5 Managing Global Sets/Data Discovery

Oracle AVDF 20.9 introduced Data Discovery which allowed the creation of global Privileged User and Sensitive Object sets on Oracle Database targets. In Oracle AVDF 20.10 this functionality was renamed to Global Sets and expanded to additionally allow the creation of global IP Address, OS User, Client Program, and Database User sets.

Global sets can be used in multiple Database Firewall Policies at once and simplify the creation of policies.

Global sets should be used when:

• The elements in the set will be used in more than one Database Firewall policy

Local sets should be used when:

• The sets will be used in only one Database Firewall policy
• You want the set to be deleted if the policy gets deleted, such as for a test Database Firewall policy

5.1 Data Discovery - Oracle AVDF 20.9

In Oracle AVDF 20.9 you can use Data Discovery with your Oracle Databases to create global privileged user and sensitive object sets that can be used in multiple database firewall policies.

5.1.1 About Data Discovery

In Oracle AVDF 20.9 you can use Data Discovery with your Oracle Databases to create global privileged user and sensitive object sets that can be used in multiple database firewall policies.

Data Discovery applies User Entitlements and the Database Security Assessment Tool (DBSAT) on your Oracle Database to identify privileged users and sensitive objects. This is enabled by running and scheduling the User Entitlements and Sensitive Object discovery jobs. Once the privileged users and sensitive objects have been discovered, they can be added to privileged user and sensitive objects sets, respectively. These sets are global and can be used in multiple database firewall policies.

Privileged User and Sensitive Object sets that are created in Data Discovery can be viewed in Data Discovery or in the Database User Sets and Database Objects Sets tabs in the Database Firewall Policy editor. Data Discovery can also be used to create database firewall policies and view and edit policies that were created in Data Discovery.

5.1.2 Prerequisites for Creating Global Privileged User and Sensitive Object Sets

Before global privileged user and sensitive object sets can be created, an administrator must enable the permissions on the Oracle Database to run the discovery and user entitlement jobs and the jobs must be initiated and scheduled.

• An administrator must enable user privileges for and run statistics gathering on the target Oracle Database. See Preparing Targets for Data Discovery in the Oracle AVDF Administrator's Guide for more information.
• The user entitlements retrieval job needs to be initiated and scheduled. See Retrieving User Entitlement Data for Oracle Database Targets for more information.
• The sensitive objects retrieval job needs to be initiated and scheduled. See Retrieving Sensitive Objects for Oracle Database Targets for more information.
• You must be an auditor or super auditor to use Global Sets (previously called Data Discovery in Oracle AVDF 20.9)

5.1.3 Creating Privileged User Global Sets

Privileged users are identified on your target Oracle Databases through User Entitlements.

To create a Privileged User Set,

1. Click the Policies tab.
2. Click the Data Discovery in the left navigation menu.
3. In the Privileged User Sets section, click Add.
4. Fill in the set name.
5. Select targets.
6. Select users from the list of Privileged Users. To add a new user which is not part of the list, click on the Add button and type the name of the user.
7. Click Save once done.

5.1.4 Creating Sensitive Object Global Sets

Sensitive objects are identified on your target Oracle Databases through Database Security Assessment Tool (DBSAT) integration.

To create a Sensitive Object set,

1. Click the Policies tab.
2. Click Data Discovery in the left navigation menu.
3. In the Sensitive Objects Set section click Add.
4. Fill in the set name.
5. Select targets.
6. Select categories. By default some of the sensitive categories are listed in the selected column and can be removed using the filters.
   Sensitive categories and types available for selection include:

   • Identification Information: Includes sensitive types for national, personal, and public identifiers. Examples are US Social Security Number (SSN), Canadian Social Insurance Number (SIN) and other national IDs, Visa Number, and Full Name.
   • Biographic Information: Includes sensitive types for address, family data, extended PII, and restricted processing data. Examples are Full Address, Mother's Maiden Name, Date of Birth, and Religion.
   • IT Information: Includes sensitive types for user IT data and device data. Examples are User ID, password, and IP Address.
   • Financial Information: Includes sensitive types for payment card data and bank account data. Examples are Card Number, Card Security PIN, and Bank Account Number.
   • Healthcare Information: Includes sensitive types for health insurance data, healthcare provider data, and medical data. Examples include Health Insurance Number, Healthcare Provider, and Blood Type.
   • Employment Information: Includes sensitive types for employee basic data, organization data, and compensation data. Examples are Job Title, Termination Date, Income, and Stock.
   • Academic Information: Includes sensitive types for student basic data, institution data, and performance data. Examples are Financial Aid, College Name, Grade, and Disciplinary Record.
7. Select objects from the list of Sensitive Objects. To add a new sensitive object which is not part of the list, click on the Add button and type the name of the sensitive object.
8. Click Save once done.

5.1.5 Viewing Global Sets

Privileged User and Sensitive Object Sets created in Data Discovery are global and can be used in multiple policies. You can view these lists in Data Discovery.

To view a set,

1. Click the Policies tab.
2. Click Data Discovery in the left navigation menu.
3. Click on the set name in the corresponding set section in Data Discovery. You will see the list of all privileged users or sensitive objects included in this set. You can use the Actions menu to filter the set.

Privileged user sets and sensitive object sets can also be viewed in the Database User Sets and Database Object Sets tabs in the Sets/Profiles of a database firewall policy, respectively.

Note:

Sets can't be edited. You need to delete and create a new set if you would like to make adjustments to an existing set.

5.1.6 Creating Database Firewall Policies from Data Discovery

Database firewall policies that will use existing Privileged User and Sensitive Object Sets can be created from the Data Discovery section.

To create a database firewall policy,

1. Click the Policies tab.
2. Click Data Discovery in the left navigation menu.
3. In the Database Firewall Policies section, click Add.
4. Fill in the policy name.
5. Select targets.
6. Select the privileged user sets.
7. Select sensitive object sets.
8. Select the statement classes and chose the action to be taken.
9. Click Save once done.

Once complete a new policy will be created and will consist of the following:

• DB User Set - created if a privileged user sets was created
• Profile - created if you selected any privileged users for the policy
• Session Context Rule - created if you only selected privileged users for the policy
• Database Object Rule - created if you selected sensitive tables or statement classes. The rule will apply the profile if the profile was created.

The profile can be viewed in the workflow to edit a database firewall policy.

5.1.7 Viewing and Editing Database Firewall Policies

Database firewall policies that were created in Data Discovery can be viewed in the Data Discovery section or the Database Firewall Policies section.

To view database firewall policies that were created in Data Discovery,

1. Click the Policies tab.
2. click Data Discovery or Database Firewall Policies in the left navigation menu.

Policies that use global sets but were created using the standard policy creation workflow in the Database Firewall Policies section will not be listed on the Data Discovery page.

In the Database Firewall Policies section, policies that were created in Data Discovery will not be designated differently but will appear in the list of User-defined Database Firewall Policies.

To edit a database firewall policy, click the policy name and see Editing a Database Firewall Policy.

5.2 Global Sets - Oracle AVDF 20.10 and later

Starting in Oracle AVDF 20.10, Global Sets allows you to create global IP Address, OS User, Client Program, and Database User sets on any type of target database. In addition you can create global Privileged User and Sensitive Objects sets on Oracle Database targets.

5.2.1 About Global Sets

Starting in Oracle AVDF 20.10, Global Sets allows you to create global IP Address, OS User, Client Program, and Database User sets on any type of target database. In addition you can create global Privileged User and Sensitive Objects sets on Oracle Database targets.

Global Sets allows you to add or import IP Addresses, OS user names, client program names, and database user names into sets.

In addition, Global Sets applies User Entitlements and the Database Security Assessment Tool (DBSAT) on your Oracle Database to identify privileged users and sensitive objects. This is enabled by running and scheduling the User Entitlements and Sensitive Object discovery jobs. Once the privileged users and sensitive objects have been discovered, they can be added to privileged user and sensitive objects sets, respectively.

These sets are global and can be used in multiple database firewall policies. Global sets that are created in Global Sets can be viewed in the corresponding tabs in the Database Firewall Policy editor.

5.2.2 Prerequisites for Creating Global Privileged User and Sensitive Object Sets

Before global privileged user and sensitive object sets can be created, an administrator must enable the permissions on the Oracle Database to run the discovery and user entitlement jobs and the jobs must be initiated and scheduled.

• An administrator must enable user privileges for and run statistics gathering on the target Oracle Database. See Preparing Targets for Data Discovery in the Oracle AVDF Administrator's Guide for more information.
• The user entitlements retrieval job needs to be initiated and scheduled. See Retrieving User Entitlement Data for Oracle Database Targets for more information.
• The sensitive objects retrieval job needs to be initiated and scheduled. See Retrieving Sensitive Objects for Oracle Database Targets for more information.
• You must be an auditor or super auditor to use Global Sets (previously called Data Discovery in Oracle AVDF 20.9)

5.2.3 Creating a Global Set

Creating a global set and adding elements to it allows you create one set that can be used in several Database Firewall Policies. IP Address, OS User, Client Program, and Database User sets can be using on any type of target database.

To add elements to a global set:

1. Click Global Sets tab.
2. Expand one of the desired IP Address, OS User, Client Program, or Database User sections and click Add.
3. Enter a name for the global set.
4. Optionally, enter a description for the global set.
5. Elements can be added to global sets in one or more of the following three ways, From Collected Data, Enter Values, or File Import.
   • From Collected Data - Allows you to select specific elements from your targets.
     1. Select one or more targets in the Available column and move them to the Selected column using the arrows. You can also search for targets as well.
     2. Select if you want to view data from the last 24 hours, week, month, or a specific time period.
     3. Click the Search button.
     4. Select the element(s) you would like added to the global set.
   • Enter Values - Allows you to type multiple items at once so that the elements can be added in bulk to the global set. Elements can be entered as a comma separated list or one element per line. It is also possible to use both separation methods.
   • File Import - Allows you to upload a .txt file to add elements to a global set at once. The file can contain elements as a comma separated list or one element per line. It is also possible to use both separation methods.
6. Click Save once you have added elements to the global set.

5.2.4 Creating Privileged User Sets

Privileged users are identified on your target Oracle Databases through User Entitlements.

1. Click the Global Sets tab.
2. Expand the Privileged User Set section and click Add.
3. Enter a name for the global set.
4. Optionally, enter a description for the global set.
5. Select one or more targets in the Available column and move them to the Selected column using the arrows. You can also search for targets as well.
6. Select all the users you'd like to add to the set. Users can be searched for as well.
7. Click Add.
8. Click Save.

5.2.5 Creating Sensitive Object Global Sets

Sensitive objects are identified on your target Oracle Databases through Database Security Assessment Tool (DBSAT) integration.

1. Click the Global Sets tab.
2. Expand the Privileged User Set section and click Add.
3. Enter a name for the global set.
4. Optionally, enter a description for the global set.
5. Select one or more targets in the Available column and move them to the Selected column using the arrows. You can also search for targets as well.
6. Select categories. By default some of the sensitive categories are listed in the selected column and can be removed using the filters.
   Sensitive categories and types available for selection include:

   • Identification Information: Includes sensitive types for national, personal, and public identifiers. Examples are US Social Security Number (SSN), Canadian Social Insurance Number (SIN) and other national IDs, Visa Number, and Full Name.
   • Biographic Information: Includes sensitive types for address, family data, extended PII, and restricted processing data. Examples are Full Address, Mother's Maiden Name, Date of Birth, and Religion.
   • IT Information: Includes sensitive types for user IT data and device data. Examples are User ID, password, and IP Address.
   • Financial Information: Includes sensitive types for payment card data and bank account data. Examples are Card Number, Card Security PIN, and Bank Account Number.
   • Healthcare Information: Includes sensitive types for health insurance data, healthcare provider data, and medical data. Examples include Health Insurance Number, Healthcare Provider, and Blood Type.
   • Employment Information: Includes sensitive types for employee basic data, organization data, and compensation data. Examples are Job Title, Termination Date, Income, and Stock.
   • Academic Information: Includes sensitive types for student basic data, institution data, and performance data. Examples are Financial Aid, College Name, Grade, and Disciplinary Record.
7. Select all the users you'd like to add to the set. Users can be searched for as well.
8. Click Add.
9. Click Save.

5.2.6 Modifying Global Sets

Modifying elements in a global set allows you to retain the global set while still being able to add or remove elements to or from the set. Modifying a global set makes it easier to update your Database Firewall Policies based on changes to your targets or specific needs, without having to create new sets.

Adding Elements

Elements can be added to all existing sets manually or in bulk for IP Address, OS User, Client Program, and Database User sets.

1. Click Global Sets tab.
2. Expand one of the sections and click on an existing global set.
3. For IP Address, OS User, Client Program, and Database User sets you can either click Add, Add From File, or Add From Collected Data. For Privileged User or Sensitive Object sets you can only click Add.
4. If you clicked Add, in the field that appears type the element(s) you would like to add. Elements can be entered as a comma separated list or one element per line.
5. If you clicked Add From File or Add From Collected Data the process is the same as when creating a new global set.
6. Click Save.

Deleting Elements

Elements can be removed from all existing sets manually.

1. Click Global Sets tab.
2. Expand one of the sections and click on an existing global set.
3. Select one or more elements from the list that you would like to remove from the global set. You can also search for specific elements as well.
4. Click Delete.
5. Click Save.

5.2.7 Understanding the Impact of Modifying Global Sets

When global sets are modified, policies that use the global set will need to be deployed again.

From the Global Sets page you can see which of your global sets are currently in use in a database firewall policy. Whenever any set that is in use is modified, i.e. elements are added or removed from it, you will see a dialog box of policies that use the set. These policies will automatically go into a status of Deployment Required. Multiple policies in this state can be selected and deployed from the Database Firewall Policies section of Oracle AVDF. Deploying these policies will automatically deploy them to any targets the policies were previously deployed on.

While a database firewall policy is in a Deployment Required status after a set it uses has been modified, the Database Firewall will continue to use the last deployed version of a policy until the modifications are deployed.

For example, consider the following scenario. There is a global set called AllowedUsers that consists of UserA and UserB which is currently in use by deployed database firewall policy, Policy1. If the AllowedUsers set is modified to additionally include UserC, Policy1 will go into a Deployment Required status. Until Policy1 is deployed again the database firewall will only allow traffic from UserA and UserB. Once Policy1 is deployed again then the database firewall will allow traffic from UserA, UserB, and UserC.

Note:

Policies will go into the Deployment Required status if any modification occurs to a set, even if that modification is undone. For example, if you add an element to a set, but then remove that element shortly after so that the set includes only the same elements as it did previously, any policies that use the set will still be marked with Deployment Required.