oracle security 06-implementing oracle label security

云和恩墨 成就所托 (Enmotech: "achieving what is entrusted") by 王朝阳 18516271611 [email protected]

Implementing Oracle Label Security

Upload: zhaoyang-wang

Post on 24-Dec-2014


Page 1

Implementing Oracle Label Security

Page 2

Objectives

After completing this lesson, you should be able to implement a simple Oracle Label Security policy by:
• Describing Oracle Label Security
• Installing Oracle Label Security
• Creating policies
• Defining labels
• Setting up user authorizations
• Applying policies to tables

Page 3

Access Control: Overview

Oracle provides two complementary access control models:
• Discretionary access control (DAC)
  – Allows only grant and revoke
  – Controls access on an entire object
  – Controls access by privilege
• Row-level security
  – Allows sophisticated access rules
  – Supplements DAC
  – Is provided by the Virtual Private Database and Oracle Label Security

DAC and row-level security dictate row access.

Page 4

Discretionary Access Control

Figure: Joe is granted the SELECT object privilege on EMP and Fred's is revoked.

    GRANT SELECT ON emp TO JOE;
    REVOKE SELECT ON emp FROM FRED;

Page 5

Oracle Label Security

Figure: a SQL request is checked first by discretionary access control (object privileges) and then by the label security policy (row-level security).

Page 6

How Sensitivity Labels Are Used

Figure: sensitivity labels (for example Secret and Top Secret) are attached to data as data sensitivity and to users as authorizations; access mediation compares the two.

Page 7

Installing Oracle Label Security

To install Oracle Label Security, perform the following steps:
1. Use the Custom Install option of Oracle Universal Installer (OUI) to add Oracle Label Security components.
2. Use the Database Configuration Assistant (DBCA) to configure Oracle Label Security.

Page 8

Oracle Label Security: Features

Oracle Label Security provides:
• Row-level security based on the VPD technology
• A complete infrastructure for managing label security policies, sensitivity labels, and user security clearances
• Oracle Policy Manager, a graphical user interface for managing Oracle Label Security
• Integration with Oracle Identity Management starting in Oracle Database 10g Release 1

Page 9

Comparing Oracle Label Security and the VPD

The VPD provides:
• API for implementing row-level security by using application context and PL/SQL

Oracle Label Security provides:
• A system evaluated under Common Criteria EAL 4
• All required packages for access mediation
• Complete data dictionary for managing policies, sensitivity labels, and user clearances
• A complete user interface for managing Oracle Label Security
• Integration with Oracle Identity Management

Page 10

When to Use Oracle Label Security

VPD:
• Uses existing user attributes
• Uses natural data attributes

Oracle Label Security:
• Uses created user labels
• Uses assigned data labels

Page 11

Implementing the Oracle Label Security Policy

The steps to implement an Oracle Label Security solution are:
1. Develop a strategy to understand the security problem.
2. Analyze the data levels in the application.
3. Create policies.
4. Define labels.
5. Assign user authorizations.
6. Apply policies.
7. Review and document your policy decisions.

Page 12

Analyzing the Needs

• Identify application tables that need Oracle Label Security:
  – Majority of the tables do not require Oracle Label Security.
  – Use existing tools when possible.
  – Do not apply Oracle Label Security to everything.
  – Identify important application queries where possible.
• Discretionary access control (DAC) is sufficient for most tables:
  – Database roles
  – Secure application roles
  – Stored procedures and functions

Page 13

Creating Policies

Create the policy to contain the label information:
• Policy name is FACILITY.
• Policy label column is FACLAB.

    BEGIN
      SA_SYSDBA.CREATE_POLICY(
        POLICY_NAME     => 'FACILITY',
        COLUMN_NAME     => 'FACLAB',
        DEFAULT_OPTIONS => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
    END;
    /

Page 14

Defining Labels: Overview

• Labels have three parts:
  – Level
  – Group
  – Compartment
• Each part must be defined.
• The label is defined on the basis of the combinations of the parts.

Page 15

Defining Levels

Short Form   Long Form          Numeric Form
P            PUBLIC             100
C            CONFIDENTIAL       200
S            SENSITIVE          300
HS           HIGHLY_SENSITIVE   400

• The data level is set to SENSITIVE.
• These levels are part of the label that is assigned to users and data.

Page 16

Creating Levels

    BEGIN
      SA_COMPONENTS.CREATE_LEVEL(
        POLICY_NAME => 'FACILITY',
        LEVEL_NUM   => 100,
        SHORT_NAME  => 'P',
        LONG_NAME   => 'PUBLIC');
    END;
    /

Page 17

Defining Groups

Numeric Form   Long Form         Short Form   Parent
1000           WESTERN_REGION    WR
1100           WR_SALES          WR_SAL       WR
1200           WR_FINANCE        WR_FIN       WR
1210           WR_ACCT_PAYABLE   WR_AP        WR_FIN

• The group is WR_FINANCE.
• The data label shows WR_FIN in the level:compartment:group group field.

Page 18

Creating Groups

    BEGIN
      SA_COMPONENTS.CREATE_GROUP(
        POLICY_NAME => 'FACILITY',
        GROUP_NUM   => 1100,     -- the WR_SALES row of the group table; 1000 is its parent WR
        SHORT_NAME  => 'WR_SAL',
        LONG_NAME   => 'WR_SALES',
        PARENT_NAME => 'WR');
    END;
    /

Page 19

Defining Compartments

Numeric Form   Long Form    Short Form
85             Financial    FIN
65             Chemical     CH
45             Operations   OP

• Compartments are OP, CH, and FIN.
• The second field in the data label shows OP, CH, and FIN.

Page 20

Creating Compartments

    BEGIN
      SA_COMPONENTS.CREATE_COMPARTMENT(
        POLICY_NAME => 'FACILITY',
        COMP_NUM    => 85,
        SHORT_NAME  => 'FIN',
        LONG_NAME   => 'Financial');
    END;
    /

Page 21

Identifying Data Labels

From the components already defined, the administrator creates the set of data labels that are actually used.

    LEVEL:COMPARTMENT:GROUP
    ----------------------------------------------
    SENSITIVE:FINANCIAL,CHEMICAL:WESTERN_REGION
    CONFIDENTIAL:FINANCIAL:WR_SALES
    SENSITIVE::
    HIGHLY_SENSITIVE:FINANCIAL:
    SENSITIVE::WESTERN_REGION

Page 22

Creating Data Labels

    BEGIN
      SA_LABEL_ADMIN.CREATE_LABEL(
        POLICY_NAME => 'FACILITY',
        LABEL_TAG   => 201000,
        LABEL_VALUE => 'S::WR');   -- short form of SENSITIVE::WESTERN_REGION
    END;
    /

Page 23

Assigning User Authorization Labels

A user is assigned:
• Maximum and minimum labels
• A default session label
• A row label for inserts

    BEGIN
      SA_USER_ADMIN.SET_USER_LABELS(
        POLICY_NAME    => 'FACILITY',
        USER_NAME      => 'MYCO_MGR',
        MAX_READ_LABEL => 'S::US,EU,ASIA');
    END;
    /

Page 24

Access Mediation

Figure: access mediation compares the user session label with each row's data label; of the rows touched by the SQL request, only those that pass are returned as SQL results.

Page 25

Adding Labels to Data

• Labels are defined by the administrator.
• Access mediation requires all rows to have labels.
• Labels are set on rows.

Page 26

Policy-Enforcement Options

• Access-control enforcement:
  – READ_CONTROL
  – WRITE_CONTROL
• Label-management enforcement:
  – LABEL_DEFAULT
  – LABEL_UPDATE
  – CHECK_CONTROL
• Options to override enforcement:
  – ALL_CONTROL
  – NO_CONTROL

Page 27

Applying the Policy to a Table

• Add the FACILITY policy to the LOCATIONS table.
• TABLE_OPTIONS => NULL implies that the policy default options are used.

    BEGIN
      SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
        POLICY_NAME    => 'FACILITY',
        SCHEMA_NAME    => 'HR',
        TABLE_NAME     => 'LOCATIONS',
        TABLE_OPTIONS  => NULL,
        LABEL_FUNCTION => NULL);
    END;
    /
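Putting the slides together, an added end-to-end script that is not part of the original deck: it builds the FACILITY policy from the level, compartment, group and data-label tables on the preceding pages, authorizes two users, applies the policy to HR.LOCATIONS with the policy defaults, and then labels the rows that already exist, since an unlabeled row is invisible under READ_CONTROL. Assumptions: LBACSYS creates the policy and grants the FACILITY_DBA role to a hypothetical administrator SEC_ADMIN who has UPDATE on HR.LOCATIONS; the users APP_MGR and APP_ANALYST are hypothetical and already exist; the label tags are chosen here and only need to be unique within the policy.

```sql
-- Added example, not from the deck. Step 1 as LBACSYS (LBAC_DBA role): create the
-- policy and hand its FACILITY_DBA role to the hypothetical administrator SEC_ADMIN.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    POLICY_NAME     => 'FACILITY', COLUMN_NAME => 'FACLAB',
    DEFAULT_OPTIONS => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;
/
GRANT FACILITY_DBA TO sec_admin;
-- Step 2 as SEC_ADMIN: components, data labels, user authorizations, table policy.
CONNECT sec_admin
BEGIN
  -- Levels are ordered by LEVEL_NUM: a reader's level must be >= the row's level.
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 100, 'P',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 200, 'C',  'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 300, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 400, 'HS', 'HIGHLY_SENSITIVE');
  -- Compartments are unordered: a reader must hold every compartment in the row label.
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 85, 'FIN', 'Financial');
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 65, 'CH',  'Chemical');
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 45, 'OP',  'Operations');
  -- Groups are hierarchical: holding a parent group also covers rows labeled with a child.
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1000, 'WR',     'WESTERN_REGION');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1100, 'WR_SAL', 'WR_SALES',        'WR');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1200, 'WR_FIN', 'WR_FINANCE',      'WR');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1210, 'WR_AP',  'WR_ACCT_PAYABLE', 'WR_FIN');
  -- Data labels that rows may carry; LABEL_TAG is the unique number stored in FACLAB.
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 301000, 'S:FIN,CH:WR');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 201100, 'C:FIN:WR_SAL');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 400000, 'HS:FIN:');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 201000, 'S::WR');
  -- User authorizations take effect in the user's next session.
  SA_USER_ADMIN.SET_USER_LABELS('FACILITY', 'APP_MGR',     'S:FIN,CH:WR');
  SA_USER_ADMIN.SET_USER_LABELS('FACILITY', 'APP_ANALYST', 'C:FIN:WR_SAL');
  -- FULL lets SEC_ADMIN see and relabel the existing rows, which have no label yet.
  SA_USER_ADMIN.SET_USER_PRIVS('FACILITY', 'SEC_ADMIN', 'FULL');
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    POLICY_NAME => 'FACILITY', SCHEMA_NAME => 'HR', TABLE_NAME => 'LOCATIONS',
    TABLE_OPTIONS => NULL, LABEL_FUNCTION => NULL);  -- NULL: policy defaults apply
END;
/
-- Step 3: reconnect so FULL is in effect, then label the existing rows.
CONNECT sec_admin
UPDATE hr.locations SET faclab = CHAR_TO_LABEL('FACILITY', 'S::WR');
UPDATE hr.locations SET faclab = CHAR_TO_LABEL('FACILITY', 'C:FIN:WR_SAL')
 WHERE country_id IN ('US', 'CA');
COMMIT;
-- Read mediation: APP_MGR (S:FIN,CH:WR) reads both label sets (S >= C, {FIN,CH} covers FIN,
-- WR is the parent of WR_SAL); APP_ANALYST (C:FIN:WR_SAL) cannot read S::WR (needs level S).
```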

Page 28

Oracle Label Security Privileges

Oracle Label Security supports these privileges that allow authorized users to bypass certain parts of the policy:
• READ
• FULL
• COMPACCESS
• SET_ACCESS_PROFILE

Page 29

Example: READ Privilege

Figure: a user with no label authorizations but the READ privilege issues SELECT against labeled data rows; all rows are returned.

Page 30

Example: FULL Privilege

Figure: a user with any label authorizations and the FULL privilege issues any DML against labeled data rows; all rows are affected.

Page 31

Example: COMPACCESS Privilege

Figure: a user authorized for compartment OP with the COMPACCESS privilege reaches labeled data rows whose data label has compartment OP, whatever their group.

Page 32

Using SET_ACCESS_PROFILE

The SA_SESSION.SET_ACCESS_PROFILE function in Oracle Label Security:
• Allows an application session to assume a different Oracle Label Security authorization
• Is used when application users do not have real database accounts

Note: Users who are assigned Oracle Label Security authorizations do not need to be real database users.

    SQL> connect appuser/mypassword
    SQL> execute sa_session.set_access_profile('finance','team1');

Page 33

Trusted Stored Package Units

To create a trusted stored package unit, you must:
• Grant the Oracle Label Security privileges to a program unit
• Have the special policy_DBA role
• Use OPM or the SA_USER_ADMIN package to grant privileges

    SQL> EXECUTE SA_USER_ADMIN.SET_PROG_PRIVS( -
      2>   POLICY_NAME       => 'HR', -
      3>   SCHEMA_NAME       => 'MYSCHEMA', -
      4>   PROGRAM_UNIT_NAME => 'SUM_PURCHASES', -
      5>   PRIVILEGES        => 'READ');
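An added example of a trusted stored program unit, not code from the original deck: a function that aggregates over labeled rows is granted READ, so it counts every row while its callers still cannot select those rows directly. It assumes the FACILITY policy of the earlier slides is applied to HR.LOCATIONS, that the SET_PROG_PRIVS call runs as a holder of FACILITY_DBA, and a hypothetical low-clearance user APP_ANALYST.

```sql
-- Added example, not from the deck. Assumes FACILITY is applied to HR.LOCATIONS and
-- that APP_ANALYST (hypothetical) is cleared for only part of that table.
CREATE OR REPLACE FUNCTION hr.locations_per_country(p_country IN VARCHAR2)
  RETURN NUMBER AS
  v_count NUMBER;
BEGIN
  -- Inside a READ-trusted unit READ_CONTROL is bypassed, so every row is counted,
  -- but only the aggregate leaves the function, never the row contents.
  SELECT COUNT(*) INTO v_count FROM hr.locations WHERE country_id = p_country;
  RETURN v_count;
END;
/
-- Grant the privilege to the program unit, not to a user (run as FACILITY_DBA).
-- Trust attaches to the unit, so its SQL is part of the policy boundary and
-- should be reviewed like a grant.
BEGIN
  SA_USER_ADMIN.SET_PROG_PRIVS(
    POLICY_NAME       => 'FACILITY',
    SCHEMA_NAME       => 'HR',
    PROGRAM_UNIT_NAME => 'LOCATIONS_PER_COUNTRY',
    PRIVILEGES        => 'READ');
END;
/
GRANT EXECUTE ON hr.locations_per_country TO app_analyst;
-- As APP_ANALYST: the direct query is mediated by the session label and returns
-- only the rows the user is cleared for; the trusted unit counts all of them.
SELECT COUNT(*) AS visible_rows FROM hr.locations WHERE country_id = 'US';
SELECT hr.locations_per_country('US') AS all_rows FROM dual;
```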

Page 34

Exporting with Oracle Label Security

• Only rows with labels authorized for read access are exported.
• The label columns can be exported.
• The LBACSYS schema cannot be exported.

Page 35

Importing with Oracle Label Security

• Precreate the Oracle Label Security policies and tables.
• Labels and tag values must be the same.

Page 36

Performance Tips

• Analyze the LBACSYS schema.
• Apply a bitmap index on the policy label column.
• Plan a label tag strategy.
• Partition on the basis of the label.
• Allow time to tune your application after applying Oracle Label Security.

Page 37

Summary

In this lesson, you should have learned how to:
• Describe the main features of Oracle Label Security
• Install and configure Oracle Label Security
• Use Oracle Policy Manager
• Create and implement a simple Oracle Label Security policy

Page 38

Q&A