    EXPRESSION                               ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES              1=1                                      YES


-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;

OBJECT_OWNER        OBJECT_NAME          COLUMN_NAME     FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES    SIN             FULL REDACTION

Note: for all queries in every context (expression "1=1"), this policy (fully) redacts the data in the SIN column of the DEMO_HR_EMPLOYEES table.

View the data again:

./dr_query_employee_data.sh

Output:

==============================================================================
 View sample data for table EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES...
==============================================================================

    USERID FIRSTNAME            SIN             SSN             NINO            CORPORATE_CARD
---------- -------------------- --------------- --------------- --------------- --------------------
        77 Alice                                                                349662803496295
       100 Marilyn                                                              3783 891728 47767
       105 Diana                                                                3489 086482 14372
       107 Louise                                                               3743 055282 87577
       108 Lillian                                                              3716 707331 74099
        73 Craig                                102-20-4997                     372940885312444
        75 Julie                                412-62-2417                     3778 531197 99440
        76 Ruby                                 537-78-8902                     3720 598915 03076
        78 Marilyn                              553-51-1031                     373107007661806
        79 Laura                                568-10-8709                     378570711697512
        74 Fred                                                 MN 33 14 95 E   344378880591602
        81 Martha                                               FZ 84 80 43 S   3497 291709 67610
        83 Melissa                                              YD 34 65 05 B   344288073235653
        85 Harry                                                MI 95 64 44 X   346882145317230
        87 Gloria                                               ZA 26 42 75 B   3413 932254 63782

15 rows selected.
  • The data in the SIN column is now fully redacted!
  • A Data Redaction policy takes effect immediately once enabled; nothing needs to be restarted
  • Because Data Redaction is built into the Oracle core product, simply re-running the query shows the effect of the newly created Data Redaction policy on your sensitive data
  • Note that everything was done on the database side, and nothing more: nothing needs to be recoded on the application side!

Then press F5 in the browser to refresh the page; the data is no longer displayed:

This shows that the redaction policy also took effect immediately for the web application.

Task 2: Contextualize an existing Data Redaction policy

Now modify the redaction policy so that it redacts only queries that do not come from the web application (for this we need an expression with a "rule set").

./dr_redact_nonapp_queries.sh

The code actually executed and its output:

==========================================================================
 Modify the redaction policy to only redact non-Glassfish queries
==========================================================================
. We must update the script to have the fully-qualified hostname for your VM
  Your machine is: dbsec-lab
. Your Rule Set will look like this:
'NOT (SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''EMPLOYEESEARCH_PROD'' AND SYS_CONTEXT(''USERENV'',''OS_USER'') = ''oracle'' AND SYS_CONTEXT(''USERENV'',''MODULE'') = ''JDBC Thin Client'' AND SYS_CONTEXT(''USERENV'',''HOST'') = ''dbsec-lab'')'

-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
POLICY_NAME                    EXPRESSION                               ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES              1=1                                      YES


-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;

OBJECT_OWNER        OBJECT_NAME          COLUMN_NAME     FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES    SIN             FULL REDACTION


-- . Add the Rule Set to the Data Redaction policy "PROTECT_EMPLOYEES"
SQL> BEGIN
  DBMS_REDACT.ALTER_POLICY  (
     OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD'
    ,object_name => 'DEMO_HR_EMPLOYEES'
    ,policy_name => 'PROTECT_EMPLOYEES'
    ,action => DBMS_REDACT.MODIFY_EXPRESSION
    ,expression => $RULE_EXPR);
END;
/

PL/SQL procedure successfully completed.


-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
POLICY_NAME                    EXPRESSION                               ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES              NOT (SYS_CONTEXT('USERENV','SESSION_USER YES
                               ') = 'EMPLOYEESEARCH_PROD' AND SYS_CONTE
                               XT('USERENV','OS_USER') = 'oracle' AND S
                               YS_CONTEXT('USERENV','MODULE') = 'JDBC T
                               hin Client' AND SYS_CONTEXT('USERENV','H
                               OST') = 'dbsec-lab')



--. Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;

OBJECT_OWNER        OBJECT_NAME          COLUMN_NAME     FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES    SIN             FULL REDACTION

Adding new columns to an existing Data Redaction policy is easy. Add the other columns (SSN and NINO) to the redaction policy:

./dr_add_redacted_columns.sh

The code actually executed and its output:

==============================================================================
 Add additional columns to the redaction policy...
==============================================================================

--. Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;

POLICY_NAME                    EXPRESSION                               ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES              NOT (SYS_CONTEXT('USERENV','SESSION_USER YES
                               ') = 'EMPLOYEESEARCH_PROD' AND SYS_CONTE
                               XT('USERENV',
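The steps of Task 1 and Task 2 consolidated into one PL/SQL block, as an added example written for this page (not one of the lab's own dr_*.sh scripts). It assumes the lab's schema, table and host name 'dbsec-lab' and EXECUTE on DBMS_REDACT; the SSN column goes beyond the lab by using PARTIAL redaction with Oracle's predefined REDACT_US_SSN_F5 format, while SIN and NINO stay FULL as in the lab.

```sql
-- Constructed example, not one of the lab's dr_*.sh scripts. Run in the PDB that
-- holds EMPLOYEESEARCH_PROD as a user with EXECUTE on DBMS_REDACT; replace
-- 'dbsec-lab' with your VM's host name as the database sees it.
BEGIN
  -- Task 1: create the policy. ADD_POLICY can take the first column directly,
  -- so SIN is added here instead of in a separate ALTER_POLICY call.
  -- '1=1' means the policy applies to every session.
  DBMS_REDACT.ADD_POLICY(
      object_schema => 'EMPLOYEESEARCH_PROD'
     ,object_name   => 'DEMO_HR_EMPLOYEES'
     ,policy_name   => 'PROTECT_EMPLOYEES'
     ,column_name   => 'SIN'
     ,function_type => DBMS_REDACT.FULL      -- SIN is returned as NULL
     ,expression    => '1=1');
  -- Task 2, second script: add SSN and NINO. NINO stays FULL as in the lab.
  -- SSN goes beyond the lab: PARTIAL with Oracle's predefined US SSN format,
  -- which masks the first five digits and keeps the last four (XXX-XX-1031).
  DBMS_REDACT.ALTER_POLICY(
      object_schema       => 'EMPLOYEESEARCH_PROD'
     ,object_name         => 'DEMO_HR_EMPLOYEES'
     ,policy_name         => 'PROTECT_EMPLOYEES'
     ,action              => DBMS_REDACT.ADD_COLUMN
     ,column_name         => 'SSN'
     ,function_type       => DBMS_REDACT.PARTIAL
     ,function_parameters => DBMS_REDACT.REDACT_US_SSN_F5);
  DBMS_REDACT.ALTER_POLICY(
      object_schema => 'EMPLOYEESEARCH_PROD'
     ,object_name   => 'DEMO_HR_EMPLOYEES'
     ,policy_name   => 'PROTECT_EMPLOYEES'
     ,action        => DBMS_REDACT.ADD_COLUMN
     ,column_name   => 'NINO'
     ,function_type => DBMS_REDACT.FULL);
  -- Task 2, first script: redact only sessions that are NOT the Glassfish app.
  -- OS_USER, MODULE and HOST are reported by the client; SESSION_USER is the
  -- authenticated account, so keep it in any rule set that exempts an application.
  DBMS_REDACT.ALTER_POLICY(
      object_schema => 'EMPLOYEESEARCH_PROD'
     ,object_name   => 'DEMO_HR_EMPLOYEES'
     ,policy_name   => 'PROTECT_EMPLOYEES'
     ,action        => DBMS_REDACT.MODIFY_EXPRESSION
     ,expression    => q'[NOT (SYS_CONTEXT('USERENV','SESSION_USER') = 'EMPLOYEESEARCH_PROD']'
                    || q'[ AND SYS_CONTEXT('USERENV','OS_USER') = 'oracle']'
                    || q'[ AND SYS_CONTEXT('USERENV','MODULE') = 'JDBC Thin Client']'
                    || q'[ AND SYS_CONTEXT('USERENV','HOST') = 'dbsec-lab')]');
END;
/
-- Verify the policy, its rule set and the three redacted columns.
SELECT policy_name, expression, enable FROM redaction_policies;
SELECT column_name, function_type, function_parameters FROM redaction_columns WHERE object_name = 'DEMO_HR_EMPLOYEES';
```

After the block, ./dr_query_employee_data.sh from a SQL*Plus session (which is not the Glassfish client) should show SIN and NINO blank and SSN as XXX-XX-nnnn, while the web application at /hr_prod_pdb1 still sees the clear values.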
