5 Managing Global Sets/Data Discovery
Oracle AVDF 20.9 introduced Data Discovery which allowed the creation of global Privileged User and Sensitive Object sets on Oracle Database targets. In Oracle AVDF 20.10 this functionality was renamed to Global Sets and expanded to additionally allow the creation of global IP Address, OS User, Client Program, and Database User sets.
Global sets can be used in multiple Database Firewall Policies at once and simplify the creation of policies. Create a global set when:
- The elements in the set will be used in more than one Database Firewall policy
Define the set within the Database Firewall policy itself instead when:
- The sets will be used in only one Database Firewall policy
- You want the set to be deleted if the policy gets deleted, such as for a test Database Firewall policy
5.1 Global Sets - Oracle AVDF 20.10 and later
Starting in Oracle AVDF 20.10, Global Sets allows you to create global IP Address, OS User, Client Program, and Database User sets on any type of target database. In addition you can create global Privileged User and Sensitive Objects sets on Oracle Database targets.
5.1.1 About Global Sets
Global Sets allows you to add or import IP Addresses, OS user names, client program names, and database user names into sets.
In addition, Global Sets applies User Entitlements and the Database Security Assessment Tool (DBSAT) on your Oracle Database to identify privileged users and sensitive objects. This is enabled by running and scheduling the User Entitlements and Sensitive Object discovery jobs. Once the privileged users and sensitive objects have been discovered, they can be added to privileged user and sensitive objects sets, respectively.
These sets are global and can be used in multiple database firewall policies. Global sets that are created in Global Sets can be viewed in the corresponding tabs in the Database Firewall Policy editor.
5.1.2 Prerequisites for Creating Global Privileged User and Sensitive Object Sets
Before global privileged user and sensitive object sets can be created, an administrator must enable the permissions on the Oracle Database to run the discovery and user entitlement jobs, and the jobs must be initiated and scheduled.
- An administrator must enable user privileges for and run statistics gathering on the target Oracle Database. See Preparing Targets for Data Discovery in the Oracle AVDF Administrator's Guide for more information.
- The user entitlements retrieval job needs to be initiated and scheduled. See Retrieving User Entitlement Data for Oracle Database Targets for more information.
- The sensitive objects retrieval job needs to be initiated and scheduled. See Retrieving Sensitive Objects for Oracle Database Targets for more information.
- You must be an auditor or super auditor to use Global Sets (previously called Data Discovery in Oracle AVDF 20.9).
5.1.3 Creating a Global Set
Creating a global set and adding elements to it allows you to create one set that can be used in several Database Firewall Policies. IP Address, OS User, Client Program, and Database User sets can be used on any type of target database.
To add elements to a global set:
- Click the Global Sets tab.
- Expand one of the desired IP Address, OS User, Client Program, or Database User sections and click Add.
- Enter a name for the global set.
- Optionally, enter a description for the global set.
- Elements can be added to global sets in one or more of the following three ways: From Collected Data, Enter Values, or File Import.
  - From Collected Data - Allows you to select specific elements from your targets.
    - Select one or more targets in the Available column and move them to the Selected column using the arrows. You can also search for targets.
    - Select whether you want to view data from the last 24 hours, week, month, or a specific time period.
    - Click the Search button.
    - Select the element(s) you would like added to the global set.
  - Enter Values - Allows you to type multiple items at once so that the elements can be added in bulk to the global set. Elements can be entered as a comma separated list or one element per line. It is also possible to use both separation methods.
  - File Import - Allows you to upload a .txt file to add elements to a global set at once. The file can contain elements as a comma separated list or one element per line. It is also possible to use both separation methods.
Note:
If you're importing a file, it must be encoded in the UTF-8 format.
- Click Save once you have added elements to the global set.
5.1.4 Creating Privileged User Sets
Privileged users are identified on your target Oracle Databases through User Entitlements.
- Click the Global Sets tab.
- Expand the Privileged User Set section and click Add.
- Enter a name for the global set.
- Optionally, enter a description for the global set.
- Select one or more targets in the Available column and move them to the Selected column using the arrows. You can also search for targets.
- Select all the users you'd like to add to the set. Users can be searched for as well.
- Click Add.
- Click Save.
5.1.5 Creating Sensitive Object Global Sets
Sensitive objects are identified on your target Oracle Databases through Database Security Assessment Tool (DBSAT) integration.
- Click the Global Sets tab.
- Expand the Privileged User Set section and click Add.
- Enter a name for the global set.
- Optionally, enter a description for the global set.
- Select one or more targets in the Available column and move them to the Selected column using the arrows. You can also search for targets.
- Select categories. By default some of the sensitive categories are listed in the selected column and can be removed using the filters.
Sensitive categories and types available for selection include:
- Identification Information: Includes sensitive types for national, personal, and public identifiers. Examples are US Social Security Number (SSN), Canadian Social Insurance Number (SIN) and other national IDs, Visa Number, and Full Name.
- Biographic Information: Includes sensitive types for address, family data, extended PII, and restricted processing data. Examples are Full Address, Mother's Maiden Name, Date of Birth, and Religion.
- IT Information: Includes sensitive types for user IT data and device data. Examples are User ID, password, and IP Address.
- Financial Information: Includes sensitive types for payment card data and bank account data. Examples are Card Number, Card Security PIN, and Bank Account Number.
- Healthcare Information: Includes sensitive types for health insurance data, healthcare provider data, and medical data. Examples include Health Insurance Number, Healthcare Provider, and Blood Type.
- Employment Information: Includes sensitive types for employee basic data, organization data, and compensation data. Examples are Job Title, Termination Date, Income, and Stock.
- Academic Information: Includes sensitive types for student basic data, institution data, and performance data. Examples are Financial Aid, College Name, Grade, and Disciplinary Record.
- Select all the users you'd like to add to the set. Users can be searched for as well.
- Click Add.
- Click Save.
5.1.6 Modifying Global Sets
Modifying elements in a global set allows you to retain the global set while still being able to add or remove elements to or from the set. Modifying a global set makes it easier to update your Database Firewall Policies based on changes to your targets or specific needs, without having to create new sets.
Adding Elements
- Click the Global Sets tab.
- Expand one of the sections and click on an existing global set.
- For IP Address, OS User, Client Program, and Database User sets you can click Add, Add From File, or Add From Collected Data. For Privileged User or Sensitive Object sets you can only click Add.
- If you clicked Add, in the field that appears type the element(s) you would like to add. Elements can be entered as a comma separated list or one element per line.
- If you clicked Add From File or Add From Collected Data, the process is the same as when creating a new global set.
Note:
If you're importing a file, it must be encoded in the UTF-8 format.
- Click Save.
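The value formats accepted by the Enter Values and File Import steps above (and by Add From File when modifying a set) are simple enough to pre-check before uploading: comma separated, one element per line, or both, in UTF-8. The following parser is an added example, not Oracle code, and does not claim to mirror how AVDF itself reads an upload. The IP validity check and the membership diff are assumptions about what an operator would want to verify before clicking Save, since any saved change to a set in use marks its policies Deployment Required.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample import file, as the bytes a .txt upload would contain:
# a UTF-8 BOM, a comma separated line, one-per-line entries, a blank line,
# stray whitespace and one duplicate (10.0.0.5).
SAMPLE_FILE = (
    "\ufeff10.0.0.5, 10.0.0.6\n192.168.1.10\n\n 10.0.0.5 ,2001:db8::1\n"
).encode("utf-8")

# Elements may be separated by commas, newlines, or any mix of the two.
_SEPARATORS = re.compile(r"[,\r\n]+")


def parse_elements(text: str) -> list[str]:
    """Split a value list (comma separated, one per line, or both) into elements.
    Whitespace is stripped, empty entries dropped, duplicates collapsed in order."""
    seen: set[str] = set()
    elements: list[str] = []
    for raw in _SEPARATORS.split(text):
        item = raw.strip()
        if item and item not in seen:
            seen.add(item)
            elements.append(item)
    return elements


def load_import_file(data: bytes) -> list[str]:
    """Decode an upload strictly as UTF-8 (the required encoding) and parse it.
    A file saved in another encoding raises UnicodeDecodeError instead of
    importing mangled names; a leading BOM is tolerated."""
    return parse_elements(data.decode("utf-8").lstrip("\ufeff"))


def invalid_ip_elements(elements: list[str]) -> list[str]:
    """Return entries of an IP Address set that are not well-formed addresses.
    Assumption: plain IPv4/IPv6 addresses only; any further syntax AVDF
    accepts for IP Address sets is outside this check."""
    bad: list[str] = []
    for item in elements:
        try:
            ipaddress.ip_address(item)
        except ValueError:
            bad.append(item)
    return bad


def membership_change(current: list[str], proposed: list[str]) -> tuple[list[str], list[str]]:
    """Return (added, removed) if `proposed` replaced `current` as the set's members.
    Saving any change to a set a policy uses puts that policy into Deployment
    Required, so review the delta before clicking Save."""
    cur, new = set(current), set(proposed)
    return sorted(new - cur), sorted(cur - new)
```

Running `load_import_file(SAMPLE_FILE)` yields the four distinct addresses in first-seen order, and an empty delta from `membership_change` tells you a save would change nothing in the set's membership.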
Deleting Elements
- Click the Global Sets tab.
- Expand one of the sections and click on an existing global set.
- Select one or more elements from the list that you would like to remove from the global set. You can also search for specific elements.
- Click Delete.
- Click Save.
5.1.7 Understanding the Impact of Modifying Global Sets
When global sets are modified, policies that use the global set will need to be deployed again.
From the Global Sets page you can see which of your global sets are currently in use in a database firewall policy. Whenever any set that is in use is modified, i.e. elements are added to or removed from it, you will see a dialog box listing the policies that use the set. These policies will automatically go into a status of Deployment Required. Multiple policies in this state can be selected and deployed from the Database Firewall Policies section of Oracle AVDF. Deploying these policies will automatically deploy them to any targets the policies were previously deployed on.
While a database firewall policy is in a Deployment Required status after a set it uses has been modified, the Database Firewall will continue to use the last deployed version of a policy until the modifications are deployed.
Note:
Policies will go into the Deployment Required status if any modification occurs to a set, even if that modification is undone. For example, if you add an element to a set, but then remove that element shortly after so that the set includes only the same elements as it did previously, any policies that use the set will still be marked with Deployment Required.
5.2 Data Discovery - Oracle AVDF 20.9
In Oracle AVDF 20.9 you can use Data Discovery with your Oracle Databases to create global privileged user and sensitive object sets that can be used in multiple database firewall policies.
5.2.1 About Data Discovery
Data Discovery applies User Entitlements and the Database Security Assessment Tool (DBSAT) on your Oracle Database to identify privileged users and sensitive objects. This is enabled by running and scheduling the User Entitlements and Sensitive Object discovery jobs. Once the privileged users and sensitive objects have been discovered, they can be added to privileged user and sensitive objects sets, respectively. These sets are global and can be used in multiple database firewall policies.
Privileged User and Sensitive Object sets that are created in Data Discovery can be viewed in Data Discovery or in the Database User Sets and Database Objects Sets tabs in the Database Firewall Policy editor. Data Discovery can also be used to create database firewall policies and view and edit policies that were created in Data Discovery.
5.2.2 Prerequisites for Creating Global Privileged User and Sensitive Object Sets
Before global privileged user and sensitive object sets can be created, an administrator must enable the permissions on the Oracle Database to run the discovery and user entitlement jobs, and the jobs must be initiated and scheduled.
- An administrator must enable user privileges for and run statistics gathering on the target Oracle Database. See Preparing Targets for Data Discovery in the Oracle AVDF Administrator's Guide for more information.
- The user entitlements retrieval job needs to be initiated and scheduled. See Retrieving User Entitlement Data for Oracle Database Targets for more information.
- The sensitive objects retrieval job needs to be initiated and scheduled. See Retrieving Sensitive Objects for Oracle Database Targets for more information.
- You must be an auditor or super auditor to use Global Sets (previously called Data Discovery in Oracle AVDF 20.9).
5.2.3 Creating Privileged User Global Sets
Privileged users are identified on your target Oracle Databases through User Entitlements.
- Click the Policies tab.
- Click Data Discovery in the left navigation menu.
- In the Privileged User Sets section, click Add.
- Fill in the set name.
- Select targets.
- Select users from the list of Privileged Users. To add a new user which is not part of the list, click on the Add button and type the name of the user.
- Click Save once done.
5.2.4 Creating Sensitive Object Global Sets
Sensitive objects are identified on your target Oracle Databases through Database Security Assessment Tool (DBSAT) integration.
To create a Sensitive Object set:
- Click the Policies tab.
- Click Data Discovery in the left navigation menu.
- In the Sensitive Objects Set section click Add.
- Fill in the set name.
- Select targets.
- Select categories. By default some of the sensitive categories are listed in the selected column and can be removed using the filters.
Sensitive categories and types available for selection include:
- Identification Information: Includes sensitive types for national, personal, and public identifiers. Examples are US Social Security Number (SSN), Canadian Social Insurance Number (SIN) and other national IDs, Visa Number, and Full Name.
- Biographic Information: Includes sensitive types for address, family data, extended PII, and restricted processing data. Examples are Full Address, Mother's Maiden Name, Date of Birth, and Religion.
- IT Information: Includes sensitive types for user IT data and device data. Examples are User ID, password, and IP Address.
- Financial Information: Includes sensitive types for payment card data and bank account data. Examples are Card Number, Card Security PIN, and Bank Account Number.
- Healthcare Information: Includes sensitive types for health insurance data, healthcare provider data, and medical data. Examples include Health Insurance Number, Healthcare Provider, and Blood Type.
- Employment Information: Includes sensitive types for employee basic data, organization data, and compensation data. Examples are Job Title, Termination Date, Income, and Stock.
- Academic Information: Includes sensitive types for student basic data, institution data, and performance data. Examples are Financial Aid, College Name, Grade, and Disciplinary Record.
- Select objects from the list of Sensitive Objects. To add a new sensitive object which is not part of the list, click on the Add button and type the name of the sensitive object.
- Click Save once done.
5.2.5 Viewing Global Sets
Privileged User and Sensitive Object Sets created in Data Discovery are global and can be used in multiple policies. You can view these lists in Data Discovery.
- Click the Policies tab.
- Click Data Discovery in the left navigation menu.
- Click on the set name in the corresponding set section in Data Discovery. You will see the list of all privileged users or sensitive objects included in this set. You can use the Actions menu to filter the set.
Privileged user sets and sensitive object sets can also be viewed in the Database User Sets and Database Object Sets tabs in the Sets/Profiles of a database firewall policy, respectively.
Note:
Sets can't be edited. You need to delete and create a new set if you would like to make adjustments to an existing set.
5.2.6 Creating Database Firewall Policies from Data Discovery
Database firewall policies that will use existing Privileged User and Sensitive Object Sets can be created from the Data Discovery section.
To create a database firewall policy:
- Click the Policies tab.
- Click Data Discovery in the left navigation menu.
- In the Database Firewall Policies section, click Add.
- Fill in the policy name.
- Select targets.
- Select the privileged user sets.
- Select sensitive object sets.
- Select the statement classes and choose the action to be taken.
- Click Save once done.
Saving the policy creates the following objects, depending on what you selected:
- DB User Set - created if a privileged user set was created
- Profile - created if you selected any privileged users for the policy
- Session Context Rule - created if you only selected privileged users for the policy
- Database Object Rule - created if you selected sensitive tables or statement classes. The rule will apply the profile if the profile was created.
The profile can be viewed in the workflow to edit a database firewall policy.
5.2.7 Viewing and Editing Database Firewall Policies
Database firewall policies that were created in Data Discovery can be viewed in the Data Discovery section or the Database Firewall Policies section.
- Click the Policies tab.
- Click Data Discovery or Database Firewall Policies in the left navigation menu.
Policies that use global sets but were created using the standard policy creation workflow in the Database Firewall Policies section will not be listed on the Data Discovery page.
In the Database Firewall Policies section, policies that were created in Data Discovery will not be designated differently but will appear in the list of User-defined Database Firewall Policies.
To edit a database firewall policy, click the policy name and see Editing a Database Firewall Policy.