本文主要是介绍Oracle LiveLabs实验:DB Security - Data Redaction,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
概述
此实验申请地址在这里,时间为1.5小时。
实验帮助在这里。
本实验使用的数据库为19.13。
Introduction
本研讨会介绍了 Oracle 数据编辑的各种特性和功能。 它让用户有机会学习如何配置这些功能,以便通过即时编辑敏感数据来保护对敏感数据的访问。
目标:动态编辑敏感数据,防止其显示在应用程序之外。
Task 1: Create a basic Data Redaction policy
进入实验目录:
sudo su - oracle
cd $DBSEC_LABS/data-redaction
查看编辑前的数据:
./dr_query_employee_data.sh
实际执行的代码和输出为:
==============================================================================View sample data for table EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES...
==============================================================================SQL> select userid, firstname, sin, ssn, nino, corporate_card from demo_hr_employees where sin is not null and rownum < 6
union all
select userid, firstname, sin, ssn, nino, corporate_card from demo_hr_employees where ssn is not null and rownum < 6
union all
select userid, firstname, sin, ssn, nino, corporate_card from demo_hr_employees where nino is not null and rownum < 6;USERID FIRSTNAME SIN SSN NINO CORPORATE_CARD
---------- -------------------- --------------- --------------- --------------- --------------------77 Alice 170-042-126 349662803496295100 Marilyn 209-388-160 3783 891728 47767105 Diana 992-21-7869 3489 086482 14372107 Louise 195-363-011 3743 055282 87577108 Lillian 310-358-573 3716 707331 7409973 Craig 102-20-4997 37294088531244475 Julie 412-62-2417 3778 531197 9944076 Ruby 537-78-8902 3720 598915 0307678 Marilyn 553-51-1031 37310700766180679 Laura 568-10-8709 37857071169751274 Fred MN 33 14 95 E 34437888059160281 Martha FZ 84 80 43 S 3497 291709 6761083 Melissa YD 34 65 05 B 34428807323565385 Harry MI 95 64 44 X 34688214531723087 Gloria ZA 26 42 75 B 3413 932254 6378215 rows selected.
从Web应用端查看数据:
- http://<YOUR_DBSEC-LAB_VM_PUBLIC_IP>:8080/hr_prod_pdb1
- 用户名口令为:hradmin/Oracle123
- 单击Search Employees,输入条件HR ID = 77,单击Search
单击Full Name下的链接,可以看到SSN部分显示的是原始值:
创建编辑策略 PROTECT_EMPLOYEES:
./dr_redact_for_all.sh
实际执行的代码和输出如下:
==============================================================================Create a redaction policy for the DEMO_HR_EMPLOYEES table to redact data for all queries...
==============================================================================-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
no rows selected-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;
no rows selected-- . Create the Data Redaction policy "PROTECT_EMPLOYEES" on "EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES"
SQL> BEGINDBMS_REDACT.ADD_POLICY (OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD',object_name => 'DEMO_HR_EMPLOYEES',policy_name => 'PROTECT_EMPLOYEES',expression => '1=1');
END;
/PL/SQL procedure successfully completed.-- . Add the column "SIN" to redact by the Data Redaction policy created
SQL> BEGINDBMS_REDACT.ALTER_POLICY (OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD',object_name => 'DEMO_HR_EMPLOYEES',policy_name => 'PROTECT_EMPLOYEES',action => DBMS_REDACT.ADD_COLUMN,column_name => 'SIN',function_type => DBMS_REDACT.FULL );
END;
/PL/SQL procedure successfully completed.-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;POLICY_NAME EXPRESSION ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES 1=1 YES-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;:OBJECT_OWNER OBJECT_NAME COLUMN_NAME FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES SIN FULL REDACTION
注意:对于每个上下文中的所有查询(表达式“1=1”),此策略将(完整)编辑 DEMO_HR_EMPLOYEES 表中 SIN 列上的数据。
再次查看数据:
./dr_query_employee_data.sh
输出为:
==============================================================================View sample data for table EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES...
==============================================================================USERID FIRSTNAME SIN SSN NINO CORPORATE_CARD
---------- -------------------- --------------- --------------- --------------- --------------------77 Alice 349662803496295100 Marilyn 3783 891728 47767105 Diana 3489 086482 14372107 Louise 3743 055282 87577108 Lillian 3716 707331 7409973 Craig 102-20-4997 37294088531244475 Julie 412-62-2417 3778 531197 9944076 Ruby 537-78-8902 3720 598915 0307678 Marilyn 553-51-1031 37310700766180679 Laura 568-10-8709 37857071169751274 Fred MN 33 14 95 E 34437888059160281 Martha FZ 84 80 43 S 3497 291709 6761083 Melissa YD 34 65 05 B 34428807323565385 Harry MI 95 64 44 X 34688214531723087 Gloria ZA 26 42 75 B 3413 932254 6378215 rows selected.
- SIN 列中的数据已完全编辑!
- 数据编辑策略启用后立即生效,无需重新启动任何内容
- 由于 Data Redaction 已经嵌入到 Oracle 核心产品中,只需重新运行查询即可查看创建的 Data Redaction 策略对您的敏感数据的影响
- 请注意,您只需在数据库端进行操作,仅此而已……无需在应用程序端重新编码任何内容!
然后,在浏览器端按F5刷新页面,此时数据不显示了:
这说明在编辑策略对于Web应用也立即生效了。
Task 2: Contextualize an existing Data Redaction policy
现在,将编辑策略修改为仅编辑非 Web应用查询(为此,我们需要一个带有“规则集”的表达式)。
./dr_redact_nonapp_queries.sh
实际执行代码和输出为:
==========================================================================Modify the redaction policy to only redact non-Glassfish queries
==========================================================================
. We must update the script to have the fully-qualified hostname for your VMYour machine is: dbsec-lab
. Your Rule Set will look like this:
'NOT (SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''EMPLOYEESEARCH_PROD'' AND SYS_CONTEXT(''USERENV'',''OS_USER'') = ''oracle'' AND SYS_CONTEXT(''USERENV'',''MODULE'') = ''JDBC Thin Client'' AND SYS_CONTEXT(''USERENV'',''HOST'') = ''dbsec-lab'')'-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
POLICY_NAME EXPRESSION ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES 1=1 YES-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;OBJECT_OWNER OBJECT_NAME COLUMN_NAME FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES SIN FULL REDACTION-- . Add the Rule Set to the Data Redaction policy "PROTECT_EMPLOYEES"
SQL> BEGINDBMS_REDACT.ALTER_POLICY (OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD',object_name => 'DEMO_HR_EMPLOYEES',policy_name => 'PROTECT_EMPLOYEES',action => DBMS_REDACT.MODIFY_EXPRESSION,expression => ${RULE_EXPR});
END;
/PL/SQL procedure successfully completed.-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
POLICY_NAME EXPRESSION ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES NOT (SYS_CONTEXT('USERENV','SESSION_USER YES') = 'EMPLOYEESEARCH_PROD' AND SYS_CONTEXT('USERENV','OS_USER') = 'oracle' AND SYS_CONTEXT('USERENV','MODULE') = 'JDBC Thin Client' AND SYS_CONTEXT('USERENV','HOST') = 'dbsec-lab')--. Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;OBJECT_OWNER OBJECT_NAME COLUMN_NAME FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES SIN FULL REDACTION
在现有数据编校策略中添加新列很容易,请将其他列(SSN 和 NINO)添加到编校策略:
./dr_add_redacted_columns.sh
实际执行代码和输出为:
==============================================================================Add additional columns to the redaction policy...
==============================================================================--. Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;POLICY_NAME EXPRESSION ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES NOT (SYS_CONTEXT('USERENV','SESSION_USER YES') = 'EMPLOYEESEARCH_PROD' AND SYS_CONTEXT('USERENV','OS_USER') = 'oracle' AND SYS_CONTEXT('USERENV','MODULE') = 'JDBC Thin Client' AND SYS_CONTEXT('USERENV','HOST') = 'dbsec-lab')--. Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;OBJECT_OWNER OBJECT_NAME COLUMN_NAME FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES SIN FULL REDACTION--. Add the column "SSN" to redact by the Data Redaction policy "PROTECT_EMPLOYEES"
SQL> BEGINDBMS_REDACT.ALTER_POLICY (OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD',object_name => 'DEMO_HR_EMPLOYEES',policy_name => 'PROTECT_EMPLOYEES',action => DBMS_REDACT.ADD_COLUMN,column_name => 'SSN',function_type => DBMS_REDACT.FULL );
END;
/PL/SQL procedure successfully completed.--. Add the column "NINO" to redact by the Data Redaction policy "PROTECT_EMPLOYEES"
SQL> BEGINDBMS_REDACT.ALTER_POLICY (OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD',object_name => 'DEMO_HR_EMPLOYEES',policy_name => 'PROTECT_EMPLOYEES',action => DBMS_REDACT.ADD_COLUMN,column_name => 'NINO',function_type => DBMS_REDACT.FULL );
END;
/PL/SQL procedure successfully completed.--. Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;POLICY_NAME EXPRESSION ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES NOT (SYS_CONTEXT('USERENV','SESSION_USER YES') = 'EMPLOYEESEARCH_PROD' AND SYS_CONTEXT('USERENV','OS_USER') = 'oracle' AND SYS_CONTEXT('USERENV','MODULE') = 'JDBC Thin Client' AND SYS_CONTEXT('USERENV','HOST') = 'dbsec-lab')-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;OBJECT_OWNER OBJECT_NAME COLUMN_NAME FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES NINO FULL REDACTION
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES SIN FULL REDACTION
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES SSN FULL REDACTION
现在,此数据编辑策略也将应用于同一上下文的 SSN 和 NINO 列,使用非Web应用访问将看不到这几列的数据:
$ ./dr_query_employee_data.sh
==============================================================================View sample data for table EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES...
==============================================================================USERID FIRSTNAME SIN SSN NINO CORPORATE_CARD
---------- -------------------- --------------- --------------- --------------- --------------------77 Alice 349662803496295100 Marilyn 3783 891728 47767105 Diana 3489 086482 14372107 Louise 3743 055282 87577108 Lillian 3716 707331 7409973 Craig 37294088531244475 Julie 3778 531197 9944076 Ruby 3720 598915 0307678 Marilyn 37310700766180679 Laura 37857071169751274 Fred 34437888059160281 Martha 3497 291709 6761083 Melissa 34428807323565385 Harry 34688214531723087 Gloria 3413 932254 6378215 rows selected.
Web应用端仍可以看到所有敏感数据。
Task 3: (Optional) Drop the Data Redaction policy
完成实验后,您可以删除修订策略:
./dr_drop_redaction_policy.sh
实际执行代码和输出为:
==============================================================================Drop the redaction policy...
==============================================================================-- . Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
POLICY_NAME EXPRESSION ENABLE
------------------------------ ---------------------------------------- --------
PROTECT_EMPLOYEES NOT (SYS_CONTEXT('USERENV','SESSION_USER YES') = 'EMPLOYEESEARCH_PROD' AND SYS_CONTEXT('USERENV','OS_USER') = 'oracle' AND SYS_CONTEXT('USERENV','MODULE') = 'JDBC Thin Client' AND SYS_CONTEXT('USERENV','HOST') = 'dbsec-lab')-- . Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;OBJECT_OWNER OBJECT_NAME COLUMN_NAME FUNCTION_TYPE
------------------- -------------------- --------------- -------------------------
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES NINO FULL REDACTION
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES SIN FULL REDACTION
EMPLOYEESEARCH_PROD DEMO_HR_EMPLOYEES SSN FULL REDACTION-- . Drop the Data Redaction policy "PROTECT_EMPLOYEES"
SQL> BEGINDBMS_REDACT.DROP_POLICY (OBJECT_SCHEMA => 'EMPLOYEESEARCH_PROD',object_name => 'DEMO_HR_EMPLOYEES',policy_name => 'PROTECT_EMPLOYEES');
END;
/PL/SQL procedure successfully completed.--. Current Objects redacted by a Data Redaction policy
SQL> select object_owner, object_name, column_name, function_type from redaction_columns;
no rows selected. Current Data Redaction policies
SQL> select policy_name, expression, enable from redaction_policies;
no rows selected
现在,又可以查看到这几列的数据了:
$ ./dr_query_employee_data.sh
==============================================================================View sample data for table EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES...
==============================================================================USERID FIRSTNAME SIN SSN NINO CORPORATE_CARD
---------- -------------------- --------------- --------------- --------------- --------------------77 Alice 170-042-126 349662803496295100 Marilyn 209-388-160 3783 891728 47767105 Diana 992-21-7869 3489 086482 14372107 Louise 195-363-011 3743 055282 87577108 Lillian 310-358-573 3716 707331 7409973 Craig 102-20-4997 37294088531244475 Julie 412-62-2417 3778 531197 9944076 Ruby 537-78-8902 3720 598915 0307678 Marilyn 553-51-1031 37310700766180679 Laura 568-10-8709 37857071169751274 Fred MN 33 14 95 E 34437888059160281 Martha FZ 84 80 43 S 3497 291709 6761083 Melissa YD 34 65 05 B 34428807323565385 Harry MI 95 64 44 X 34688214531723087 Gloria ZA 26 42 75 B 3413 932254 6378215 rows selected.
Appendix: About the Product
在 Oracle 数据库核心产品中硬编码,此功能是高级安全选项 (ASO) 的一部分
数据编辑使您能够屏蔽(编辑)从应用程序发出的查询返回的数据。 我们也称之为动态数据屏蔽或动态数据脱敏。
您可以使用以下方法之一来编辑列数据:
- 完全编辑(Full redaction) 您编辑列数据的所有内容。 返回给查询用户的编辑值取决于列的数据类型。 例如,NUMBER 数据类型的列用零 (0) 编辑,字符数据类型用空格编辑。
- 部分编辑(Partial redaction) 您编辑了部分列数据。 例如,您可以使用星号 (*) 编辑大部分社会安全号码,但最后 4 位数字除外。
- 正则表达式(Regular expressions) 您可以在完全和部分编辑中使用正则表达式。 这使您能够根据数据的搜索模式来编辑数据。 例如,您可以使用正则表达式来编辑数据中的特定电话号码或电子邮件地址。
- 随机编辑(Random redaction) 每次显示时,呈现给查询用户的编辑数据显示为随机生成的值,具体取决于列的数据类型。
- 无编辑(No redaction) 此选项使您能够测试编校策略的内部操作,而不会影响针对已定义策略的表的查询结果。 您可以使用此选项在将编辑策略定义应用于生产环境之前对其进行测试。
数据编校在运行时执行编校,即用户尝试查看数据的那一刻。 此功能非常适合数据不断变化的动态生产系统。 在编辑数据时,Oracle 数据库能够正常处理所有数据并保留后端参照完整性约束。 数据编辑可以帮助您遵守支付卡行业数据安全标准 (PCI DSS) 和萨班斯-奥克斯利法案等行业法规。
使用 Oracle 数据编辑的好处:
- 您有不同风格的编辑可供选择
- 由于数据是在运行时编辑的,因此数据编辑非常适合数据不断变化的环境
- 您可以在一个中心位置创建数据编辑策略并从那里轻松管理它们
- 数据编校策略使您能够根据 SYS_CONTEXT 值创建各种功能条件,可在运行时使用这些条件来决定何时将数据编校策略应用于应用程序用户的查询结果
Want to Learn More?
参考文档:Data Redaction 19c
Acknowledgements
本实验的作者为Hakim Loumi,数据库安全的PM。贡献者为Rene Fontcha。
这篇关于Oracle LiveLabs实验:DB Security - Data Redaction的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
