Oracle LiveLabs lab: DB Security - Oracle Label Security (OLS)

Posted by dingdingfish



Overview

The lab can be requested here; it takes 30 minutes.

This lab is also the seventh lab (Lab 7) of the DB Security Advanced workshop.

The lab guide is here.

This lab uses Oracle Database 19.13 and Oracle Enterprise Manager 13.5.

Introduction

This workshop introduces the various features and capabilities of Oracle Label Security (OLS). It gives users the opportunity to learn how to configure these features to protect their sensitive data, help track consent, and enforce processing restrictions required by regulations such as the General Data Protection Regulation (GDPR).

Task 1: Simple CRM Application

Different applications serve different purposes:

  • User application
    • Application: users set their preferences to consent to marketing, to data processing, or to ask to be forgotten
    • User label: NCNST::DP; database user: APPPREFERENCE
  • Email marketing
    • Application: can only access users who consented to have their data processed, and specifically for email marketing
    • User label: CONS::EMAIL; database user: APPMKT
  • Business intelligence
    • Application: can access all users who consented to have their data processed
    • User label: CONS::DP; database user: APPBI
  • Anonymizer
    • Batch process that anonymizes user records and sets the data label to ANON::
    • User label: FORGET::; database user: APPFORGET

Although we provide scripts to run the whole lab end to end in an automated way, it is strongly recommended that you open the scripts one by one and copy/execute the code blocks one at a time. That way you will better understand the building blocks of this exercise. If you decide to run the scripts one by one, you can always review the log files (.out) for details.

Go to the lab directory:

sudo su - oracle
cd $DBSEC_LABS/label-security

First set up the Label Security environment; the output is written to ols_setup_env.out:

./ols_setup_env.sh

This script:

  • Creates the C##OSCAR_OLS user (in the CDB), creates the tables, loads the data and creates the users that will be used to show the different scenarios (in the PDB); it also configures and enables OLS
  • Calls the load_crm_customer_data.sql script to create the table CRM_CUSTOMER in the APPCRM schema and insert 391 rows

Next, you create the Label Security policy. A policy consists of levels, groups and/or compartments. The only mandatory component of a policy is at least one level:

./ols_create_policy.sh

The output is:

==============================================================================
 Create the Label Security policy "OLS_DEMO_GDPR"...
==============================================================================

CON_NAME
------------------------------
PDB1
USER is "C##OSCAR_OLS"

-------------------------------------------

. STEP 1: CREATE OLS POLICY (OLS_DEMO_GDPR)

-------------------------------------------


PL/SQL procedure successfully completed.


-------------------------------------------

. STEP 2: CREATE LEVELS

  10 - CONSENT (CNST)

  20 - ANONYMIZED (ANON)

  30 - FORGET (FRGT)

  40 - NOCONSENT (NCNST)

-------------------------------------------


... Create CONSENT level

PL/SQL procedure successfully completed.

... Create ANONYMIZED level

PL/SQL procedure successfully completed.

... Create FORGET level

PL/SQL procedure successfully completed.

... Create NOCONSENT level

PL/SQL procedure successfully completed.


---------------------------------------------------------

. STEP 3: CREATE GROUPS

  Here we used a hierarchy of groups to control

  which data can be processed (based on given consent):

  1000 - DATA_PROCESSING (DT_PROD)

    1100 - CAMPAIGN_MGMT (CAMP_MGMT)

         1110 - EMAIL

         1120 - POST_MAIL

         1130 - WEB_ADS

    1200 - ANALYTICS

         1210 - RECOMMENDATION_ENGINE (REC_ENGINE)

    1300 - THIRDPARTY

         1310 - CONTACT_DETAILS (CONTACT_DET)

         1320 - PREFERENCE_DETAILS (PREF_DETAILS)

         1330 - PURCHASE_HIST (PURCH_HIST)

---------------------------------------------------------


... Create DATA_PROCESSING group

PL/SQL procedure successfully completed.

... ... Create CAMPAIGN_MGMT group

PL/SQL procedure successfully completed.

... ... ... Create EMAIL group

PL/SQL procedure successfully completed.

... ... ... Create POST_MAIL group

PL/SQL procedure successfully completed.

... ... ... Create ONLINE_ADS group

PL/SQL procedure successfully completed.

... ... Create ANALYTICS group

PL/SQL procedure successfully completed.

... ... ... Create REC_ENGINE group

PL/SQL procedure successfully completed.

... ... Create THIRDPARTY group

PL/SQL procedure successfully completed.

... ... ... Create CONTACT_DETAILS group

PL/SQL procedure successfully completed.

... ... ... Create PREFERENCE_DETAILS group

PL/SQL procedure successfully completed.

... ... ... Create PURCHASE_HIST group

PL/SQL procedure successfully completed.


------------------------------------------------------------

. STEP 4: CREATE LABELS

  The label is automatically designated as a valid data label

  This functionality limits the labels that can be assigned to data

  If a user widthraws consent the row label will have that compartment removed

  Allowed Labels (Trim down/add to suite the use cases):

  CNST::                                                500

  FORGET::                                              700

  ANON::                                                800

  NOCONSENT::                                           999

  ---------

    CNST::DT_PROC                                      1000

      CNST::CAMP_MGMT                                  1100

        CNST::EMAIL                                    1110

        CNST::POST_MAIL                                1120

        CNST::WEB_ADS                                  1130

        CNST::EMAIL,POST_MAIL                          1140

        CNST::EMAIL,ANALYTICS                          1145

        CNST::EMAIL,WEB_ADS                            1150

        CNST::CAMP_MGMT,ANALYTICS,THIRDPARTY           1160

        CNST::CAMP_MGMT,ANALYTICS                      1170

        CNST::CAMP_MGMT,THIRDPARTY                     1180

        CNST::ANALYTICS,THIRDPARTY                     1190

        CNST::POST_MAIL,WEB_ADS                        1195

  ---------

      CNST::ANALYTICS                                  1200

        CNST::REC_ENGINE                               1210

  ---------

      CNST::THIRDPARTY                                 1300

        CNST::CONTACT_DETAILS                          1310

        CNST::PREF_DETAILS                             1320

        CNST::PURCH_HIST                               1330

        CNST::CONTACT_DETAILS,PREF_DETAILS             1340

        CNST::CONTACT_DETAILS,PURCH_HIST               1350

        CNST::PREF_DETAILS,PURCH_HIST                  1360

------------------------------------------------------------

...
. STEP 5: ASSING LEVELS TO USERS

  Users                | Levels

  ---------------------|------------------------------------------------

  APPPREFERENCE        | Can process all data

                       | . Level Min (CNST) and Level Max (NCNST)

                       | . Group (DT_PROC)

  ---------------------|------------------------------------------------

  APPFORGET            | Can process data marked as to be forgotten

                       | . Level Min (ANON) and Level Max (FRGT)

  ---------------------|------------------------------------------------

  APPMKT               | Can process data belonging to group EMAIL only

                       | . Level Min (CNST) and Level Max (CNST)

                       | . Group (EMAIL)

  ---------------------|------------------------------------------------

  APPBI                | Can process data belonging to group ANALYTICS

                       | . Level Min (ANON) and Level Max (ANON)

                       | . Group (ANALYTICS)

  ---------------------|------------------------------------------------

  APP3RD               | Can process data belonging to group THIRDPARTY

                       | . Level Min (CNST) and Level Max (CNST)

                       | . Group (THIRDPARTY)

------------------------------------------------------------------------


... Set Levels for APPPREFERENCE

PL/SQL procedure successfully completed.

... ... prompt Set Group for APPPREFERENCE

PL/SQL procedure successfully completed.

... Set Level for APPFORGET

PL/SQL procedure successfully completed.

... Set Level for APPMKT

PL/SQL procedure successfully completed.

... ... Set Group for APPMKT

PL/SQL procedure successfully completed.

... Set Level for APPBI

PL/SQL procedure successfully completed.

... ... Set Group for APPBI

PL/SQL procedure successfully completed.

... Set Level for APP3RD

PL/SQL procedure successfully completed.

... ... Set Group for APP3RD

PL/SQL procedure successfully completed.


----------------------------------------------------

. STEP 6: APPLY THE OLS POLICY

----------------------------------------------------


PL/SQL procedure successfully completed.

This script creates the policy (levels, groups and labels), sets levels and groups for the users, and applies the policy to the APPCRM.CRM_CUSTOMER table. For each step you can review the output of the script you ran (for example, "more ols_create_policy.out").

Then we must label the data... We use the policy we created and apply a level, one or more compartments (optional), and one or more groups (optional).


The output is as follows:

==============================================================================
 Label the data...
==============================================================================

CON_NAME
------------------------------
PDB1
USER is "SYS"

-- . ANON - Already anonymized: 10 records
SQL> 
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','ANON')
where customerid between 51 and 60;

10 rows updated.


-- . CNST::ANALYTICS - Consented to be processed for analytics: 200 records
SQL> 
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','CNST::ANALYTICS')
where customerid between 66 and 265;

200 rows updated.


. CNST::EMAIL - Consented to be processed for email: 123 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','CNST::EMAIL')
where customerid between 266 and 388;

123 rows updated.


. CNST::EMAIL,ANALYTICS - Consented to be processed for email and bi: 3 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','CNST::EMAIL,ANALYTICS')
where customerid >= 389;

3 rows updated.


-- . FRGT - Asked to be forgotten: 5 records
SQL> 
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','FRGT')
where customerid between 61 and 65;

5 rows updated.


-- . NCNST - Did not consent or revoked consent: 50 records
SQL> 
UPDATE APPCRM.CRM_CUSTOMER
SET GDPR_COL = CHAR_TO_LABEL('OLS_DEMO_GDPR','NCNST')
where customerid between 1 and 50;

50 rows updated.


Commit complete.


. Show the count per Label
SQL> 
SELECT LABEL_TO_CHAR (GDPR_COL) label, count(*) count
  FROM APPCRM.CRM_CUSTOMER
 GROUP BY GDPR_COL
 ORDER BY label;

LABEL                                                 COUNT
-------------------------------------------------- --------
ANON                                                     10
CNST::ANALYTICS                                         200
CNST::EMAIL                                             123
CNST::EMAIL,ANALYTICS                                     3
FRGT                                                      5
NCNST                                                    50

6 rows selected.

The first argument of CHAR_TO_LABEL is the policy name and the second is the label.

This script updates the data labels to create the various labels that will be used in the scenarios. In a real-world scenario, it is recommended to create a labeling function that assigns the label based on other existing table data (other columns). For each step you can review the output of the script you ran (for example, "more ols_label_data.out").

Next we see Label Security in action, querying the same table as different users:

$ ./ols_label_sec_in_action.sh

==============================================================================
 Connects as different apps would be connecting to see records that they would be able to process...
==============================================================================

. Marketing App would only show 126 records
(Can process data labeled: CNST::EMAIL and CNST::ANALYTICS, EMAIL)

  COUNT(*)
----------
       126


. BI App would only show 213 records
(Can process data labeled: ANON, CNST::ANALYTICS, CNST::ANALYTICS, EMAIL)

  COUNT(*)
----------
       213


. FORGET App would only show 15 records
(Can process data labeled: FRGT and ANON)

  COUNT(*)
----------
        15


. APPPREFERENCE App can be used to set consent
(Can process ALL records - 391)

  COUNT(*)
----------
       391


. What labels are currently in session?

LABEL
------------------------------------------------------------------------------------------------------------------------------------------------------------------
NCNST::DT_PROC,CAMP_MGMT,EMAIL,POST_MAIL,WEB_ADS,ANALYTICS,REC_ENGINE,THIRDPARTY,CONTACT_DET,PREF_DETAILS,PURCH_HIST


. What is the session row label?

SA_SESSION.ROW_LABEL('OLS_DEMO_GDPR')
------------------------------------------------------------------------------------------------------------------------------------------------------------------
CNST::DT_PROC

Each application only sees the records it is able to process. For example, AppMKT (the application used to send emails to customers) can only see records labeled CNST::EMAIL; AppBI can see records labeled ANON and CNST::ANALYTICS (rows labeled at level CNST and belonging to group Analytics, which also applies to CNST::ANALYTICS, EMAIL).
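To make the counts above reproducible, here is an added example (not code from the LiveLabs lab or from Oracle) that simulates the OLS read-access rule on the OLS_DEMO_GDPR policy: a user may read a row when the user's maximum level dominates the row level, the user holds every compartment in the row label, and, if the row label carries groups, the user holds at least one of them, where a parent group covers its children. The levels, the group hierarchy, the user authorizations (STEP 2, 3 and 5 of the policy output) and the per-label row counts (the "Show the count per Label" query) are taken from the script output on this page; the names LEVELS, GROUP_PARENT, USER_AUTH, DATA_LABEL_COUNTS, parse_label, can_read and visible_row_count are my own. It simplifies by evaluating the user's maximum level and granted groups directly, whereas the database evaluates the session label; no compartments are defined in this policy, so every user holds none.

```python
# Added example: simulation of the OLS read-access rule for the OLS_DEMO_GDPR
# policy described in the lab output. Not the lab's or Oracle's own code.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# STEP 2 levels (short name -> level number); a higher number is more sensitive.
LEVELS: Dict[str, int] = {"CNST": 10, "ANON": 20, "FRGT": 30, "NCNST": 40}

# STEP 3 group hierarchy, recorded as child -> parent (None marks the root).
GROUP_PARENT: Dict[str, Optional[str]] = {
    "DT_PROC": None,
    "CAMP_MGMT": "DT_PROC", "EMAIL": "CAMP_MGMT",
    "POST_MAIL": "CAMP_MGMT", "WEB_ADS": "CAMP_MGMT",
    "ANALYTICS": "DT_PROC", "REC_ENGINE": "ANALYTICS",
    "THIRDPARTY": "DT_PROC", "CONTACT_DET": "THIRDPARTY",
    "PREF_DETAILS": "THIRDPARTY", "PURCH_HIST": "THIRDPARTY",
}

# STEP 5 user authorizations: (maximum level, compartments, directly granted groups).
# The policy defines no compartments, so every user holds an empty set of them.
USER_AUTH: Dict[str, Tuple[str, FrozenSet[str], FrozenSet[str]]] = {
    "APPPREFERENCE": ("NCNST", frozenset(), frozenset({"DT_PROC"})),
    "APPFORGET":     ("FRGT",  frozenset(), frozenset()),
    "APPMKT":        ("CNST",  frozenset(), frozenset({"EMAIL"})),
    "APPBI":         ("ANON",  frozenset(), frozenset({"ANALYTICS"})),
    "APP3RD":        ("CNST",  frozenset(), frozenset({"THIRDPARTY"})),
}

# Row labels and counts as reported by the "Show the count per Label" query.
DATA_LABEL_COUNTS: Dict[str, int] = {
    "ANON": 10, "CNST::ANALYTICS": 200, "CNST::EMAIL": 123,
    "CNST::EMAIL,ANALYTICS": 3, "FRGT": 5, "NCNST": 50,
}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str]
    groups: FrozenSet[str]


def parse_label(text: str) -> Label:
    """Parse the OLS character form LEVEL:COMP,...:GROUP,... (e.g. 'CNST::EMAIL')."""
    parts = (text.split(":") + ["", ""])[:3]

    def to_set(s: str) -> FrozenSet[str]:
        return frozenset(p.strip() for p in s.split(",") if p.strip())

    return Label(parts[0].strip(), to_set(parts[1]), to_set(parts[2]))


def group_with_ancestors(group: str) -> FrozenSet[str]:
    """A group together with every parent above it: a parent group covers its children."""
    chain, cur = set(), group
    while cur is not None:
        chain.add(cur)
        cur = GROUP_PARENT[cur]
    return frozenset(chain)


def can_read(user: str, data_label: str) -> bool:
    """Read-access check: level dominance, all compartments held, at least one group held."""
    max_level, user_comps, user_groups = USER_AUTH[user]
    row = parse_label(data_label)
    if LEVELS[max_level] < LEVELS[row.level]:
        return False                       # row is more sensitive than the user may read
    if not row.compartments <= user_comps:
        return False                       # a compartment on the row is missing from the user
    if row.groups:                         # groups are only enforced when the row has some
        return any(group_with_ancestors(g) & user_groups for g in row.groups)
    return True


def visible_row_count(user: str) -> int:
    """Number of CRM_CUSTOMER rows the user would see under the policy."""
    return sum(n for lbl, n in DATA_LABEL_COUNTS.items() if can_read(user, lbl))


if __name__ == "__main__":
    for app in USER_AUTH:
        print(f"{app:14s} sees {visible_row_count(app):3d} rows")
```

Running it reproduces the four counts printed by ols_label_sec_in_action.sh (126, 213, 15 and 391): the three CNST::EMAIL,ANALYTICS rows are visible to both APPMKT and APPBI because one matching group is enough, and only APPPREFERENCE reaches the NCNST rows because NOCONSENT is the highest level and DT_PROC is the root of the group tree. For APP3RD, whose count the lab does not print, the same rule yields no rows, since no labeled row carries a THIRDPARTY group.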

Now we change the status of UserID 100 to "to be forgotten".

$ ./ols_to_be_forgotten.sh

=====================================