Skip to content

enable Oracle Label Security

enable Oracle Label Security published on Комментариев к записи enable Oracle Label Security нет

Oracle Database 12c: Security 13 – 3

Enabling and Managing OLS

•Register and enable OLS:
– Using DBCA or
– Executing the LBACSYS.CONFIGURE_OLS and LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS procedures
•The The LBACSYS schema owns all OLS objects.
•Use Enterprise Manager Cloud Control (EMCC) SQL*Plus to manage the Label Security policies.
•In PDBs, which canhttp://bushmelev-aa.ru/wp-admin/edit-tags.php?taxonomy=post_tag be plugged in and out of CDBs:
– Manage OLS components on a subset of PDBs in a CDB:
— Policies (no policies in the root)
— Data labels
— User authorizations
– The LBACSYS schema is a common user schema.
– LBACSYS objects are automatically available to any PDB.

OLS: Features

OLS provides:
• Row-level security based on Virtual Private Database (VPD) technology
– All required packages for access mediation
– Complete data dictionary for managing OLS components
•A complete infrastructure for managing label security policies, sensitivity labels, and user security clearances
• Enterprise Manager pages containing a graphical user interface for managing OLS
• Integration with Oracle Identity Management starting Oracle Database 10g Release 1

OLS is built on the fine-grained access control technology of VPD. The major advantage of using OLS is that OLS is a complete system. It is a ready-to-use VPD. OLS provides sophisticated functions and procedures for evaluating and comparing sensitivity labels. It provides a sophisticated infrastructure for storing and managing sensitivity labels and user security clearances.

SELECT status FROM DBA_OLS_STATUS WHERE name = 'OLS_CONFIGURE_STATUS';

22:34:47 (1)[PDB1]c##bushmelev_aa@p00db1> SELECT status FROM DBA_OLS_STATUS WHERE name = 'OLS_CONFIGURE_STATUS';

STATUS
------
FALSE

Register OLS.

22:39:02 (1)[PDB1]sys@p00db1> EXEC LBACSYS.CONFIGURE_OLS

PL/SQL procedure successfully completed.

22:39:06 (1)[PDB1]sys@p00db1> SELECT status FROM DBA_OLS_STATUS WHERE name = 'OLS_CONFIGURE_STATUS';

STATU
-----
TRUE

Check whether OLS is enabled.

22:40:33 (1)[PDB1]sys@p00db1> SELECT value FROM V$OPTION WHERE parameter = 'Oracle Label Security';

VALUE
----------------------------------------------------------------
FALSE

Enable OLS

22:48:46 (1)[PDB1]sys@p00db1>  EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.53
22:49:45 (1)[PDB1]sys@p00db1> SELECT value FROM V$OPTION WHERE parameter = 'Oracle Label Security';

VALUE
----------------------------------------------------------------
TRUE

ps: Registration and enabling execute at the container level.

pps:
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 – 64bit Production
With the Partitioning, Automatic Storage Management, Oracle Label Security, OLAP,
Advanced Analytics, Real Application Testing and Unified Auditing options

OLS2

Implementing an OLS Solution

OLS3

OLS4

check OLS:
http://www.oracle.com/technetwork/articles/idm/ls-093349.html

create user myco_emp identified by 1;
create user myco_mgr identified by 1;
create user myco_planning identified by 1;

 GRANT CREATE SESSION to MYCO_EMP ;
 GRANT CREATE SESSION to MYCO_MGR;
 GRANT CREATE SESSION to MYCO_PLANNING ;


grant select on hr.job_history to MYCO_PLANNING;
grant select on hr.job_history to MYCO_emp;
grant select on hr.job_history to MYCO_mgr;
 GRANT SELECT ON hr.LOCATIONS TO MYCO_EMP;
 GRANT SELECT ON hr.LOCATIONS TO MYCO_mgr;
 GRANT SELECT ON hr.LOCATIONS TO MYCO_PLANNING;
 GRANT SELECT, INSERT, UPDATE, DELETE ON HR.LOCATIONS TO  MYCO_PLANNING;

connect as sysdba or unlock LBACSYS and connect by it

 -- ****************************************************
 -- Creating FACILITY Policy
 -- ****************************************************
 BEGIN
 SA_SYSDBA.CREATE_POLICY('FACILITY','FACLAB',
 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
 END;
 /

 -- ****************************************************
 -- Adding sensitivity levels to FACILITY policy:
 -- ****************************************************
BEGIN
SA_COMPONENTS.CREATE_LEVEL('FACILITY', 1000,'P','PUBLIC');
SA_COMPONENTS.CREATE_LEVEL('FACILITY',2000,'S','SENSITIVE');
SA_COMPONENTS.CREATE_LEVEL('FACILITY',3000,'HS','HIGHLY_SENSITIVE');
END;
/



 -- ****************************************************
 -- Adding groups to FACILITY policy:
 -- ****************************************************
 BEGIN
 SA_COMPONENTS.CREATE_GROUP('FACILITY', 1000,'Global','Global');
 SA_COMPONENTS.CREATE_GROUP('FACILITY',101,'US','United States','GLOBAL');
 SA_COMPONENTS.CREATE_GROUP('FACILITY',102,'EU','Europe','GLOBAL');
 SA_COMPONENTS.CREATE_GROUP('FACILITY',103,'Asia','Asia','GLOBAL');
 END;
 /


 -- ****************************************************
 -- Creating Labels for FACILITY policy
 -- ****************************************************
 EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 1000,'P');
 EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',2101,'S::US');
 EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',3101,'HS::US');
 EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 2103,'S::ASIA');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',3103,'HS::ASIA');


 -- **************************************************
 -- Setting MYCO_EMP user label authorizations
 -- Setting MYCO_MGR user label authorizations
 -- Setting MYCO_PLANNING user label authorizations
 -- **************************************************
 exec SA_USER_ADMIN.SET_USER_LABELS ('PRIVACY', 'MYCO_MGR','C');
 exec SA_USER_ADMIN.SET_USER_LABELS ('FACILITY','MYCO_EMP','P');
 exec SA_USER_ADMIN.SET_USER_LABELS ('FACILITY','MYCO_MGR','S::US,EU,ASIA');
 exec SA_USER_ADMIN.SET_USER_LABELS ('FACILITY','MYCO_PLANNING','HS::GLOBAL');

-- Applying FACILITY policy to hr.locations table.
-- *************************************************
 Begin
 sa_policy_admin.apply_table_policy (
 POLICY_NAME => 'FACILITY',
 SCHEMA_NAME => 'HR',
 TABLE_NAME => 'LOCATIONS',
 TABLE_OPTIONS => NULL,
 LABEL_FUNCTION => NULL);
 END;
 /


 -- ****************************************************
 -- Update Labels for Sites In ASIA
 -- ****************************************************

 update hr.locations set faclab = char_to_label('FACILITY','S::ASIA') where upper(city) in ('BEIJING','TOKYO','SINGAPORE');

 -- ****************************************************
 -- Update Labels for Sites In US
 -- ****************************************************

 update hr.locations set faclab = char_to_label('FACILITY','HS::US') where upper(city) in ('SOUTH SAN FRANCISCO');


 -- ****************************************************
 -- Update Labels for all remaining locations
 -- ****************************************************

 update hr.locations set faclab = char_to_label('FACILITY','P') where faclab is NULL;


commit;


                                


where upper(city) in ('BEIJING','TOKYO','SINGAPORE');
-- ****************************************************
-- SETTING LABELS FOR PRIVACY POLICY
-- ****************************************************


connect hr/oracle_4U@localhost:1521/pdb1

last piece of code failed with error :

 update hr.job_history set privlab = char_to_label('PRIVACY','S') where ((to_char(sysdate,'YYYY') - to_char(end_date,'YYYY')) > 10);
 update hr.job_history set privlab = char_to_label('PRIVACY','C') where ((to_char(sysdate,'YYYY')- to_char(end_date,'YYYY')) <= 10);

now lets check emp:

01:13:40 not connected> select l.*,label_to_char(faclab) label from hr.locations l;

LOCATION_ID | STREET_ADDRESS                           | POSTAL_CODE  | CITY                           | STATE_PROVINCE            | CO | LABEL
----------- | ---------------------------------------- | ------------ | ------------------------------ | ------------------------- | -- | ----------
       1000 | 1297 Via Cola di Rie                     | 00989        | Roma                           | <NULL>                    | IT | P
       1100 | 93091 Calle della Testa                  | 10934        | Venice                         | <NULL>                    | IT | P
       1300 | 9450 Kamiya-cho                          | 6823         | Hiroshima                      | <NULL>                    | JP | P
       1400 | 2014 Jabberwocky Rd                      | 26192        | Southlake                      | Texas                     | US | P
       1600 | 2007 Zagora St                           | 50090        | South Brunswick                | New Jersey                | US | P
       1700 | 2004 Charade Rd                          | 98199        | Seattle                        | Washington                | US | P
       1800 | 147 Spadina Ave                          | M5V 2L7      | Toronto                        | Ontario                   | CA | P
       1900 | 6092 Boxwood St                          | YSW 9T2      | Whitehorse                     | Yukon                     | CA | P
       2100 | 1298 Vileparle (E)                       | 490231       | Bombay                         | Maharashtra               | IN | P
       2200 | 12-98 Victoria Street                    | 2901         | Sydney                         | New South Wales           | AU | P
       2400 | 8204 Arthur St                           | <NULL>       | London                         | <NULL>                    | UK | P
       2500 | Magdalen Centre, The Oxford Science Park | OX9 9ZB      | Oxford                         | Oxford                    | UK | P
       2600 | 9702 Chester Road                        | 09629850293  | Stretford                      | Manchester                | UK | P
       2700 | Schwanthalerstr. 7031                    | 80925        | Munich                         | Bavaria                   | DE | P
       2800 | Rua Frei Caneca 1360                     | 01307-002    | Sao Paulo                      | Sao Paulo                 | BR | P
       2900 | 20 Rue des Corps-Saints                  | 1730         | Geneva                         | Geneve                    | CH | P
       3000 | Murtenstrasse 921                        | 3095         | Bern                           | BE                        | CH | P
       3100 | Pieter Breughelstraat 837                | 3029SK       | Utrecht                        | Utrecht                   | NL | P
       3200 | Mariano Escobedo 9991                    | 11932        | Mexico City                    | Distrito Federal,         | MX | P

19 rows selected.

01:13:42 not connected> sho user
USER is "MYCO_EMP"

check mgr

01:16:10 not connected> sho user
USER is "MYCO_MGR"
01:16:12 not connected> select l.*,label_to_char(faclab) label from hr.locations l;

LOCATION_ID | STREET_ADDRESS                           | POSTAL_CODE  | CITY                           | STATE_PROVINCE            | CO | LABEL
----------- | ---------------------------------------- | ------------ | ------------------------------ | ------------------------- | -- | ----------
       1000 | 1297 Via Cola di Rie                     | 00989        | Roma                           | <NULL>                    | IT | P
       1100 | 93091 Calle della Testa                  | 10934        | Venice                         | <NULL>                    | IT | P
       1200 | 2017 Shinjuku-ku                         | 1689         | Tokyo                          | Tokyo Prefecture          | JP | S::ASIA
       1300 | 9450 Kamiya-cho                          | 6823         | Hiroshima                      | <NULL>                    | JP | P
       1400 | 2014 Jabberwocky Rd                      | 26192        | Southlake                      | Texas                     | US | P
       1600 | 2007 Zagora St                           | 50090        | South Brunswick                | New Jersey                | US | P
       1700 | 2004 Charade Rd                          | 98199        | Seattle                        | Washington                | US | P
       1800 | 147 Spadina Ave                          | M5V 2L7      | Toronto                        | Ontario                   | CA | P
       1900 | 6092 Boxwood St                          | YSW 9T2      | Whitehorse                     | Yukon                     | CA | P
       2000 | 40-5-12 Laogianggen                      | 190518       | Beijing                        | <NULL>                    | CN | S::ASIA
       2100 | 1298 Vileparle (E)                       | 490231       | Bombay                         | Maharashtra               | IN | P
       2200 | 12-98 Victoria Street                    | 2901         | Sydney                         | New South Wales           | AU | P
       2300 | 198 Clementi North                       | 540198       | Singapore                      | <NULL>                    | SG | S::ASIA
       2400 | 8204 Arthur St                           | <NULL>       | London                         | <NULL>                    | UK | P
       2500 | Magdalen Centre, The Oxford Science Park | OX9 9ZB      | Oxford                         | Oxford                    | UK | P
       2600 | 9702 Chester Road                        | 09629850293  | Stretford                      | Manchester                | UK | P
       2700 | Schwanthalerstr. 7031                    | 80925        | Munich                         | Bavaria                   | DE | P
       2800 | Rua Frei Caneca 1360                     | 01307-002    | Sao Paulo                      | Sao Paulo                 | BR | P
       2900 | 20 Rue des Corps-Saints                  | 1730         | Geneva                         | Geneve                    | CH | P
       3000 | Murtenstrasse 921                        | 3095         | Bern                           | BE                        | CH | P
       3100 | Pieter Breughelstraat 837                | 3029SK       | Utrecht                        | Utrecht                   | NL | P
       3200 | Mariano Escobedo 9991                    | 11932        | Mexico City                    | Distrito Federal,         | MX | P

22 rows selected.

now check myco_planning:

USER is "MYCO_PLANNING"
01:17:57 not connected> select l.*,label_to_char(faclab) label from hr.locations l;

LOCATION_ID | STREET_ADDRESS                           | POSTAL_CODE  | CITY                           | STATE_PROVINCE            | CO | LABEL
----------- | ---------------------------------------- | ------------ | ------------------------------ | ------------------------- | -- | ----------
       1000 | 1297 Via Cola di Rie                     | 00989        | Roma                           | <NULL>                    | IT | P
       1100 | 93091 Calle della Testa                  | 10934        | Venice                         | <NULL>                    | IT | P
       1200 | 2017 Shinjuku-ku                         | 1689         | Tokyo                          | Tokyo Prefecture          | JP | S::ASIA
       1300 | 9450 Kamiya-cho                          | 6823         | Hiroshima                      | <NULL>                    | JP | P
       1400 | 2014 Jabberwocky Rd                      | 26192        | Southlake                      | Texas                     | US | P
       1500 | 2011 Interiors Blvd                      | 99236        | South San Francisco            | California                | US | HS::US
       1600 | 2007 Zagora St                           | 50090        | South Brunswick                | New Jersey                | US | P
       1700 | 2004 Charade Rd                          | 98199        | Seattle                        | Washington                | US | P
       1800 | 147 Spadina Ave                          | M5V 2L7      | Toronto                        | Ontario                   | CA | P
       1900 | 6092 Boxwood St                          | YSW 9T2      | Whitehorse                     | Yukon                     | CA | P
       2000 | 40-5-12 Laogianggen                      | 190518       | Beijing                        | <NULL>                    | CN | S::ASIA
       2100 | 1298 Vileparle (E)                       | 490231       | Bombay                         | Maharashtra               | IN | P
       2200 | 12-98 Victoria Street                    | 2901         | Sydney                         | New South Wales           | AU | P
       2300 | 198 Clementi North                       | 540198       | Singapore                      | <NULL>                    | SG | S::ASIA
       2400 | 8204 Arthur St                           | <NULL>       | London                         | <NULL>                    | UK | P
       2500 | Magdalen Centre, The Oxford Science Park | OX9 9ZB      | Oxford                         | Oxford                    | UK | P
       2600 | 9702 Chester Road                        | 09629850293  | Stretford                      | Manchester                | UK | P
       2700 | Schwanthalerstr. 7031                    | 80925        | Munich                         | Bavaria                   | DE | P
       2800 | Rua Frei Caneca 1360                     | 01307-002    | Sao Paulo                      | Sao Paulo                 | BR | P
       2900 | 20 Rue des Corps-Saints                  | 1730         | Geneva                         | Geneve                    | CH | P
       3000 | Murtenstrasse 921                        | 3095         | Bern                           | BE                        | CH | P
       3100 | Pieter Breughelstraat 837                | 3029SK       | Utrecht                        | Utrecht                   | NL | P
       3200 | Mariano Escobedo 9991                    | 11932        | Mexico City                    | Distrito Federal,         | MX | P

23 rows selected.

Enable unified auditing option

Enable unified auditing option published on Комментариев к записи Enable unified auditing option нет

https://blogs.oracle.com/imc/entry/oracle_database_12c_new_unified

Enalbe unified audit

1.Stop all Oracle processes: databases, listener and Enterprise Manager.
2.Relink Oracle with the uniaud_on option.

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle

[root@oel7-2 ~]# . oraenv
ORACLE_SID = [root] ? +ASM
[root@oel7-2 ~]# srvctl stop database -d orcl
[root@oel7-2 ~]# srvctl stop asm -f
[root@oel7-2 ~]# su - oracle
[oracle@oel7-2 ~]$ cd $ORACLE_HOME/rdbms/lib
[oracle@oel7-2 lib]$ make -f ins_rdbms.mk uniaud_on ioracle
..
[oracle@oel7-2 lib]$ logout
[root@oel7-2 ~]# srvctl start database -d orcl

check that option is enabled:

23:07:24 (1)[PDBORCL]c##bushmelev_aa@orcl>  select * from v$option where PARAMETER = 'Unified Auditing'
23:07:29   2  ;

PARAMETER                                          | VALUE      |     CON_ID
-------------------------------------------------- | ---------- | ----------
Unified Auditing                                   | TRUE       |          0

Primary Sidebar