Oracle security 06-implementing oracle label security
  1. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
     Implementing Oracle Label Security
  2. Objectives
     After completing this lesson, you should be able to implement a simple Oracle Label Security policy by:
     • Describing Oracle Label Security
     • Installing Oracle Label Security
     • Creating policies
     • Defining labels
     • Setting up user authorizations
     • Applying policies to tables
  3. Access Control: Overview
     Oracle provides two complementary access control models:
     • Discretionary access control (DAC)
       – Allows only grant and revoke
       – Controls access on an entire object
       – Controls access by privilege
     • Row-level security
       – Allows sophisticated access rules
       – Supplements DAC
       – Is provided by the Virtual Private Database and Oracle Label Security
     DAC and row-level security together dictate row access.
  4. Discretionary Access Control
     (Diagram: users Joe and Fred; object privileges are granted to or revoked from each user.)
       GRANT SELECT ON emp TO JOE;
       REVOKE SELECT ON emp FROM FRED;
  5. Oracle Label Security
     (Diagram: a SQL request is checked first by discretionary access control, that is object privileges, and then by the label security policy, that is row-level security.)
  6. How Sensitivity Labels Are Used
     (Diagram: labels express the data sensitivity of data and the authorizations of users, for example Secret and Top Secret; access mediation compares the two.)
  7. Installing Oracle Label Security
     To install Oracle Label Security, perform the following steps:
     1. Use the Custom Install option of Oracle Universal Installer (OUI) to add the Oracle Label Security components.
     2. Use the Database Configuration Assistant (DBCA) to configure Oracle Label Security.
  8. Oracle Label Security: Features
     Oracle Label Security provides:
     • Row-level security based on the VPD technology
     • A complete infrastructure for managing label security policies, sensitivity labels, and user security clearances
     • Oracle Policy Manager, a graphical user interface for managing Oracle Label Security
     • Integration with Oracle Identity Management, starting in Oracle Database 10g Release 1
  9. Comparing Oracle Label Security and the VPD
     The VPD provides:
     • An API for implementing row-level security by using application context and PL/SQL
     Oracle Label Security provides:
     • A system evaluated under Common Criteria EAL 4
     • All required packages for access mediation
     • A complete data dictionary for managing policies, sensitivity labels, and user clearances
     • A complete user interface for managing Oracle Label Security
     • Integration with Oracle Identity Management
  10. When to Use Oracle Label Security
     VPD:
     • Uses existing user attributes
     • Uses natural data attributes
     Oracle Label Security:
     • Uses created user labels
     • Uses assigned data labels
  11. Implementing the Oracle Label Security Policy
     The steps to implement an Oracle Label Security solution are:
     1. Develop a strategy to understand the security problem.
     2. Analyze the data levels in the application.
     3. Create policies.
     4. Define labels.
     5. Assign user authorizations.
     6. Apply policies.
     7. Review and document your policy decisions.
  12. Analyzing the Needs
     • Identify the application tables that need Oracle Label Security:
       – The majority of the tables do not require Oracle Label Security.
       – Use existing tools when possible.
       – Do not apply Oracle Label Security to everything.
       – Identify important application queries where possible.
     • Discretionary access control (DAC) is sufficient for most tables:
       – Database roles
       – Secure application roles
       – Stored procedures and functions
  13. Creating Policies
     Create the policy to contain the label information:
     • The policy name is FACILITY.
     • The policy label column is FACLAB.
       BEGIN
         SA_SYSDBA.CREATE_POLICY(
           POLICY_NAME     => 'FACILITY',
           COLUMN_NAME     => 'FACLAB',
           DEFAULT_OPTIONS => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
       END;
       /
  14. Defining Labels: Overview
     • Labels have three parts:
       – Level
       – Group
       – Compartment
     • Each part must be defined.
     • A label is defined as a combination of the parts.
  15. Defining Levels
     Short Form   Long Form          Numeric Form
     P            PUBLIC             100
     C            CONFIDENTIAL       200
     S            SENSITIVE          300
     HS           HIGHLY_SENSITIVE   400
     • The data level is set to SENSITIVE.
     • These levels are part of the label that is assigned to users and data.
  16. Creating Levels
       BEGIN
         SA_COMPONENTS.CREATE_LEVEL(
           POLICY_NAME => 'FACILITY',
           LEVEL_NUM   => 100,
           SHORT_NAME  => 'P',
           LONG_NAME   => 'PUBLIC');
       END;
       /
  17. Defining Groups
     Numeric Form   Long Form         Short Form   Parent
     1000           WESTERN_REGION    WR
     1100           WR_SALES          WR_SAL       WR
     1200           WR_FINANCE        WR_FIN       WR
     1210           WR_ACCT_PAYABLE   WR_AP        WR_FIN
     • The group is WR_FINANCE.
     • The data label shows WR_FIN in the group field of the level:compartment:group label.
  18. Creating Groups
       BEGIN
         SA_COMPONENTS.CREATE_GROUP(
           POLICY_NAME => 'FACILITY',
           GROUP_NUM   => 1100,   -- WR_SALES is 1100 in the group table; 1000 is WESTERN_REGION
           SHORT_NAME  => 'WR_SAL',
           LONG_NAME   => 'WR_SALES',
           PARENT_NAME => 'WR');
       END;
       /
  19. Defining Compartments
     Numeric Form   Long Form    Short Form
     85             Financial    FIN
     65             Chemical     CH
     45             Operations   OP
     • The compartments are OP, CH, and FIN.
     • The second field of the data label shows OP, CH, and FIN.
  20. Creating Compartments
       BEGIN
         SA_COMPONENTS.CREATE_COMPARTMENT(
           POLICY_NAME => 'FACILITY',
           COMP_NUM    => 85,
           SHORT_NAME  => 'FIN',
           LONG_NAME   => 'Financial');
       END;
       /
  21. Identifying Data Labels
     The administrator creates the set of data labels that are actually used, from the components already defined.
       LEVEL:COMPARTMENT:GROUP
       ----------------------------------------------
       SENSITIVE:FINANCIAL,CHEMICAL:WESTERN_REGION
       CONFIDENTIAL:FINANCIAL:WR_SALES
       SENSITIVE::
       HIGHLY_SENSITIVE:FINANCIAL:
       SENSITIVE::WESTERN_REGION
  22. Creating Data Labels
       BEGIN
         SA_LABEL_ADMIN.CREATE_LABEL(
           POLICY_NAME => 'FACILITY',
           LABEL_TAG   => 201000,
           LABEL_VALUE => 'S::WR');
       END;
       /
  23. Assigning User Authorization Labels
     A user is assigned:
     • Maximum and minimum labels
     • A default session label
     • A row label for inserts
       BEGIN
         SA_USER_ADMIN.SET_USER_LABELS(
           POLICY_NAME    => 'FACILITY',
           USER_NAME      => 'MYCO_MGR',
           MAX_READ_LABEL => 'S::US,EU,ASIA');
       END;
       /
  24. Access Mediation
     (Diagram: during access mediation of a SQL request, the user's session label is compared with each row's data label to produce the SQL results.)
  25. Adding Labels to Data
     • Labels are defined by the administrator.
     • Access mediation requires all rows to have labels.
     • Labels are set on rows.
  26. Policy-Enforcement Options
     • Access-control enforcement:
       – READ_CONTROL
       – WRITE_CONTROL
     • Label-management enforcement:
       – LABEL_DEFAULT
       – LABEL_UPDATE
       – CHECK_CONTROL
     • Options to override enforcement:
       – ALL_CONTROL
       – NO_CONTROL
  27. Applying the Policy to a Table
     • Add the FACILITY policy to the LOCATIONS table.
     • TABLE_OPTIONS => NULL means that the policy default options are used.
       BEGIN
         SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
           POLICY_NAME    => 'FACILITY',
           SCHEMA_NAME    => 'HR',
           TABLE_NAME     => 'LOCATIONS',
           TABLE_OPTIONS  => NULL,
           LABEL_FUNCTION => NULL);
       END;
       /
  28. Oracle Label Security Privileges
     Oracle Label Security supports these privileges, which allow authorized users to bypass certain parts of the policy:
     • READ
     • FULL
     • COMPACCESS
     • SET_ACCESS_PROFILE
  29. Example: READ Privilege
     (Diagram: labeled data rows; user label authorizations: none; READ privilege; a SELECT returns all rows.)
  30. Example: FULL Privilege
     (Diagram: labeled data rows; user label authorizations: any; FULL privilege; any DML affects all rows.)
  31. Example: COMPACCESS Privilege
     (Diagram: labeled data rows; user label authorizations: compartment = OP; COMPACCESS privilege; rows whose data label has compartment = OP are accessible whatever their group.)
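The access-mediation decision of slide 24 and the READ, FULL and COMPACCESS privilege examples of slides 29 to 31, worked through as an added example: a stand-alone Python model of the READ_CONTROL rules over the FACILITY components defined earlier. This is not Oracle's code and not from the slides; labels are written in short form LEVEL:COMPARTMENTS:GROUPS, and the sample rows are the data labels from slide 21.

```python
# Added example (not from the slides, not Oracle's code): a stand-alone model of
# Oracle Label Security read-access mediation using the FACILITY policy components.
LEVELS = {"P": 100, "C": 200, "S": 300, "HS": 400}          # slide: Defining Levels
COMPARTMENTS = {"FIN", "CH", "OP"}                           # slide: Defining Compartments
GROUP_PARENT = {"WR": None, "WR_SAL": "WR", "WR_FIN": "WR", "WR_AP": "WR_FIN"}

def parse_label(text):
    """Split 'S:FIN,CH:WR' into (level number, compartment set, group set)."""
    level, comps, groups = (text.split(":") + ["", ""])[:3]
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r} in {text!r}")
    comp_set = {c for c in comps.split(",") if c}
    group_set = {g for g in groups.split(",") if g}
    if not comp_set <= COMPARTMENTS or not group_set <= set(GROUP_PARENT):
        raise ValueError(f"undefined compartment or group in {text!r}")
    return LEVELS[level], comp_set, group_set

def group_ancestors(group):
    """A group plus every parent above it: authorization for a parent covers its subgroups."""
    chain = set()
    while group is not None:
        chain.add(group)
        group = GROUP_PARENT[group]
    return chain

def can_read(user_label, row_label, privileges=()):
    """READ_CONTROL decision for one row: level, then compartments, then groups."""
    if "READ" in privileges or "FULL" in privileges:
        return True                   # READ/FULL bypass read mediation: all rows returned
    u_level, u_comps, u_groups = parse_label(user_label)
    r_level, r_comps, r_groups = parse_label(row_label)
    if u_level < r_level:
        return False                  # user clearance is below the data sensitivity level
    if not r_comps <= u_comps:
        return False                  # user must hold every compartment in the row label
    if "COMPACCESS" in privileges:
        return True                   # compartment match alone suffices; groups are ignored
    if not r_groups:
        return True                   # empty group field in the row label: no group check
    # at least one row group (or one of its parent groups) must be among the user's groups
    return any(group_ancestors(g) & u_groups for g in r_groups)

def visible_rows(user_label, rows, privileges=()):
    """The subset of labeled rows a SELECT would return for this session."""
    return [r for r in rows if can_read(user_label, r, privileges)]
```

Note that a session authorized for the subgroup WR_SAL does not see rows labeled with the parent group WR; only the reverse direction (parent authorization covers child-labeled rows) holds.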
  32. Using SET_ACCESS_PROFILE
     The SA_SESSION.SET_ACCESS_PROFILE procedure in Oracle Label Security:
     • Allows an application session to assume a different Oracle Label Security authorization
     • Is used when application users do not have real database accounts
     Note: Users who are assigned Oracle Label Security authorizations do not need to be real database users.
       SQL> connect appuser/mypassword
       SQL> execute SA_SESSION.SET_ACCESS_PROFILE('finance','team1');
  33. Trusted Stored Package Units
     To create a trusted stored package unit, you must:
     • Grant the Oracle Label Security privileges to a program unit
     • Have the special policy_DBA role
     • Use OPM or the SA_USER_ADMIN package to grant the privileges
       SQL> EXECUTE SA_USER_ADMIN.SET_PROG_PRIVS(-
         2> POLICY_NAME       => 'HR',-
         3> SCHEMA_NAME       => 'MYSCHEMA',-
         4> PROGRAM_UNIT_NAME => 'SUM_PURCHASES',-
         5> PRIVILEGES        => 'READ');
  34. Exporting with Oracle Label Security
     • Only rows with labels authorized for read access are exported.
     • The label columns can be exported.
     • The LBACSYS schema cannot be exported.
  35. Importing with Oracle Label Security
     • Precreate the Oracle Label Security policies and tables.
     • Labels and tag values must be the same.
  36. Performance Tips
     • Analyze the LBACSYS schema.
     • Apply a bitmap index on the policy label column.
     • Plan a label tag strategy.
     • Partition on the basis of the label.
     • Allow time to tune your application after applying Oracle Label Security.
  37. Summary
     In this lesson, you should have learned how to:
     • Describe the main features of Oracle Label Security
     • Install and configure Oracle Label Security
     • Use Oracle Policy Manager
     • Create and implement a simple Oracle Label Security policy
  38. Q&A