diff --git a/data-safe/api-copy-audit-data/api-copy-audit-data-archive1.md b/data-safe/api-copy-audit-data/api-copy-audit-data-archive1.md new file mode 100644 index 000000000..1963e11b4 --- /dev/null +++ b/data-safe/api-copy-audit-data/api-copy-audit-data-archive1.md @@ -0,0 +1,413 @@ +# Copy audit data to object storage using the Oracle Data Safe REST API + +## Introduction + +When you start your target database's audit trail in Oracle Data Safe, Oracle Data Safe begins copying audit records from the database's audit trail into the Oracle Data Safe repository. In this lab, you use the Oracle Data Safe application programming interface (API) to copy Oracle Data Safe's audit data for your target database into object storage. + +Estimated Lab Time: 30 minutes + +### Objectives + +In this lab, you will: + +- Create a bucket to store the audit data +- Start the audit trail for your target database in Oracle Data Safe +- View the quantity of audit data collected by Oracle Data Safe +- Access Cloud Shell in Oracle Cloud Infrastructure and review the SDK for Java installation +- Configure the SDK +- Compile a Java file +- Obtain the compartment OCID for your target database +- Run the compiled Java file +- Verify that the audit data is copied to your bucket + + +### Prerequisites + +This lab assumes you have: + +- Obtained an Oracle Cloud account and signed in to the Oracle Cloud Infrastructure Console +- Prepared your environment for this workshop (see [Prepare Your Environment](?lab=prepare-environment)) +- Registered your target database with Oracle Data Safe (see [Register an Autonomous Database with Oracle Data Safe](?lab=register-autonomous-database)) + +### Assumptions + +Cloud Shell is running the following application versions: +- Java version 11.0.17 +- Java(TM) SE Runtime Environment 18.9 (build 11.0.17+10-LTS-269) +- Linux 7.9 +- Oracle Cloud Infrastructure Java SDK 3.32.1 + + +## Task 1: Create a bucket to store the audit data + +1. From the navigation menu in Oracle Cloud Infrastructure, select **Storage**, and then **Buckets**. + +2. Make sure that your compartment is selected. + +3. Click **Create Bucket**. + + The **Create Bucket** panel is displayed. + +4. For bucket name, enter **DataSafeAuditData**. + +5. Leave the default settings as is, and click **Create**. + + +## Task 2: Start the audit trail for your target database in Oracle Data Safe + +1. From the navigation menu, select **Oracle Database**, and then **Data Safe - Database Security**. + +2. Under **Security center** on the left, click **Activity auditing**. + +3. Under **Related resources** on the left, click **Audit trails**. + +4. From the **Compartment** drop-down list on the left, make sure your compartment is selected. + +5. On the right, click the name of your target database for the **UNIFIED\_AUDIT\_TRAIL**. + + The **Audit Trail Details** page is displayed. + +6. Click **Start**. + + A **Start audit trail: UNIFIED\_AUDIT\_TRAIL** dialog box is displayed. + +7. Set the start date to the beginning of the current month. + + - If it's currently the first day of the month, you can select the previous day to be sure you collect all of the data. + - Do not select the **Auto Purge** option. + +8. Click **Start**. Wait for **Collection State** to change from **STARTING** to **COLLECTING** and then to **IDLE**. It takes about one minute. + + +## Task 3: View the quantity of audit data collected by Oracle Data Safe + +1. In the breadcrumb at the top of the page, click **Activity auditing**. + +2. Under **Security center**, click **Audit profiles**. + +3. On the right, click the name of your target database. + + The **Audit profile details** page for your target database is displayed. + +4. Scroll down the page to the **Compute audit volume** section. + +5. Click **Collected by Data Safe**. + + The **Compute collected volume** dialog box is displayed. + +6. Set the **Start month** and **End month** fields to the first and last day of the current month respectively, and click **Compute**. + +7. In the **Collected in Data Safe (Online)** column, make note of the number of audit records collected by Oracle Data Safe. + + +## Task 4: Access Cloud Shell in Oracle Cloud Infrastructure and review the SDK for Java installation + +The Oracle Cloud Infrastructure SDK for Java (oci-java-sdk) provides an SDK for Java that you can use to manage your Oracle Cloud Infrastructure resources. + +1. To open Cloud Shell, in the upper-right corner of the Oracle Cloud Infrastructure Console, click the **Developer tools** icon, and then select **Cloud Shell**. + + When you first open Cloud Shell, your current directory is your home directory; for example, `/home/jody_glove`. + + +2. (Optional) Reset your Cloud Shell environment. The following command erases all the data in your `$HOME` directory on your Cloud Shell machine and resets the `$HOME/.bashrc`, `$HOME/.bash_profile`, `$HOME/.bash_logout`, and `$HOME/.emacs` files back to their default values. Enter **y** at the prompt to confirm. + + ```bash + $ csreset --all + ``` + +3. Review the `/usr/lib64/java-oci-sdk` directory. This is the OCI Java SDK location. + + ```text + $ ls /usr/lib64/java-oci-sdk + + addons buildTools CHANGELOG.md CONTRIBUTING.md examples lib LICENSE.txt NOTICE.txt README.md shaded third-party THIRD_PARTY_LICENSES.txt + ``` + +4. List the contents of the `/usr/lib64/java-oci-sdk/lib` directory. Note the version of the `oci-java-sdk-full-version.jar` file. In the example below, the version is 3.32.1. + + ```text + $ ls /usr/lib64/java-oci-sdk/lib + + jersey jersey3 oci-java-sdk-full-3.32.1.jar + ``` + +5. List the third party libraries in the `/usr/lib64/java-oci-sdk/third-party/lib` directory. + + ```text + $ ls /usr/lib64/java-oci-sdk/third-party/lib + + bcpkix-jdk15to18-1.74.jar bcutil-jdk15to18-1.74.jar jackson-databind-2.13.4.2.jar resilience4j-circuitbreaker-1.7.1.jar slf4j-api-1.7.33.jar vavr-match-0.10.4.jar bcprov-jdk15to18-1.74.jar jackson-annotations-2.15.2.jar + jakarta.annotation-api-2.1.1.jar resilience4j-core-1.7.1.jar vavr-0.10.4.jar + ``` + +6. List the examples in the `/usr/lib64/java-oci-sdk/examples` directory. Notice that there is a `DataSafeRestAPIClientExample.java` file. This Java program contains Oracle Data Safe REST API commands that copy audit data from a specified compartment to a specified bucket in object storage. + + ```text + $ ls /usr/lib64/java-oci-sdk/examples + + ... + DataSafeRestAPIClientExample.java + ... + ``` + +7. Review the `DataSafeRestAPIClientExample.java` file. + + ```text + $ cat /usr/lib64/java-oci-sdk/examples/DataSafeRestAPIClientExample.java + ``` + + + +## Task 5: Configure the SDK + +Oracle Cloud Infrastructure SDKs require basic configuration information, like user credentials and tenancy OCID. In this task, you provide this information by creating a configuration file. + +1. Create a directory named `.oci`, give yourself `read/write/execute` permissions on it, and then switch to it. + + ```bash + $ mkdir ~/.oci + $ chmod 777 ~/.oci + $ cd ~/.oci + ``` + +2. In the upper-right corner of the Oracle Cloud Infrastructure Console, click the **Profile** icon, and then select your username. + +3. On the left, click **API Keys**. + +4. Click **Add API Key**. + + The **Add API Key** dialog box is displayed. + +5. Leave **Generate API Key Pair** selected and click **Download Private Key**. A private key (PEM file) is downloaded to your browser. Save your private key file to a local directory of your choice on your computer. + +6. In the **Add API Key** dialog box, click **Add**. + + The **Configuration File Preview** dialog box is displayed showing you a preview of the configuration file. + +7. Copy the contents of the Configuration File Preview section to a temporary local text file. Be sure to include `[DEFAULT]`. It should look similar to this: + + ```text + [DEFAULT] + user=ocid1.user.oc1... + fingerprint=ff:35... + tenancy=ocid1.tenancy.oc1... + region=eu-frankfurt-1 + key_file= # TODO + ``` + +8. Click **Close**. + + The new API key is listed under **API Keys**. + +9. In Cloud Shell in the upper-right corner, click the **Cloud Shell menu** icon (cog wheel) and select **Upload**. + + The **File upload to your home directory** dialog box is displayed. + +10. Drag your private key file to the dialog box, and click **Upload**. + + Your private key file is uploaded to your home directory. + +11. To close the **File Transfers** dialog box, click **Hide**. + +12. Move your private key file to the `~/.oci` directory. In the example below, replace `your-private-key-file.pem` with your own private key file name. + + ```bash + $ mv ~/your-private-key-file.pem ~/.oci/your-private-key-file.pem + ``` + +13. Create a configuration file in the `~/.oci` directory using the vi editor. + + ```bash + $ vi config + ``` + +14. Paste your configuration file contents into the `config` file. The content should look similar to the following code. Don't forget to include `[DEFAULT]`. + + ```text + [DEFAULT] + user=ocid1.user.oc1... + fingerprint=ff:35... + tenancy=ocid1.tenancy.oc1... + region=eu-frankfurt-1 + key_file= # TODO + ``` + +15. Modify the last line to be the path to your private key file. In the example below, substitute `your-private-key-file.pem` with your own private key file name. Remove the **# TODO** text. + + ```text + key_file=~/.oci/your-private-key-file.pem + ``` + +16. Save and close the file (press **Escape**, enter **:wq**, and then press **Enter**). + + +## Task 6: Compile a Java file + +Use the `javac` command to compile the `DataSafeRestAPIClientExample.java` file. The following two variables are already set in Cloud Shell. You can use these when compiling and running the Java program. + +- `$OCI_JAVA_SDK_LOCATION` = `/usr/lib64/java-oci-sdk` +- `$OCI_JAVA_SDK_FULL_JAR_LOCATION` = `/usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-version.jar` + + +1. Copy `DataSafeRestAPIClientExample.java` to your current directory (`~/.oci`). + + ```text + $ cp $OCI_JAVA_SDK_LOCATION/examples/DataSafeRestAPIClientExample.java . + ``` + +2. Compile `DataSafeRestAPIClientExample.java`. There is no output after the program is compiled. + + ```text + $ javac -cp $OCI_JAVA_SDK_FULL_JAR_LOCATION:$OCI_JAVA_SDK_LOCATION/third-party/lib/* DataSafeRestAPIClientExample.java + ``` + + +## Task 7: Obtain the compartment OCID for your target database + +1. From the navigation menu in Oracle Cloud Infrastructure, select **Oracle Database**, and then **Data Safe - Database Security**. + +2. On the left, click **Target databases**. + +3. On the left, select your compartment. + +4. On the right, click the name of your target database. + + The **Target database information** page is displayed. + +5. On the **Target database information** tab, make note of the compartment. + +6. From the navigation menu, select **Identity & Security**, and then on the right under **Identity**, select **Compartments**. + +7. Click the name of your compartment. + + The **Compartment details** page is displayed. + +8. On the **Compartment Information** tab, click the **Copy** link next to **OCID** and paste the OCID into a temporary local text file. You need the OCID for the next task. + + +## Task 8: Run the compiled Java file + +1. Return to Cloud Shell and run the following commands to define two variables: **BUCKET** and **COMPARTMENT**. In the example below, replace `your-compartment-ocid` with the compartment OCID for your target database. + + ```bash + $ export BUCKET=DataSafeAuditData + $ export COMPARTMENT=your-compartment-ocid + ``` + +2. Find the version of the `oci-java-sdk-common-httpclient-jersey-version.jar` file. In the example below, the version is 3.32.1. + + ```bash + $ ls $OCI_JAVA_SDK_LOCATION/lib/jersey + + oci-java-sdk-common-httpclient-jersey-3.32.1.jar + ``` + +3. Run `DataSafeRestAPIClientExample.class` by running the following command. Replace `version` in `oci-java-sdk-common-httpclient-jersey-version.jar` with the version you obtained in the previous step. You can ignore the error about failing to load the `org.slf4j.impl.StaticLoggerBinder` class. + + ```text + $ java -cp $OCI_JAVA_SDK_FULL_JAR_LOCATION:$OCI_JAVA_SDK_LOCATION/third-party/lib/*:$OCI_JAVA_SDK_LOCATION/third-party/jersey/lib/*:$OCI_JAVA_SDK_LOCATION/lib/jersey/oci-java-sdk-common-httpclient-jersey-version.jar:$HOME/.oci DataSafeRestAPIClientExample $BUCKET $COMPARTMENT + + + SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". + SLF4J: Defaulting to no-operation (NOP) logger implementation + SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. + Getting the namespace + + + Namespace: frmwj0cqbupb + + + Getting content for object cursor from bucket: DataSafeAuditData + + + ignore + Finished reading content for object cursor, last upload's last auditEvent record's timecollected FAILED + + + 2023-02-14T22:01:38.325Z + Querying for auditEvents with timeCollected Start = 2023-02-14T22:01:38.325Z, End = 2023-02-15T22:01:38.324Z + + + Count38 + + + Upload complete at Mon Feb 05 20:52:40 UTC 2024 of auditeventjson2024-02-05T20:52:39.499251Z _noofrecords_ 38 Start =2024-02-04T20:52:36.814Z, End=2024-02-05T20:52:36.814Z OpcRequestId: fra-1:1Xrqw2rKYYsvKlFHOkLNt... + + + Upload complete at Mon Feb 05 20:52:41 UTC 2024 of cursor OpcRequestId: fra-1:jnPcU8YTLX7r6VbSJMmFxNdJQWeVM... + ``` + +4. Review the output. The third last output line tells you the count of audit records copied into object storage. Your value may be different than the one shown in this example. + + +## Task 9: Verify that the audit data is copied to your bucket + +1. From the navigation menu, select **Storage**, and then **Buckets**. + +2. Make sure your compartment is selected. + +3. Click the name of your bucket. + + The **Bucket Details** page for your bucket is displayed. + +4. Scroll down to the **Objects** section. + +5. Notice that you now have a line item named `auditeventjson` that contains the text `noofrecords_`. This is the audit data copied from the Oracle Data Safe repository. `` is the number of copied audit records. + + ```text + auditeventjson2024-02-05T20:52:39.499251Z _noofrecords_ 38 Start =2024-02-04T20:52:36.814Z, End=2024-02-05T20:52:36.814Z + ``` + +6. Delete the object and cursor: One at a time, click the three dots at the end of the row and select **Delete**. In the **Confirm Delete Object** dialog box, click **Delete**. + +You may now **proceed to the next lab**. + +## Learn More + +- [Activity Auditing Overview](https://www.oracle.com/pls/topic/lookup?ctx=en/cloud/paas/data-safe&id=UDSCS-GUID-741E8CFE-041E-46C4-9C04-D849573A4DB7) +- [Audit Trails](https://www.oracle.com/pls/topic/lookup?ctx=en/cloud/paas/data-safe&id=UDSCS-GUID-8E684604-879A-4312-8FF6-519ECD67D179) +- [Getting Started (with SDK for Java)](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/javasdkgettingstarted.htm) +- [oci-java-sdk (on GitHub)](https://github.com/oracle/oci-java-sdk) +- [SDK for Java (configuring the SDK)](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/javasdk.htm) +- [Data Safe API (reference and endpoints)](https://docs.oracle.com/en-us/iaas/api/#/en/data-safe/20181201/) +- [Oracle Cloud Infrastructure Java SDK (packages and classes)](https://docs.oracle.com/en-us/iaas/tools/java/3.2.2/) + +## Acknowledgements +- **Author** - Jody Glover, Consulting User Assistance Developer, Database +- **Consultants** - Richard Evans, Bettina Schaeumer, Archana Rao, Anna Haikl +- **Last Updated By/Date** - Jody Glover, February 5, 2024 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/data-safe/api-copy-audit-data/api-copy-audit-data.md b/data-safe/api-copy-audit-data/api-copy-audit-data.md index c90faa07a..f218ef0f2 100644 --- a/data-safe/api-copy-audit-data/api-copy-audit-data.md +++ b/data-safe/api-copy-audit-data/api-copy-audit-data.md @@ -13,12 +13,15 @@ In this lab, you will: - Create a bucket to store the audit data - Start the audit trail for your target database in Oracle Data Safe - View the quantity of audit data collected by Oracle Data Safe -- Access Cloud Shell in Oracle Cloud Infrastructure and review the SDK for Java installation -- Configure the SDK -- Compile a Java file +- Provision a compute instance with the Oracle Cloud Developer Kit preinstalled +- Connect to your compute instance +- Create an API key +- Upload your private key (PEM file) to your compute instance +- Create an API configuration file on your compute instance +- Compile a Java program on your compute instance - Obtain the compartment OCID for your target database -- Run the compiled Java file -- Verify that the audit data is copied to your bucket +- Run the compiled Java file on your compute instance +- Verify that the audit data is saved to your bucket in object storage ### Prerequisites @@ -32,10 +35,8 @@ This lab assumes you have: ### Assumptions Cloud Shell is running the following application versions: -- Java version 11.0.17 -- Java(TM) SE Runtime Environment 18.9 (build 11.0.17+10-LTS-269) -- Linux 7.9 -- Oracle Cloud Infrastructure Java SDK 3.2.2 +- Oracle Linux Server 7.9 +- Oracle Cloud Infrastructure Java SDK 3.33.0 ## Task 1: Create a bucket to store the audit data @@ -57,9 +58,9 @@ Cloud Shell is running the following application versions: 1. From the navigation menu, select **Oracle Database**, and then **Data Safe - Database Security**. -2. Under **Security Center** on the left, click **Activity Auditing**. +2. Under **Security center** on the left, click **Activity auditing**. -3. Under **Related Resources** on the left, click **Audit Trails**. +3. Under **Related resources** on the left, click **Audit trails**. 4. From the **Compartment** drop-down list on the left, make sure your compartment is selected. @@ -69,7 +70,7 @@ Cloud Shell is running the following application versions: 6. Click **Start**. - A **Start Audit Trail: UNIFIED\_AUDIT\_TRAIL** dialog box is displayed. + A **Start audit trail: UNIFIED\_AUDIT\_TRAIL** dialog box is displayed. 7. Set the start date to the beginning of the current month. @@ -81,28 +82,76 @@ Cloud Shell is running the following application versions: ## Task 3: View the quantity of audit data collected by Oracle Data Safe -1. In the breadcrumb at the top of the page, click **Activity Auditing**. +1. In the breadcrumb at the top of the page, click **Activity auditing**. -2. Under **Security Center**, click **Audit Profiles**. +2. Under **Security center**, click **Audit profiles**. 3. On the right, click the name of your target database. - The **Audit Profile Details** page for your target database is displayed. + The **Audit profile details** page for your target database is displayed. -4. Scroll down the page to the **Compute Audit Volume** section. +4. Scroll down the page to the **Compute audit volume** section. 5. Click **Collected by Data Safe**. - The **Compute Collected Volume** dialog box is displayed. + The **Compute collected volume** dialog box is displayed. -6. Set the **Start Month** and **End Month** fields to the first and last day of the current month respectively, and click **Compute**. +6. Set the **Start month** and **End month** fields to the first and last day of the current month respectively, and click **Compute**. 7. In the **Collected in Data Safe (Online)** column, make note of the number of audit records collected by Oracle Data Safe. -## Task 4: Access Cloud Shell in Oracle Cloud Infrastructure and review the SDK for Java installation -The Oracle Cloud Infrastructure SDK for Java (oci-java-sdk) provides an SDK for Java that you can use to manage your Oracle Cloud Infrastructure resources. +## Task 4: Provision a compute instance with the Oracle Cloud Development Kit preinstalled + +1. From the home page in Oracle Cloud Infrastructure, scroll down and click the **RESOURCE MANAGER** tile called **Create a stack**. + + The **Create stack** page is displayed. You first need to complete **Step 1 Stack information**. + +2. Leave **Template** selected. + +3. Click **Change template**. + +4. Click the **Architecture** tab. Scroll down and select **Oracle Cloud Development kit**. Click **Select template**. + +5. (Optional) Enter a different name for the stack. + +6. Select your compartment. + +7. Leave the default terraform version as is. + +8. Click **Next**. + + Now you need to complete **Step 2 Configure variables**. + +9. Leave the default instance shape set to **VM.Standard.E2.1.Micro**. + +10. Leave **Auto-generate SSH key pair** selected. + +11. Leave **Compute instance to access all resources at tenancy level** selected. + +12. Click **Next**. + + Now you need to complete **Step 3 Review**. + +13. Review the configuration, and if it is correct, select the **Run apply** check box at the bottom of the page, and click **Create**. + + The new stack is displayed on the **Stack details** page. + +14. Wait for your compute instance to be provisioned. + + When the instance is provisioned (indicated by a "Succeeded" status for the apply job), installation of the development kit items begins. The installation process takes a few minutes. If you connect to the instance before the installation finishes, then a warning message indicates that the installation is still in process. Once the items are installed on the instance, you can immediately use them. + +15. To obtain information about your compute instance, click the **Application information** tab. From here you can copy connectivity information, including the following: + + - Compute instance public IP + - Generated private key for SSH access + - Compartment ID for your compute instance + + +## Task 5: Connect to your compute instance + +To connect to your compute instance, you first need to copy your private key to Cloud Shell. 1. To open Cloud Shell, in the upper-right corner of the Oracle Cloud Infrastructure Console, click the **Developer tools** icon, and then select **Cloud Shell**. @@ -115,163 +164,240 @@ The Oracle Cloud Infrastructure SDK for Java (oci-java-sdk) provides an SDK for $ csreset --all ``` -3. Review the `/usr/lib64/java-oci-sdk` directory. This is the OCI Java SDK location. +3. Create an `.ssh` directory in your home directory on your Cloud Shell machine. - ```text - $ ls /usr/lib64/java-oci-sdk - - addons apidocs buildTools CHANGELOG.md CONTRIBUTING.md examples lib LICENSE.txt NOTICE.txt README.md shaded third-party THIRD_PARTY_LICENSES.txt + ```bash + $ mkdir ~/.ssh ``` -4. List the contents of the `/usr/lib64/java-oci-sdk/lib` directory. Note the version of the `oci-java-sdk-full-version.jar` file. In the example below, the version is 3.3.0. +4. Create a file named `cloudshellkey` to store your private key data. - ```text - $ ls /usr/lib64/java-oci-sdk/lib - - jersey jersey3 oci-java-sdk-full-3.3.0.jar oci-java-sdk-full-3.3.0-javadoc.jar oci-java-sdk-full-3.3.0-sources.jar + ```bash + $ vi ~/.ssh/cloudshellkey ``` -5. List the third party libraries in the `/usr/lib64/java-oci-sdk/third-party/lib` directory. +5. On the **Application information** tab, click **Unlock** to view your private key. Copy your private key data to the vi editor. It is important that you put **-----BEGIN RSA PRIVATE KEY-----** on the first line, the key code on the second line, and **-----END RSA PRIVATE KEY-----** on the third line. Be careful not to include any code for line breaks. - ```text - $ ls /usr/lib64/java-oci-sdk/third-party/lib - ``` + Here is an example: -6. List the examples in the `/usr/lib64/java-oci-sdk/examples` directory. Notice that there is a `DataSafeRestAPIClientExample.java` file. This Java program contains Oracle Data Safe REST API commands that copy audit data from a specified compartment to a specified bucket in object storage. + ``` + $ -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAoLeHMmDKzeYdOJYKtxaGvtTjn40X5Hfy6A/Rdem90d59m5u0\nqSXmzGYqX1Yj1tgd6...AQj8uvBC7kW8Fstl + -----END RSA PRIVATE KEY----- + ``` - ```text - $ ls /usr/lib64/java-oci-sdk/examples +6. Give only yourself permission to use the private key. This step is important; otherwise, you will not be able to connect to your compute instance. - ... - DataSafeRestAPIClientExample.java - ... + ``` + $ chmod 600 ~/.ssh/cloudshellkey ``` -7. Review the `DataSafeRestAPIClientExample.java` file. +7. Enter the following command to connect to your compute instance. Substitute `compute-instance-public-ip` with your own. If connectivity is refused or you are prompted for a passphrase, check that your private key file (`cloudshellkey`) does not contain any line return code. You do not require a passphrase to connect. - ```text - $ cat /usr/lib64/java-oci-sdk/examples/DataSafeRestAPIClientExample.java + ``` + $ ssh -i ~/.ssh/cloudshellkey opc@compute-instance-public-ip ``` +## Task 6: Create an API key -## Task 5: Configure the SDK +To use the SDK for Java on your compute instance, you must have a key pair used for signing API requests, with the public key uploaded to Oracle. Only the user calling the API should be in possession of the private key. -Oracle Cloud Infrastructure SDKs require basic configuration information, like user credentials and tenancy OCID. In this task, you provide this information by creating a configuration file. +There are three parts to configuring the SDK: create an API key, upload the private key to your compute instancee, and create a configuration file. This task covers the first part. -1. Create a directory named `.oci`, give yourself `read/write/execute` permissions on it, and then switch to it. - ```bash - $ mkdir ~/.oci - $ chmod 777 ~/.oci - $ cd ~/.oci - ``` +1. In the upper-right corner of the Oracle Cloud Infrastructure Console, click the **Profile** icon, and then click your username. -2. In the upper-right corner of the Oracle Cloud Infrastructure Console, click the **Profile** icon, and then select your username. +2. On the left, click **API Keys**. -3. On the left, click **API Keys**. - -4. Click **Add API Key**. +3. Click **Add API Key**. The **Add API Key** dialog box is displayed. -5. Leave **Generate API Key Pair** selected and click **Download Private Key**. A private key (PEM file) is downloaded to your browser. Save your private key file to a local directory of your choice on your computer. +4. Leave **Generate API Key Pair** selected, click **Download Private Key**, and save your private key (PEM file) to a local directory on your computer. -6. Click **Add**. +5. Click **Add**. - The **Configuration File Preview** dialog box is displayed showing you a preview of the configuration file. + The **Configuration File Preview** dialog box is displayed, showing you a preview of the configuration file. -7. Copy the contents of the Configuration File Preview to a temporary local text file. Be sure to include `[DEFAULT]`. It should look similar to this: +6. Copy the configuration file contents to a temporary text file because you need it in a later task. Be sure to include `[DEFAULT]`. The content looks similar to this: ```text [DEFAULT] user=ocid1.user.oc1... - fingerprint=ff:35... + fingerprint=your-fingerprint tenancy=ocid1.tenancy.oc1... region=eu-frankfurt-1 key_file= # TODO ``` -8. Click **Close**. +7. Click **Close**. - The new API key is listed under **API Keys**. -9. In Cloud Shell in the upper-right corner, click the **Cloud Shell Menu** icon, and select **Upload**. +8. Create a `.oci` directory. - The **File Upload to your Home Directory** dialog box is displayed. + ```text + $ mkdir ~/.oci + ``` -10. Drag your private key file to the dialog box, and click **Upload**. +## Task 7: Upload your private key (PEM file) to your compute instance - Your private key file is uploaded to your home directory. +This task covers the second part for configuring the SDK on your compute instnace: Upload your private key (PEM file) into object storage, and then copy it to the `.oci` directory on your compute instance. -11. To close the **File Transfers** dialog box, click **Hide**. +1. From the navigation menu in Oracle Cloud Infrastructure, select **Storage**, and then **Buckets**. Select your compartment. Click the name of your bucket. + + The **Bucket Details** page is displayed. -12. Move your private key file to the `~/.oci` directory. In the example below, replace `your-private-key-file.pem` with your own private key file name. +2. Scroll down to the **Objects** section and click **Upload**. - ```bash - $ mv ~/your-private-key-file.pem ~/.oci/your-private-key-file.pem + The **Upload Objects** panel is displayed. + +3. Drag your private key file to the **Choose Files from your Computer** area, and click **Upload**. + +4. Click **Close**. + +5. At the end of the row for your private key file listing, click the three dots, and then select **Create Pre-Authenticated Request**. + + The **Create Pre-Authenticated Request** panel is displayed. + +6. Click **Create Pre-Authenticated Request**. + + The **Pre-Authenticated Request Details** dialog box is displayed. + +7. Copy the **Pre-Authenticated Request URL** to the clipboard and paste it into a temporary local text file. *IMPORTANT: You will not be able to view this URL again after you close the dialog box.* + +8. Click **Close**. + +9. In Cloud Shell, change to the `.oci` directory. + + ```text + $ cd ~/.oci ``` -13. Create a configuration file in the `~/.oci` directory using the vi editor. +10. Use the `WGET` command to copy your private key file from object storage into the `.oci` directory. Replace `pre-authenticated-request-url` with your own url. - ```bash - $ vi config + ```text + $ wget pre-authenticated-request-url + ``` + +11. List the contents of the directory and verify that the private key file is listed. + + ```text + $ ls + + your-private-key-file-name ``` -14. Paste your configuration file contents into the `config` file. The content should look similar to the following code. Don't forget to include `[DEFAULT]`. + + +## Task 8: Create an API configuration file on your compute instance + +This task covers the third (and last) part for configuring the SDK on your compute instance: Create a configuration file named `config` in the `.oci` directory for the SDK, and then add the API content that you obtained from the API key (which you created in a previous task). In the config file, correct the last line by adding the actual path to your private key file on your compute instance. The java file that you compile in a subsequent task looks for this config file in `~/.oci/config` with a profile named `DEFAULT`. + +1. While you are still in the `.oci` directory, use the vi editor to create a configuration file. ```text + $ vi config + ``` + +2. Paste the configuration file contents into the `config` file. Note: Earlier you pasted this content into a temporary text file. The content looks similar to the following code. Be sure to include `[DEFAULT]` at the top. + + ```text [DEFAULT] user=ocid1.user.oc1... - fingerprint=ff:35... + fingerprint=your-fingerprint tenancy=ocid1.tenancy.oc1... region=eu-frankfurt-1 key_file= # TODO ``` -15. Modify the last line to be the path to your private key file. In the example below, substitute `your-private-key-file.pem` with your own private key file name. Remove the **# TODO** text. +3. Modify the last line to be the path to your PEM file on your compute instance. In the example below, substitute `your-private-key-file-name` with your own private key file name. + + ```text + key_file=~/.oci/your-private-key-file-name + ``` + +4. Save and close the file (press **Escape**, enter **:wq**, and press **Enter**). + +5. List the contents of the current directory and ensure that your `config` file is there. ```text - key_file=~/.oci/your-private-key-file.pem + $ ls + + config your-private-key-file-name ``` -16. Save and close the file (press **Escape**, enter **:wq**, and then press **Enter**). +6. Give only yourself permission to use the private key and config files. Substitute `your-private-key-file` with the name of your own private key file. -## Task 6: Compile a Java file + ``` + $ chmod 600 ~/.oci/your-private-key-file + $ chmod 600 ~/.oci/config + ``` -Use the `javac` command to compile the `DataSafeRestAPIClientExample.java` file. The following two variables are already set in Cloud Shell. You can use these when compiling and running the Java program. +## Task 9: Compile a Java program on your compute instance -- `$OCI_JAVA_SDK_LOCATION` = `/usr/lib64/java-oci-sdk` -- `$OCI_JAVA_SDK_FULL_JAR_LOCATION` = `/usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-version.jar` +The Oracle Cloud Development Kit comes with the Java SDK already installed. The OCI jar file is located in `/usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-.jar`, and third-party libraries are in `/usr/lib64/java-oci-sdk/third-party/lib`. To compile a Java file, use the `javac` command. +In this task, you compile a Java program named `DataSafeRestAPIClientExample.java`, which is included with the SDK installation. The purpose of this program is to copy audit data from the Oracle Data Safe repository into a specified object storage bucket. If needed, you can also download the program directly from Github by running the following command: `wget https://raw.githubusercontent.com/oracle/oci-java-sdk/master/bmc-examples/src/main/java/DataSafeRestAPIClientExample.java`. -1. Copy `DataSafeRestAPIClientExample.java` to your current directory (`~/.oci`). +1. Find the version of the `oci-java-sdk-full-version.jar` file and make note of it. You will need it in later steps. In this example, the version is 3.33.0. ```text - $ cp $OCI_JAVA_SDK_LOCATION/examples/DataSafeRestAPIClientExample.java . + $ ls /usr/lib64/java-oci-sdk/lib + + jersey jersey3 oci-java-sdk-full-3.33.0.jar oci-java-sdk-full-3.33.0-javadoc.jar oci-java-sdk-full-3.33.0-sources.jar ``` -2. Compile `DataSafeRestAPIClientExample.java`. There is no output after the program is compiled. +2. Copy the example Java program `DataSafeRestAPIClientExample.java` to your current directory (`~/.oci`). ```text - $ javac -cp $OCI_JAVA_SDK_FULL_JAR_LOCATION:$OCI_JAVA_SDK_LOCATION/third-party/lib/* DataSafeRestAPIClientExample.java + $ cp /usr/lib64/java-oci-sdk/examples/DataSafeRestAPIClientExample.java . ``` +3. Review the program in the vi editor. + + ```text + $ vi DataSafeRestAPIClientExample.java + ``` -## Task 7: Obtain the compartment OCID for your target database +4. (Temporary fix) In the program, substitute `Region.EU_FRANKFURT_1` with `provider.getRegion()`. You need to make this change on lines 73 and 231. Save the change (press **Escape**, enter **:wq**, and then press **Enter**.) + + This is the correct code: + + ```text + ObjectStorage objStoreClient = + ObjectStorageClient.builder().region(provider.getRegion()).build(provider); + ``` + +5. Compile the `DataSafeRestAPIClientExample.java` file. Be sure to use the correct version in the `oci-java-sdk-full-.jar` file name. The example below uses version 3.33.0. It’s very common that a Java program depends on one or more external libraries (JAR files). Use the flag `-classpath` (or `-cp`) to tell the compiler where to look for external libraries. Note that there is no output after the file is compiled. You are simply returned to the prompt. + + ```text + # javac -cp /usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-3.33.0.jar:/usr/lib64/java-oci-sdk/third-party/lib/* DataSafeRestAPIClientExample.java + ``` + +6. Confirm that you now have a class file named `DataSafeRestAPIClientExample.class`. + + ```text + $ ls + + config DataSafeRestAPIClientExample.class DataSafeRestAPIClientExample.java your-private-key-file + ``` + + +## Task 10: Obtain the compartment OCID for your target database 1. From the navigation menu in Oracle Cloud Infrastructure, select **Oracle Database**, and then **Data Safe - Database Security**. -2. On the left, click **Target Databases**. +2. On the left, click **Target databases**. 3. On the left, select your compartment. 4. On the right, click the name of your target database. - The **Target Database Details** page is displayed. + The **Target database information** page is displayed. -5. On the **Target Database Details** tab, make note of the compartment. +5. On the **Target database information** tab, make note of the compartment. 6. From the navigation menu, select **Identity & Security**, and then on the right under **Identity**, select **Compartments**. @@ -282,30 +408,31 @@ Use the `javac` command to compile the `DataSafeRestAPIClientExample.java` file. 8. On the **Compartment Information** tab, click the **Copy** link next to **OCID** and paste the OCID into a temporary local text file. You need the OCID for the next task. -## Task 8: Run the compiled Java file -1. Return to Cloud Shell and run the following commands to define two variables: **BUCKET** and **COMPARTMENT**. In the example below, replace `your-compartment-ocid` with the compartment OCID for your target database. +## Task 11: Run the compiled Java class file on your compute instance - ```bash - $ export BUCKET=DataSafeAuditData - $ export COMPARTMENT=your-compartment-ocid - ``` +The `DataSafeRestAPIClientExample.class` program requires two inputs, which you can define upfront: -2. Find the version of the `oci-java-sdk-common-httpclient-jersey-version.jar` file. In the example below, the version is 3.3.0. +- **BUCKET**: The name of the bucket in which to store the copied audit data +- **COMPARTMENT**: The compartment OCID of your target database - ```bash - $ ls $OCI_JAVA_SDK_LOCATION/lib/jersey +1. Run the following commands to set the two inputs. Substitute `compartment-ocid-for-target-database` with your own OCID. - oci-java-sdk-common-httpclient-jersey-3.3.0.jar oci-java-sdk-common-httpclient-jersey-3.3.0-javadoc.jar oci-java-sdk-common-httpclient-jersey-3.3.0-sources.jar + ```text + $ export BUCKET=DataSafeAuditData + $ export COMPARTMENT=compartment-ocid-for-target-database ``` -3. Run `DataSafeRestAPIClientExample.class` by running the following command. Replace `version` in `oci-java-sdk-common-httpclient-jersey-version.jar` with the version you obtained in the previous step. You can ignore the error about failing to load the `org.slf4j.impl.StaticLoggerBinder` class. +2. Run the following command to run the class file. The example below uses `oci-java-sdk-full-3.33.0.jar`, but be sure to use the version that is on your system. You can ignore the error about failing to load the `org.slf4j.impl.StaticLoggerBinder` class. ```text - $ java -cp $OCI_JAVA_SDK_FULL_JAR_LOCATION:$OCI_JAVA_SDK_LOCATION/third-party/lib/*:$OCI_JAVA_SDK_LOCATION/third-party/jersey/lib/*:$OCI_JAVA_SDK_LOCATION/lib/jersey/oci-java-sdk-common-httpclient-jersey-version.jar:$HOME/.oci DataSafeRestAPIClientExample $BUCKET $COMPARTMENT + $ java -cp /usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-3.33.0.jar:/usr/lib64/java-oci-sdk/third-party/lib/*:/usr/lib64/java-oci-sdk/third-party/jersey/lib/*:/usr/lib64/java-oci-sdk/lib/jersey/oci-java-sdk-common-httpclient-jersey-3.33.0.jar:. DataSafeRestAPIClientExample $BUCKET $COMPARTMENT + ``` - - SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". +3. Review the output. The third last output line tells you the count of audit records copied into object storage. Your value may be different. If your count is equal to zero, delete any cursors in your bucket and repeat step 3. + + ```text + SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". SLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. Getting the namespace @@ -321,27 +448,27 @@ Use the `javac` command to compile the `DataSafeRestAPIClientExample.java` file. Finished reading content for object cursor, last upload's last auditEvent record's timecollected FAILED - 2023-02-14T22:01:38.325Z - Querying for auditEvents with timeCollected Start = 2023-02-14T22:01:38.325Z, End = 2023-02-15T22:01:38.324Z + 2024-02-05T18:46:52.701Z + Querying for auditEvents with timeCollected Start = 2024-02-05T18:46:52.701Z, End = 2024-02-06T18:46:52.701Z - Count35 + Count38 - Upload complete at Wed Feb 15 22:01:40 UTC 2023 of auditeventjson2023-02-15T22:01:39.579619Z _noofrecords_ 35 Start =2023-02-14T22:01:38.325Z, End=2023-02-15T22:01:38.324Z OpcRequestId: fra-1:q_rNFX-2hAnzGEoiurT376... + Upload complete at Tue Feb 06 18:46:54 GMT 2024 of auditeventjson2024-02-06T18:46:54.382Z _noofrecords_ 87 Start =2024-02-05T18:46:52.701Z, End=2024-02-06T18:46:52.701Z OpcRequestId: iad-1:ZzjIHd0Q_vmD6ctGG... - Upload complete at Wed Feb 15 22:01:40 UTC 2023 of cursor OpcRequestId: fra-1:YpGeKJmQ7HtfJLXCVGLYKIEGCEPGbsdF... + Upload complete at Tue Feb 06 18:46:55 GMT 2024 of cursor OpcRequestId: iad-1:gdp3sqAUejDr4RhpGfT6gTB1N7Zz4IKJ7b... + ``` -4. Review the output. The third last output line tells you the count of audit records copied into object storage. Your value may be different than the one shown in this example. -## Task 9: Verify that the audit data is copied to your bucket +## Task 12: Verify that the audit data is saved to your bucket in object storage -1. From the navigation menu, select **Storage**, and then **Buckets**. +1. From the navigation menu in Oracle Cloud Infrastructure, select **Storage**, and then **Buckets**. -2. Make sure your compartment is selected. +2. Select your compartment. 3. Click the name of your bucket. @@ -352,10 +479,9 @@ Use the `javac` command to compile the `DataSafeRestAPIClientExample.java` file. 5. Notice that you now have a line item named `auditeventjson` that contains the text `noofrecords_`. This is the audit data copied from the Oracle Data Safe repository. `` is the number of copied audit records. ```text - auditeventjson2023-02-15T22:01:39.579619Z _noofrecords_ 35 Start =2023-02-14T22:01:38.325Z, End=2023-02-15T22:01:38.324Z + auditeventjson2024-02-06T18:46:54.382Z _noofrecords_ 38 Start =2024-02-05T18:46:52.701Z, End=2024-02-06T18:46:52.701Z ``` -6. Delete the object and cursor: One at a time, click the three dots at the end of the row and select **Delete**. In the **Confirm Delete Object** dialog box, click **Delete**. You may now **proceed to the next lab**. @@ -368,43 +494,11 @@ You may now **proceed to the next lab**. - [SDK for Java (configuring the SDK)](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/javasdk.htm) - [Data Safe API (reference and endpoints)](https://docs.oracle.com/en-us/iaas/api/#/en/data-safe/20181201/) - [Oracle Cloud Infrastructure Java SDK (packages and classes)](https://docs.oracle.com/en-us/iaas/tools/java/3.2.2/) +- [Preinstalling the Oracle Cloud Development Kit](https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/devtools.htm) +- [Regions and Availability Domains](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm) ## Acknowledgements - **Author** - Jody Glover, Consulting User Assistance Developer, Database - **Consultants** - Richard Evans, Bettina Schaeumer, Archana Rao, Anna Haikl -- **Last Updated By/Date** - Jody Glover, April 11, 2023 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +- **Last Updated By/Date** - Jody Glover, February 12, 2024 diff --git a/data-safe/api-schedule-audit-data-copy/api-schedule-audit-data-copy.md b/data-safe/api-schedule-audit-data-copy/api-schedule-audit-data-copy.md index 55ed04286..05c984d9b 100644 --- a/data-safe/api-schedule-audit-data-copy/api-schedule-audit-data-copy.md +++ b/data-safe/api-schedule-audit-data-copy/api-schedule-audit-data-copy.md @@ -4,30 +4,15 @@ When you start your target database's audit trail in Oracle Data Safe, Oracle Data Safe begins copying audit records from the database's audit trail into the Oracle Data Safe repository. In this lab, you use the Oracle Data Safe application programming interface (API) and crontab on a compute instance to schedule the copying of Oracle Data Safe's audit data for your target database into object storage. -If you already have a bucket in Oracle Cloud Infrastructure and you have started the audit trail for your target database in Oracle Data Safe, then you can skip tasks 1 and 2. - -Estimated Lab Time: 30 minutes +Estimated Lab Time: 10 minutes ### Objectives In this lab, you will: -- Create a bucket in your compartment -- Start the audit trail for your target database in Oracle Data Safe -- View the quantity of audit data collected by Oracle Data Safe -- Create SSH keys in Cloud Shell -- Create a virtual cloud network (VCN) -- Create a compute instance using the Oracle Linux Cloud Developer 8 image -- Connect to your compute instance from Cloud Shell -- Create an API key -- Upload your private key (PEM file) to your compute instance -- Create a configuration file -- Compile the Java program -- Obtain the compartment OCID for your target database -- Run the compiled Java class file -- Verify that the audit data is in your bucket - Create an SH script for cronjob -- Schedule the SH script using crontab +- Schedule the script to run every minute +- Schedule the script to run at 2AM every day - Remove the scheduled activity in crontab @@ -38,514 +23,36 @@ This lab assumes you have: - Obtained an Oracle Cloud account and signed in to the Oracle Cloud Infrastructure Console - Prepared your environment for this workshop (see [Prepare Your Environment](?lab=prepare-environment)) - Registered your target database with Oracle Data Safe (see [Register an Autonomous Database with Oracle Data Safe](?lab=register-autonomous-database)) +- Completed the [Copy Audit Data to Object Storage using the Oracle Data Safe REST API](?lab=api-copy-audit-data) lab. This lab is a continuation of that lab. -## Task 1: Create a bucket in your compartment - -Create a bucket to store your audit data. You also use the bucket to transfer a PEM file to a compute instance in a later task. - -1. From the navigation menu in Oracle Cloud Infrastructure, select **Storage**, and then **Buckets**. - -2. Select your compartment. - -3. Click **Create Bucket**. - - The **Create Bucket** dialog box is displayed. - -4. For bucket name, enter **DataSafeAuditData**. - -5. Leave the default settings as is, and click **Create**. - - -## Task 2: Start the audit trail for your target database in Oracle Data Safe - -1. From the navigation menu in Oracle Cloud Infrastructure, select **Oracle Database**, and then **Data Safe - Database Security**. - -2. Under **Security Center** on the left, click **Activity Auditing**. - -3. Under **Related Resources** on the left, click **Audit Trails**. - -4. From the **Compartment** drop-down list on the left, make sure your compartment is selected. - -5. On the right, click the name of your target database for the **UNIFIED\_AUDIT\_TRAIL**. - - The **Audit Trail Details** page is displayed. - -6. Click **Start**. - - A **Start Audit Trail: UNIFIED\_AUDIT\_TRAIL** dialog box is displayed. - -7. Set the start date to the beginning of the current month. - -8. Click **Start**. Wait for **Collection State** to change from **STARTING** to **COLLECTING** and then to **IDLE**. It takes about one minute. - - -## Task 3: View the quantity of audit data collected by Oracle Data Safe - -1. In the breadcrumb at the top of the page, click **Activity Auditing**. - -2. Under **Security Center**, click **Audit Profiles**. - -3. On the right, click the name of your target database. - - The **Audit Profile Details** page for your target database is displayed. - -4. Scroll down the page to the **Compute Audit Volume** section. - -5. Click **Collected by Data Safe**. - - The **Compute Collected Volume** dialog box is displayed. - -6. Set the **Start Month** and **End Month** fields to the first and last day of the current month respectively, and click **Compute**. Make note of the number of audit records collected by Oracle Data Safe. - -7. If for some reason the number of audit records is equal to zero, run the [**load-data-safe-sample-data_admin.sql**](https://objectstorage.us-ashburn-1.oraclecloud.com/p/AUKfPIGuTde04z4OnuaZN2EP0LxNl4hJWI2jZiTw23aWzSoa2_Byvs8OGPw20-dt/n/c4u04/b/livelabsfiles/o/security-library/load-data-safe-sample-data_admin.sql) SQL script in Database Actions to load sample data into your database. This script generates auditable database activity for the `ADMIN` user. Then, repeat steps 5 and 6 to view the amount of collected audit data. - - -## Task 4: Create SSH keys in Cloud Shell - -In Cloud Shell, create an SSH key pair that you can use to connect to your compute instance. The standard name in LiveLabs workshops is `cloudshellkey`. - -1. On the toolbar in Oracle Cloud Infrastructure, click **Developer tools**, and then select **Cloud Shell**. When you first open Cloud Shell, you are in your home directory; for example, `/home/jody_glove`. - -2. (Optional) Reset your Cloud Shell environment. The following command erases all the data in your `$HOME` directory on your Cloud Shell machine and resets the `$HOME/.bashrc`, `$HOME/.bash_profile`, `$HOME/.bash_logout`, and `$HOME/.emacs` files back to their default values. Enter **y** at the prompt to confirm. - - ```bash - $ csreset --all - ``` - -3. Create an `.ssh` directory in your home directory on your Cloud Shell machine, change to it, and then verify the directory in which you are working. - - ```bash - $ mkdir ~/.ssh - $ cd ~/.ssh - $ pwd - - /home/your-user-name/.ssh - ``` - - -4. While you are in the `.ssh` directory, generate an SSH key pair. The following command generates two keys: a private key named `cloudshellkey` and a public key named `cloudshellkey.pub`. Please use the `cloudshellkey` naming convention as it is a LiveLabs standard. When prompted to enter a passphrase, simply click **Enter** twice to not enter a passphrase. - - ```bash - $ ssh-keygen -b 2048 -t rsa -f cloudshellkey - ``` - -5. Confirm the private key and public key files exist in the `.ssh` directory. - - ```bash - $ ls - - cloudshellkey cloudshellkey.pub - ``` - - - -6. Show the contents of the public key. Later, you copy this to the clipboard and paste it into the SSH keys box when creating the compute instance. - - ```bash - $ cat cloudshellkey.pub - ``` - -7. Leave Cloud Shell open. - - -## Task 5: Create a virtual cloud network (VCN) - -1. From the navigation menu in Oracle Cloud Infrastructure, select **Networking**, and then **Virtual cloud networks**. - -2. Select your compartment. - -3. Click **Create VCN**. - -4. For **Name**, enter **labVCN**. - -5. Select your compartment. +## Task 1: Create an SH script for cronjob -6. For **IPv4 CIDR Blocks**, enter **10.0.0.0/24**. +The Cron daemon is a built-in Linux utility that runs processes on your system at a scheduled time. Cron reads the crontab (cron tables) for predefined commands and scripts. You need to be the `root` user or a user with `sudo` privileges to create a cron job. -7. Leave the **Use DNS hostnames in this VCN** check box selected. +In this task, you create an SH script that contains the variables and Java command to run the example Data Safe Java program. In the next task, you schedule the SH script. -8. For **DNS Label**, enter **labVCN**. - -9. Click **Create VCN**. - -10. Click **Create Subnet**. - -11. For name, enter **lab-public-subnet1**. - -12. Select your compartment. - -13. For subnet type, leave **Regional** selected. - -14. For **IPv4 CIDR Block**, enter **10.0.0.0/24**. - -15. For subnet access, leave **Public Subnet** selected. - -16. Leave the **Use DNS hostnames in this SUBNET** check box selected. - -17. For **DNS label**, enter **subnet1**. - -18. Click **Create Subnet**. - -19. On the left, click **Internet Gateways**. - -20. Click **Create Internet Gateway**. The **Create Internet Gateway** panel is displayed. - -21. For name, enter **livelabs-igw**. - -22. Select your compartment. - -23. Click **Create Internet Gateway**. - -24. On the left, click **Route Tables**. - -25. In the list of route tables, click **Default Route Table for labVCN**. - -26. Click **Add Route Rules**. - - The **Add Route Rules** panel is displayed. - -27. For target type, select **Internet Gateway**. - -28. For destination CIDR block, enter **0.0.0.0/0**. - -29. For target internet gateway, select **livelabs-igw**. - -30. Click **Add Route Rules**. - - -## Task 6: Create a compute instance using the Oracle Linux Cloud Developer 8 image - -The Oracle Linux Cloud Developer Image is supported on all compute shapes, except the GPU shapes. A minimum of 8 GB of memory is required for this image for all standard and flexible shapes. The one exception is the VM.Standard.E2.1.Micro shape, which only has 1 GB of memory allocated to it. Because of the small memory size in the VM.Standard.E2.1.Micro shape, some graphical intensive programs are not installed in the image. - -1. From the navigation menu for Oracle Cloud Infrastructure, select **Compute**, and then **Instances**. - -2. Select your compartment. - -3. Click **Create instance**. - -4. Enter a friendly name for your compute instance. - -5. Leave your compartment selected. - -6. Leave placement as is. - -7. In the **Image and shape** section, click **Edit**. - -8. Click **Change image**. Leave **Oracle Linux** selected. Scroll down and select **Oracle Linux Cloud Developer 8**. Select the **I have reviewed and accept the following documents: Oracle LInux Cloud Developer Image Terms of Use** check box. Click **Select image**. - -9. Click **Change shape**. Leave **Virtual Machine** and the **Ampere** shape series selected. Leave the **VM.Standard.A1.Flex** image selected. Scroll down and enter **8** GB of memory. Click **Select shape**. - -10. In the **Networking** section, click **Edit**, leave **Select existing virtual cloud network** selected. For **Virtual cloud network in your-compartment**, select **labVCN**. For **Subnet in your-compartment**, select **lab-public-subnet1**. For **Public IPv4 Address**, leave **Assign a public IPv4 address** selected. - -11. In the **Add SSH keys** section, select **Paste public keys**. Return to Cloud Shell and copy the entire SSH public key to the clipboard. It starts with `ssh-rsa` and ends with something similar to `jody_glove@1e3ebc618797`. In the SSH keys box, paste your public key. Make sure that there are no hard returns. If needed, you can run `cat .ssh/cloudshellkey.pub` to display the public key again. - -12. In the **Boot volume** section, leave the default settings as is. - -13. Click **Create** and wait two minutes for your compute instance to be provisioned. The **Work requests** page is displayed where you can view information about your compute instance. - - -## Task 7: Connect to your compute instance from Cloud Shell - -1. If you've navigated away from your compute instance page, you can find it again by doing this: From the navigation menu in Oracle Cloud Infrastructure, select **Compute**, and then **Instances**. Select your compartment. Click the name of your compute instance. - -2. On the **Instance Information** tab under **Instance access**, copy the public IP address to the clipboard. - -3. In Cloud Shell, enter the following `SSH` command to connect to your compute instance, replacing `public-ip-address` with the one you just copied to the clipboard. - - ```bash - $ ssh -i ~/.ssh/cloudshellkey opc@public-ip-address - ``` - - You receive a message stating that the authenticity of your compute instance can't be established. Do you want to continue connecting? - - -4. Enter **yes** to continue. - - The public IP address of your compute instance is added to the list of known hosts on your Cloud Shell machine. The terminal prompt becomes `[opc@ ~]$`, where `opc` is your user account on your compute instance. You are now connected to your new compute instance. - - -## Task 8: Create an API key - -There are three parts to configuring the SDK: create an API key, create a configuration file, and upload a PEM file to your compute instance. To use the SDK for Java, you must have a key pair used for signing API requests, with the public key uploaded to Oracle. Only the user calling the API should be in possession of the private key. - - -1. Begin by creating an API key. To do so, in the upper-right corner of the Oracle Cloud Infrastructure Console, click the **Profile** icon, and then click your username. - -2. On the left, click **API Keys**. - -3. Click **Add API Key**. - - The **Add API Key** dialog box is displayed. - -4. Leave **Generate API Key Pair** selected, click **Download Private Key**, and save your private key (PEM file) to a local directory on your computer. - -5. Click **Add**. - - The **Configuration File Preview** dialog box is displayed. This dialog shows you a preview of the configuration file. - -6. Copy the configuration file contents to a temporary text file because you need it in a later task. It content looks similar to this: - - ```text - [DEFAULT] - user=ocid1.user.oc1... - fingerprint=your-fingerprint - tenancy=ocid1.tenancy.oc1... - region=eu-frankfurt-1 - key_file= # TODO - ``` - -6. Click **Close**. - -7. In Cloud Shell, switch to the `root` user. +1. In Cloud Shell, switch to the `root` user. ```bash $ sudo su - ``` -8. Create a `.oci` directory. - - ```text - # mkdir ~/.oci - ``` - -## Task 9: Upload your private key (PEM file) to your compute instance - -Upload your private key (PEM file) into object storage, and then copy it to your compute instance. - -1. From the navigation menu in Oracle Cloud Infrastructure, select **Storage**, and then **Buckets**. Select your compartment. Click the name of your bucket. - - The **Bucket Details** page is displayed. - -2. Scroll down to the **Objects** section and click **Upload**. - - The **Upload Objects** panel is displayed. - -3. Drag your private key file to the **Choose Files from your Computer** area, and click **Upload**. - -4. Click **Close**. - -5. At the end of the row for your private key file listing, click the three dots, and then select **Create Pre-Authenticated Request**. - - The **Create Pre-Authenticated Request** panel is displayed. - -6. Click **Create Pre-Authenticated Request**. - - The **Pre-Authenticated Request Details** dialog box is displayed. - -7. Copy the **Pre-Authenticated Request URL** to the clipboard and paste it into a temporary local text file. *IMPORTANT:* You will not be able to view this URL again after you close the dialog box. - -8. Click **Close**. - -9. In Cloud Shell, change to the `.oci` directory. - - ```text - # cd ~/.oci - ``` - -10. Use the `WGET` command to copy your private key file from object storage into the `.oci` directory. Replace `pre-authenticated-request-url` with your own url. - - ```text - # wget pre-authenticated-request-url - ``` - -11. List the contents of the directory to ensure the private key file is present. - - ```text - # ls - ``` - -## Task 10: Create a configuration file - -In this task, you create a configuration file named `config` in the `.oci` directory for the SDK, and then add the API content that you obtained from the API key (which you created in a previous task). In the config file, correct the last line by adding the actual path to your private key file on your compute instance. The java file that you compile in a subsequent task looks for the config file in `~/.oci/config` with a profile named `DEFAULT`. - -1. Using the vi editor and while you are still in the `.oci` directory, create a configuration file. - - ```text - # vi config - ``` - -2. Paste the configuration file contents into the `config` file. Note: Earlier you pasted this content into a temporary text file. The content looks similar to the following code. Be sure to include `[DEFAULT]` at the top. - ```text - [DEFAULT] - user=ocid1.user.oc1... - fingerprint=your-fingerprint - tenancy=ocid1.tenancy.oc1... - region=eu-frankfurt-1 - key_file= # TODO - ``` - -3. Modify the last line to be the path to your PEM file on your compute instance. In the example below, substitute `your-private-key-file-name` with your own private key file name. - - ```text - key_file=~/.oci/your-private-key-file-name - ``` - -4. Save and close the file (press **Escape**, enter **:wq**, and press **Enter**). - -5. List the contents of the current directory and ensure that your `config` file is there. - - ```text - # ls - - config your-private-key-file-name - ``` - - -## Task 11: Compile a Java program - -The Oracle Linux Cloud Developer image comes with the SDK and Java software already installed. The OCI jar file is located in `/usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-.jar`, and third-party libraries are in `/usr/lib64/java-oci-sdk/third-party/lib`. To compile a Java file, use the `javac` command. - -In this task, you compile a Java program named `DataSafeRestAPIClientExample.java`, which comes with the SDK installation. The purpose of this program is to copy audit data from the Oracle Data Safe repository into a specified object storage bucket. If needed, you can also download the program directly from Github by running the following command: `wget https://raw.githubusercontent.com/oracle/oci-java-sdk/master/bmc-examples/src/main/java/DataSafeRestAPIClientExample.java`. - -1. Verify the version of the `oci-java-sdk-full-version.jar` file. In this example, the version is 2.27.0. - - ```text - # ls /usr/lib64/java-oci-sdk/lib - - oci-java-sdk-full-2.27.0.jar oci-java-sdk-full-2.27.0-javadoc.jar oci-java-sdk-full-2.27.0-sources.jar - ``` - -2. Switch to the `/usr/lib64/java-oci-sdk` directory. - - ```text - # cd /usr/lib64/java-oci-sdk - ``` - -3. Compile the `DataSafeRestAPIClientExample.java` file. Be sure to use the correct version in the `oci-java-sdk-full-.jar` file name. The example below uses version 2.27.0. - - It’s very common that a Java program depends on one or more external libraries (JAR files). Use the flag `-classpath` (or `-cp`) to tell the compiler where to look for external libraries. By default, the compiler looks in the bootstrap classpath and in the `CLASSPATH` environment variable. - - ```text - # javac -cp lib/oci-java-sdk-full-2.27.0.jar:third-party/lib/* examples/DataSafeRestAPIClientExample.java - ``` - - Note: There is no output after the file is compiled. You are simply returned to the prompt. - - -6. Change to the `examples` directory and list the files. Confirm that you now have a class file named `DataSafeRestAPIClientExample.class`. - - ```text - # cd examples - # ls - ``` - -## Task 12: Obtain the compartment OCID for your target database - -1. From the navigation menu in Oracle Cloud Infrastructure, select **Oracle Database**, and then **Data Safe - Database Security**. - -2. On the left, click **Target Databases**. - -3. On the left, select your compartment. - -4. On the right, click the name of your target database. - - The **Target Database Details** page is displayed. - -5. On the **Target Database Details** tab, make note of the compartment. - -6. From the navigation menu, select **Identity & Security**, and then on the right under **Identity**, select **Compartments**. - -7. Click the name of your compartment. - - The **Compartment details** page is displayed. - -8. On the **Compartment Information** tab, click the **Copy** link next to **OCID** and paste the OCID into a temporary local text file. You need the OCID for the next task. - - - -## Task 13: Run the compiled Java class file - -Run the `DataSafeRestAPIClientExample.class` file to test that it runs without errors before you schedule it. The program requires two inputs, which you can define upfront: - -- The name of the bucket in which to store the copied audit data -- The compartment OCID of your target database - -1. Run the following commands to set two variables - **BUCKET** and **COMPARTMENT**. Substitute `compartment-ocid-for-target-database` with your own OCID. - - ```text - # export BUCKET=DataSafeAuditData - # export COMPARTMENT=compartment-ocid-for-target-database - ``` - -2. Make sure that you are still working in the `/usr/lib64/java-oci-sdk/lib/examples` directory. - -3. Run the following command to run the class file. The example below uses `oci-java-sdk-full-2.27.0.jar`, but be sure to use the version that is on your system. You can ignore the error about failing to load the `org.slf4j.impl.StaticLoggerBinder` class. - - ```text - # java -cp /usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-2.27.0.jar:/usr/lib64/java-oci-sdk/third-party/lib/*:/usr/lib64/java-oci-sdk/examples DataSafeRestAPIClientExample $BUCKET $COMPARTMENT - - SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". - SLF4J: Defaulting to no-operation (NOP) logger implementation - SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. - Getting the namespace - - - Namespace: frmwj0cqbupb - - - Getting content for object cursor from bucket: DataSafeAuditData - - - ignore - Finished reading content for object cursor, last upload's last auditEvent record's timecollected FAILED - - - 2023-02-15T19:03:33.225Z - Querying for auditEvents with timeCollected Start = 2023-02-15T19:03:33.225Z, End = 2023-02-16T19:03:33.223Z - - - Count43 - - - Upload complete at Thu Feb 16 19:03:34 GMT 2023 of auditeventjson2023-02-16T19:03:34.290935835Z _noofrecords_ 43 Start =2023-02-15T19:03:33.225Z, End=2023-02-16T19:03:33.223Z OpcRequestId: fra-1:RMvrVLBJGMQYyKnOATHwJs6Ywthox3dK9BGYWIaZv3LD2lFq5oRaUuZKzWsJkwZf - - - Upload complete at Thu Feb 16 19:03:34 GMT 2023 of cursor OpcRequestId: fra-1:v5KE-S9VbuBMsqnof2qx5dkabTsHgbZv50wSAJJLk-TD-b3e4cqwRmIDG6Bdwa1y - ``` - -4. Review the output. The third last output line tells you the count of audit records copied into object storage. Your value may be different. If your count is equal to zero, delete any cursors in your bucket and repeat step 3. - - - -## Task 14: Verify that the audit data is in your bucket - -1. From the navigation menu in Oracle Cloud Infrastructure, select **Storage**, and then **Buckets**. - -2. Select your compartment. - -3. Click the name of your bucket. - - The **Bucket Details** page for your bucket is displayed. - -4. Scroll down to the **Objects** section. - -5. Notice that you now have a line item named `auditeventjson` that contains the text `noofrecords_`. This is the audit data copied from the Oracle Data Safe repository. `` is the number of copied audit records. - - ![Initial audit records object](images/initial-audit-records-object.png "Initial audit records object") - - -## Task 15: Create an SH script for cronjob - -Now that you've verified that the compiled Java program works fine, you are ready to schedule it using cronjob on your compute instance. The Cron daemon is a built-in Linux utility that runs processes on your system at a scheduled time. Cron reads the crontab (cron tables) for predefined commands and scripts. You need to be the `root` user or a user with `sudo` privileges to create a cron job. - -In this task, you create an SH script that contains the variables and Java command to run the Java program. In the next task, you schedule the SH script. - -1. Change to the `/usr/local/bin` directory. +2. Change to the `/usr/local/bin` directory. ```text # cd /usr/local/bin ``` -2. Using the vi editor, create an SH file named `datasafejob.sh`. +3. Using the vi editor, create an SH file named `datasafejob.sh`. ```text # vi datasafejob.sh ``` -3. Add the following content to the SH file. Notice that we run the class file using a slightly different Java command than we used in task 13. To run the class file from anywhere, we need to include the path to the `examples` directory in the class path. Again, we are using `oci-java-sdk-full-2.27.0.jar`. Be sure to use the correct version on your system. Substitute `compartment-ocid-for-target-database` with your own compartment OCID. +4. Add the following content to the SH file. To run the class file from anywhere, we need to include the path to the `examples` directory in the class path. Again, we are using `oci-java-sdk-full-3.33.0.jar`. Be sure to use the correct version on your system. Substitute `compartment-ocid-for-target-database` with your own compartment OCID. ```text #!/bin/bash @@ -554,7 +61,7 @@ In this task, you create an SH script that contains the variables and Java comma export COMPARTMENT=compartment-ocid-for-target-database - java -cp /usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-2.27.0.jar:/usr/lib64/java-oci-sdk/third-party/lib/*:/usr/lib64/java-oci-sdk/examples DataSafeRestAPIClientExample $BUCKET $COMPARTMENT + java -cp /usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-3.33.0.jar:/usr/lib64/java-oci-sdk/third-party/lib/*:/usr/lib64/java-oci-sdk/third-party/jersey/lib/*:/usr/lib64/java-oci-sdk/lib/jersey/oci-java-sdk-common-httpclient-jersey-3.33.0.jar:/home/opc/.oci DataSafeRestAPIClientExample $BUCKET $COMPARTMENT ``` 4. Save and close the file (press **Escape**, enter **:wq**, and press **Enter**). @@ -565,7 +72,7 @@ In this task, you create an SH script that contains the variables and Java comma # chmod 777 datasafejob.sh ``` -## Task 16: Schedule the SH script using crontab +## Task 2: Schedule the SH script to run every minute Start by scheduling the SH script to run every minute so that you can test that the scheduling works. After confirming, change the schedule to be at 2AM every day. @@ -590,22 +97,23 @@ Start by scheduling the SH script to run every minute so that you can test that ![Audit records objects](images/audit-records-objects.png "Audit records objects") -5. In Cloud Shell, access crontab. + +## Task 3: Schedule to script to run at 2AM every day + +1. In Cloud Shell, access crontab. ```text # crontab -e ``` -6. Change the schedule to be at 2AM every day and then save the file (press **Escape**, enter **:wq**, and press **Enter**). - - In the example below, `0 2 * * *` indicates that the cron job runs any time the system clock shows 2am. +2. Replace the existing text with the following text, and then save the file (press **Escape**, enter **:wq**, and press **Enter**). In the example below, `0 2 * * *` indicates that the cron job runs any time the system clock shows 2am. ```text 0 2 * * * /usr/local/bin/datasafejob.sh ``` -## Task 17: Remove the scheduled activity in crontab +## Task 4: Remove the scheduled activity in crontab 1. Access crontab. @@ -635,7 +143,7 @@ You may now **proceed to the next lab**. ## Acknowledgements - **Author** - Jody Glover, Consulting User Assistance Developer, Database Development - **Contributors** - Richard Evans, Anna Haikl, Russ Lowenthal, Archana Rao, Bettina Schaeumer -- **Last Updated By/Date** - Jody Glover, April 11, 2023 +- **Last Updated By/Date** - Jody Glover, February 6, 2024 diff --git a/data-safe/api-schedule-audit-data-copy/api-schedule-audit-data-copy_archive1.md b/data-safe/api-schedule-audit-data-copy/api-schedule-audit-data-copy_archive1.md new file mode 100644 index 000000000..e8a0f135c --- /dev/null +++ b/data-safe/api-schedule-audit-data-copy/api-schedule-audit-data-copy_archive1.md @@ -0,0 +1,647 @@ +# Schedule the copying of audit data to object storage using the Oracle Data Safe REST API + +## Introduction + +When you start your target database's audit trail in Oracle Data Safe, Oracle Data Safe begins copying audit records from the database's audit trail into the Oracle Data Safe repository. In this lab, you use the Oracle Data Safe application programming interface (API) and crontab on a compute instance to schedule the copying of Oracle Data Safe's audit data for your target database into object storage. + +If you already have a bucket in Oracle Cloud Infrastructure and you have started the audit trail for your target database in Oracle Data Safe, then you can skip tasks 1 and/or 2. + +Estimated Lab Time: 30 minutes + +### Objectives + +In this lab, you will: + +- Create a bucket in your compartment +- Start the audit trail for your target database in Oracle Data Safe +- View the quantity of audit data collected by Oracle Data Safe +- Create SSH keys in Cloud Shell +- Create a virtual cloud network (VCN) +- Create a compute instance using the Oracle Linux Cloud Developer 8 image +- Connect to your compute instance from Cloud Shell +- Create an API key +- Upload your private key (PEM file) to your compute instance +- Create a configuration file +- Compile the Java program +- Obtain the compartment OCID for your target database +- Run the compiled Java class file +- Verify that the audit data is in your bucket +- Create an SH script for cronjob +- Schedule the SH script using crontab +- Remove the scheduled activity in crontab + + +### Prerequisites + +This lab assumes you have: + +- Obtained an Oracle Cloud account and signed in to the Oracle Cloud Infrastructure Console +- Prepared your environment for this workshop (see [Prepare Your Environment](?lab=prepare-environment)) +- Registered your target database with Oracle Data Safe (see [Register an Autonomous Database with Oracle Data Safe](?lab=register-autonomous-database)) + + + +## Task 1: Create a bucket in your compartment + +Create a bucket to store your audit data. You also use the bucket to transfer a PEM file to a compute instance in a later task. + +1. From the navigation menu in Oracle Cloud Infrastructure, select **Storage**, and then **Buckets**. + +2. Select your compartment. + +3. Click **Create Bucket**. + + The **Create Bucket** dialog box is displayed. + +4. For bucket name, enter **DataSafeAuditData**. + +5. Leave the default settings as is, and click **Create**. + + +## Task 2: Start the audit trail for your target database in Oracle Data Safe + +1. From the navigation menu in Oracle Cloud Infrastructure, select **Oracle Database**, and then **Data Safe - Database Security**. + +2. Under **Security center** on the left, click **Activity auditing**. + +3. Under **Related resources** on the left, click **Audit trails**. + +4. From the **Compartment** drop-down list on the left, make sure your compartment is selected. + +5. On the right, click the name of your target database for the **UNIFIED\_AUDIT\_TRAIL**. + + The **Audit trail information** page is displayed. + +6. Click **Start**. + + A **Start audit trail: UNIFIED\_AUDIT\_TRAIL** dialog box is displayed. + +7. Set the start date to the beginning of the current month. + +8. Click **Start**. Wait for **Collection state** to change from **STARTING** to **COLLECTING** and then to **IDLE**. It takes about one minute. + + +## Task 3: View the quantity of audit data collected by Oracle Data Safe + +1. In the breadcrumb at the top of the page, click **Activity auditing**. + +2. Under **Security center**, click **Audit profiles**. + +3. On the right, click the name of your target database. + + The **Audit Profile Details** page for your target database is displayed. + +4. Scroll down the page to the **Compute audit volume** section. + +5. Click **Collected by Data Safe**. + + The **Compute Collected Volume** dialog box is displayed. + +6. Set the **Start month** and **End month** fields to the first and last day of the current month respectively, and click **Compute**. Make note of the number of audit records collected by Oracle Data Safe. + +7. If for some reason the number of audit records is equal to zero, run the [**load-data-safe-sample-data_admin.sql**](https://objectstorage.us-ashburn-1.oraclecloud.com/p/AUKfPIGuTde04z4OnuaZN2EP0LxNl4hJWI2jZiTw23aWzSoa2_Byvs8OGPw20-dt/n/c4u04/b/livelabsfiles/o/security-library/load-data-safe-sample-data_admin.sql) SQL script in Database Actions to load sample data into your database. This script generates auditable database activity for the `ADMIN` user. Then, repeat steps 5 and 6 to view the amount of collected audit data. + + +## Task 4: Create SSH keys in Cloud Shell + +In Cloud Shell, create an SSH key pair that you can use to connect to your compute instance. The standard name in LiveLabs workshops is `cloudshellkey`. + +1. On the toolbar in Oracle Cloud Infrastructure, click **Developer tools**, and then select **Cloud Shell**. When you first open Cloud Shell, you are in your home directory; for example, `/home/jody_glove`. + +2. (Optional) Reset your Cloud Shell environment. The following command erases all the data in your `$HOME` directory on your Cloud Shell machine and resets the `$HOME/.bashrc`, `$HOME/.bash_profile`, `$HOME/.bash_logout`, and `$HOME/.emacs` files back to their default values. Enter **y** at the prompt to confirm. + + ```bash + $ csreset --all + ``` + +3. Create an `.ssh` directory in your home directory on your Cloud Shell machine, change to it, and then verify the directory in which you are working. + + ```bash + $ mkdir ~/.ssh + $ cd ~/.ssh + $ pwd + + /home/your-user-name/.ssh + ``` + + +4. While you are in the `.ssh` directory, generate an SSH key pair. The following command generates two keys: a private key named `cloudshellkey` and a public key named `cloudshellkey.pub`. Please use the `cloudshellkey` naming convention as it is a LiveLabs standard. When prompted to enter a passphrase, simply click **Enter** twice to not enter a passphrase. + + ```bash + $ ssh-keygen -b 2048 -t rsa -f cloudshellkey + ``` + +5. Confirm the private key and public key files exist in the `.ssh` directory. + + ```bash + $ ls + + cloudshellkey cloudshellkey.pub + ``` + + + +6. Show the contents of the public key. Later, you copy this to the clipboard and paste it into the SSH keys box when creating the compute instance. + + ```bash + $ cat cloudshellkey.pub + ``` + +7. Leave Cloud Shell open. + + +## Task 5: Create a virtual cloud network (VCN) + +1. From the navigation menu in Oracle Cloud Infrastructure, select **Networking**, and then **Virtual cloud networks**. + +2. Select your compartment. + +3. Click **Create VCN**. + +4. For **Name**, enter **labVCN**. + +5. Select your compartment. + +6. For **IPv4 CIDR Blocks**, enter **10.0.0.0/24**. + +7. Leave the **Use DNS hostnames in this VCN** check box selected. + +8. For **DNS Label**, enter **labVCN**. + +9. Click **Create VCN**. + +10. Click **Create Subnet**. + +11. For name, enter **lab-public-subnet1**. + +12. Select your compartment. + +13. For subnet type, leave **Regional** selected. + +14. For **IPv4 CIDR Block**, enter **10.0.0.0/24**. + +15. For subnet access, leave **Public Subnet** selected. + +16. Leave the **Use DNS hostnames in this SUBNET** check box selected. + +17. For **DNS label**, enter **subnet1**. + +18. Click **Create Subnet**. + +19. On the left, click **Internet Gateways**. + +20. Click **Create Internet Gateway**. + + The **Create Internet Gateway** panel is displayed. + +21. For name, enter **livelabs-igw**. + +22. Select your compartment. + +23. Click **Create Internet Gateway**. + +24. On the left, click **Route Tables**. + +25. In the list of route tables, click **Default Route Table for labVCN**. + +26. Click **Add Route Rules**. + + The **Add Route Rules** panel is displayed. + +27. For target type, select **Internet Gateway**. + +28. For destination CIDR block, enter **0.0.0.0/0**. + +29. For target internet gateway, select **livelabs-igw**. + +30. Click **Add Route Rules**. + + +## Task 6: Create a compute instance using the Oracle Linux Cloud Developer 8 image + +The Oracle Linux Cloud Developer Image is supported on all compute shapes, except the GPU shapes. A minimum of 8 GB of memory is required for this image for all standard and flexible shapes. The one exception is the VM.Standard.E2.1.Micro shape, which only has 1 GB of memory allocated to it. Because of the small memory size in the VM.Standard.E2.1.Micro shape, some graphical intensive programs are not installed in the image. + +1. From the navigation menu for Oracle Cloud Infrastructure, select **Compute**, and then **Instances**. + +2. Select your compartment. + +3. Click **Create instance**. + +4. Enter a friendly name for your compute instance. + +5. Leave your compartment selected. + +6. Leave placement as is. + +7. In the **Image and shape** section, click **Edit**. + +8. Click **Change image**. Leave **Oracle Linux** selected. Scroll down and select **Oracle Linux Cloud Developer 8**. Select the **I have reviewed and accept the following documents: Oracle LInux Cloud Developer Image Terms of Use** check box. Click **Select image**. + +9. Click **Change shape**. Leave **Virtual Machine** selected. Select the **Ampere** shape series. Select the **VM.Standard.A1.Flex** shape. Scroll down and enter **8** GB of memory. Click **Select shape**. + +10. In the **Primary VNIC information** section, leave **Select existing virtual cloud network** selected and select your VCN called **labVCN**. Leave **Select existing subnet** selected, and select your subnet called **lab-public-subnet1**. For **Public IPv4 address**, leave **Automatically assign public IPv4 address** selected. + +11. In the **Add SSH keys** section, select **Paste public keys**. Return to Cloud Shell and copy the entire SSH public key to the clipboard. It starts with `ssh-rsa` and ends with something similar to `jody_glove@1e3ebc618797`. In the **SSH keys** box, paste your public key. Make sure that there are no hard returns. If needed, you can run `cat .ssh/cloudshellkey.pub` to display the public key again. + +12. In the **Boot volume** section, leave the default settings as is. + +13. Click **Create** and wait two minutes for your compute instance to be provisioned. The **Work requests** page is displayed where you can view information about your compute instance. Wait for the status to change to **RUNNING**. + + +## Task 7: Connect to your compute instance from Cloud Shell + +1. If you've navigated away from your compute instance page, you can find it again by doing this: From the navigation menu in Oracle Cloud Infrastructure, select **Compute**, and then **Instances**. Select your compartment. Click the name of your compute instance. + +2. On the **Instance information** tab under **Instance access**, copy the public IP address to the clipboard. + +3. In Cloud Shell, enter the following `SSH` command to connect to your compute instance, replacing `public-ip-address` with the one you just copied to the clipboard. + + ```bash + $ ssh -i ~/.ssh/cloudshellkey opc@public-ip-address + ``` + + You receive a message stating that the authenticity of your compute instance can't be established. Do you want to continue connecting? + + +4. Enter **yes** to continue. + + The public IP address of your compute instance is added to the list of known hosts on your Cloud Shell machine. The terminal prompt becomes `[opc@ ~]$`, where `opc` is your user account on your compute instance. You are now connected to your new compute instance. + + +## Task 8: Create an API key + +There are three parts to configuring the SDK: create an API key, create a configuration file, and upload a PEM file to your compute instance. To use the SDK for Java, you must have a key pair used for signing API requests, with the public key uploaded to Oracle. Only the user calling the API should be in possession of the private key. + + +1. Begin by creating an API key. To do so, in the upper-right corner of the Oracle Cloud Infrastructure Console, click the **Profile** icon, and then click your username. + +2. On the left, click **API Keys**. + +3. Click **Add API Key**. + + The **Add API Key** dialog box is displayed. + +4. Leave **Generate API Key Pair** selected, click **Download Private Key**, and save your private key (PEM file) to a local directory on your computer. + +5. Click **Add**. + + The **Configuration File Preview** dialog box is displayed. This dialog shows you a preview of the configuration file. + +6. Copy the configuration file contents to a temporary text file because you need it in a later task. Be sure to include `[DEFAULT]`. The content looks similar to this: + + ```text + [DEFAULT] + user=ocid1.user.oc1... + fingerprint=your-fingerprint + tenancy=ocid1.tenancy.oc1... + region=eu-frankfurt-1 + key_file= # TODO + ``` + +6. Click **Close**. + +7. In Cloud Shell, switch to the `root` user. + + ```bash + $ sudo su - + ``` + +8. Create a `.oci` directory. + + ```text + # mkdir ~/.oci + ``` + +## Task 9: Upload your private key (PEM file) to your compute instance + +Upload your private key (PEM file) into object storage, and then copy it to your compute instance. + +1. From the navigation menu in Oracle Cloud Infrastructure, select **Storage**, and then **Buckets**. Select your compartment. Click the name of your bucket. + + The **Bucket Details** page is displayed. + +2. Scroll down to the **Objects** section and click **Upload**. + + The **Upload Objects** panel is displayed. + +3. Drag your private key file to the **Choose Files from your Computer** area, and click **Upload**. + +4. Click **Close**. + +5. At the end of the row for your private key file listing, click the three dots, and then select **Create Pre-Authenticated Request**. + + The **Create Pre-Authenticated Request** panel is displayed. + +6. Click **Create Pre-Authenticated Request**. + + The **Pre-Authenticated Request Details** dialog box is displayed. + +7. Copy the **Pre-Authenticated Request URL** to the clipboard and paste it into a temporary local text file. *IMPORTANT:* You will not be able to view this URL again after you close the dialog box. + +8. Click **Close**. + +9. In Cloud Shell, change to the `.oci` directory. + + ```text + # cd ~/.oci + ``` + +10. Use the `WGET` command to copy your private key file from object storage into the `.oci` directory. Replace `pre-authenticated-request-url` with your own url. + + ```text + # wget pre-authenticated-request-url + ``` + +11. List the contents of the directory to ensure the private key file is present. + + ```text + # ls + ``` + +## Task 10: Create a configuration file + +In this task, you create a configuration file named `config` in the `.oci` directory for the SDK, and then add the API content that you obtained from the API key (which you created in a previous task). In the config file, correct the last line by adding the actual path to your private key file on your compute instance. The java file that you compile in a subsequent task looks for the config file in `~/.oci/config` with a profile named `DEFAULT`. + +1. While you are still in the `.oci` directory, use the vi editor to create a configuration file. + + ```text + # vi config + ``` + +2. Paste the configuration file contents into the `config` file. Note: Earlier you pasted this content into a temporary text file. The content looks similar to the following code. Be sure to include `[DEFAULT]` at the top. + + ```text + [DEFAULT] + user=ocid1.user.oc1... + fingerprint=your-fingerprint + tenancy=ocid1.tenancy.oc1... + region=eu-frankfurt-1 + key_file= # TODO + ``` + +3. Modify the last line to be the path to your PEM file on your compute instance. In the example below, substitute `your-private-key-file-name` with your own private key file name. + + ```text + key_file=~/.oci/your-private-key-file-name + ``` + +4. Save and close the file (press **Escape**, enter **:wq**, and press **Enter**). + +5. List the contents of the current directory and ensure that your `config` file is there. + + ```text + # ls + + config your-private-key-file-name + ``` + + +## Task 11: Compile a Java program + +The Oracle Linux Cloud Developer image comes with the SDK and Java software already installed. The OCI jar file is located in `/usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-.jar`, and third-party libraries are in `/usr/lib64/java-oci-sdk/third-party/lib`. To compile a Java file, use the `javac` command. + +In this task, you compile a Java program named `DataSafeRestAPIClientExample.java`, which comes with the SDK installation. The purpose of this program is to copy audit data from the Oracle Data Safe repository into a specified object storage bucket. If needed, you can also download the program directly from Github by running the following command: `wget https://raw.githubusercontent.com/oracle/oci-java-sdk/master/bmc-examples/src/main/java/DataSafeRestAPIClientExample.java`. + +1. Verify the version of the `oci-java-sdk-full-version.jar` file. In this example, the version is 3.11.0. + + ```text + # ls /usr/lib64/java-oci-sdk/lib + + jersey jersey3 oci-java-sdk-full-3.11.0.jar oci-java-sdk-full-3.11.0-javadoc.jar oci-java-sdk-full-3.11.0-sources.jar + ``` + +2. Switch to the `/usr/lib64/java-oci-sdk` directory. + + ```text + # cd /usr/lib64/java-oci-sdk + ``` + +3. Compile the `DataSafeRestAPIClientExample.java` file. Be sure to use the correct version in the `oci-java-sdk-full-.jar` file name. The example below uses version 3.11.0. + + It’s very common that a Java program depends on one or more external libraries (JAR files). Use the flag `-classpath` (or `-cp`) to tell the compiler where to look for external libraries. By default, the compiler looks in the bootstrap classpath and in the `CLASSPATH` environment variable. + + ```text + # javac -cp lib/oci-java-sdk-full-3.11.0.jar:third-party/lib/* examples/DataSafeRestAPIClientExample.java + ``` + + Note: There is no output after the file is compiled. You are simply returned to the prompt. + + +6. Change to the `examples` directory and list the files. Confirm that you now have a class file named `DataSafeRestAPIClientExample.class`. + + ```text + # cd examples + # ls + ``` + +## Task 12: Obtain the compartment OCID for your target database + +1. From the navigation menu in Oracle Cloud Infrastructure, select **Oracle Database**, and then **Data Safe - Database Security**. + +2. On the left, click **Target databases**. + +3. On the left, select your compartment. + +4. On the right, click the name of your target database. + + The **Target database information** page is displayed. + +5. On the **Target database information** tab, make note of the compartment. + +6. From the navigation menu, select **Identity & Security**, and then on the right under **Identity**, select **Compartments**. + +7. Click the name of your compartment. + + The **Compartment details** page is displayed. + +8. On the **Compartment Information** tab, click the **Copy** link next to **OCID** and paste the OCID into a temporary local text file. You need the OCID for the next task. + + + +## Task 13: Run the compiled Java class file + +Run the `DataSafeRestAPIClientExample.class` file to test that it runs without errors before you schedule it. The program requires two inputs, which you can define upfront: + +- The name of the bucket in which to store the copied audit data +- The compartment OCID of your target database + +1. Run the following commands to set two variables - **BUCKET** and **COMPARTMENT**. Substitute `compartment-ocid-for-target-database` with your own OCID. + + ```text + # export BUCKET=DataSafeAuditData + # export COMPARTMENT=compartment-ocid-for-target-database + ``` + +2. Make sure that you are still working in the `/usr/lib64/java-oci-sdk/lib/examples` directory. + +3. Run the following command to run the class file. The example below uses `oci-java-sdk-full-3.11.0.jar`, but be sure to use the version that is on your system. You can ignore the error about failing to load the `org.slf4j.impl.StaticLoggerBinder` class. + + ```text + # java -cp /usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-3.11.0.jar:/usr/lib64/java-oci-sdk/third-party/lib/*:/usr/lib64/java-oci-sdk/third-party/jersey/lib/*:/usr/lib64/java-oci-sdk/lib/jersey/oci-java-sdk-common-httpclient-jersey-3.11.0.jar:/usr/lib64/java-oci-sdk/examples DataSafeRestAPIClientExample $BUCKET $COMPARTMENT + + SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". + SLF4J: Defaulting to no-operation (NOP) logger implementation + SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. + Getting the namespace + + + Namespace: frmwj0cqbupb + + + Getting content for object cursor from bucket: DataSafeAuditData + + + ignore + Finished reading content for object cursor, last upload's last auditEvent record's timecollected FAILED + + + 2023-02-15T19:03:33.225Z + Querying for auditEvents with timeCollected Start = 2023-02-15T19:03:33.225Z, End = 2023-02-16T19:03:33.223Z + + + Count38 + + + Upload complete at Mon Feb 05 22:03:42 GMT 2024 of auditeventjson2024-02-05T22:03:41.988198716Z _noofrecords_ 38 Start =2024-02-04T22:03:40.791Z, End=2024-02-05T22:03:40.791Z OpcRequestId: fra-1:yZBD9z2X8Z3... + + + Upload complete at Mon Feb 05 22:03:42 GMT 2024 of cursor OpcRequestId: fra-1:H1tb7M0mOw4ZDE... + ``` + +4. Review the output. The third last output line tells you the count of audit records copied into object storage. Your value may be different. If your count is equal to zero, delete any cursors in your bucket and repeat step 3. + + + +## Task 14: Verify that the audit data is in your bucket + +1. From the navigation menu in Oracle Cloud Infrastructure, select **Storage**, and then **Buckets**. + +2. Select your compartment. + +3. Click the name of your bucket. + + The **Bucket Details** page for your bucket is displayed. + +4. Scroll down to the **Objects** section. + +5. Notice that you now have a line item named `auditeventjson` that contains the text `noofrecords_`. This is the audit data copied from the Oracle Data Safe repository. `` is the number of copied audit records. + + ```text + auditeventjson2024-02-05T22:03:41.988198716Z _noofrecords_ 38 Start =2024-02-04T22:03:40.791Z, End=2024-02-05T22:03:40.791Z + ``` + + +## Task 15: Create an SH script for cronjob + +Now that you've verified that the compiled Java program works fine, you are ready to schedule it using cronjob on your compute instance. The Cron daemon is a built-in Linux utility that runs processes on your system at a scheduled time. Cron reads the crontab (cron tables) for predefined commands and scripts. You need to be the `root` user or a user with `sudo` privileges to create a cron job. + +In this task, you create an SH script that contains the variables and Java command to run the Java program. In the next task, you schedule the SH script. + +1. Change to the `/usr/local/bin` directory. + + ```text + # cd /usr/local/bin + ``` + +2. Using the vi editor, create an SH file named `datasafejob.sh`. + + ```text + # vi datasafejob.sh + ``` + +3. Add the following content to the SH file. To run the class file from anywhere, we need to include the path to the `examples` directory in the class path. Again, we are using `oci-java-sdk-full-3.11.0.jar`. Be sure to use the correct version on your system. Substitute `compartment-ocid-for-target-database` with your own compartment OCID. + + ```text + #!/bin/bash + + export BUCKET=DataSafeAuditData + + export COMPARTMENT=compartment-ocid-for-target-database + + java -cp /usr/lib64/java-oci-sdk/lib/oci-java-sdk-full-3.11.0.jar:/usr/lib64/java-oci-sdk/third-party/lib/*:/usr/lib64/java-oci-sdk/third-party/jersey/lib/*:/usr/lib64/java-oci-sdk/lib/jersey/oci-java-sdk-common-httpclient-jersey-3.11.0.jar:/usr/lib64/java-oci-sdk/examples DataSafeRestAPIClientExample $BUCKET $COMPARTMENT + ``` + +4. Save and close the file (press **Escape**, enter **:wq**, and press **Enter**). + +5. Add permissions to the script. + + ```text + # chmod 777 datasafejob.sh + ``` + +## Task 16: Schedule the SH script using crontab + +Start by scheduling the SH script to run every minute so that you can test that the scheduling works. After confirming, change the schedule to be at 2AM every day. + +1. To edit the cron job, enter the following command: + + ```text + # crontab -e + ``` + +2. Add the following to the first line and then save (press **Escape**, enter **:wq**, and press **Enter**): + + + ```text + * * * * * /usr/local/bin/datasafejob.sh + ``` + +3. Generate some activity for Oracle Data Safe to audit. To do this, access Database Actions for your target database. Download the [**load-data-safe-sample-data_admin.sql**](https://objectstorage.us-ashburn-1.oraclecloud.com/p/AUKfPIGuTde04z4OnuaZN2EP0LxNl4hJWI2jZiTw23aWzSoa2_Byvs8OGPw20-dt/n/c4u04/b/livelabsfiles/o/security-library/load-data-safe-sample-data_admin.sql) script and open it in a text editor, such as NotePad. Copy the entire script to the clipboard and paste it into the worksheet in Database Actions. On the toolbar, click the **Run Script** button and wait for the script to finish running. + + +4. Return to your bucket and view the audit data being collected each minute. It can take up to ten minutes for the audit data objects to be displayed. + + ![Audit records objects](images/audit-records-objects.png "Audit records objects") + + +5. In Cloud Shell, access crontab. + + ```text + # crontab -e + ``` + +6. Change the schedule to be at 2AM every day and then save the file (press **Escape**, enter **:wq**, and press **Enter**). + + In the example below, `0 2 * * *` indicates that the cron job runs any time the system clock shows 2am. + + ```text + 0 2 * * * /usr/local/bin/datasafejob.sh + ``` + + +## Task 17: Remove the scheduled activity in crontab + +1. Access crontab. + + ```text + # crontab -e + ``` + +2. Delete the content. + +3. Save your changes (press **Escape**, enter **:wq**, and press **Enter**). + +4. Close Cloud Shell. + +You may now **proceed to the next lab**. + +## Learn More +- [Activity Auditing Overview](https://www.oracle.com/pls/topic/lookup?ctx=en/cloud/paas/data-safe&id=UDSCS-GUID-741E8CFE-041E-46C4-9C04-D849573A4DB7) +- [Audit Trails](https://www.oracle.com/pls/topic/lookup?ctx=en/cloud/paas/data-safe&id=UDSCS-GUID-8E684604-879A-4312-8FF6-519ECD67D179) +- [Oracle Linux Cloud Developer Image](https://docs.oracle.com/en-us/iaas/oracle-linux/developer/index.htm) +- [Getting Started (with SDK for Java)](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/javasdkgettingstarted.htm) +- [oci-java-sdk (on GitHub)](https://github.com/oracle/oci-java-sdk) +- [SDK for Java (configuring the SDK)](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/javasdk.htm) +- [Data Safe API (reference and endpoints)](https://docs.oracle.com/en-us/iaas/api/#/en/data-safe/20181201/) +- [Oracle Cloud Infrastructure Java SDK (packages and classes)](https://docs.oracle.com/en-us/iaas/tools/java/3.2.2/) + + +## Acknowledgements +- **Author** - Jody Glover, Consulting User Assistance Developer, Database Development +- **Contributors** - Richard Evans, Anna Haikl, Russ Lowenthal, Archana Rao, Bettina Schaeumer +- **Last Updated By/Date** - Jody Glover, February 5, 2023 + + + + + diff --git a/data-safe/api-schedule-audit-data-copy/images/audit-records-objects.png b/data-safe/api-schedule-audit-data-copy/images/audit-records-objects.png index 80b4a268e..09c80b603 100644 Binary files a/data-safe/api-schedule-audit-data-copy/images/audit-records-objects.png and b/data-safe/api-schedule-audit-data-copy/images/audit-records-objects.png differ diff --git a/data-safe/assess-database-configurations/assess-database-configurations.md b/data-safe/assess-database-configurations/assess-database-configurations.md index 8f26469ad..ba334244b 100644 --- a/data-safe/assess-database-configurations/assess-database-configurations.md +++ b/data-safe/assess-database-configurations/assess-database-configurations.md @@ -1,12 +1,15 @@ -# Assess Database Configurations +# Assess database configurations ## Introduction -Security Assessment helps you assess the security of your database configurations. It analyzes database configurations, user accounts, and security controls, and then reports the findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk. By default, Oracle Data Safe automatically generates security assessments for your target databases and stores them in the Assessment History. You can analyze assessment data across all your target databases and for each target database. You can monitor security drift on your target databases by comparing the latest assessment to a baseline or to another assessment. +Security Assessment helps you assess the security of your database configurations. It analyzes database configurations, user accounts, and security controls, and then reports the findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk. + +Oracle Data Safe automatically creates a security assessment of your target database during registration. This assessment is referred to as the *latest assessment* and is automatically updated on a weekly basis. All assessments are stored in the Assessment History. You can analyze assessment data across all your target databases and for each target database. You can monitor security drift on your target databases by comparing the latest assessment to a baseline or to another assessment. In this lab, you explore Security Assessment. -Estimated Lab Time: 20 minutes +Estimated Time: 20 minutes + ### Objectives @@ -14,14 +17,11 @@ In this lab, you will: - View the overview page for Security Assessment - View the latest security assessment for your target database -- View the history of security assessments for your target database -- Set a baseline assessment +- Adjust the risk level of a risk finding +- Set the latest assessment as the baseline assessment - Generate activity on the target database - Refresh the latest security assessment and analyze the results -- Review the high risk level findings from the overview page -- Generate a Comparison report for Security Assessment -- Add a schedule to save a security assessment for your target database every Sunday at 11:30 PM -- View the history of all security assessments for all of your target databases +- Compare your assessment with the baseline ### Prerequisites @@ -35,144 +35,125 @@ This lab assumes you have: ### Assumptions - Your data values might be different than those shown in the screenshots. +- Please ignore the dates for the data and database names. Screenshots are taken at various times and may differ between labs and within labs. ## Task 1: View the overview page for Security Assessment -1. In Security Center, click **Security Assessment**. +1. Under **Security center**, click **Security assessment**. -2. Under **List Scope**, select your compartment. Deselect **Include child compartments**. +2. Under **List scope**, select your compartment. Deselect **Include child compartments**. The overview page shows statistics for your target database. -3. At the top of the page, review the **Risk Level** and **Risks by Category** charts. +3. At the top of the page, review the charts. - - The **Risk Level** chart shows you a percentage breakdown of the different risk levels (High, Medium, Low, Advisory, and Evaluate) across all target databases in the selected compartment(s). - - The **Risks by Category** chart shows you percentage breakdowns and counts of the different risk categories (User Accounts, Privileges and Roles, Authorization Control, Data Encryption, Fine-Grained Access, Auditing, and Database Configurations) across target databases in the selected compartment(s). + - The **Risk level** chart shows you a percentage breakdown of the different risk levels (High, Medium, Low, Advisory, and Evaluate) across all target databases in the selected compartment(s). + - The **Risks by category** chart shows you a percentage breakdown of the different risk categories (User accounts, Privileges and roles, Authorization control, Data encryption, Fine-grained access, Auditing, and Database configurations) across target databases in the selected compartment(s). + - The **Top 5 common controls** chart shows a bar graph of the number of target databases at each risk level for each of the top five common controls. The top five common controls are the five security controls that Oracle considers the most important to the security of your target databases. Clicking on any of the bars will show you the list of target databases associated with the selected data. - ![Security Assessment Risk Level and Risks by Category charts for all targets](images/sa_risklevel_risksbycategory.png "Security Assessment Risk Level and Risks by Category charts for all targets") + ![Security assessment overview charts for all targets](images/sa_overview_charts.png "Security assessment overview charts for all targets") -4. Review the information on the **Risk Summary** tab. +4. Review the information on the **Risk summary** tab. - - The **Risk Summary** tab shows you how much risk you have across all target databases in the specified compartment(s). + - The **Risk summary** tab shows you how much risk you have across all target databases in the specified compartment(s). - You can compare the number of high, medium, low, advisory, and evaluate risk findings across all target databases, and view which risk categories have the greatest numbers. - - Risk categories include Target Databases, User Accounts, Privileges and Roles, Authorization Control, Fine-Grained Access Control, Data Encryption, Auditing, and Database Configuration. + - Risk categories include Target databases, User accounts, Privileges and roles, Authorization control, Fine-grained access control, Data encryption, Auditing, and Database configuration. - ![Security Assessment Risk Summary tab](images/sa-risk-summary-tab.png "Security Assessment Risk Summary tab") + ![Security assessment risk summary tab](images/sa-risk-summary-tab.png "Security assessment risk summary tab") -5. Click the **Target Summary** tab and review the information. +5. Click the **Target summary** tab and review the information. - - The **Target Summary** tab shows you the security posture of each target database. + - The **Target summary** tab shows you the security posture of each target database. - You can view the number of high, medium, low, advisory, and evaluate risk findings for each target database. - - You can view the latest assessment date and find out if the latest assessment deviates from a baseline (if one is set). - - You can access the latest assessment for each target database. + - You can view the lastest assessment date and find out if the latest assessment deviates from a baseline (if one is set). + - You can access the latest assessment report for each target database. - ![Security Assessment Target Summary tab](images/sa-target-summary-tab.png "Security Assessment Target Summary tab") + ![Security assessment target summary tab](images/sa-target-summary-tab.png "Security assessment target summary tab") ## Task 2: View the latest security assessment for your target database -Oracle Data Safe automatically creates a security assessment of your target database during registration. This assessment is referred to as the *latest assessment*. - -1. On the **Target Summary** tab, locate the line that has your target database, and click **View Report**. +1. On the **Target summary** tab, locate the line that has your target database, and click **View report**. The latest security assessment for your target database is displayed. Notice that **Latest assessment for target database** is displayed at the top of the page. -2. Review the table on the **Assessment Summary** tab. +2. Review the top 5 common controls that Oracle considers to be the most important to the security of your target databases. You can click the links to quickly navigate to more detail below. - - This table compares the number of findings for each category in the report and counts the number of findings per risk level (**High Risk**, **Medium Risk**, **Low Risk**, **Advisory**, **Evaluate**, and **Pass**). - - These values help you to identify areas that need attention. + ![Top 5 common controls](images/top-5-common-controls.png "Top 5 common controls") - ![Latest Security Assessment Assessment Summary tab](images/latest-sa-assessment-summary-tab.png "Latest Security Assessment Assessment Summary tab") +3. Review the information in the table. + - This table compares the number of findings for each category in the report and counts the number of findings per risk level (**High risk**, **Medium risk**, **Low risk**, **Advisory**, **Evaluate**, **Pass**, and **Deferred**). + - These values help you to identify areas that need attention. -3. To view details about the security assessment itself, click the **Assessment Information** tab. + ![Latest security assessment assessment summary tab](images/latest-sa-assessment-summary-tab.png "Latest security assessment assessment summary tab") - - Details include assessment name, OCID, compartment to which the assessment was saved, target database name, target database version, assessment date, schedule, name of the baseline assessment (if one is set), and whether the assessment complies with the baseline assessment (Yes, No, or No Baseline Set). +4. To view details about the security assessment itself, click the **Assessment information** tab. - ![Latest Security Assessment Assessment Information tab](images/latest-sa-assessment-information-tab.png "Latest Security Assessment Assessment Information tab") + - Details include assessment name, OCID, compartment to which the assessment was saved, target database name, target database version, assessment date and time, schedule, name of the baseline assessment (if one is set), and whether the assessment complies with the baseline (Yes, No, or No baseline set). -4. Rename the latest security assessment: Click the pencil icon to the right of **Name**, enter **Latest Security Assessment**, and click the **Save** icon. + ![Latest security assessment assessment information tab](images/latest-sa-assessment-information-tab.png "Latest security assessment assessment information tab") - ![Rename Latest Security Assessment](images/rename-latest-sa-assessment.png "Rename Latest Security Assessment") +4. Rename the latest security assessment: Click the pencil icon to the right of **Name**, enter **SA_target-database** (replace **target-database** with the name of your target database), and click the **Save** icon. -5. Scroll down and view the **Assessment Details** section. + ![Rename latest security assessment](images/rename-latest-sa-assessment.png "Rename latest security assessment") + +5. Scroll down and view the **Assessment details** section. - This section shows you all the findings for each risk category. - Risks are color-coded to help you easily identify categories that have high risk findings (red). - The high risk findings listed under **Privileges and Roles** were introduced when you ran the SQL script to populate your target database with sample data. - ![Latest Security Assessment Assessment Details section](images/latest-sa-assessment-details-section.png "Latest Security Assessment Assessment Details section") - - -6. Under **Filters By Risks** on the left, notice that you can select the risk levels that you want displayed. Select **Pass**, and then click **Apply**. - - The **Assessment Details** section is updated to include findings with no risk found (they have a **Pass** level). + ![Latest Security Assessment Assessment details section](images/latest-sa-assessment-details-section.png "Latest Security Assessment Assessment details section") - ![Security Assessment filters for risk levels](images/sa-filters-risk-levels.png "Security Assessment filters for risk levels") +6. Under **Filters by risks** on the left, notice that you can select the risk levels that you want displayed. Also notice on the left that you can filter by references. -7. Under **Filters By References** on the left, notice that you can also filter the list of findings based on recommendations from DISA STIG (Security Technical Implementation Guide), CIS Benchmark (Center for Internet Security), EU GDPR (European Union's General Data Protection Regulation), and Oracle Best Practices. + ![Security Assessment filters](images/sa-filters.png "Security Assessment filters") - ![Filters by references](images/filters-by-references.png "Filters by references") +8. On the right, expand categories and review the findings. -8. Under **User Accounts**, expand **User Details**. + - Each finding shows you the status (risk level), a summary of the finding, details about the finding, remarks to help you to mitigate the risk, and references - whether a finding is recommended by the Center for Internet Security (**CIS**), European Union's General Data Protection Regulation (**GDPR**), Security Technical Implementation Guide (**STIG**), and/or **Oracle best practices**. These references make it easy for you to identify the recommended security controls. + - In the example below, the **Transparent Data Encryption** finding has two references: **STIG** and **GDPR**. - - For each user in your target database, the table shows the user status, profile used, the user's default tablespace, whether the user is Oracle Defined (Yes or No), and how the user is authenticated (Auth Type). + ![Transparent Data Encryption finding](images/transparent-data-encryption-finding.png "Transparent Data Encryption finding") - ![Security Assessment user details](images/sa-user-details.png "Security Assessment user details") +## Task 3: Adjust the risk level of a risk finding -9. Expand another category and review the findings. +You can defer or change the risk level of a risk finding. In this task, defer the **Sample Schemas** risk finding. - - Each finding shows you the status (risk level), a summary of the finding, details about the finding, remarks to help you to mitigate the risk, and references. The references make it easy for you to identify the recommended security controls. - - In the example below, the **Users with Powerful Roles** finding is a high risk finding that has two references: **STIG** and **CIS**. +1. Click the pencil icon for the **Sample Schemas** finding. - ![Users with Powerful Roles finding](images/users-with-powerful-roles.png "Users with Powerful Roles finding") + ![Adjust risk icon](images/adjust-risk-icon.png "Adjust risk icon") +2. In the **Update risk for finding** panel, leave **Defer risk** selected. Optionally, enter a justification and set an expiration date. Click **Save**. -10. Expand a few categories under **Privileges and Roles**, and review the findings. + Setting an expiration date is optional. Upon expiry, the next assessment resumes evaluating the finding and displays as found. With no expiration date, the risk finding is deferred indefinitely. -11. Scroll down further and expand other categories. Each category lists related findings about your target database and how you can make changes to improve its security. + ![Update risk for finding panel](images/update-risk-for-finding.png "Update risk for finding panel") +3. Notice that the risk finding is recatorized in the **Assessment details** section. + ![Deferred risk finding](images/deferred-risk-finding.png "Deferred risk finding") -## Task 3: View the history of security assessments for your target database -1. At the top of the page, click **View History**. +## Task 4: Set the latest assessment as the baseline assessment -2. Make sure that your compartment is selected. Deselect **Include child compartments**. +A baseline assessment shows you data for all your target databases in a selected compartment at a given point in time. However, because we are only dealing with one target database in your compartment, the baseline assessment shows data for only one target database. -3. Notice that you have one security assessment listed for your target database. This is a *static* copy (separate copy) of the latest security assessment. +1. At the top of the page, click **Set as baseline**. - ![Assessment History page](images/assessment-history.png "Assessment History page") + The **Set as baseline?** dialog box is displayed. + ![Set as baseline dialog box](images/set-as-baseline-dialog-box.png "Set as baseline dialog box") -## Task 4: Set a baseline assessment +2. Click **Yes** to confirm that you want to set these findings as the baseline. -A baseline assessment shows you data for all your target databases in a selected compartment at a given point in time. However, because we are only dealing with one target database in your compartment, the baseline assessment shows data for only one target database. Let's set the first security assessment as the baseline. - -1. While you are on the **Assessment History** page for your target database, click the name of your security assessment. The security assessment details are displayed. - -2. Click **Set As Baseline**. - - The **Set As Baseline?** dialog box is displayed. - - ![Set As Baseline dialog box](images/set-as-baseline-dialog-box.png "Set As Baseline dialog box") - -3. Click **Yes** to confirm that you want to set these findings as the baseline. - -4. *Important! Stay on the page until the message **Baseline has been set** is displayed.* +3. *Important! Stay on the page until the message **Baseline has been set** is displayed.* ![Security Assessment Baseline has been set message](images/sa-baseline-has-been-set-message.png "Security Assessment Baseline has been set message") -5. Click **Back** to return to the **Assessment History** page, and confirm that there is a new row in the table for the baseline assessment. The assessment name starts with **SA_baseline**. - - ![Assessment history with baseline assessment](images/sa-assessment-history-with-baseline.png "Assessment history with baseline assessment") - -6. Click **Close**. - - The latest security assessment is displayed. - ## Task 5: Generate activity on the target database @@ -197,20 +178,20 @@ In this task, you issue a `GRANT` command on your target database so that later, 1. Return to the browser tab for Oracle Data Safe. -2. At the top of the latest security assessment, click **Refresh Now** to get the latest data. +2. At the top of the latest security assessment, click **Refresh now** to get the latest data. - The **Refresh Now** panel is displayed. + The **Refresh now** panel is displayed. -3. In the **Save Latest Assessment** box, enter **My Security Assessment**, and then click **Refresh Now**. Wait for the status to read as **SUCCEEDED**. +3. In the **Save latest assessment** box, enter **My Security Assessment**, and then click **Refresh now**. Wait for the status to read as **SUCCEEDED**. - This action updates the data in the latest security assessment for your target database and also saves a copy of the assessment (named My Security Assessment) to the Assessment History. - The refresh operation takes about one minute. - ![Security Assessment Refresh Now panel](images/sa-refresh-now-panel.png "Security Assessment Refresh Now panel") + ![Security Assessment Refresh now panel](images/sa-refresh-now-panel.png "Security Assessment Refresh now panel") -4. Click the **Assessment Information** tab. Notice that the assessment date and time is right now, and that **Complies With Baseline** is equal to **No**. +4. Click the **Assessment information** tab. Notice that the assessment date and time is right now, and that **Complies with baseline** is equal to **No**. - ![Security Assessment Assessed On right now](images/sa-assessed-on-right-now.png "Security Assessment Assessed On right now") + ![Security Assessment Assessed on right now](images/sa-assessed-on-right-now.png "Security Assessment assessed on right now") 5. Scroll down and expand **System Privileges Granted to Public**. @@ -219,119 +200,23 @@ In this task, you issue a `GRANT` command on your target database so that later, ![System Privileges Granted to PUBLIC finding](images/system-privileges-granted-to-public.png "System Privileges Granted to PUBLIC finding") +## Task 7: Compare your assessment with the baseline -## Task 7: Generate a Comparison report for Security Assessment +1. With the latest security assessment displayed, under **Resources** on the left, click **Compare with baseline**. Oracle Data Safe automatically begins processing the comparison. -1. With the latest security assessment displayed, under **Resources** on the left, click **Compare With Baseline**. Oracle Data Safe automatically begins processing the comparison. + If you navigated away from the latest security assessment, you can return to it by doing the following: Click **Security assessment** in the breadcrumb. Click the **Target summary** tab. Click **View report** for your target database. - If you navigated away from the latest security assessment, you can return to it by doing the following: Click **Security Assessment** in the breadcrumb. Click the **Target Summary** tab. Click **View Report** for your target database. - ![Compare With Baseline option under Resources](images/sa-resources-compare-with-baseline-option.png "Compare With Baseline option under Resources") +2. When the comparison operation is completed, scroll down the page to the **Comparison with baseline** section and review the information. -2. When the comparison operation is completed, scroll down the page to the **Comparison With Baseline** section and review the information. - - - Review the number of findings per risk category for each risk level. Categories include **User Accounts**, **Privileges and Roles**, **Authorization Control**, **Data Encryption**, **Fine-Grained Access Control**, **Auditing**, and **Database Configuration**. + - Review the number of findings per risk category for each risk level. Categories include **User accounts**, **Privileges and roles**, **Authorization control**, **Data encryption**, **Fine-grained access control**, **Auditing**, and **Database configuration**. - You can identify where the changes have occurred on your target database by viewing cells that contain the word **Modified**. The number represents the total count of new, remediated, and modified risks on the target database. - In the details table, you can view the risk level for each finding, the category to which the finding belongs, the finding name, and a description of what has changed on your target database. The Comparison Report column is important because it explains what is changed, added, or removed from the target database since the baseline report was generated. - - Notice the **`PUBLIC: [ALTER ANY ROLE]` Modification Details(added)** notes for some of the findings. The changes introduced by granting the masking role to `DS$ADMIN` are also included. - - ![Security Assessment Comparison report top](images/sa-comparison-report-top.png "Security Assessment Comparison report top") - ![Security Assessment Comparison report bottom](images/sa-comparison-report-bottom.png "Security Assessment Comparison report bottom") - - -## Task 8: Review high risk level findings from the overview page - -1. In the breadcrumb at the top of the page, click **Security Assessment** to return to the overview page. Make sure your compartment is selected. Deselect **Include child compartments**. - -2. In the **Risk Level** column, click **High** to view all the high risk findings. - - ![Security Assessment High Risk link](images/sa-high-risk-link.png "Security Assessment High Risk link") - -3. On the **Overview** tab, review the **Risks by Category** chart. You can position your cursor over the percentage values to view the category name and count. - - ![Security Assessment High Risk findings for all target databases](images/sa-high-risk-findings-all-targets.png "Security Assessment High Risk findings for all target databases") - -4. In the **Risk Details** section, expand **System Privileges Granted to PUBLIC**. - - The **Remarks** section explains the risk and how you can mitigate it. - - The **Target Databases** section lists the target databases to which the high risk applies. Notice that your target database is listed. - - ![Security Assessment System Privileges Granted to Public](images/sa-system-privileges-granted-to-public.png "Security Assessment System Privileges Granted to Public") - -5. Click your target database name to view the details about the finding for your target database. - - - The finding includes your target database name, risk level, a summary about the risk, details on your target database, remarks that explain the risk and help you to mitigate it, and references. - - The **Summary** section tells you how many grants to `PUBLIC` exist. - - In the **Details** section, you can see that **`PUBLIC`** has **`ALTER ANY ROLE`** grant, which is what you did in task 5. - - The **Remarks** section says **Privileges granted to PUBLIC are available to all users. This generally should include few, if any, system privileges since these will not be needed by ordinary users who are not administrators.** - - The **References** section tells you the Security Technical Information Guide (STIG) rule number, which is **RULE SV-75925R1**. - - ![Security Assessment System Privileges Granted to PUBLIC Details](images/sa-system-privileges-granted-to-public-details.png "Security Assessment System Privileges Granted to PUBLIC Details") - -6. To view the latest assessment for your target database, scroll down to the bottom of the page and click the **click here** link. You are returned to the latest security assessment. - - ![Click Here link to view latest security assessment](images/sa-click-here-link.png "Click Here link to view latest security assessment") - - - - -## Task 9: Add a schedule to save a security assessment for your target database every Sunday at 11:30 PM - -1. In the breadcrumb at the top of the page, click **Security Assessment**. - -2. Under **Related Resources** on the left, click **Schedules**. - - The **Schedules** page is displayed. - -3. In the table, notice that a schedule already exists. Its type is LATEST. This is the default schedule that automatically runs a security assessment job on your target database once per week. You can update it and rename it, but you can't delete it. - - ![Default schedule for Security Assessment](images/sa-default-schedule.png "Default schedule for Security Assessment") - -4. Click **Add Schedule**. - - The **Add Schedule To Save An Assessment** panel is displayed. - -5. If the compartment shown at the top of the page is not yours, click **Change Compartment** and select your compartment. - -6. From the **Target Database** drop-down list, select your target database. - -7. In the **Schedule Name** box, enter **Sunday Security Assessment**. - -8. From the **Compartment To Save The Assessments** drop-down list, select your compartment. - -9. From the **Schedule Type** drop-down list, select **Weekly**. - -10. From the **Every** drop-down list, select **Sunday**. - -11. Click the **Time** box, scroll down, and select **11:30 PM**. You can manually enter the time too. - -12. Click **Add Schedule**. - - ![Add Schedule to Save Assessments page](images/sa-add-schedule-to-save-an-assessment.png "Add Schedule to Save Assessments page") - - The **Schedule Details** page is displayed. - -13. Notice that when the schedule is created, its status changes to **SUCCEEDED**. The schedule type is **SAVED**. - - ![Schedule Details page](images/sa-schedule-details-page.png "Schedule Details page") - - -## Task 10: View the history of all security assessments for all of your target databases - -1. In the breadcrumb at the top of the page, click **Security Assessment**. - -2. Under **Related Resources**, click **Assessment History**. - -3. Under **List Scope** on the left, select your compartment. Optionally, deselect **Include child compartments**. - -4. View the list of security assessments. - - - The table shows the target database name, the assessment name, whether the assessment is a baseline assessment, the date and time the assessment was created, the state of the assessment (for example, Succeeded), and the number of high, medium, low, advisory, and evaluate risk findings. - - You can click on an assessment name to view it. - - You can click **Save Latest Assessment As** and create a copy of the latest assessment for a selected target database. + - Notice that the change you made is noted in the **Comparison report** column. - ![Assessment History page](images/sa-assessment-history-page.png "Assessment History page") + ![Security Assessment Comparison report top](images/sa-comparison-report-top2.png "Security Assessment Comparison report top") + ![Security Assessment Comparison report bottom](images/sa-comparison-report-bottom2.png "Security Assessment Comparison report bottom") -You may now **proceed to the next lab**. ## Learn More @@ -340,4 +225,4 @@ You may now **proceed to the next lab**. ## Acknowledgements * **Author** - Jody Glover, Consulting User Assistance Developer, Database Development -* **Last Updated By/Date** - Jody Glover, June 8, 2023 +* **Last Updated By/Date** - Jody Glover, February 12, 2024 diff --git a/data-safe/assess-database-configurations/images/adjust-risk-icon.png b/data-safe/assess-database-configurations/images/adjust-risk-icon.png new file mode 100644 index 000000000..02914d2f7 Binary files /dev/null and b/data-safe/assess-database-configurations/images/adjust-risk-icon.png differ diff --git a/data-safe/assess-database-configurations/images/deferred-risk-finding.png b/data-safe/assess-database-configurations/images/deferred-risk-finding.png new file mode 100644 index 000000000..28a3679ad Binary files /dev/null and b/data-safe/assess-database-configurations/images/deferred-risk-finding.png differ diff --git a/data-safe/assess-database-configurations/images/latest-sa-assessment-details-section.png b/data-safe/assess-database-configurations/images/latest-sa-assessment-details-section.png index 7bd648be9..9d6ee6606 100644 Binary files a/data-safe/assess-database-configurations/images/latest-sa-assessment-details-section.png and b/data-safe/assess-database-configurations/images/latest-sa-assessment-details-section.png differ diff --git a/data-safe/assess-database-configurations/images/latest-sa-assessment-information-tab.png b/data-safe/assess-database-configurations/images/latest-sa-assessment-information-tab.png index 56ea85ae7..0e9fabdbe 100644 Binary files a/data-safe/assess-database-configurations/images/latest-sa-assessment-information-tab.png and b/data-safe/assess-database-configurations/images/latest-sa-assessment-information-tab.png differ diff --git a/data-safe/assess-database-configurations/images/latest-sa-assessment-summary-tab.png b/data-safe/assess-database-configurations/images/latest-sa-assessment-summary-tab.png index 434bfdb61..3193b11d3 100644 Binary files a/data-safe/assess-database-configurations/images/latest-sa-assessment-summary-tab.png and b/data-safe/assess-database-configurations/images/latest-sa-assessment-summary-tab.png differ diff --git a/data-safe/assess-database-configurations/images/rename-latest-sa-assessment.png b/data-safe/assess-database-configurations/images/rename-latest-sa-assessment.png index ce752ba7c..683d99472 100644 Binary files a/data-safe/assess-database-configurations/images/rename-latest-sa-assessment.png and b/data-safe/assess-database-configurations/images/rename-latest-sa-assessment.png differ diff --git a/data-safe/assess-database-configurations/images/sa-assessed-on-right-now.png b/data-safe/assess-database-configurations/images/sa-assessed-on-right-now.png index 2a7c088bf..155126066 100644 Binary files a/data-safe/assess-database-configurations/images/sa-assessed-on-right-now.png and b/data-safe/assess-database-configurations/images/sa-assessed-on-right-now.png differ diff --git a/data-safe/assess-database-configurations/images/sa-comparison-report-bottom2.png b/data-safe/assess-database-configurations/images/sa-comparison-report-bottom2.png index b914b8107..7ff5113c5 100644 Binary files a/data-safe/assess-database-configurations/images/sa-comparison-report-bottom2.png and b/data-safe/assess-database-configurations/images/sa-comparison-report-bottom2.png differ diff --git a/data-safe/assess-database-configurations/images/sa-comparison-report-top2.png b/data-safe/assess-database-configurations/images/sa-comparison-report-top2.png index d86377e5c..9cfc287b3 100644 Binary files a/data-safe/assess-database-configurations/images/sa-comparison-report-top2.png and b/data-safe/assess-database-configurations/images/sa-comparison-report-top2.png differ diff --git a/data-safe/assess-database-configurations/images/sa-filters.png b/data-safe/assess-database-configurations/images/sa-filters.png new file mode 100644 index 000000000..83b502e10 Binary files /dev/null and b/data-safe/assess-database-configurations/images/sa-filters.png differ diff --git a/data-safe/assess-database-configurations/images/sa-refresh-now-panel.png b/data-safe/assess-database-configurations/images/sa-refresh-now-panel.png index 49fdc219d..075c5d035 100644 Binary files a/data-safe/assess-database-configurations/images/sa-refresh-now-panel.png and b/data-safe/assess-database-configurations/images/sa-refresh-now-panel.png differ diff --git a/data-safe/assess-database-configurations/images/sa-risk-summary-tab.png b/data-safe/assess-database-configurations/images/sa-risk-summary-tab.png index 892fe5275..a40f9f7e6 100644 Binary files a/data-safe/assess-database-configurations/images/sa-risk-summary-tab.png and b/data-safe/assess-database-configurations/images/sa-risk-summary-tab.png differ diff --git a/data-safe/assess-database-configurations/images/sa-target-summary-tab.png b/data-safe/assess-database-configurations/images/sa-target-summary-tab.png index cd32a0938..ace15254f 100644 Binary files a/data-safe/assess-database-configurations/images/sa-target-summary-tab.png and b/data-safe/assess-database-configurations/images/sa-target-summary-tab.png differ diff --git a/data-safe/assess-database-configurations/images/sa_overview_charts.png b/data-safe/assess-database-configurations/images/sa_overview_charts.png new file mode 100644 index 000000000..e131962c1 Binary files /dev/null and b/data-safe/assess-database-configurations/images/sa_overview_charts.png differ diff --git a/data-safe/assess-database-configurations/images/sa_risklevel_risksbycategory.png b/data-safe/assess-database-configurations/images/sa_risklevel_risksbycategory.png index ef61137da..06310b7a3 100644 Binary files a/data-safe/assess-database-configurations/images/sa_risklevel_risksbycategory.png and b/data-safe/assess-database-configurations/images/sa_risklevel_risksbycategory.png differ diff --git a/data-safe/assess-database-configurations/images/system-privileges-granted-to-public.png b/data-safe/assess-database-configurations/images/system-privileges-granted-to-public.png index 831f5b26d..539a14330 100644 Binary files a/data-safe/assess-database-configurations/images/system-privileges-granted-to-public.png and b/data-safe/assess-database-configurations/images/system-privileges-granted-to-public.png differ diff --git a/data-safe/assess-database-configurations/images/top-5-common-controls.png b/data-safe/assess-database-configurations/images/top-5-common-controls.png new file mode 100644 index 000000000..57228376a Binary files /dev/null and b/data-safe/assess-database-configurations/images/top-5-common-controls.png differ diff --git a/data-safe/assess-database-configurations/images/top-5-security-controls.png b/data-safe/assess-database-configurations/images/top-5-security-controls.png new file mode 100644 index 000000000..9cf7b282b Binary files /dev/null and b/data-safe/assess-database-configurations/images/top-5-security-controls.png differ diff --git a/data-safe/assess-database-configurations/images/transparent-data-encryption-finding.png b/data-safe/assess-database-configurations/images/transparent-data-encryption-finding.png index 6df72b026..3abe6e5d8 100644 Binary files a/data-safe/assess-database-configurations/images/transparent-data-encryption-finding.png and b/data-safe/assess-database-configurations/images/transparent-data-encryption-finding.png differ diff --git a/data-safe/assess-database-configurations/images/update-risk-for-finding.png b/data-safe/assess-database-configurations/images/update-risk-for-finding.png new file mode 100644 index 000000000..acd3b2f1e Binary files /dev/null and b/data-safe/assess-database-configurations/images/update-risk-for-finding.png differ diff --git a/data-safe/assess-database-users/assess-database-users.md b/data-safe/assess-database-users/assess-database-users.md index 926ca2e60..36bff7aa0 100644 --- a/data-safe/assess-database-users/assess-database-users.md +++ b/data-safe/assess-database-users/assess-database-users.md @@ -1,4 +1,4 @@ -# Assess Database Users +# Assess database users ## Introduction @@ -6,7 +6,7 @@ User Assessment helps you assess the security of your database users and identif In this lab, you explore User Assessment. -Estimated Lab Time: 20 minutes +Estimated Time: 20 minutes ### Objectives @@ -14,13 +14,11 @@ In this lab, you will: - View the overview page for User Assessment - Analyze users in the latest user assessment -- Review the `ADMIN` user's audit records -- Create a user on the target database -- Refresh the latest user assessment and rename it +- (Optional) Review the `ADMIN` user's audit records +- Change users and entitlements on the target database +- Refresh the latest user assessment - View the user assessment history for your target database - Compare the latest user assessment with the initial user assessment -- Download the latest user assessment as a PDF report -- View the user assessment history for all target databases ### Prerequisites @@ -30,86 +28,81 @@ This lab assumes you have: - Obtained an Oracle Cloud account and signed in to the Oracle Cloud Infrastructure Console - Prepared your environment for this workshop (see [Prepare Your Environment](?lab=prepare-environment)) - Registered your target database with Oracle Data Safe (see [Register an Autonomous Database with Oracle Data Safe](?lab=register-autonomous-database)) -- Started audit data collection for your target database in Oracle Data Safe (see [Audit Database Activity](?lab=audit-database-activity)). Audit data collection is required if you want to view users' audit records from within User Assessment. +- (Optional) Started audit data collection for your target database in Oracle Data Safe (see [Audit Database Activity](?lab=audit-database-activity)). Audit data collection is required if you want to view users' audit records from within User Assessment. ### Assumptions - Your data values might be different than those shown in the screenshots. - -[Assess Database Users](videohub:1_fvykqng1) +- Please ignore the dates for the data and database names. Screenshots are taken at various times and may differ between labs and within labs. ## Task 1: View the overview page for User Assessment -1. Navigate to **User Assessment**. To do this, in the breadcrumb at the top of the page, click **Security Center**. On the left, click **User Assessment**. +1. In the breadcrumb at the top of the page, click **Security center**. On the left, click **User assessment**. -2. Under **List Scope**, make sure your compartment is selected. Deselect **Include child compartments**. +2. Under **List scope**, make sure your compartment is selected. Deselect **Include child compartments**. 3. At the top of the overview page, review the four charts. - - The **Potential User Risk** chart shows you the number of users who are potentially **Critical**, **High**, **Medium**, and **Low** risk. - - The **User Roles** chart shows you the number of users with the **DBA**, **DV Admin**, and **Audit Admin** roles. - - The **Last Password Change** chart shows you the number of users who changed their passwords within the last 30 days, within the last 30-90 days, and 90 days ago or more. - - The **Last Login** chart shows you the number of users that signed in to the target database within the last 24 hours, within the last week, within the current month, within the current year, and a year ago or more. + - The **Potential user risk** chart shows you the number and percentage of users who are potentially **Critical**, **High**, **Medium**, and **Low** risk. + - The **User roles** chart shows you the number of users with the **DBA**, **DV admin**, and **Audit admin** roles. + - The **Last password change** chart shows you the number of users who changed their passwords within the last 30 days, within the last 30-90 days, and 90 days ago or more. + - The **Last login** chart shows you the number of users that signed in to the target database within the last 24 hours, within the last week, within the current month, within the current year, and a year ago or more. + + ![User Assessment overview page first three charts](images/ua-dashboard-charts1.png "User Assessment overview page first three charts") - ![User Assessment overview page charts](images/ua-dashboard-charts.png "User Assessment overview page charts") + ![User Assessment overview page last chart](images/ua-dashboard-charts2.png "User Assessment overview page last chart") -4. Review the **Risk Summary** tab. +4. Review the **Risk summary** tab. - - The **Risk Summary** tab focuses on potential risks across all selected target databases. It shows you potential risk levels, the number of target databases, the total number of users at each risk level, the total number of privileged users at each risk level, and counts for DBAs, DV Admins, and Audit Admins. + - The **Risk summary** tab focuses on potential risks across all selected target databases. It shows you potential risk levels, the number of target databases, the total number of users at each risk level, the total number of privileged users at each risk level, and counts for DBAs, DV admins, and Audit admins. - Potential risk levels are categorized as **Critical**, **High**, **Medium**, and **Low**. - ![User Assessment Risk Summary tab](images/ua-risk-summary-tab.png "User Assessment Risk Summary tab") + ![User Assessment Risk summary tab](images/ua-risk-summary-tab.png "User Assessment Risk summary tab") -5. Click the **Target Summary** tab. This tab provides the following information: +5. Click the **Target summary** tab. This tab provides the following information: - - Number of critical and high risk users, DBAs, DV Admins, and Audit Admins + - Number of critical and high risk users, DBAs, DV admins, and Audit admins - Date and time of the latest user assessment - Whether the latest user assessment deviates from the baseline (if one is set) - ![User Assessment Target Summary tab](images/ua-target-summary-tab.png "User Assessment Target Summary tab") + ![User Assessment Target summary tab](images/ua-target-summary-tab.png "User Assessment Target summary tab") ## Task 2: Analyze users in the latest user assessment -The latest user assessment is automatically generated by Oracle Data Safe when you register your target database. +The latest user assessment is the one that was automatically generated by Oracle Data Safe when you registered your target database. -1. On the **Target Summary** tab, click **View Report** to view the latest user assessment for your target database. +1. On the **Target summary** tab, click **View report** to view the latest user assessment for your target database. -2. At the top of the report on the **Overview** tab, review the **Potential User Risk**, **User Roles**, **Last Password Change**, and **Last Login** charts. +2. At the top of the report on the **Overview** tab, review the **Potential user risk**, **User roles**, **Top 5 users by schema access**, **Last password change**, and **Last login** charts. - ![User Assessment Latest charts](images/ua-latest-charts.png "User Assessment Latest charts") + ![User Assessment Latest charts](images/ua-latest-charts1.png "User Assessment Latest charts") -3. Click the **Assessment Information** tab. You can view the following information: + ![User Assessment Latest charts](images/ua-latest-charts2.png "User Assessment Latest charts") - - The name of the latest user assessment - - The OCID of the latest user assessment - - The compartment to which the latest user assessment belongs - - The target database name - - The assessment date and time - - The schedule for the latest assessment - - Whether the latest assessment is set as a baseline assessment - - Whether the latest assessment complies with the baseline assessment (if one is set) +3. Click the **Assessment Information** tab and review the details. - ![Assessment Information tab for the latest user assessment](images/ua-assessment-information-tab-latest-assessment.png "Assessment Information tab for the latest user assessment") + ![Assessment Information tab](images/ua-assessment-information-tab.png "Assessment Information tab") -4. Scroll down and review the **User Details** section. By default, this table provides the following information about each user: +4. Scroll down and review the **User details** section. This table provides the following information about each user: - User name - User type (for example, PRIVILEGED, SCHEMA) - - Whether the user is a DBA, DV Admin, or Audit Admin + - Whether the user is a DBA, DV admin, or Audit admin - Potential risk level (for example, LOW, HIGH, or CRITICAL) - User's status (for example, OPEN, LOCKED, or EXPIRED\_AND\_LOCKED) - Date and time the user last logged in to the target database + - Schemas and tables to which the user has access and the privileges granted on them - User profile - Audit records for the user - ![User Assessment latest assessment details](images/ua-latest-user-details.png "User Assessment latest assessment details") + ![User Assessment latest assessment details](images/ua-latest-assessment-details.png "User Assessment latest assessment details") -5. In the **User Name** column, click a user that is a **CRITICAL** potential risk, for example, **EVIL_RICH**. +5. In the **User name** column, click a user that is a **CRITICAL** potential risk, for example, **EVIL_RICH**. - The **User Details** panel shows the following information about the user: + The **User details** panel shows the following information about the user: - Target database name - User name @@ -119,50 +112,55 @@ The latest user assessment is automatically generated by Oracle Data Safe when y - Potential risk (for example, CRITICAL) - Hover over the **i** to view what constitutes a critical risk user. - Last login date and time - Date and time when the user was created - - Date and time when the password was changed + - Date and time when the password was last changed - Privileged roles (the Admin roles granted to the user) - - Roles: Expand **All Roles** to view all the roles granted to the user. - - Privileges: Expand **All Privileges** to view all the privileges granted to the user. + - Roles: Expand **All roles** to view all the roles granted to the user. + - Privileges: Expand **All privileges** to view all the privileges granted to the user. - ![EVIL RICH user details](images/ua-evil-rich-user-details.png "EVIL RICH user details") + ![EVIL_RICH user details](images/ua-EVIL_RICH-user-details.png "EVIL_RICH user details") 6. Click **Close**. -7. To filter the report to show potentially critical risk users only, do the following: Click the **Overview** tab. In the **Potential User Risk** chart, click the **CRITICAL** section of the chart. A filter is automatically created. +7. To filter the report to show potentially critical risk users only, do the following: Click the **Overview** tab. In the **Potential user risk** chart, click the **Critical** section of the chart. A filter is automatically created. ![Critical risk users filter](images/ua-critical-risk-users-filter.png "Critical risk users filter") 8. To remove the filter, click the **X** next to the filter. -## Task 3: Review the `ADMIN` user's audit records +## Task 3 (Optional): Review the `ADMIN` user's audit records -1. Identify the row in the table for the `ADMIN` user. In the **Audit Records** column for the `ADMIN` user, click **View Activity**. +1. Identify the row in the table for the `ADMIN` user. In the **Audit records** column for the `ADMIN` user, click **View activity**. ![ADMIN user audit records](images/ua-admin-user-audit-records.png "ADMIN user audit records") - The **All Activity** report for the `ADMIN` user is displayed. + The **All activity** report for the `ADMIN` user is displayed. 2. Examine the report. - The report is automatically filtered to show you audit records for the past one week, for the `ADMIN` user, and for your target database. - - At the top of the report, you can view totals for **Targets**, **DB Users**, **Client Hosts**, **DMLs**, **Privilege Changes**, **DDLs**, **User/Entitlement Changes**, **Login Failures**, **Login Successes**, and **Total Events**. + - At the top of the report, you can view totals for **Targets**, **DB users**, **Client hosts**, **DMLs**, **Privilege changes**, **DDLs**, **User/entitlement changes**, **Login failures**, **Login successes**, and **Total events**. - The **Event** column in the table shows you the types of activities performed by the `ADMIN` user, for example, `GRANT`, `LOGON`, `CREATE USER`, and so on. - At the bottom of the page, you can click the page numbers to view more audit records. - ![All Activity report for the ADMIN user](images/ua-all-activity-report-admin-user.png "All Activity report for the ADMIN user") + ![All activity report for the ADMIN user top](images/ua-all-activity-top.png "All activity report for the ADMIN user bottom") + + ![All activity report for the ADMIN user bottom](images/ua-all-activity-bottom.png "All activity report for the ADMIN user bottom") +3. Click the browser's back button to return to the latest user assessment. -## Task 4: Create a user on the target database + +## Task 4: Change users and entitlements on the target database 1. Access the SQL worksheet in **Database Actions**. -2. If needed, clear the worksheet and the **Script Output** tab. +2. Clear the worksheet and the **Script Output** tab. -3. On the SQL worksheet, enter the following commands: +3. On the SQL worksheet, enter the following commands. Substitute your own password for database-password. ``` - CREATE USER joe_smith identified by Oracle123_Oracle123; + DROP USER evil_rich; + CREATE USER joe_smith identified by database-password; GRANT PDB_DBA to joe_smith; ``` @@ -170,121 +168,50 @@ The latest user assessment is automatically generated by Oracle Data Safe when y ![Run Script button](images/run-script.png "Run Script button") -5. On the **Script Output** tab at the bottom of the page, verify that the `JOE_SMITH` user is created and the grant is successful. - - -## Task 5: Refresh the latest user assessment and rename it +5. On the **Script Output** tab at the bottom of the page, verify that the `EVIL_RICH` user is dropped, the `JOE_SMITH` user is created, and the grant is successful. -1. Return to the browser tab for Oracle Data Safe. -2. Under **Security Center** on the left, click **User Assessment**. +## Task 5: Refresh the latest user assessment -3. Click the **Target Summary** tab. +1. Return to the browser tab for Oracle Data Safe. You last left off viewing the latest user assessment. -4. Click **View Report** for your target database to open the latest user assessment. +2. Click the **Refresh now** button. -5. To refresh the latest user assessment, click the **Refresh Now** button. + The **Refresh now** panel is displayed. - ![User Assessment Refresh Now button](images/ua-refresh-now-button.png "User Assessment Refresh Now button") - -6. In the **Refresh Now** panel, keep the default name as is, and click **Refresh Now**. Wait for the status of the latest user assessment to read as **SUCCEEDED**. Oracle Data Safe automatically saves a static copy of the assessment to the Assessment History. +3. Keep the default name as is, and click **Refresh now**. Wait for the status of the latest user assessment to read as **SUCCEEDED**. Oracle Data Safe automatically saves a static copy of the assessment to the Assessment History. ![User Assessment Refresh Now panel](images/ua-refresh-now-panel.png "User Assessment Refresh Now panel") -7. Review the refreshed latest assessment. Notice that the user you just created, `JOE_SMITH`, is listed. - -8. Click the **Assessment Information** tab, and then click the **Pencil** icon next to the assessment name. Change the name to **Latest User Assessment**, and then click the **Save** icon. Wait for the status to change from **UPDATING** to **SUCCEEDED**. The name is updated on the page. - - ![Renamed latest user assessment](images/ua-renamed-latest-assessment.png "Renamed latest user assessment") - - -## Task 6: View the user assessment history for your target database - -1. At the top of the **Latest User Assessment** page, click **View History**. - -2. Make sure that your compartment is selected. Deselect **Include child compartments**. - -3. Review the list of assessments. - - ![Assessment history for the latest user assessment](images/user-assessment-history-page.png "Assessment history for the latest user assessment") - -4. Click **Close** to return to the latest user assessment. - - If you navigated away from the latest user assessment, you can return to it by doing the following: Click **User Assessment** in the breadcrumb. Click the **Target Summary** tab. Click **View Report** for your target database. - - -## Task 7: Compare the latest user assessment with the initial user assessment - -You can select a user assessment to compare with the latest user assessment. With this option, you don't need to set a baseline. This option is only available when you are viewing the latest user assessment. - -1. While viewing the latest user assessment, on the left under **Resources**, click **Compare Assessments**. - -2. Scroll down to the **Comparison With Other Assessments** section. - -3. If your compartment isn't shown, click **Change Compartment** and select your compartment. - -4. From the **Select Assessment** drop-down list, select the initial assessment for your target database (second one in the list). As soon as you select it, the comparison operation is started. - -5. Review the **Comparison** report. - - - The report tells you that there is a new user added. - - The **New User** finding is a potential **CRITICAL** risk. - - ![User Assessment Comparison report](images/ua-comparison-report.png "User Assessment Comparison report") - -6. In the **Comparison Results** column for the potential critical risk finding, click the **Open Details** links to view more information. - - The **Comparison Details** panel is displayed. - - ![Comparison Details panel](images/ua-comparison-details-panel.png "Comparison Details panel") - -7. Review the information, and then click **Close**. - - -## Task 8: Download the latest user assessment as a PDF report - -1. At the top of the latest user assessment page, from the **More actions** menu, click **Generate Report**. - - The **Generate Report** dialog box is displayed. - -2. Leave **PDF** selected as the report format, and click **Generate Report**. - -3. Wait for a message that says the **PDF report generation is complete**, and then click the **here** link. - - ![Generate Report dialog box in User Assessment](images/ua-generate-report-dialog.png "Generate Report dialog box in User Assessment") - -4. Open the PDF and review it. - - ![Latest user assessment in PDF format page 1](images/ua-pdf-report-page1.png "Latest user assessment in PDF format page 1") - - ![Latest user assessment in PDF format page 2](images/ua-pdf-report-page2.png "Latest user assessment in PDF format page 2") +4. Review the refreshed latest assessment. -5. Close the PDF and return to the browser tab for Oracle Data Safe. +## Task 6: Compare the latest user assessment with the initial user assessment -## Task 9: View the user assessment history for all target databases +You can select a user assessment to compare with the latest user assessment. With this option, you don't need to set a baseline. This option is only available when you are viewing the latest user assessment. Note that you could have set a baseline and compared the latest assessment to it. -On the User Assessment History page, you can view a listing of all of your saved user assessments for all your target databases. +1. While viewing the latest user assessment, on the left under **Resources**, click **Compare assessments**. -1. In the breadcrumb at the top of the page, click **User Assessment**. +2. Scroll down to the **Comparison with other assessments** section. -2. Under **Related Resources**, click **Assessment History**. +3. If your compartment isn't shown, click **Change compartment** and select your compartment. -3. Under **List Scope**, make sure your compartment is selected. +4. From the **Select assessment** drop-down list, select the initial assessment for your target database (second one in the list). As soon as you select it, the comparison operation is started. -4. Notice that your saved user assessments are listed here. +5. Review the results. - - You can compare the number of critical risks, high risks, DBAs, DV Admins, and Audit Admins across all target databases in the selected compartment(s). - - You can also quickly identify user assessments that are set as baselines. + - There is a new user added and a user deleted. + - The New user finding is identified as a potential **CRITICIAL** risk. - ![Assessment History for all target databases](images/ua-assessment-history-all-targets.png "Assessment History for all target databases") + ![User Assessment Comparison report](images/ua-comparison-report2.png "User Assessment Comparison report") +6. In the **Comparison results** column, click one of the **Open details** links to view more information. -5. To sort the list by target database, click the **Target Database** column heading. + The **Comparison details** panel is displayed. -6. Click the name of a user assessment for your target database. Notice that you cannot refresh the data in a saved user assessment. + ![Comparison Details panel](images/ua-comparison-details-panel.png "Comparison details panel") -You may now **proceed to the next lab**. +7. Review the information, and then click **Close**. At this point, you might consider setting a baseline assessment. ## Learn More @@ -294,4 +221,4 @@ You may now **proceed to the next lab**. ## Acknowledgements * **Author** - Jody Glover, Consulting User Assistance Developer, Database Development -* **Last Updated By/Date** - Jody Glover, June 8, 2023 +* **Last Updated By/Date** - Jody Glover, February 12, 2024 diff --git a/data-safe/assess-database-users/images/ua-EVIL_RICH-user-details.png b/data-safe/assess-database-users/images/ua-EVIL_RICH-user-details.png new file mode 100644 index 000000000..5c8828208 Binary files /dev/null and b/data-safe/assess-database-users/images/ua-EVIL_RICH-user-details.png differ diff --git a/data-safe/assess-database-users/images/ua-admin-user-audit-records.png b/data-safe/assess-database-users/images/ua-admin-user-audit-records.png index 2bff27ae3..7376d46e7 100644 Binary files a/data-safe/assess-database-users/images/ua-admin-user-audit-records.png and b/data-safe/assess-database-users/images/ua-admin-user-audit-records.png differ diff --git a/data-safe/assess-database-users/images/ua-all-activity-bottom.png b/data-safe/assess-database-users/images/ua-all-activity-bottom.png new file mode 100644 index 000000000..66d5b2ba2 Binary files /dev/null and b/data-safe/assess-database-users/images/ua-all-activity-bottom.png differ diff --git a/data-safe/assess-database-users/images/ua-all-activity-top.png b/data-safe/assess-database-users/images/ua-all-activity-top.png new file mode 100644 index 000000000..f153398ef Binary files /dev/null and b/data-safe/assess-database-users/images/ua-all-activity-top.png differ diff --git a/data-safe/assess-database-users/images/ua-assessment-information-tab.png b/data-safe/assess-database-users/images/ua-assessment-information-tab.png new file mode 100644 index 000000000..ca589a9a0 Binary files /dev/null and b/data-safe/assess-database-users/images/ua-assessment-information-tab.png differ diff --git a/data-safe/assess-database-users/images/ua-comparison-details-panel.png b/data-safe/assess-database-users/images/ua-comparison-details-panel.png index 5ef061e93..6cad6f9c0 100644 Binary files a/data-safe/assess-database-users/images/ua-comparison-details-panel.png and b/data-safe/assess-database-users/images/ua-comparison-details-panel.png differ diff --git a/data-safe/assess-database-users/images/ua-comparison-report2.png b/data-safe/assess-database-users/images/ua-comparison-report2.png index a02dbce5f..c146eb685 100644 Binary files a/data-safe/assess-database-users/images/ua-comparison-report2.png and b/data-safe/assess-database-users/images/ua-comparison-report2.png differ diff --git a/data-safe/assess-database-users/images/ua-critical-risk-users-filter.png b/data-safe/assess-database-users/images/ua-critical-risk-users-filter.png index b30879d4e..4d8585f55 100644 Binary files a/data-safe/assess-database-users/images/ua-critical-risk-users-filter.png and b/data-safe/assess-database-users/images/ua-critical-risk-users-filter.png differ diff --git a/data-safe/assess-database-users/images/ua-dashboard-charts1.png b/data-safe/assess-database-users/images/ua-dashboard-charts1.png new file mode 100644 index 000000000..6512f97a0 Binary files /dev/null and b/data-safe/assess-database-users/images/ua-dashboard-charts1.png differ diff --git a/data-safe/assess-database-users/images/ua-dashboard-charts2.png b/data-safe/assess-database-users/images/ua-dashboard-charts2.png new file mode 100644 index 000000000..0a7dc6a39 Binary files /dev/null and b/data-safe/assess-database-users/images/ua-dashboard-charts2.png differ diff --git a/data-safe/assess-database-users/images/ua-latest-assessment-details.png b/data-safe/assess-database-users/images/ua-latest-assessment-details.png index b9c405b92..23dfc411e 100644 Binary files a/data-safe/assess-database-users/images/ua-latest-assessment-details.png and b/data-safe/assess-database-users/images/ua-latest-assessment-details.png differ diff --git a/data-safe/assess-database-users/images/ua-latest-charts1.png b/data-safe/assess-database-users/images/ua-latest-charts1.png new file mode 100644 index 000000000..fe40a99a2 Binary files /dev/null and b/data-safe/assess-database-users/images/ua-latest-charts1.png differ diff --git a/data-safe/assess-database-users/images/ua-latest-charts2.png b/data-safe/assess-database-users/images/ua-latest-charts2.png new file mode 100644 index 000000000..de7efa6c9 Binary files /dev/null and b/data-safe/assess-database-users/images/ua-latest-charts2.png differ diff --git a/data-safe/assess-database-users/images/ua-refresh-now-panel.png b/data-safe/assess-database-users/images/ua-refresh-now-panel.png index 14c67bb52..4cce93bf6 100644 Binary files a/data-safe/assess-database-users/images/ua-refresh-now-panel.png and b/data-safe/assess-database-users/images/ua-refresh-now-panel.png differ diff --git a/data-safe/assess-database-users/images/ua-risk-summary-tab.png b/data-safe/assess-database-users/images/ua-risk-summary-tab.png index 524b63c76..6a29b2509 100644 Binary files a/data-safe/assess-database-users/images/ua-risk-summary-tab.png and b/data-safe/assess-database-users/images/ua-risk-summary-tab.png differ diff --git a/data-safe/assess-database-users/images/ua-target-summary-tab.png b/data-safe/assess-database-users/images/ua-target-summary-tab.png index 18a8744ab..e068e6529 100644 Binary files a/data-safe/assess-database-users/images/ua-target-summary-tab.png and b/data-safe/assess-database-users/images/ua-target-summary-tab.png differ diff --git a/data-safe/audit-database-activity/audit-database-activity.md b/data-safe/audit-database-activity/audit-database-activity.md index 1a13738d1..de73a0983 100644 --- a/data-safe/audit-database-activity/audit-database-activity.md +++ b/data-safe/audit-database-activity/audit-database-activity.md @@ -1,10 +1,10 @@ -# Audit Database Activity +# Audit database activity ## Introduction In Oracle Data Safe, you can provision audit policies on your target databases and collect audit data into the Oracle Data Safe repository. There are basic, administrator, user, Oracle pre-defined, and custom audit policies, as well as audit policies designed to help your organization meet compliance standards. When you register a target database, Oracle Data Safe automatically creates an audit profile, audit policy, and audit trails relevant for the target database. -Start by reviewing the global settings in Oracle Data Safe. Then, review the audit profile, audit trail(s), and audit policy that are automatically created for your target database. Start audit data collection on your target database and provision a few audit policies. Analyze the audit events, view reports, create a custom audit report, and download the custom audit report as a PDF. +Start by reviewing the global settings in Oracle Data Safe. Then, review the audit profile, audit trail(s), and audit policy that are automatically created for your target database. Start audit data collection on your target database and provision a few audit policies. Analyze the audit events and view reports. Create, download, and schedule a custom audit report. Estimated Lab Time: 20 minutes @@ -21,10 +21,10 @@ In this lab, you will: - Review the Activity Auditing dashboard - Provision audit policies on your target database - Analyze the audit events for your target database -- View the All Activity report +- View the All activity report - Create a custom audit report - Generate and download a custom audit report as a PDF -- View the Audit Report History +- View the audit report history - Schedule your custom audit report ### Prerequisites @@ -40,10 +40,11 @@ This lab assumes you have: ### Assumptions - Your data values may be different than those shown in the screenshots. +- Please ignore the dates for the data and database names. Screenshots are taken at various times and may differ between labs and within labs. ## Task 1: Review the global settings for Oracle Data Safe -1. Access the **Overview** page for Oracle Data Safe by clicking **Data Safe** in the breadcrumb at the top of the page. +1. In the breadcrumb at the top of the page, click **Data Safe**. 2. Under **Data Safe**, click **Settings**. @@ -53,197 +54,189 @@ This lab assumes you have: - Global settings are applied to all target databases unless their audit profiles override them. - By default, paid usage is enabled for all target databases, the online retention period is set to the maximum value of 12 months, and the archive retention period is set to the minimum value of 0 months. Note that you cannot enable paid usage for a free trial account. - ![Global Settings](images/global-settings.png "Global Settings") + ![Global settings](images/global-settings.png "Global settings") ## Task 2: Review the audit profile for your target database -1. In the breadcrumb, click **Data Safe**. +1. In the breadcrumb at the top of the page, click **Data Safe**. -2. Under **Security Center** on the left, click **Activity Auditing**. +2. Under **Security center** on the left, click **Activity auditing**. -3. Under **Related Resources**, click **Audit Profiles**. +3. Under **Related resources**, click **Audit profiles**. -4. From the **Compartment** drop-down list under **List Scope**, make sure your compartment is selected. +4. From the **Compartment** drop-down list under **List scope**, make sure your compartment is selected. 5. On the right, review the audit profile information about your target database, and then click your target database name to view more detail. - ![Audit Profiles page](images/audit-profiles-page.png "Audit Profiles page") + ![Audit profiles page](images/audit-profiles-page.png "Audit profiles page") 6. Review the details in the audit profile. - There are default settings for paid usage, online retention period, and offline retention period. - All initial audit profile settings for your target database are inherited from the global settings for Oracle Data Safe, but you can modify them here as needed. - ![Audit Profile Details page](images/audit-profile-details-page.png "Audit Profile Details page") + ![Audit profile information page](images/audit-profile-details-page.png "Audit profile information page") ## Task 3: Review the audit trail(s) for your target database -1. In the breadcrumb at the top of the page, click **Activity Auditing**. +1. In the breadcrumb at the top of the page, click **Activity auditing**. -2. On the left under **Related Resources**, click **Audit Trails**. +2. On the left under **Related resources**, click **Audit trails**. -3. Under **List Scope** on the left, make sure your compartment is selected. +3. Under **List scope** on the left, make sure your compartment is selected. 4. Under **Filters** on the left, select your target database. 5. On the right, review the audit trail(s) for your target database. Oracle Data Safe discovers one audit trail for an Autonomous Database called `UNIFIED_AUDIT_TRAIL`. - ![Audit Trails page](images/audit-trails-page.png "Audit Trails page") + ![Audit trails page](images/audit-trails-page.png "Audit trails page") -6. Click your target database name for one of the audit trails and review the information on the **Audit Trail Details** page. This is where you can manage audit data collection for the audit trail. Notice that the audit trail is currently inactive. +6. Click your target database name for one of the audit trails and review the information on the **Audit trail information** page. This is where you can manage audit data collection for the audit trail. Notice that the audit trail is currently inactive. - ![Audit Trail Details page](images/audit-trail-details-page.png "Audit Trail Details page") + ![Audit trail information page](images/audit-trail-details-page.png "Audit trail information page") ## Task 4: Review the audit policy for your target database -1. In the breadcrumb at the top of the page, click **Activity Auditing**. +1. In the breadcrumb at the top of the page, click **Activity auditing**. -2. Under **Related Resources**, click **Audit Policies**. +2. Under **Related resources**, click **Audit policies**. 3. From the **Compartment** drop-down list on the left, make sure your compartment is selected. -4. From the **Target Databases** drop-down list on the left, select your target database. +4. From the **Target databases** drop-down list on the left, select your target database. -5. On the right, review the information provided for your target database's audit policy. Notice that only the **Additional Policies** category has policies enabled, which is indicated by a green circle with a check mark. These are Oracle pre-defined policies that are enabled by default on an Autonomous Transaction Processing database. +5. On the right, review the information provided for your target database's audit policy. Notice that only the **Additional policies** category has policies enabled, which is indicated by a green circle with a check mark. These are Oracle pre-defined policies that are enabled by default on an Autonomous Transaction Processing database. - ![Audit Policies page](images/audit-policies-page.png "Audit Policies page") + ![Audit policies page](images/audit-policies-page.png "Audit policies page") -6. Click your target database name to view more detail on the **Audit Policy Details** page. Scroll down and review the list of audit policies available for your target database. +6. Click your target database name to view more detail on the **Audit policy information** page. Scroll down and review the list of audit policies available for your target database. - A grey circle means the audit policy is not yet provisioned on the target database. A green circle means the audit policy is provisioned. - You can choose to provision and enable any number of audit policies on your target database and set filters on users and roles. - ![Audit Policies Details page](images/audit-policies-details-page.png "Audit Policies Details page") + ![Audit policies information page](images/audit-policies-details-page.png "Audit policies information page") ## Task 5: View the quantity of audit records available on your target database for the discovered audit trail(s) -1. In the breadcrumb at the top of the page, click **Activity Auditing**. +1. In the breadcrumb at the top of the page, click **Activity auditing**. -2. On the left under **Related Resources**, click **Audit Profiles**. +2. On the left under **Related resources**, click **Audit profiles**. 3. From the **Compartment** drop-down list on the left, make sure your compartment is selected. -4. From the **Target Databases** drop-down list on the left, select your target database. +4. From the **Target databases** drop-down list on the left, select your target database. 5. On the right, click the name of your target database. -6. Scroll down to the **Compute Audit Volume** section, and click **Available on Target Database**. +6. Scroll down to the **Compute audit volume** section, and click **Available on target database**. - The **Compute Available Volume** dialog box is displayed. + The **Compute available volume** dialog box is displayed. 7. For the start date, click the calendar widget and select the current date at 00:00 UTC. You select the current date because your target database is brand new. -8. From the **Trail Locations** drop-down list, select `UNIFIED_AUDIT_TRAIL`. - -9. Click **Compute** and wait for Oracle Data Safe to calculate the available audit volume. - - ![Compute Available Volume dialog box](images/compute-available-volume-dialog-box.png "Compute Available Volume dialog box") - +8. Click **Compute** and wait for Oracle Data Safe to calculate the available audit volume. -10. In the **Available in Target Database** column, view the number of audit records for the `UNIFIED_AUDIT_TRAIL`. +9. In the **Available in target batabase** column, view the number of audit records for `UNIFIED_AUDIT_TRAIL`. - - In our case, the number of records in the `UNIFIED_AUDIT_TRAIL` is small because your target database has just been provisioned. For an older target database, however, there are probably a large number of audit records. + - In our case, the number of records in `UNIFIED_AUDIT_TRAIL` is small because your target database has just been provisioned. For an older target database, however, there are probably a large number of audit records. - Oracle Data Safe splits up the numbers by month. These values help you to decide on a start date for the Oracle Data Safe audit trail. - Don't worry if the number of audit records on your system is different than what is shown below. - ![Available in Target Database column](images/available-in-target-database.png "Available in Target Database column") + ![Available in target database column](images/available-in-target-database.png "Available in target database column") ## Task 6: Start audit data collection -1. In the breadcrumb at the top of the page, click **Activity Auditing**. +1. In the breadcrumb at the top of the page, click **Activity auditing**. -2. On the left under **Related Resources**, click **Audit Trails**. +2. On the left under **Related resources**, click **Audit trails**. 3. From the **Compartment** drop-down list on the left, make sure your compartment is selected. -4. From the **Target Databases** drop-down list on the left, select your target database. +4. From the **Target databases** drop-down list on the left, select your target database. -5. On the right, click the name of your target database for the `UNIFIED_AUDIT_TRAIL`. +5. On the right, click the name of your target database for `UNIFIED_AUDIT_TRAIL`. - The **Audit Trail Details** page is displayed. + The **Audit trail information** page is displayed. 6. Click **Start**. - A **Start Audit Trail: UNIFIED\_AUDIT\_TRAIL** dialog box is displayed. + A **Start audit trail: UNIFIED\_AUDIT\_TRAIL** dialog box is displayed. -7. Configure a start date based on the data in the **Compute Audit Volume** region of the audit profile that you viewed in task 5 (step 10). For example, if you have one month listed (Feb 2023), you can set the start date to the beginning of February. +7. Configure a start date based on the data in the **Compute audit volume** region of the audit profile that you viewed in task 5 (step 9). For example, if you have one month listed (Jan 2024), you can set the start date to the beginning of January. - ![Start Audit Trail dialog box](images/start-audit-trail-dialog-box.png "Start Audit Trail dialog box") + ![Start audit trail dialog box](images/start-audit-trail-dialog-box.png "Start audit trail dialog box") -8. Click **Start**. Wait for the **Collection State** to change from **STARTING** to **COLLECTING** and then to **IDLE**. It takes about one minute. +8. Click **Start**. Wait for **Collection state** to change from **STARTING** to **COLLECTING** and then to **IDLE**. It takes about one minute. - ![Collection State Idle](images/collection-state-idle.png "Collection State Idle") + ![Collection state IDLE](images/collection-state-idle.png "Collection state IDLE") ## Task 7: Review the Activity Auditing dashboard -1. In the breadcrumb at the top of the page, click **Activity Auditing**. +1. In the breadcrumb at the top of the page, click **Activity auditing**. - By default, the Activity Auditing dashboard shows you a summary of audit events for the last one week for all target databases in the form of charts and tables. On the left under **List Scope** and **Filters**, you can filter by compartment, time period, and target database. + By default, the Activity Auditing dashboard shows you a summary of audit events for the last one week for all target databases in the form of charts and tables. On the left under **List scope** and **Filters**, you can filter by compartment, time period, and target database. 2. From the **Compartments** drop-down list on the left, make sure your compartment is selected. -3. From the **Target Databases** drop-down list on the left, select your target database. The dashboard is automatically updated to include audit event statistics for only your target database. +3. From the **Target databases** drop-down list on the left, select your target database. The dashboard is automatically updated to include audit event statistics for only your target database. 4. Review the charts. - - The **Failed Login Activity** chart shows you the number of failed logins on your target database for the last one week. You may or may not have any failed logins, depending on how you have interacted in Database Actions so far. - - The **Admin Activity** chart shows you the number of database schema changes, logins, audit setting changes, and entitlement changes on your target database for the last one week. - - The **All Activity** chart shows you the total count of audit events on your target database for the specified time period. + - The **Failed login activity** chart shows you the number of failed logins on your target database for the last one week. You may or may not have any failed logins, depending on how you have interacted in Database Actions so far. + - The **Admin activity** chart shows you the number of database schema changes, logins, audit setting changes, and entitlement changes on your target database for the last one week. + - The **All activity** chart shows you the total count of audit events on your target database for the specified time period. ![Activity Auditing dashboard initial charts](images/activity-auditing-dashboard-charts-initial.png "Activity Auditing dashboard initial charts") -5. On the **Events Summary** tab, review the statistics for audit event categories. +5. On the **Events summary** tab, review the statistics for audit event categories. - Statistics include the number of target databases that have an audit event in each event category and the total number of events per category. Because you are viewing statistics for your target database only, the **Target Databases** column shows ones. + Statistics include the number of target databases that have an audit event in each event category and the total number of events per category. Because you are viewing statistics for your target database only, the **Target databases** column shows ones. - ![Activity Auditing dashboard Events Summary tab](images/activity-auditing-events-summary-tab.png "Activity Auditing dashboard Events Summary tab") + ![Activity Auditing dashboard Events summary tab](images/activity-auditing-events-summary-tab.png "Activity Auditing dashboard Events summary tab") -4. Click the **Target Summary** tab and review the various audit event counts per target database. +4. Click the **Target summary** tab and review the various audit event counts per target database. Audit events include the number of login failures, schema changes, entitlement changes, audit settings changes, all activity (all audit events), Database Vault violations, and Database Vault policy changes. - ![Activity Auditing dashboard Target Summary tab](images/activity-auditing-dashboard-target-summary-tab.png "Activity Auditing dashboard Target Summary tab") + ![Activity Auditing dashboard Target summary tab](images/activity-auditing-dashboard-target-summary-tab.png "Activity Auditing dashboard Target summary tab") ## Task 8: Provision audit policies - -1. Under **Related Resources**, click **Audit Policies**. +1. Under **Related resources**, click **Audit policies**. 2. From the **Compartment** drop-down list on the left, make sure your compartment is selected. -3. From the **Target Databases** drop-down list on the left, select your target database. +3. From the **Target databases** drop-down list on the left, select your target database. 4. On the right, click the name of your target database. -5. Notice that the following custom audit policies are provisioned on your target database, but not yet enabled: +5. Review the custom audit policies that are provisioned on your target database. If the check box is not selected, it means that the policy is not yet enabled. For example, the following are custom audit policies provided with the sample data that you loaded into your target database: - `APP_USER_NOT_APP_SERVER` - `EMPSEARCH_SELECT_USAGE_BY_PETE` - - `ADB_SAAS_ADMIN_AUDIT` - `EMP_RECORD_CHANGES` +6. Click **Update and provision**. -6. Click **Update and Provision**. - - The **Provision Audit Policies** panel is displayed. + The **Provision audit policies** panel is displayed. 7. Select **Exclude Data Safe user activity**. -8. Under **Basic Auditing**, select **Database Schema Changes** and **Critical Database Activity**. +8. Under **Basic auditing**, select **Database schema changes** and **Critical database activity**. -9. Under **Admin Activity Auditing**, select **Admin User Activity**. +9. Under **Admin activity auditing**, select **Admin user activity**. -10. Under **Custom Policies**, select **APP\_USER\_NOT\_APP\_SERVER**. +10. Under **Custom policies**, select **APP\_USER\_NOT\_APP\_SERVER**. -11. Click **Update and Provision** to provision the selected policies on your target database. +11. Click **Update and provision** to provision the selected policies on your target database. - ![Provision Audit Policies panel](images/provision-audit-policies-panel.png "Provision Audit Policies panel") + ![Provision audit policies panel](images/provision-audit-policies-panel.png "Provision audit policies panel") 12. Wait for the provisioning to finish, and then view the updated policy information on the page. Notice that the policies you enabled now have green circles. @@ -252,25 +245,25 @@ This lab assumes you have: ## Task 9: Analyze the audit events for your target database -1. In the breadcrumb at the top of the page, click **Activity Auditing**. +1. In the breadcrumb at the top of the page, click **Activity auditing**. -2. From the **Target Databases** drop-down list on the left, select your target database. +2. From the **Target databases** drop-down list on the left, select your target database. The dashboard is automatically updated to include audit event statistics for your target database. Do you notice any difference in the numbers? ![Activity Auditing dashboard charts after provisioning policies](images/activity-auditing-dashboard-charts-afterprovision.png "Activity Auditing dashboard charts after provisioning policies") ![Activity Auditing dashboard table after provisioning policies](images/activity-auditing-dashboard-table-afterprovision.png "Activity Auditing dashboard table after provisioning policies") -3. You notice that there are schema changes. To investigate, on the **Events Summary** tab, click **Schema Changes By Admin** to view more detail. +3. Notice that there are schema changes. To investigate, on the **Events summary** tab, click **Schema changes by admin** to view more detail. -4. On the **Schema Changes By Admin** page, review the following: +4. On the **Event category** page, review the following: - - The filters set at the top of the page. There are two filters set on **Operation Time**, setting the time period for the past one week. There is one filter set on **Target Id**, setting the target database to your database. + - The filters set at the top of the page. There are two filters set on **Operation time**, setting the time period for the past one week. There is one filter set on **Target id**, setting the target database to your database. - The total number of targets, database users, client hosts, `CREATE` statements, `ALTER` statements, and `DROP` statements - The total number of events - The individual audit events - ![Schema Changes By Admin page](images/schema-changes-by-admin-page.png "Schema Changes By Admin page") + ![Schema changes by admin](images/schema-changes-by-admin-page.png "Schema changes by admin") 5. Click the down arrow at the end of any row in the event table to view more detail about the event. When you click the down arrow, it changes to an up arrow. @@ -278,38 +271,37 @@ This lab assumes you have: 6. What was the SQL issued? - Answer: Scroll down to the **SQL Text** line item. Here you can choose to show the SQL or copy it. The SQL issued was as follows: + Answer: Scroll down to the **SQL text** line item. Here you can choose to show the SQL or copy it. The SQL issued was as follows: ``` drop function HCM1.return_condition ``` -## Task 10: View the All Activity report - -By default, the All Activity report shows audit events for the past one week for all target databases in the selected compartment(s). +## Task 10: View the All activity report -1. Under **Related Resources**, click **Audit Reports**. Oracle Data Safe has the following predefined audit reports: +By default, the All activity report shows audit events for the past one week for all target databases in the selected compartment(s). - - All Activity - - Admin Activity - - User/Entitlement Changes - - Audit Policy Changes - - Login Activity - - Data Access - - Data Modification - - Database Schema Changes - - Data Safe Activity - - Database Vault Activity - - Common User Activity - - Database Errors - - Data Extraction Activity - - Sensitive Data Activity +1. Under **Related resources**, click **Audit reports**. Oracle Data Safe has the following predefined audit reports: - ![Audit Reports page](images/audit-reports-page.png "Audit Reports page") + - All activity + - Admin activity + - User/entitlement changes + - Audit policy changes + - Login activity + - Data access + - Data modification + - Database schema changes + - Data Safe activity + - Database Vault activity + - Common user activity + - Database errors + - Data extraction activity + - Sensitive data activity + - SQL Firewall audited violations 2. Make sure that your compartment is selected. Deselect **Include child compartments**. -3. Click the **All Activity** report to view it. +3. Click the **All activity** report to view it. 4. View the filters set in the report. @@ -318,60 +310,60 @@ By default, the All Activity report shows audit events for the past one week for 5. View the totals in the report. - - You can click **Targets**, **DB Users**, and **Client Hosts** to view the list of targets, database users, and client hosts respectively. - - If you click **DMLs**, **Privilege Changes**, **DDLs**, **User/Entitlement Changes**, **Login Failures**, **Login Successes**, or **Total Events**, the audit events table is filtered accordingly. + - You can click **Targets**, **DB users**, and **Client hosts** to view the list of targets, database users, and client hosts respectively. + - If you click **DMLs**, **Privilege changes**, **DDLs**, **User/entitlement changes**, **Login failures**, **Login successes**, or **Total events**, the audit events table is filtered accordingly. 6. Scroll down and view the individual audit events. 7. To view more detail for a particular audit event, click the down arrow to expand the row and show details for the particular event. For some details, you can copy their values to the clipboard. - ![All Activity report](images/all-activity-report.png "All Activity report") + ![All activity report](images/all-activity-report.png "All activity report") ## Task 11: Create a custom audit report -1. At the top of the **All Activity** report, add the following two filters. To add a filter, click **+ Another Filter**. When you are done setting the filter parameters, click **Apply**. +1. At the top of the **All activity** report, add the following two filters. To add a filter, click **+ Another filter**. When you are done setting the filter parameters, click **Apply**. - **Target = your-target-database-name** - - **Object Owner = HCM1** + - **Object owner = HCM1** -2. Click **Manage Columns**. In the **Manage Columns** panel, select **Target**, **DB User**, **Event**, **Object**, **Operation Time**, and **Unified Audit Policies** columns. Click **Apply Changes**. +2. Click **Manage columns**. In the **Manage columns** panel, select **Target**, **DB user**, **Event**, **Object**, **Operation time**, and **Unified audit policies** columns. Click **Apply changes**. The table displays the selected columns. Also notice that the totals are adjusted too. - ![All Activity report](images/custom-audit-report3.png "All Activity report") + ![All activity report](images/custom-audit-report3.png "All activity report") -3. Click **Create Custom Report**. +3. Click **Create custom report**. - The **Create Custom Report** dialog box is displayed. + The **Create custom report** dialog box is displayed. -4. Enter the display name **All Activity Report on schema: HCM1 in the target your-target-database-name**. Enter an optional description. Select your compartment, if needed. Click **Create Custom Report** and wait for the report to generate. +4. Enter the display name **All activity report on schema: HCM1 in target your-target-database-name**. Enter an optional description. Select your compartment, if needed. Click **Create custom report** and wait for the report to generate. - ![Create Custom Report dialog box](images/create-custom-report-dialog-box.png "Create Custom Report dialog box") + ![Create custom report dialog box](images/create-custom-report-dialog-box.png "Create custom report dialog box") -5. In the **Create Custom Report** dialog box, click the **click here** link to navigate to your custom report. +5. In the **Create custom report** dialog box, click the **click here** link to navigate to your custom report. - - If you need to modify your custom report, you can click **Save Report** to save the changes. - - To view your custom report in the future, under **Related Resources** for **Activity Auditing**, click **Audit Reports**. Click the **Custom Reports** tab, and then click the name of your custom audit report. + - If you need to modify your custom report, you can click **Save report** to save the changes. + - To view your custom report in the future, under **Related resources** for **Activity auditing**, click **Audit reports**. Click the **Custom reports** tab, and then click the name of your custom audit report. ## Task 12: Generate and download a custom audit report as a PDF -1. On the custom audit report page, click **Generate Report**. +1. On the custom audit report page, click **Generate report**. - The **Generate Report** dialog box is displayed. + The **Generate report** dialog box is displayed. 2. Leave **PDF** selected. -3. Enter the display name **All Activity Report on schema: HCM1 in the target your-target-database-name**. +3. Enter the display name **All activity report on schema: HCM1 in target your-target-database-name**. 4. (Optional) Enter a description. 5. Make sure your compartment is selected. -6. Leave the report start time as is. +6. Leave the other settings as is. -7. Click **Generate Report** and wait until the PDF report is generated. A message is displayed stating that report generation is complete. +7. Click **Generate report** and wait until the PDF report is generated. A message is displayed stating that report generation is complete. ![Generate PDF of custom audit report](images/generate-pdf-custom-audit-report.png "Generate PDF of custom audit report") @@ -379,26 +371,24 @@ By default, the All Activity report shows audit events for the past one week for 9. If you are prompted to open or save the report, choose to save. -10. Close the **Generate Report** dialog box. +10. To close the **Generate Report** dialog box, click **Close**. 11. Open the PDF report and view it. - ![All Activity PDF report](images/all-activity-report-pdf.png "All Activity PDF report") + ![All activity PDF report](images/all-activity-report-pdf.png "All activity PDF report") 12. To close the PDF report, close the browser tab. -13. To close the **Generate Report** dialog box, click **Close**. - -## Task 13: View the Audit Report History +## Task 13: View the audit report history -1. Under **Related Resources**, click **Audit Report History**. +1. Under **Related resources**, click **Audit report history**. -2. View the details for your custom report. On this page, you can click the name of a report to view its report details and download the report as a PDF or XLS document (depending on how you originally generated it). Oracle Data Safe keeps the history of audit reports for up to three months. +2. View the details for your custom report. On this page, you can click the name of a report to view its details and download the report as a PDF or XLS document (depending on how you originally generated it). Oracle Data Safe keeps the history of audit reports for up to three months. ![History for custom report](images/history-custom-report.png "History for custom report") -3. In the **Report Name** column, click the name of your custom report to view its details. +3. In the **Name** column, click the name of your custom report to view its details. ![Custom report details](images/custom-report-details.png "Custom report details") @@ -406,41 +396,41 @@ By default, the All Activity report shows audit events for the past one week for ## Task 14: Schedule your custom audit report Schedule your custom audit report to generate a PDF every Sunday at 11PM UTC. -1. In the breadcrumb, select **Activity Auditing**. +1. In the breadcrumb at the top of the page, select **Activity auditing**. -2. Under **Related Resources**, click **Audit Reports**. +2. Under **Related resources**, click **Audit reports**. -3. On the right, click the **Custom Reports** tab. +3. On the right, click the **Custom reports** tab. -4. In the **Report Name** column in the table, click the name of your custom report. +4. In the **Report name** column in the table, click the name of your custom report. Your custom report is displayed. -5. Click **Manage Report Schedule**. +5. Click **Manage report schedule**. - The **Manage Report Schedule** panel is displayed. + The **Manage report schedule** panel is displayed. -6. Enter a schedule name, for example, **All Activity HCM1 on your-database-name Schedule**. +6. Enter a schedule name, for example, **All activity HCM1 on your-database-name schedule**. 7. Make sure that your compartment is selected. 8. Leave **PDF** selected as the report format. -9. For **Schedule Frequency**, select **Weekly**. +9. For **Schedule frequency**, select **Weekly**. 10. For **Every**, select **Sunday**. 11. For **Time (in UTC)**, select **11 PM**. -12. For **Events Time Span**, leave **Last Days** and **7** as is so that only one weeks worth of data is displayed in the report. +12. For **Events time span**, leave **Last days** and **7** as is so that only one weeks worth of data is displayed in the report. - ![Manage Report Schedule panel](images/manage-report-schedule-panel.png "Manage Report Schedule panel") + ![Manage Report Schedule panel](images/manage-report-schedule-panel.png "Manage report schedule panel") -13. Click **Save Schedule**. +13. Click **Save schedule**. The panel closes and you are returned to your custom report. -14. To view the schedule, under **Related Resources**, click **Audit Reports**. On the right, click the **Custom Reports** tab. Notice that now there is a report schedule for your custom report. You can access the reports generated by the schedule on the **Audit Report History** page. +14. To view the schedule, under **Related resources**, click **Audit reports**. On the right, click the **Custom reports** tab. Notice that now there is a report schedule for your custom report. You can access the reports generated by the schedule on the **Audit report history** page. ![Custom report with schedule](images/custom-report-w-schedule.png "Custom report with schedule") @@ -454,4 +444,4 @@ You may now **proceed to the next lab**. ## Acknowledgements * **Author** - Jody Glover, Consulting User Assistance Developer, Database Development -* **Last Updated By/Date** - Jody Glover, June 8, 2023 +* **Last Updated By/Date** - Jody Glover, February 12, 2024 diff --git a/data-safe/audit-database-activity/images/activity-auditing-dashboard-charts-afterprovision.png b/data-safe/audit-database-activity/images/activity-auditing-dashboard-charts-afterprovision.png index fbc858628..862a26021 100644 Binary files a/data-safe/audit-database-activity/images/activity-auditing-dashboard-charts-afterprovision.png and b/data-safe/audit-database-activity/images/activity-auditing-dashboard-charts-afterprovision.png differ diff --git a/data-safe/audit-database-activity/images/activity-auditing-dashboard-charts-initial.png b/data-safe/audit-database-activity/images/activity-auditing-dashboard-charts-initial.png index a09eb6a1f..ec10ec31a 100644 Binary files a/data-safe/audit-database-activity/images/activity-auditing-dashboard-charts-initial.png and b/data-safe/audit-database-activity/images/activity-auditing-dashboard-charts-initial.png differ diff --git a/data-safe/audit-database-activity/images/activity-auditing-dashboard-table-afterprovision.png b/data-safe/audit-database-activity/images/activity-auditing-dashboard-table-afterprovision.png index 633cd168a..4caf11e75 100644 Binary files a/data-safe/audit-database-activity/images/activity-auditing-dashboard-table-afterprovision.png and b/data-safe/audit-database-activity/images/activity-auditing-dashboard-table-afterprovision.png differ diff --git a/data-safe/audit-database-activity/images/activity-auditing-dashboard-target-summary-tab.png b/data-safe/audit-database-activity/images/activity-auditing-dashboard-target-summary-tab.png index 5d35f8a34..0d7694066 100644 Binary files a/data-safe/audit-database-activity/images/activity-auditing-dashboard-target-summary-tab.png and b/data-safe/audit-database-activity/images/activity-auditing-dashboard-target-summary-tab.png differ diff --git a/data-safe/audit-database-activity/images/activity-auditing-events-summary-tab.png b/data-safe/audit-database-activity/images/activity-auditing-events-summary-tab.png index b5293d8b4..045c9be96 100644 Binary files a/data-safe/audit-database-activity/images/activity-auditing-events-summary-tab.png and b/data-safe/audit-database-activity/images/activity-auditing-events-summary-tab.png differ diff --git a/data-safe/audit-database-activity/images/alerts-dashboard-no-data.png b/data-safe/audit-database-activity/images/alerts-dashboard-no-data.png index a14a91054..a605fc422 100644 Binary files a/data-safe/audit-database-activity/images/alerts-dashboard-no-data.png and b/data-safe/audit-database-activity/images/alerts-dashboard-no-data.png differ diff --git a/data-safe/audit-database-activity/images/all-activity-report-pdf.png b/data-safe/audit-database-activity/images/all-activity-report-pdf.png index 82ff85942..1e136a713 100644 Binary files a/data-safe/audit-database-activity/images/all-activity-report-pdf.png and b/data-safe/audit-database-activity/images/all-activity-report-pdf.png differ diff --git a/data-safe/audit-database-activity/images/all-activity-report.png b/data-safe/audit-database-activity/images/all-activity-report.png index 831a0b43b..3fc41f39c 100644 Binary files a/data-safe/audit-database-activity/images/all-activity-report.png and b/data-safe/audit-database-activity/images/all-activity-report.png differ diff --git a/data-safe/audit-database-activity/images/audit-event-table-expander.png b/data-safe/audit-database-activity/images/audit-event-table-expander.png index 67b92d52e..075c976f2 100644 Binary files a/data-safe/audit-database-activity/images/audit-event-table-expander.png and b/data-safe/audit-database-activity/images/audit-event-table-expander.png differ diff --git a/data-safe/audit-database-activity/images/audit-policies-details-page.png b/data-safe/audit-database-activity/images/audit-policies-details-page.png index ea47ec6a7..ef84afa20 100644 Binary files a/data-safe/audit-database-activity/images/audit-policies-details-page.png and b/data-safe/audit-database-activity/images/audit-policies-details-page.png differ diff --git a/data-safe/audit-database-activity/images/audit-policies-page.png b/data-safe/audit-database-activity/images/audit-policies-page.png index d812dc9bb..e372b81fa 100644 Binary files a/data-safe/audit-database-activity/images/audit-policies-page.png and b/data-safe/audit-database-activity/images/audit-policies-page.png differ diff --git a/data-safe/audit-database-activity/images/audit-profile-details-page.png b/data-safe/audit-database-activity/images/audit-profile-details-page.png index b622def15..4779bbf8f 100644 Binary files a/data-safe/audit-database-activity/images/audit-profile-details-page.png and b/data-safe/audit-database-activity/images/audit-profile-details-page.png differ diff --git a/data-safe/audit-database-activity/images/audit-profiles-page.png b/data-safe/audit-database-activity/images/audit-profiles-page.png index 5d1ac5111..45d82afcb 100644 Binary files a/data-safe/audit-database-activity/images/audit-profiles-page.png and b/data-safe/audit-database-activity/images/audit-profiles-page.png differ diff --git a/data-safe/audit-database-activity/images/audit-trail-details-page.png b/data-safe/audit-database-activity/images/audit-trail-details-page.png index 663713a5f..ae37c6327 100644 Binary files a/data-safe/audit-database-activity/images/audit-trail-details-page.png and b/data-safe/audit-database-activity/images/audit-trail-details-page.png differ diff --git a/data-safe/audit-database-activity/images/audit-trails-page.png b/data-safe/audit-database-activity/images/audit-trails-page.png index 9c5b9ec0f..70560f128 100644 Binary files a/data-safe/audit-database-activity/images/audit-trails-page.png and b/data-safe/audit-database-activity/images/audit-trails-page.png differ diff --git a/data-safe/audit-database-activity/images/available-in-target-database.png b/data-safe/audit-database-activity/images/available-in-target-database.png index a359b9eb5..53227d3d0 100644 Binary files a/data-safe/audit-database-activity/images/available-in-target-database.png and b/data-safe/audit-database-activity/images/available-in-target-database.png differ diff --git a/data-safe/audit-database-activity/images/collection-state-idle.png b/data-safe/audit-database-activity/images/collection-state-idle.png index e978b6955..d03eff4f4 100644 Binary files a/data-safe/audit-database-activity/images/collection-state-idle.png and b/data-safe/audit-database-activity/images/collection-state-idle.png differ diff --git a/data-safe/audit-database-activity/images/create-custom-report-dialog-box.png b/data-safe/audit-database-activity/images/create-custom-report-dialog-box.png index 8aa1ce817..81b539515 100644 Binary files a/data-safe/audit-database-activity/images/create-custom-report-dialog-box.png and b/data-safe/audit-database-activity/images/create-custom-report-dialog-box.png differ diff --git a/data-safe/audit-database-activity/images/custom-audit-report3.png b/data-safe/audit-database-activity/images/custom-audit-report3.png index 4c426e816..5b55eefb7 100644 Binary files a/data-safe/audit-database-activity/images/custom-audit-report3.png and b/data-safe/audit-database-activity/images/custom-audit-report3.png differ diff --git a/data-safe/audit-database-activity/images/custom-report-details.png b/data-safe/audit-database-activity/images/custom-report-details.png index 4055c67c5..c9c54c248 100644 Binary files a/data-safe/audit-database-activity/images/custom-report-details.png and b/data-safe/audit-database-activity/images/custom-report-details.png differ diff --git a/data-safe/audit-database-activity/images/custom-report-w-schedule.png b/data-safe/audit-database-activity/images/custom-report-w-schedule.png index 31c9104fe..e0b32c46d 100644 Binary files a/data-safe/audit-database-activity/images/custom-report-w-schedule.png and b/data-safe/audit-database-activity/images/custom-report-w-schedule.png differ diff --git a/data-safe/audit-database-activity/images/enabled-policies.png b/data-safe/audit-database-activity/images/enabled-policies.png index 4dd762b39..be88aa3cc 100644 Binary files a/data-safe/audit-database-activity/images/enabled-policies.png and b/data-safe/audit-database-activity/images/enabled-policies.png differ diff --git a/data-safe/audit-database-activity/images/generate-pdf-custom-audit-report.png b/data-safe/audit-database-activity/images/generate-pdf-custom-audit-report.png index aaa74fee5..8ec141e70 100644 Binary files a/data-safe/audit-database-activity/images/generate-pdf-custom-audit-report.png and b/data-safe/audit-database-activity/images/generate-pdf-custom-audit-report.png differ diff --git a/data-safe/audit-database-activity/images/history-custom-report.png b/data-safe/audit-database-activity/images/history-custom-report.png index 62622b626..2431448aa 100644 Binary files a/data-safe/audit-database-activity/images/history-custom-report.png and b/data-safe/audit-database-activity/images/history-custom-report.png differ diff --git a/data-safe/audit-database-activity/images/manage-report-schedule-panel.png b/data-safe/audit-database-activity/images/manage-report-schedule-panel.png index e79d9f9ff..c84820116 100644 Binary files a/data-safe/audit-database-activity/images/manage-report-schedule-panel.png and b/data-safe/audit-database-activity/images/manage-report-schedule-panel.png differ diff --git a/data-safe/audit-database-activity/images/provision-audit-policies-panel.png b/data-safe/audit-database-activity/images/provision-audit-policies-panel.png index 427b4579f..e88b8db1d 100644 Binary files a/data-safe/audit-database-activity/images/provision-audit-policies-panel.png and b/data-safe/audit-database-activity/images/provision-audit-policies-panel.png differ diff --git a/data-safe/audit-database-activity/images/schema-changes-by-admin-page.png b/data-safe/audit-database-activity/images/schema-changes-by-admin-page.png index ace862ed6..4abd85f07 100644 Binary files a/data-safe/audit-database-activity/images/schema-changes-by-admin-page.png and b/data-safe/audit-database-activity/images/schema-changes-by-admin-page.png differ diff --git a/data-safe/audit-database-activity/images/start-audit-trail-dialog-box.png b/data-safe/audit-database-activity/images/start-audit-trail-dialog-box.png index e4c79cabc..31c542de5 100644 Binary files a/data-safe/audit-database-activity/images/start-audit-trail-dialog-box.png and b/data-safe/audit-database-activity/images/start-audit-trail-dialog-box.png differ diff --git a/data-safe/clean-up-environment/clean-up-environment-ocw.md b/data-safe/clean-up-environment/clean-up-environment-ocw.md index 261172c65..0a72d6fce 100644 --- a/data-safe/clean-up-environment/clean-up-environment-ocw.md +++ b/data-safe/clean-up-environment/clean-up-environment-ocw.md @@ -1,4 +1,4 @@ -# Clean Up Your Environment +# Clean up your environment ## Introduction diff --git a/data-safe/cli/cli.md b/data-safe/cli/cli.md index ee981a5f2..33e12bb40 100644 --- a/data-safe/cli/cli.md +++ b/data-safe/cli/cli.md @@ -1,10 +1,12 @@ -# Download the Latest Security Assessment by using the Oracle Data Safe CLI +# Download the latest security assessment by using the Oracle Data Safe CLI + +[comment]: <> (A policy is required to access Cloud Shell) ## Introduction You can use the command line interface (CLI) in Cloud Shell to perform tasks in Oracle Data Safe. Cloud Shell is a small virtual machine running a Linux shell and is accessible in your tenancy in the Oracle Cloud Infrastructure Console. It's ready and free to use in your tenancy (within monthly tenancy limits). If you want to perform complex tasks using the CLI, it's useful to create an SH script that contains all of your CLI commands. - In this lab, you use the CLI to refresh the latest Security Assessment report for your target database and download it to a directory on your Cloud Shell machine. Begin by familiarizing yourself with the command line interface (CLI) documentation for Oracle Data Safe. + In this lab, you use the CLI to refresh the latest Security Assessment report for your target database and download the report to a directory on your Cloud Shell machine. Begin by familiarizing yourself with the command line interface (CLI) documentation for Oracle Data Safe. Estimated Lab Time: 20 minutes @@ -65,10 +67,13 @@ This lab assumes you have: 1. To open Cloud Shell, in the upper-right corner of the Oracle Cloud Infrastructure Console, click the **Developer tools** icon, and then select **Cloud Shell**. - When you first open Cloud Shell, your current directory is your home directory; for example, `/home/jody_glove`. For this lab, we can work in the home directory (`~/`). +2. If prompted to run a tutorial, enter **N** to skip the tutorial. + + Your current directory is your home directory; for example, `/home/jody_glove`. For this lab, we can work in the home directory (`~/`). +3. To verify your current directory, enter `pwd`. -2. (Optional) If you use Cloud Shell often and want to start fresh, you can reset it. The following command erases all the data in your `$HOME` directory on your Cloud Shell machine and resets the `$HOME/.bashrc`, `$HOME/.bash_profile`, `$HOME/.bash_logout`, and `$HOME/.emacs` files back to their default values. Enter **y** at the prompt to confirm. +4. (Optional) If you use Cloud Shell often and want to start fresh, you can reset it. The following command erases all the data in your `$HOME` directory on your Cloud Shell machine and resets the `$HOME/.bashrc`, `$HOME/.bash_profile`, `$HOME/.bash_logout`, and `$HOME/.emacs` files back to their default values. Enter **y** at the prompt to confirm. ```bash $ csreset --all @@ -89,7 +94,7 @@ Identify the commands and values that are required for the SH script and test ea 2. Create a variable that defines your Oracle Data Safe target database OCID (not your Autonomous Database OCID!). - To do this, first find your target database OCID: From the navigation menu, select **Oracle Database**, and then **Data Safe - Database Security**. Under **Data Safe** on the left, click **Target Databases**. Under **List Scope** on the left, select your compartment. On the right, click the name of your target database. On the **Target Database Details** tab, click **Copy** next to **OCID**. In Cloud Shell, enter the following command, replacing `your-target-database-ocid` with your own OCID. + To do this, first find your target database OCID: From the navigation menu, select **Oracle Database**, and then **Data Safe - Database Security**. Under **Data Safe** on the left, click **Target databases**. Under **List scope** on the left, select your compartment. On the right, click the name of your target database. On the **Target database information** tab, click **Copy** next to **OCID**. In Cloud Shell, enter the following command, replacing `your-target-database-ocid` with your own OCID. ```text $ export target_id=your-target-database-ocid @@ -119,7 +124,7 @@ Identify the commands and values that are required for the SH script and test ea $ security_assessment_id=$(oci data-safe security-assessment create --compartment-id $compartment_id --target-id $target_id --query data.id --raw-output) ``` - Notice how we are using the `security-assessment create` CLI command with the `--query data.id` and `--raw-output` parameters. If you need to obtain metadata about a resource, you can learn which metadata values are available by including the `--query data` and `--raw-output` parameters. For example, if the above statement used `--query data` instead of `--query data.id`, the output value would include all possible key-value pairs. + Notice how we are using the `security-assessment create` CLI command with the `--query data.id` and `--raw-output` parameters. If you need to obtain metadata about a resource, you can learn which metadata values are available by including the `--query data` and `--raw-output` parameters. For example, if the above statement used `--query data` instead of `--query data.id`, the output value would include all possible key-value pairs: ```json {"compartment-id": "ocid1.compartment.oc1...", "defined-tags": { "Oracle-Tags": { "CreatedBy": "jody.glove..", "CreatedOn": "2023-01-30T20:40:53.671Z" } }, "description": null, "display-name": "SA_1675111253797", "freeform-tags": {}, "id": "ocid1.datasafesecurityassessment.oc1...", "ignored-assessment-ids": null, "ignored-targets": null, "is-baseline": false, "is-deviated-from-baseline": null, "last-compared-baseline-id": null, "lifecycle-details": null, "lifecycle-state": "CREATING", "link": null, "schedule": null, "schedule-security-assessment-id": null, "statistics": null, "system-tags": {}, "target-ids": [ "ocid1.datasafetargetdatabase.oc1..." ], "target-version": null, "time-created": "2023-01-30T20:40:53.797000+00:00", "time-updated": "2023-01-30T20:40:53.797000+00:00", "triggered-by": "USER", "type": "SAVED" } @@ -127,7 +132,7 @@ Identify the commands and values that are required for the SH script and test ea 6. Verify that the security assessment is created in Oracle Data Safe. - To do this, from the navigation menu, select **Oracle Database**, and then **Data Safe - Database Security**. Under **Data Safe** on the left, click **Security Assessment**. Click the **Target Summary** tab, locate the line that has your target database, and click **View Report**. At the top of the latest security assessment page, click **View History**. Make sure that your compartment is selected. Find the new security assessment for your target database that was generated by the CLI command in the previous step. + To do this, from the navigation menu, select **Oracle Database**, and then **Data Safe - Database Security**. Under **Data Safe** on the left, click **Security assessment**. Click the **Target summary** tab, locate the line that has your target database, and click **View report**. At the top of the latest security assessment page, click **View history**. Make sure that your compartment is selected. Find the new security assessment for your target database that was generated by the CLI command in the previous step. You should have at least two security assessments. The first one was automatically created by Oracle Data Safe when you registered your target database. The second one is the one you just created via the command line. If the second one isn't listed, you may need to wait a little longer. @@ -218,13 +223,13 @@ When you run the SH file, the latest security assessment is downloaded to your C ``` 4. In the upper-right corner of Cloud Shell, click the **Cloud Shell Menu** icon (cog wheel), and select **Download**. - A **Download File** dialog box is displayed. + A **Download file** dialog box is displayed. 5. Enter the name of your PDF file, and then click **Download**. - The file is downloaded to the browser. + The file is downloaded to the browser. -6. Open the PDF file and review the assessment report. Close the browser tab when you're finished. +6. Open the PDF file, if needed, and review the assessment report. Close the browser tab when you're finished. 7. Close Cloud Shell and click **Exit** to confirm. @@ -239,4 +244,4 @@ You may now **proceed to the next lab**. ## Acknowledgements - **Author** - Jody Glover, Consulting User Assistance Developer, Database - **Consultants** - Bettina Schaeumer -- **Last Updated By/Date** - Jody Glover, April 11, 2023 \ No newline at end of file +- **Last Updated By/Date** - Jody Glover, February 6, 2024 \ No newline at end of file diff --git a/data-safe/discover-sensitive-data/discover-sensitive-data.md b/data-safe/discover-sensitive-data/discover-sensitive-data.md index e58b1d57b..e6010b1f2 100644 --- a/data-safe/discover-sensitive-data/discover-sensitive-data.md +++ b/data-safe/discover-sensitive-data/discover-sensitive-data.md @@ -1,12 +1,12 @@ -# Discover Sensitive Data +# Discover sensitive data ## Introduction Data Discovery helps you find sensitive data in your target databases. You tell Data Discovery what kind of sensitive data to search for, and it inspects the actual data in your target database and its data dictionary, and then returns to you a list of sensitive columns. By default, Data Discovery can search for a wide variety of sensitive data pertaining to identification, biographic, IT, financial, healthcare, employment, and academic information. -Start by examining sensitive data in one of the tables on your target database by using Database Actions. Then, use Oracle Data Safe to discover sensitive data on your target database and generate a sensitive data model. Create a PDF of your sensitive data model. +In this lab, you use Oracle Data Safe to discover sensitive data on your target database and then adjust the sensitive data model. -Estimated Lab Time: 10 minutes +Estimated Lab Time: 15 minutes ### Objectives @@ -14,7 +14,9 @@ In this lab, you will: - Discover sensitive data in your target database by using Data Discovery - Analyze the sensitive data model -- Create a PDF of the Sensitive Data Model report +- Perform an incremental discovery +- Remove a column from the sensitive data model +- Add a column to the sensitive data model ### Prerequisites @@ -29,6 +31,7 @@ This lab assumes you have: ### Assumptions - Your data values might be different than those shown in the screenshots. +- Please ignore the dates for the data and database names. Screenshots are taken at various times and may differ between labs and within labs. ## Task 1: Discover sensitive data in your target database by using Data Discovery @@ -37,101 +40,159 @@ This lab assumes you have: 2. In the breadcrumb at the top of the page, click **Data Safe**. -3. On the left under **Security Center**, and click **Data Discovery**. +3. On the left under **Security center**, and click **Data discovery**. 4. From the **Compartment** drop-down list, select your compartment. - A Data Discovery overview page is displayed with statistics for the top five target databases in your compartment. Your page is most likely empty because this is the first time you are using Data Discovery in this workshop. + The Data discovery page is displayed with statistics for the top five target databases in your compartment. Your page is most likely empty because this is the first time you are using Data Discovery in this workshop. -5. Click **Discover Sensitive Data**. +5. Click **Discover sensitive data**. - The **Create Sensitive Data Model** wizard is displayed. + The **Create sensitive data model** wizard is displayed. -6. On the **Provide Basic Information** page, do the following, and then click **Next**. +6. On the **Provide basic information** page, do the following, and then click **Next**. - In the **Name** box, enter **SDM1**. - Leave the compartment set to your compartment. - In the **Description** box, enter **Sensitive Data Model 1**. - Select your target database - ![Provide Basic Information page](images/provide-basic-information-page.png "Provide Basic Information page") + ![Provide basic information](images/provide-basic-information-page.png "Provide basic information") -7. On the **Select Schemas** page, leave **Select specific schemas only** selected. Scroll down and select the **HCM1** schema, and then click **Next**. You might need to click the right arrow button at the bottom of the page to navigate to page 2. +7. On the **Select schemas** page, wait for the schemas to be refreshed if prompted to do so. Leave **Select specific schemas only** selected. Scroll down and select the **HCM1** schema, and then click **Next**. You might need to click the right arrow button at the bottom of the page to navigate to page 2. - ![Select Schemas page](images/select-schemas-page.png "Select Schemas page") + ![Select schemas](images/select-schemas-page.png "Select schemas") -8. On the **Select Sensitive Types** page, expand all of the sensitive categories by moving the **Expand All** slider to the right. Scroll down the page and review the sensitive types. Notice that you can select individual sensitive types, sensitive categories, and all sensitive types at one time. At the top of the page, select the **All** check box, and then click **Next**. +8. On the **Select sensitive types** page, review the list of common sensitive types and then scroll down and review all available sensitive types. Scroll up and select the **All** check box for common sensitive types. Click **Next**. - ![Select Sensitive Types page](images/select-sensitive-types-page.png "Select Sensitive Types page") + ![Select all common sensitive types](images/select-all-common-sensitive-types.png "Select all common sensitive types") -9. On the **Select Discovery Options** page, select **Collect, display and store sample data**, and then click **Create Sensitive Data Model** at the bottom of the page to begin the data discovery process. +9. On the **Select discovery options** page, select **Collect, display and store sample data**, and then click **Create sensitive data model** at the bottom of the page to begin the data discovery process. - ![Select Discovery Options page page](images/select-discovery-options-page.png "Select Discovery Options page") + ![Select discovery options page](images/select-discovery-options-page.png "Select discovery options") -10. Wait for the sensitive data model to be created. The **Sensitive Data Model Details** page is displayed. +10. Wait for the sensitive data model to be created. The **Sensitive data model details** page is displayed. ## Task 2: Analyze the sensitive data model -1. Review the information on the **Sensitive Data Model Details** page. +1. Review the information about the sensitive data model. - - The **Sensitive Data Model Information** tab lists information about your sensitive data model, including its name and Oracle Cloud Identifier (OCID), the compartment to which you saved it, the date and time when it was created and last updated, the target database associated with it, the selected schema for discovery (HCM1), the selected sensitive types for discovery (click the **View Details** link), and totals for discovered sensitive schemas, sensitive tables, sensitive columns, sensitive types, and sensitive values. - - You can view the selected sensitive types for discovery (click **View Details**). - - You can view the work request information (click **View Details**). - - The pie chart shows percentages of sensitive categories and sensitive types. - - The **Sensitive Columns** table lists the discovered sensitive columns. By default, the table is displayed in **Flat View** format. For each sensitive column, you can view its schema name, table name, column name, sensitive type, parent column, data type, estimated row count, sample data (if you chose to retrieve sample data and if it exists), and audit records. Review the sample data to get an idea of what it looks like. + - The **Sensitive data model information** tab lists information about your sensitive data model, including its name, description, Oracle Cloud Identifier (OCID), the compartment to which you saved it, the date and time when it was created and last updated, the target database associated with it, the selected schema for discovery (HCM1), the selected sensitive types for discovery (click the **View details** link), and totals for discovered sensitive schemas, sensitive tables, sensitive columns, sensitive types, and sensitive values. + - You can view the selected sensitive types for discovery (click **View details**). + - You can view the work request information (click **View details**). + - The bar chart shows you the number of sensitive columns found for the top five sensitive types. + - The **Sensitive columns** table lists the discovered sensitive columns. By default, the table is displayed in **Flat view** format. For each sensitive column, you can view its schema name, table name, column name, sensitive type, parent column, data type, estimated row count, sample data (if you chose to retrieve sample data and if it exists), and audit records. Review the sample data to get an idea of what it looks like. ![Sensitive Data Model Details page top](images/sensitive-data-model-details-page-1.png "Sensitive Data Model Details page top") ![Sensitive Data Model Details page bottom](images/sensitive-data-model-details-page-2.png "Sensitive Data Model Details page bottom") -2. Position your mouse over the **Identification Information** category in the chart to view its value. Your percentage value might be different than the value shown in the screenshot. +2. Under **Sensitive columns**, from the first drop-down list, select **Sensitive type view** to sort the sensitive columns by sensitive type. By default, all items are expanded in the view. You can collapse the items by moving the **Expand all** slider to the left. - ![Identification Information category in sensitive data model chart](images/sdm-chart-identification-information.png "Identification Information category in sensitive data model chart") + ![Sensitive type view of sensitive data model](images/sensitive-type-view-sdm1.png "Sensitive type view of sensitive data model") -3. With your mouse still over **Identification Information**, click the pie slice to drill down. Notice that the **Identification Information** category is now divided into two smaller categories (**Personal Identifiers** and **Public Identifiers**). +3. From the same drop-down list, select **Schema view** to sort the sensitive columns by schema and table name. - ![Personal and Public Identifiers in sensitive data model chart](images/sdm-chart-personal-public-identifiers.png "Personal and Public Identifiers in sensitive data model chart") + - If a sensitive column was discovered because it has a relationship to another sensitive column as defined in the database's data dictionary, the other sensitive column is displayed in the **Parent column**. For example, `EMPLOYEE_ID` in the `EMP_EXTENDED` table has a relationship to `EMPLOYEE_ID` in the `EMPLOYEES` table. + ![Schema view of sensitive data model](images/schema-view-sdm1.png "Schema view of sensitive data model") -4. To drill-up, click the **All** link in the chart's breadcrumb. +## Task 3: Perform an incremental discovery -5. Under **Sensitive Columns**, from the drop-down list, select **Sensitive Type View** to sort the sensitive columns by sensitive type. By default, all items are expanded in the view. You can collapse the items by moving the **Expand All** slider to the left. +Increase the scope of the data discovery job. - ![Sensitive Type View of sensitive data model](images/sensitive-type-view-sdm1.png "Sensitive Type View of sensitive data model") +1. Under **Resources** on the left, click **Lastest incremental discovery**. -6. From the drop-down list, select **Schema View** to sort the sensitive columns by table name. +2. Under **Incremental discovery** on the right, click **Run discovery now**. - - If a sensitive column was discovered because it has a relationship to another sensitive column as defined in the database's data dictionary, the other sensitive column is displayed in the **Parent Column**. For example, `EMPLOYEE_ID` in the `EMP_EXTENDED` table has a relationship to `EMPLOYEE_ID` in the `EMPLOYEES` table. + The **Run discovery now** dialog box is displayed. - ![Schema View of sensitive data model](images/schema-view-sdm1.png "Schema View of sensitive data model") +3. Select **Adjust the scope for the incremental discovery**, and then click **Submit**. + You are returned to the beginning of the data discovery wizard. -## Task 3: Create a PDF of the Sensitive Data Model report + ![Run discovery now dialog box](images/run-discovery-now-dialog-box.png "Run discovery now dialog box") -1. At the top of the **Sensitive Data Models Details** page, click **Generate Report**. +4. On the **Provide basic information** page, click **Next**. - A **Generate Report** dialog box is displayed. +5. On the **Select schemas** page, click **Next**. -2. Leave **PDF** selected, click **Generate Report**, and wait for the report to be 100% generated. Click the **here** link to download the report. +6. On the **Select sensitive types** page, scroll down to the section where all sensitive types are listed. Select **Biographic Information** and **Employment Information**, and click **Next**. - ![Generate PDF report of SDM1](images/generate-pdf-report-sdm1.png "Generate PDF report of SDM1") +7. For **Select discovery options**, select **Collect, display and store sample data**. +8. Click **Run discovery now**, and wait for the message **Incremental discovery completed successfully** to be displayed. -3. Open the PDF report and review it. +9. Review the additional sensitive data that was discovered. Notice that you can approve and reject incremental discovery results or specific results. - - The **Summary** table shows totals for columns and values scanned, and counts for sensitive types, sensitive tables, sensitive columns, and sensitive values. - - The **Sensitive Columns** table lists the sensitive columns in the sensitive data model. For each sensitive column, the table shows you its sensitive type, schema name, table name, column name, sensitive value count, whether the column data was matched (Y or N), whether the column name was matched (Y or N), and whether the column comment was matched (Y or N). +10. Select **All incremental discovery results**, and click **Approve**. - ![PDF report of SDM1](images/pdf-report-sdm1.png "PDF report of SDM1") + ![Approve all incremental discovery results](images/approve-discovery-results.png "Approve all incremental discovery results") -4. Close the PDF report and return to Oracle Data Safe. +11. In the **Approve discovery results** dialog box, click **Approve**. + + ![Approve discovery results dialog box](images/approve-discovery-results-dialog-box.png "Approve discovery results dialog box") + +12. Click **Apply to SDM**. + + The **Apply to sensitive data model** dialog box is displayed. + + ![Apply to sensitive data model dialog box](images/apply-to-sensitive-data-model.png "Apply to sensitive data model dialog box") + +13. Click **Submit** and wait for the message **Sensitive data model updated successfully** to be displayed. + + The sensitive data model is updated with the additional sensitive columns. + + +## Task 4: Remove a column from the sensitive data model + +Remove the `DATE_OF_HIRE` column from the sensitive data model. + +1. Under **Resources** on the left, click **Sensitive columns**. + +2. In the **Sensitive columns** section, click **Remove columns**. + + The **Remove columns** panel is displayed. + +3. In the **Column name** box, enter **DATE**, and then select **DATE\_OF\_HIRE**. + +4. Click **Search**. + +5. Select the check box for the **DATE\_OF\_HIRE** column in the **JOB_HISTORY** table, and then click **Remove columns**. + + ![Remove columns page](images/remove-columns-panel.png "Remove columns page") + +## Task 5: Add a column to the sensitive data model + +Add `COUNTRY_ABBREV` to the sensitive data model. + +1. Click **Add columns**. + +2. From the **Schema name** drop-down list, select **HCM1**. + +3. From the **Table name** drop-down list, select **LOCATIONS**. + +4. From the **Column name** drop-down list, select **COUNTRY_ID**. + +5. Click **Search**. + +6. Select the check box for the `COUNTRY_ID` column. + +7. From the **Sensitive type** drop-down list, select **Country** under **Biographic Information > Address**. + +8. Click **Add columns**. + + ![Add columns page](images/add-columns-page.png "Add columns page") + +9. Verify that `COUNTRY_ABBREV` from the `LOCATIONS` table is added to your sensitive data model. You may now **proceed to the next lab**. + ## Learn More - [Data Discovery](https://docs.oracle.com/en-us/iaas/data-safe/doc/data-discovery.html) ## Acknowledgements - **Author** - Jody Glover, Consulting User Assistance Developer, Database Development -- **Last Updated By/Date** - Jody Glover, June 8, 2023 +- **Last Updated By/Date** - Jody Glover, February 12, 2024 diff --git a/data-safe/discover-sensitive-data/images/add-columns-page.png b/data-safe/discover-sensitive-data/images/add-columns-page.png new file mode 100644 index 000000000..b75804ebf Binary files /dev/null and b/data-safe/discover-sensitive-data/images/add-columns-page.png differ diff --git a/data-safe/discover-sensitive-data/images/apply-to-sensitive-data-model.png b/data-safe/discover-sensitive-data/images/apply-to-sensitive-data-model.png new file mode 100644 index 000000000..c2bf2743b Binary files /dev/null and b/data-safe/discover-sensitive-data/images/apply-to-sensitive-data-model.png differ diff --git a/data-safe/discover-sensitive-data/images/approve-discovery-results-dialog-box.png b/data-safe/discover-sensitive-data/images/approve-discovery-results-dialog-box.png new file mode 100644 index 000000000..983066e82 Binary files /dev/null and b/data-safe/discover-sensitive-data/images/approve-discovery-results-dialog-box.png differ diff --git a/data-safe/discover-sensitive-data/images/approve-discovery-results.png b/data-safe/discover-sensitive-data/images/approve-discovery-results.png new file mode 100644 index 000000000..ee42f20ee Binary files /dev/null and b/data-safe/discover-sensitive-data/images/approve-discovery-results.png differ diff --git a/data-safe/discover-sensitive-data/images/provide-basic-information-page.png b/data-safe/discover-sensitive-data/images/provide-basic-information-page.png index 434884834..1266304d1 100644 Binary files a/data-safe/discover-sensitive-data/images/provide-basic-information-page.png and b/data-safe/discover-sensitive-data/images/provide-basic-information-page.png differ diff --git a/data-safe/discover-sensitive-data/images/remove-columns-page.png b/data-safe/discover-sensitive-data/images/remove-columns-page.png new file mode 100644 index 000000000..f4d57e2b2 Binary files /dev/null and b/data-safe/discover-sensitive-data/images/remove-columns-page.png differ diff --git a/data-safe/discover-sensitive-data/images/remove-columns-panel.png b/data-safe/discover-sensitive-data/images/remove-columns-panel.png new file mode 100644 index 000000000..a2deb7d33 Binary files /dev/null and b/data-safe/discover-sensitive-data/images/remove-columns-panel.png differ diff --git a/data-safe/discover-sensitive-data/images/run-discovery-now-dialog-box.png b/data-safe/discover-sensitive-data/images/run-discovery-now-dialog-box.png new file mode 100644 index 000000000..0c53001de Binary files /dev/null and b/data-safe/discover-sensitive-data/images/run-discovery-now-dialog-box.png differ diff --git a/data-safe/discover-sensitive-data/images/schema-view-sdm1.png b/data-safe/discover-sensitive-data/images/schema-view-sdm1.png index 6a4597ced..da0a49f19 100644 Binary files a/data-safe/discover-sensitive-data/images/schema-view-sdm1.png and b/data-safe/discover-sensitive-data/images/schema-view-sdm1.png differ diff --git a/data-safe/discover-sensitive-data/images/select-all-common-sensitive-types.png b/data-safe/discover-sensitive-data/images/select-all-common-sensitive-types.png new file mode 100644 index 000000000..1b5adfcd0 Binary files /dev/null and b/data-safe/discover-sensitive-data/images/select-all-common-sensitive-types.png differ diff --git a/data-safe/discover-sensitive-data/images/select-discovery-options-page.png b/data-safe/discover-sensitive-data/images/select-discovery-options-page.png index b8c93b272..7ae6d855c 100644 Binary files a/data-safe/discover-sensitive-data/images/select-discovery-options-page.png and b/data-safe/discover-sensitive-data/images/select-discovery-options-page.png differ diff --git a/data-safe/discover-sensitive-data/images/select-schemas-page.png b/data-safe/discover-sensitive-data/images/select-schemas-page.png index 975d78760..14dd751b9 100644 Binary files a/data-safe/discover-sensitive-data/images/select-schemas-page.png and b/data-safe/discover-sensitive-data/images/select-schemas-page.png differ diff --git a/data-safe/discover-sensitive-data/images/sensitive-data-model-details-page-1.png b/data-safe/discover-sensitive-data/images/sensitive-data-model-details-page-1.png index ee71cebf1..6322a71ab 100644 Binary files a/data-safe/discover-sensitive-data/images/sensitive-data-model-details-page-1.png and b/data-safe/discover-sensitive-data/images/sensitive-data-model-details-page-1.png differ diff --git a/data-safe/discover-sensitive-data/images/sensitive-data-model-details-page-2.png b/data-safe/discover-sensitive-data/images/sensitive-data-model-details-page-2.png index 677e78fbe..6a716319a 100644 Binary files a/data-safe/discover-sensitive-data/images/sensitive-data-model-details-page-2.png and b/data-safe/discover-sensitive-data/images/sensitive-data-model-details-page-2.png differ diff --git a/data-safe/discover-sensitive-data/images/sensitive-type-view-sdm1.png b/data-safe/discover-sensitive-data/images/sensitive-type-view-sdm1.png index e53a86aab..d1d7abe79 100644 Binary files a/data-safe/discover-sensitive-data/images/sensitive-type-view-sdm1.png and b/data-safe/discover-sensitive-data/images/sensitive-type-view-sdm1.png differ diff --git a/data-safe/events/events.md b/data-safe/events/events.md index 8f6600600..76fae600b 100644 --- a/data-safe/events/events.md +++ b/data-safe/events/events.md @@ -1,6 +1,6 @@ -# Get notified about security drift on your target databases by setting up Oracle Data Safe events +# Get notified about security drift on your target databases by setting up notifications in Oracle Data Safe -In this lab, you configure the Events service to notify you via email when there is security drift on your target database. +In this lab, you set up contextual notifications in Oracle Data Safe to notify you via email when there is security drift on your target database. Estimated Lab Time: 20 minutes @@ -10,8 +10,7 @@ In this lab, you will: - Review the latest user assessment - Set the latest user assessment as the baseline -- Create a notification topic and subscription -- Create a rule in the Events service +- Create a notification - Generate activity on the target database - Refresh the latest user assessment and analyze the results - Generate a Comparison report for User Assessment @@ -36,17 +35,17 @@ This lab assumes you have: 1. From the navigation menu in Oracle Cloud Infrastructure, select **Oracle Database**, and then **Data Safe - Database Security**. -2. Under **Security Center**, click **User Assessment**. +2. Under **Security center**, click **User assessment**. - The User Assessment dashboard is displayed. +3. Click the **Target summary** tab. -3. Click the **Target Summary** tab. - -4. In the **Last Assessed On** column, click **View Report** to view the latest user assessment. +4. In the **Last assessed time** column, click **View report** to view the latest user assessment. 5. Review the charts on the **Overview** tab.  - ![Latest user assessment Overview tab](images/latest-ua-overview-tab.png "Latest user assessment Overview tab") + ![Latest user assessment charts1](images/latest-ua-charts1.png "Latest user assessment charts1") + + ![Latest user assessment charts2](images/latest-ua-charts2.png "Latest user assessment charts2") 6. Scroll down and review the information in the **User Details** section. @@ -55,98 +54,54 @@ This lab assumes you have: ## Task 2: Set the latest user assessment as the baseline -1. While you are still viewing the latest user assessment, click **Set As Baseline**. +1. While you are still viewing the latest user assessment, click **Set as baseline**. - The **Set As Baseline?** dialog box is displayed asking if you are sure. + The **Set as baseline?** dialog box is displayed asking if you are sure. 2. Click **Yes**, and remain on the page until the following message is displayed: `Baseline has been set.` -3. Click **View History**. Notice that in your compartment you have a baseline assessment. - - ![Assessment History page](images/assessment-history.png "Assessment History page") - +3. Click **View history**. Notice that in your compartment you have a baseline assessment. -## Task 3: Create a notification topic and subscription + ![Assessment history page](images/assessment-history.png "Assessment history page") -To create a notifications topic, you must a tenancy administrator. +4. Click **Close**. -1. From the navigation menu in Oracle Cloud Infrastructure, select **Developer Services**, and then under **Application Integration**, select **Notifications**. - The **Notifications** page is displayed. +## Task 3: Create a notification -2. Under **List scope**, make sure that your compartment is selected. +1. In the breadcrumb at the top of the page, click **User assessment**. -3. Click **Create Topic**. +2. Click the **Notifications** tab. - The **Create Topic** panel is displayed. +3. Click **Create notification**. -4. Enter a topic name, for example, **security-drift**. + The **Create notification** panel is displayed. -5. Click **Create**. - -6. Click the name of the topic. +4. Click **Advanced event notification**. - The **Topic Details** page is displayed. +5. In the **Event rule** section, do the following: In the **Rule name** box, enter **Security Drift**. From the **Event type** drop-down, select **User Assessment Drift From Baseline**. -7. Click **Create Subscription**. +7. In the **Topics and subscriptions** section, leave **Create new topic** selected. Select your compartment if needed. In the **Topic name** box, enter **security-drift**. In the **Email address** box, enter your email address. - The **Create Subscription** panel is displayed. -8. For **Protocol**, leave **Email** selected. + ![Create notifications panel1](images/create-notifications-panel1.png "Create notifications panel1") + ![Create notifications panel2](images/create-notifications-panel2.png "Create notifications panel2") -9. For **Email**, enter your email address. +8. Click **Create notification**. -10. Click **Create**.  + An event is added on the **Notifications** tab. - The state of the subscription is **Pending**. + ![Notification added](images/notification-added.png "Notification added") -11. Open your email application and locate the email from Oracle. In the email, click **Confirm subscription**.  +9. Open your email application and locate the email from Oracle. In the email, click **Confirm subscription**.  A **Subscription confirmed** page is displayed in the browser. -12. Refresh the **Topic Details** page. Notice that the state of the subscription is now set to **Active**. - - ![Active Subscription](images/active-subscription.png "Active Subscription") - - -## Task 4: Create a rule in the Events service - -1. From the navigation menu in Oracle Cloud Infrastructure, select **Observability & Management**, and then **Events Service**. - -2. Under **List scope**, make sure your compartment is selected. - -3. Click **Create Rule**. - -4. For **Display Name**, enter **Security Drift**. - -5. For **Description**, enter **Send an email notification when a user assessment is compared with a baseline assessment and a difference is found**. - -6. In the **Rule Conditions** section, leave **Event Type** selected as the condition. - -7. For **Service Name**, select **Data Safe**. - -8. For **Event Type**, select **User Assessment Drift From Baseline**. - -9. Click **View example events (JSON)** and review the rule logic. This is the information that you will receive in your email. Click **Cancel** to close the panel. -10. For **Action Type**, select **Notifications**. -11. For **Notifications Compartment**, select your compartment. - -12. For **Topic**, select the topic that you just created (for example, **security-drift**). - - ![Create Rule page](images/create-rule-page.png "Create Rule page") - -13. Click **Create Rule**. - - The **Security Drift** page is displayed. - - ![Security Drift page](images/security-drift-page.png "Security Drift page") - - -## Task 5: Generate activity on the target database +## Task 4: Generate activity on your target database In this task, you create a user on your target database with the `PDB_DBA` role. @@ -166,29 +121,24 @@ In this task, you create a user on your target database with the `PDB_DBA` role. ![Run Statement button](images/run-statement-button.png "Run Statement button") -## Task 6: Refresh the latest user assessment and analyze the results - +## Task 5: Refresh the latest user assessment and analyze the results -1. Return to the browser tab for Oracle Cloud Infrastructure. +1. Return to the browser tab for Oracle Cloud Infrastructure. You last left off on the **Notifications** tab on the **User assessment** page. -2. From the navigation menu, select **Oracle Database**, and then **Data Safe - Database Security**. +2. Click the **Target summary** tab. -3. Under **Security Center**, click **User Assessment**. +3. Click **View Report** to view the latest user assessement. -4. Click the **Target Summary** tab. +4. At the top of the latest user assessment, click **Refresh Now** to get the latest data. -5. Click **View Report** to view the latest user assessement. + The **Refresh now** panel is displayed. -6. At the top of the latest user assessment, click **Refresh Now** to get the latest data. +7. Leave the default assessment name as is, and click **Refresh now**. Wait for the status to read as **SUCCEEDED**. - The **Refresh Now** panel is displayed. - -7. Leave the default assessment name as is, and click **Refresh Now**. Wait for the status to read as **SUCCEEDED**. - - - This action updates the data in the latest user assessment for your target database and also saves a copy of the assessment in the Assessment History. + - This action updates the data in the latest user assessment for your target database and also saves a copy of the assessment in the Assessment history. - The refresh operation takes about one minute. -8. Click **View History**. +8. Click **View history** and verify that there is another assessment listed. 9. Compare the risk values between the baseline assessment and the new assessment that you just generated. Are there any differences? @@ -197,18 +147,22 @@ In this task, you create a user on your target database with the `PDB_DBA` role. 10. Click **Close**. -## Task 7: Generate a Comparison report for User Assessment +## Task 6: Generate a Comparison report for User Assessment -After you generate a comparison report, if there is security drift (which there should be because you added a privileged user), the Events service should trigger an email notification. +1. With the latest user assessment displayed, under **Resources** on the left, click **Compare with baseline**. Oracle Data Safe automatically begins processing the comparison. -1. With the latest user assessment displayed, under **Resources** on the left, click **Compare with Baseline**. Oracle Data Safe automatically begins processing the comparison. +2. When the comparison operation is completed, review the **Comparison** report. -2. When the comparison operation is completed, review the **Comparison** report. Click **Open Details** to view more information. + ![Comparison report](images/comparison-report.png "Comparison report") + +3. Click **Open details** to view more information. ![Comparison Details panel](images/comparison-details-panel.png "Comparison Details panel") +4. Click **Close**. + -## Task 8: Review your email notification +## Task 7: Review your email notification 1. Open your email application. @@ -216,32 +170,32 @@ After you generate a comparison report, if there is security drift (which there ```text { - "eventType" : "com.oraclecloud.datasafe.userassessmentdriftfrombaseline", - "cloudEventsVersion" : "0.1", - "eventTypeVersion" : "2.0", - "source" : "DataSafe", - "eventTime" : "2023-02-16T19:54:52Z", - "contentType" : "application/json", - "data" : { - "compartmentId" : "ocid1.compartment.oc1...", - "compartmentName" : "compartment-name", - "resourceName" : "userAssessment", - "resourceId" : "not applicable", - "availabilityDomain" : "ad3", + "eventType" : "com.oraclecloud.datasafe.userassessmentdriftfrombaseline", + "cloudEventsVersion" : "0.1", + "eventTypeVersion" : "2.0", + "source" : "DataSafe", + "eventTime" : "2024-02-05T19:26:38Z", + "contentType" : "application/json", + "data" : { + "compartmentId" : "ocid1.compartment.oc1.....", + "compartmentName" : "...", + "resourceName" : "UA_1707159041468", + "resourceId" : "ocid1.datasafeuserassessment.oc1....", + "availabilityDomain" : "ad1", "additionalDetails" : { - "targetName" : "ATP2000", - "comparedWith" : "ocid1.datasafeuserassessment.oc1..." + "targetName" : "ATP1001", + "comparedWith" : "ocid1.datasafeuserassessment.oc1.eu-frankfurt-1.... } - }, - "eventID" : "e46fad7b-ac11...", - "extensions" : { - "compartmentId" : "ocid1.compartment.oc1..." - } + }, + "eventID" : "06cda7fe-1bd1-4823-...", + "extensions" : { + "compartmentId" : "ocid1.compartment.oc1....." + } } -- - You are receiving notifications as a subscriber to the topic: security-drift (Topic OCID: ocid1.onstopic.oc1.eu-frankfurt-1.aaaaa...). - To stop receiving notifications from this topic, unsubscribe: https://cell1.notification.eu-frankfurt-1.oci.oraclecloud.com/20181201/subscriptions/ocid1.onssubscription.oc1.eu-frankfurt-1.aaaaa.../unsubscription?token=YVpsOE4weTU4TTdKSGxoTkVwR3kyaU8...==&protocol=EMAIL + You are receiving notifications as a subscriber to the topic: security-drift (Topic OCID: ocid1.onstopic.oc1.eu-frankfurt-1....). + To stop receiving notifications from this topic, unsubscribe: https://cell1.notification.eu-frankfurt-1.oci.oraclecloud.com/20181201/subscriptions/ocid1.onssubscription.oc1....==&protocol=EMAIL Please do not reply directly to this email. If you have any questions or comments regarding this email, contact your account administrator. @@ -257,6 +211,4 @@ After you generate a comparison report, if there is security drift (which there ## Acknowledgements - **Author** - Jody Glover, Consulting User Assistance Developer, Database Development - **Contributors** - Bettina Schaeumer -- **Last Updated By/Date** - Jody Glover, April 11, 2023 - - +- **Last Updated By/Date** - Jody Glover, February 6, 2024 \ No newline at end of file diff --git a/data-safe/events/images/assessment-history-after.png b/data-safe/events/images/assessment-history-after.png index 77c4a2d74..81b411ecb 100644 Binary files a/data-safe/events/images/assessment-history-after.png and b/data-safe/events/images/assessment-history-after.png differ diff --git a/data-safe/events/images/assessment-history.png b/data-safe/events/images/assessment-history.png index fd91c29dc..1c1c066b7 100644 Binary files a/data-safe/events/images/assessment-history.png and b/data-safe/events/images/assessment-history.png differ diff --git a/data-safe/events/images/comparison-details-panel.png b/data-safe/events/images/comparison-details-panel.png index c1b09e93c..0c505091c 100644 Binary files a/data-safe/events/images/comparison-details-panel.png and b/data-safe/events/images/comparison-details-panel.png differ diff --git a/data-safe/events/images/comparison-report.png b/data-safe/events/images/comparison-report.png new file mode 100644 index 000000000..77f5a9559 Binary files /dev/null and b/data-safe/events/images/comparison-report.png differ diff --git a/data-safe/events/images/create-notifications-panel1.png b/data-safe/events/images/create-notifications-panel1.png new file mode 100644 index 000000000..3d6afb143 Binary files /dev/null and b/data-safe/events/images/create-notifications-panel1.png differ diff --git a/data-safe/events/images/create-notifications-panel2.png b/data-safe/events/images/create-notifications-panel2.png new file mode 100644 index 000000000..aa17279e9 Binary files /dev/null and b/data-safe/events/images/create-notifications-panel2.png differ diff --git a/data-safe/events/images/latest-ua-charts1.png b/data-safe/events/images/latest-ua-charts1.png new file mode 100644 index 000000000..4fd407d13 Binary files /dev/null and b/data-safe/events/images/latest-ua-charts1.png differ diff --git a/data-safe/events/images/latest-ua-charts2.png b/data-safe/events/images/latest-ua-charts2.png new file mode 100644 index 000000000..436f54a74 Binary files /dev/null and b/data-safe/events/images/latest-ua-charts2.png differ diff --git a/data-safe/events/images/latest-ua-user-details-section.png b/data-safe/events/images/latest-ua-user-details-section.png index d374dce32..c0eb97bc3 100644 Binary files a/data-safe/events/images/latest-ua-user-details-section.png and b/data-safe/events/images/latest-ua-user-details-section.png differ diff --git a/data-safe/events/images/notification-added.png b/data-safe/events/images/notification-added.png new file mode 100644 index 000000000..fd66d63bf Binary files /dev/null and b/data-safe/events/images/notification-added.png differ diff --git a/data-safe/generate-alerts/generate-alerts.md b/data-safe/generate-alerts/generate-alerts.md index d054921fb..88dbe2a85 100644 --- a/data-safe/generate-alerts/generate-alerts.md +++ b/data-safe/generate-alerts/generate-alerts.md @@ -1,4 +1,4 @@ -# Generate Alerts +# Generate alerts ## Introduction @@ -6,7 +6,7 @@ An alert is a message that notifies you when a particular audit event happens on Start by reviewing the predefined alert policies in Oracle Data Safe, and then provision two of them. Using Database Actions, perform activity on your target database to cause alerts in Oracle Data Safe. Review the generated alerts and create a custom alerts report. Download the report as a PDF. -Estimated Lab Time: 20 minutes +Estimated Lab Time: 15 minutes ### Objectives @@ -34,70 +34,73 @@ This lab assumes you have: ### Assumptions - Your data values are most likely different than those shown in the screenshots. +- Please ignore the dates for the data and database names. Screenshots are taken at various times and may differ between labs and within labs. ## Task 1: Review the Oracle Data Safe alert policies -1. In **Security Center**, click **Alerts**. +1. In **Security center**, click **Alerts**. The **Alerts** page is displayed. The alerts dashboard does not have any data because you have not yet enabled any alert policies. - ![Alerts dashboard without data](images/alerts-dashboard-no-data.png "Alerts dashboard without data") + ![Alerts page without data](images/alerts-dashboard-no-data.png "Alerts page without data") -2. Under **Related Resources**, click **Alert Policies**. +2. Under **Related resources**, click **Alert policies**. 3. Review the list of available alert policies provided by Oracle Data Safe. They are as follows: - - Failed Logins by Admin User - - Profile Changes - - Database Parameter Changes - - Audit Policy Changes - - User Creation/Modification - - User Entitlement Changes - - Database Schema Changes - + - SQL Firewall violations + - Profile changes + - Failed logins by admin user + - Audit policy changes + - Database parameter changes + - Database schema changes + - User entitlement changes + - User creation/modification + - ![Oracle Data Safe alert policies](images/oracle-data-safe-alert-policies.png "Oracle Data Safe alert policies") +4. Click the **User creation/modification** alert policy and review its details. -4. Click the **User Creation/Modification** alert policy and review its details. + The **Alert policy details** page is displayed for the **User creation/modification** alert policy. - The **Alert Policy Details** page is displayed for the **User Creation/Modification** alert policy. + ![User creation modification alert policy details](images/user-creation-modification-alert-policy-details.png "User creation modification alert policy details") - ![User Creation Modification alert policy details](images/user-creation-modification-alert-policy-details.png "User Creation Modification alert policy details") +5. Next to **Policy applied on target databases**, click **View list** to view the target databases associated with the alert policy. -5. Next to **Policy Applied On Target Databases**, click **View List** to view the target databases associated with the alert policy. + The **Target-policy associations** page is displayed with the **Policy name** filter set to **User creation/modification**. - The **Target-Policy Associations** page is displayed with the **Policy Name** filter set to **User Creation/Modification**. - Because you have not yet associated the alert policy with any target database, the table shows **No Target-Policy Associations Available**. +6. Under **Filters** on the left, select your target database. - ![No Target-Policy Associations Available](images/no-target-policy-associations.png "No Target-Policy Associations Available") +7. Notice that the table shows **No target-policy associations available**. This is because you have not yet associated the alert policy with your target database. ## Task 2: Provision alert policies on your target database -1. From the **Policy Name** drop-down list under **Filters**, select **All**. +1. From the **Policy name** drop-down list under **Filters**, select **All**. -2. On the **Target-Policy Associations** page, click **Apply Policy**. +2. On the **Target-policy associations** page, click **Apply policy**. - The **Apply And Enable Alert Policy To Target Databases** panel is displayed. + The **Apply and enable alert policy to target databases** panel is displayed. -3. Select **Selected Targets Only**. +3. Select **Selected targets only**. -4. If needed, click **Change Compartment** and select your compartment. +4. If needed, click **Change compartment** and select your compartment. 5. From the drop-down list, select your target database. -6. Select **Selected Policies Only**. +6. Select **Selected policies only**. -7. From the drop-down list, one at a time, select the **User Creation/Modification** and **Failed Logins by Admin User** alert policies. +7. From the drop-down list, one at a time, select the **User creation/modification** and **Failed logins by admin user** alert policies. -8. Click **Apply Policy** and wait until a message states that you can close the panel. +8. Click **Apply policy** and wait until a message states that you can close the panel. - ![Apply and Enable Alert Policy To Target Databases panel](images/apply-and-enable-alert-policy-panel.png "Apply and Enable Alert Policy To Target Databases panel") + ![Apply and enable alert policy to target databases panel](images/apply-and-enable-alert-policy-panel.png "Apply and enable alert policy to target databases panel") 9. Click **Close**. - The two target-policy associations for your target database are listed on the page and are enabled and active. If a target-policy association is not displayed, please clear the filter for the policy name if it's still set to **User Creation/Modification**. + The two target-policy associations for your target database are listed on the page and are enabled. + +10. Wait for the state to change to **Active** for both target-policy associations. If a target-policy association is not displayed, please set the **Policy name** filter to **All**. ![Two target-policy associations for your target database](images/two-target-policy-associations-for-target.png "Two target-policy associations for your target database") @@ -108,21 +111,23 @@ In this task, you perform activities on your target database in Database Actions 1. Return to the SQL worksheet in Database Actions. -2. If your session has expired, that's fine. Click **OK** and then click **Leave**. Otherwise, from the drop-down list in the upper-right corner, select **Sign Out**, and then in the dialog box, click **Leave**. +2. Sign out of Database Actions. - The **Sign-in** page is displayed. The username field is pre-populated with the `ADMIN` user. + The **Sign-in** page is displayed. -3. Do this twice: Enter an incorrect password, and then click **Sign in**. +3. In the **Username** box, enter `ADMIN`. + +4. Do this twice: Enter an incorrect password, and then click **Sign in**. An **Invalid credentials** message is displayed. ![Invalid database password message](images/invalid-database-password.png "Invalid database password message") -4. Enter the correct password, and click **Sign in**. +5. Enter the correct password, and click **Sign in**. -5. If needed, under **Development**, click **SQL**. +6. If needed, click the **SQL** tile. -6. Clear the worksheet, and then paste the following SQL script. Replace `your-password` with a password of your choice. The password must be between 12 and 30 characters long and must include at least one uppercase letter, one lowercase letter, and one numeric character. It cannot contain your username or the double quote (") character. +7. Clear the worksheet, and then paste the following SQL script. Replace `your-password` with a password of your choice. The password must be between 12 and 30 characters long and must include at least one uppercase letter, one lowercase letter, and one numeric character. It cannot contain your username or the double quote (") character. ``` drop user MALFOY cascade; @@ -130,49 +135,50 @@ In this task, you perform activities on your target database in Database Actions grant PDB_DBA to MALFOY; ``` -7. On the toolbar, click the **Run Script** button and wait for the script to finish running. -8. In the script output, verify that the `MALFOY` user was successfully dropped and then recreated. +8. On the toolbar, click the **Run Script** button and wait for the script to finish running. + +9. In the script output, verify that the `MALFOY` user was successfully dropped and then recreated. -9. Return to the browser tab for Oracle Data Safe and wait a couple of minutes for Oracle Data Safe to produce the alerts. +10. Return to the browser tab for Oracle Data Safe and wait a couple of minutes for Oracle Data Safe to produce the alerts. ## Task 4: Review alerts in Oracle Data Safe -1. Under **Security Center** on the left, click **Alerts**. +1. Under **Security center** on the left, click **Alerts**. 2. Under **Filters** on the left, select your target database. 3. Notice that the alerts dashboard now has data. - - The **Alerts Summary** chart shows that there are four alerts. Two are critical risk and two are medium risk. - - The **Open Alerts** chart shows that there are four alerts on the current day. - - The **Alerts Summary** tab shows the number of critical, high, and medium alerts along with target database counts. It also shows you the total number of alerts and target databases. - - The **Targets Summary** tab shows the number of open, critical, high, and medium alerts. + - The **Alerts summary** chart shows that there are four alerts. Two are critical risk and two are medium risk. + - The **Open alerts** chart shows that there are four alerts on the current day. + - The **Alerts summary** tab shows the number of critical, high, and medium alerts along with target database counts. It also shows you the total number of alerts and target databases. + - The **Targets summary** tab shows the number of open, critical, high, and medium alerts. ![Alerts dashboard with data](images/alerts-dashboard-with-data.png "Alerts dashboard with data") - ![Targets Summary tab](images/targets-summary.png "Targets Summary tab") + ![Targets Summary tab](images/targets-summary.png "Targets summary tab") -4. Under **Related Resources**, click **Reports**. +4. Under **Related resources**, click **Reports**. -5. In the **Report Name** column on the right, click the **All Alerts** report to view it. +5. In the **Report name** column on the right, click the **All alerts** report to view it. - ![All Alerts report](images/alerts-reports.png "All Alerts report") + ![All alerts report](images/alerts-reports.png "All alerts report") 6. Review the report. - - The report is automatically filtered to show you all alerts for all target databases in the selected compartment for the past one week. To manually create custom filters, you can use the **SCIM Query Builder**. + - The report is automatically filtered to show you all alerts for all target databases in the selected compartment for the past one week. To manually create custom filters, you can use the **SCIM query builder**. - You can view several totals, including the total number of target databases; total number of open and closed alerts, and the total number of critical, high, medium, and low alerts. You can click the **Targets** total to view the list of target databases. You can click the other totals to toggle a filter on the list of alerts. - At the bottom of the report, you can view the list of alerts. By default, the table shows you the alert name, alert status, alert severity, target databases on which the audited event occurred, and when the alert was created. - You have options to create a PDF or XLS report, create a custom report, schedule a custom report, open and close alerts, and specify which table columns you want displayed on the page. - ![All Alerts report](images/all-alerts-report.png "All Alerts report") + ![All alerts report](images/all-alerts-report.png "All alerts report") -7. At the top of the report, click **+ Another Filter**. Create the filter **Target Databases = your-target-database-name**, and click **Apply**. +7. At the top of the report, click **+ Another filter**. Create the filter **Target databases = your-target-database-name**, and click **Apply**. Only alerts that pertain to your target database are listed in the table. -8. Click **+ Another Filter**. Create the filter **Alert Name = User Creation/Modification**, and click **Apply**. +8. Click **+ Another filter**. Create the filter **Alert name = User creation/modification**, and click **Apply**. Only alerts that pertain to User Creation/Modification are listed in the table. @@ -200,7 +206,7 @@ In this task, you perform activities on your target database in Database Actions - Compartment in which the alert resides - Operation details - ![Alert Details page](images/alert-details-page.png "Alert Details page") + ![Alert details page](images/alert-details-page.png "Alert details page") 3. To close the alert, click **Close**. @@ -209,43 +215,43 @@ In this task, you perform activities on your target database in Database Actions ## Task 6: Create a custom alerts report -1. In the breadcrumb at the top of the page, click **All Alerts** to return to the All Alerts report. +1. In the breadcrumb at the top of the page, click **All alerts** to return to the All alerts report. 2. In addition to the default filter that is already set, add two more filters: - **Target Databases = your-target-database-name** - - **Alert Name = Failed Logins by Admin User** + - **Alert Name = Failed logins by admin user** -3. Click **Create Custom Report**. +3. Click **Create custom report**. - The **Create Custom Report** dialog box is displayed. + The **Create custom report** dialog box is displayed. -4. For **Display Name**, enter **Failed Logins by Admin User for your-target-database-name**. (Optional) Enter a description. Select your compartment. Click **Create Custom Report** and wait for the report to generate. +4. For **Display name**, enter **Failed logins by admin user for your-target-database-name**. (Optional) Enter a description. Select your compartment. Click **Create custom report** and wait for the report to generate. - ![Create Custom Report dialog box](images/create-custom-report-dialog-box.png "Create Custom Report dialog box") + ![Create custom report dialog box](images/create-custom-report-dialog-box.png "Create custom report dialog box") 5. Click the **click here** link to view the report. ## Task 7: Generate and download a custom alerts report as a PDF -1. On the custom report page, click **Generate Report**. +1. On the custom report page, click **Generate report**. - The **Generate Report** dialog box is displayed. + The **Generate report** dialog box is displayed. 2. Leave **PDF** selected. -3. Enter the display name **Failed Admin Logins for your-target-database-name**. +3. Enter the display name **Failed ADMIN logins for your-target-database-name**. -4. (Optional) For **Description**, enter **Failed logins by Admin user for target database your-target-database-name**. +4. (Optional) For **Description**, enter **Failed logins by ADMIN user for target database your-target-database-name**. 5. Leave your compartment selected, leave the row limit set to 10000, and leave the report start time as is. -6. Click **Generate Report** and wait until the PDF report is generated. +6. Click **Generate report** and wait until the PDF report is generated. A message is displayed stating that report generation is complete. - ![Generate Report dialog box](images/generate-report-dialog-box.png "Generate Report dialog box") + ![Generate report dialog box](images/generate-report-dialog-box.png "Generate report dialog box") 7. Click the **here** link to download the report. @@ -253,16 +259,16 @@ In this task, you perform activities on your target database in Database Actions 9. Open the PDF report and view it. When you are finished, close the browser tab. - ![Failed Admin Logins PDF report](images/failed-admin-logins-report-pdf.png "Failed Admin Logins PDF report") + ![Failed admin logins PDF report](images/failed-admin-logins-report-pdf.png "Failed admin logins PDF report") -10. In the **Generate Report** dialog box, click **Close**. +10. In the **Generate report** dialog box, click **Close**. ## Task 8: View the alert report history -1. Under **Related Resources**, click **Alert Report History**. +1. Under **Related resources**, click **Alert report history**. -2. Notice that your custom report is listed. You can view its state, its description, when it was generated, whether it was generated by you (`GENERATED`) or by the scheduler, the file format available for download, and a download icon. Oracle Data Safe keeps your report available for up to three months. +2. Notice that your custom report is listed. You can view its state, its description, when it was generated, whether it was generated by you (`Generated`) or by the scheduler, the file format available for download, and a download button. Oracle Data Safe keeps your report available for up to three months. ![Alert report history](images/alert-report-history.png "Alert report history") @@ -276,4 +282,4 @@ You may now **proceed to the next lab**. ## Acknowledgements * **Author** - Jody Glover, Consulting User Assistance Developer, Database Development -* **Last Updated By/Date** - Jody Glover, June 8, 2023 +* **Last Updated By/Date** - Jody Glover, February 12, 2024 diff --git a/data-safe/generate-alerts/images/alert-details-page.png b/data-safe/generate-alerts/images/alert-details-page.png index fc8d466b0..cec35bfb5 100644 Binary files a/data-safe/generate-alerts/images/alert-details-page.png and b/data-safe/generate-alerts/images/alert-details-page.png differ diff --git a/data-safe/generate-alerts/images/alert-report-history.png b/data-safe/generate-alerts/images/alert-report-history.png index ab12a8c00..717720c35 100644 Binary files a/data-safe/generate-alerts/images/alert-report-history.png and b/data-safe/generate-alerts/images/alert-report-history.png differ diff --git a/data-safe/generate-alerts/images/alerts-dashboard-with-data-only2.png b/data-safe/generate-alerts/images/alerts-dashboard-with-data-only2.png new file mode 100644 index 000000000..ea5d0b9ad Binary files /dev/null and b/data-safe/generate-alerts/images/alerts-dashboard-with-data-only2.png differ diff --git a/data-safe/generate-alerts/images/alerts-dashboard-with-data.png b/data-safe/generate-alerts/images/alerts-dashboard-with-data.png index e18ae0d7b..446dc54de 100644 Binary files a/data-safe/generate-alerts/images/alerts-dashboard-with-data.png and b/data-safe/generate-alerts/images/alerts-dashboard-with-data.png differ diff --git a/data-safe/generate-alerts/images/alerts-reports-only2.png b/data-safe/generate-alerts/images/alerts-reports-only2.png new file mode 100644 index 000000000..7ff6e8e45 Binary files /dev/null and b/data-safe/generate-alerts/images/alerts-reports-only2.png differ diff --git a/data-safe/generate-alerts/images/alerts-reports.png b/data-safe/generate-alerts/images/alerts-reports.png index 646d1aac2..4a3c40dfc 100644 Binary files a/data-safe/generate-alerts/images/alerts-reports.png and b/data-safe/generate-alerts/images/alerts-reports.png differ diff --git a/data-safe/generate-alerts/images/alerts-user-creation-modification.png b/data-safe/generate-alerts/images/alerts-user-creation-modification.png index 948f278df..eba15ce08 100644 Binary files a/data-safe/generate-alerts/images/alerts-user-creation-modification.png and b/data-safe/generate-alerts/images/alerts-user-creation-modification.png differ diff --git a/data-safe/generate-alerts/images/all-alerts-report.png b/data-safe/generate-alerts/images/all-alerts-report.png index 1cdadcb2e..16ea92c6c 100644 Binary files a/data-safe/generate-alerts/images/all-alerts-report.png and b/data-safe/generate-alerts/images/all-alerts-report.png differ diff --git a/data-safe/generate-alerts/images/apply-and-enable-alert-policy-panel.png b/data-safe/generate-alerts/images/apply-and-enable-alert-policy-panel.png index a010d68e1..883b300a9 100644 Binary files a/data-safe/generate-alerts/images/apply-and-enable-alert-policy-panel.png and b/data-safe/generate-alerts/images/apply-and-enable-alert-policy-panel.png differ diff --git a/data-safe/generate-alerts/images/create-custom-report-dialog-box.png b/data-safe/generate-alerts/images/create-custom-report-dialog-box.png index 2cc0748f1..6cf8a2dc1 100644 Binary files a/data-safe/generate-alerts/images/create-custom-report-dialog-box.png and b/data-safe/generate-alerts/images/create-custom-report-dialog-box.png differ diff --git a/data-safe/generate-alerts/images/failed-admin-logins-report-pdf.png b/data-safe/generate-alerts/images/failed-admin-logins-report-pdf.png index 88f59af43..6c7ab86cc 100644 Binary files a/data-safe/generate-alerts/images/failed-admin-logins-report-pdf.png and b/data-safe/generate-alerts/images/failed-admin-logins-report-pdf.png differ diff --git a/data-safe/generate-alerts/images/generate-report-dialog-box.png b/data-safe/generate-alerts/images/generate-report-dialog-box.png index af2ef0c56..17dc8f4d8 100644 Binary files a/data-safe/generate-alerts/images/generate-report-dialog-box.png and b/data-safe/generate-alerts/images/generate-report-dialog-box.png differ diff --git a/data-safe/generate-alerts/images/invalid-database-password.png b/data-safe/generate-alerts/images/invalid-database-password.png index d6a50650c..55e3f5f18 100644 Binary files a/data-safe/generate-alerts/images/invalid-database-password.png and b/data-safe/generate-alerts/images/invalid-database-password.png differ diff --git a/data-safe/generate-alerts/images/no-target-policy-associations.png b/data-safe/generate-alerts/images/no-target-policy-associations.png index 01c73487f..aabc1c17c 100644 Binary files a/data-safe/generate-alerts/images/no-target-policy-associations.png and b/data-safe/generate-alerts/images/no-target-policy-associations.png differ diff --git a/data-safe/generate-alerts/images/targets-summary-only2.png b/data-safe/generate-alerts/images/targets-summary-only2.png new file mode 100644 index 000000000..ae96aac4a Binary files /dev/null and b/data-safe/generate-alerts/images/targets-summary-only2.png differ diff --git a/data-safe/generate-alerts/images/targets-summary.png b/data-safe/generate-alerts/images/targets-summary.png index ce9b03bdc..4c13fc4cf 100644 Binary files a/data-safe/generate-alerts/images/targets-summary.png and b/data-safe/generate-alerts/images/targets-summary.png differ diff --git a/data-safe/generate-alerts/images/two-target-policy-associations-for-target.png b/data-safe/generate-alerts/images/two-target-policy-associations-for-target.png index d93501798..57d13cfdc 100644 Binary files a/data-safe/generate-alerts/images/two-target-policy-associations-for-target.png and b/data-safe/generate-alerts/images/two-target-policy-associations-for-target.png differ diff --git a/data-safe/generate-alerts/images/user-creation-modification-alert-policy-details.png b/data-safe/generate-alerts/images/user-creation-modification-alert-policy-details.png index b88a07d0f..230bc69af 100644 Binary files a/data-safe/generate-alerts/images/user-creation-modification-alert-policy-details.png and b/data-safe/generate-alerts/images/user-creation-modification-alert-policy-details.png differ diff --git a/data-safe/introduction/introduction-integration.md b/data-safe/introduction/introduction-integration.md index 51ca7a5a4..7fec2b26b 100644 --- a/data-safe/introduction/introduction-integration.md +++ b/data-safe/introduction/introduction-integration.md @@ -20,7 +20,7 @@ In this workshop, you learn how to perform the following tasks: - Download the latest security assessment by using the Oracle Data Safe CLI - Copy audit data to object storage using the Oracle Data Safe REST API - Schedule the copying of audit data to object storage using the Oracle Data Safe REST API -- Get notified about security drift on your target database by setting up an Oracle Data Safe event +- Get notified about security drift on your target databases by setting up notifications in Oracle Data Safe ## Learn More diff --git a/data-safe/introduction/introduction.md b/data-safe/introduction/introduction.md index 2c145e6e1..08e37fbae 100644 --- a/data-safe/introduction/introduction.md +++ b/data-safe/introduction/introduction.md @@ -31,11 +31,10 @@ The following links provide more information about Oracle Data Safe: - [Oracle Data Safe website](https://www.oracle.com/database/technologies/security/data-safe.html) - [Oracle Data Safe user assistance](https://docs.oracle.com/en/cloud/paas/data-safe/index.html) - [Oracle Data Safe data sheet](https://www.oracle.com/a/tech/docs/dbsec/data-safe/ds-security-data-safe.pdf) -- [Oracle Data Safe frequently asked questions](https://www.oracle.com/a/tech/docs/dbsec/data-safe/faq-security-data-safe. -pdf) +- [Oracle Data Safe frequently asked questions](https://www.oracle.com/a/tech/docs/dbsec/data-safe/faq-security-data-safe.pdf) - [Integrate Oracle Data Safe with Applications and Services Workshop in LiveLabs](https://apexapps.oracle.com/pls/apex/dbpm/r/livelabs/view-workshop?wid=3596) ## Acknowledgements * **Author** - Jody Glover, Consulting User Assistance Developer, Database Development -* **Last Updated By/Date** - Jody Glover, May 8, 2023 +* **Last Updated By/Date** - Jody Glover, February 6, 2024 diff --git a/data-safe/mask-sensitive-data/images/addresses-shuffled.png b/data-safe/mask-sensitive-data/images/addresses-shuffled.png new file mode 100644 index 000000000..bd4908d57 Binary files /dev/null and b/data-safe/mask-sensitive-data/images/addresses-shuffled.png differ diff --git a/data-safe/mask-sensitive-data/images/create-masking-policy-sdm1.png b/data-safe/mask-sensitive-data/images/create-masking-policy-sdm1.png index eb4fff760..9d5f1082f 100644 Binary files a/data-safe/mask-sensitive-data/images/create-masking-policy-sdm1.png and b/data-safe/mask-sensitive-data/images/create-masking-policy-sdm1.png differ diff --git a/data-safe/mask-sensitive-data/images/edit-masking-format-page.png b/data-safe/mask-sensitive-data/images/edit-masking-format-page.png new file mode 100644 index 000000000..fdd20d1e7 Binary files /dev/null and b/data-safe/mask-sensitive-data/images/edit-masking-format-page.png differ diff --git a/data-safe/mask-sensitive-data/images/group-mask1.png b/data-safe/mask-sensitive-data/images/group-mask1.png new file mode 100644 index 000000000..0e0d2fd37 Binary files /dev/null and b/data-safe/mask-sensitive-data/images/group-mask1.png differ diff --git a/data-safe/mask-sensitive-data/images/mask-sensitive-data-panel.png b/data-safe/mask-sensitive-data/images/mask-sensitive-data-panel.png index 0d33bbb22..dbeffa180 100644 Binary files a/data-safe/mask-sensitive-data/images/mask-sensitive-data-panel.png and b/data-safe/mask-sensitive-data/images/mask-sensitive-data-panel.png differ diff --git a/data-safe/mask-sensitive-data/images/masked-query-results.png b/data-safe/mask-sensitive-data/images/masked-query-results.png index 3e237d830..980a852d8 100644 Binary files a/data-safe/mask-sensitive-data/images/masked-query-results.png and b/data-safe/mask-sensitive-data/images/masked-query-results.png differ diff --git a/data-safe/mask-sensitive-data/images/masking-log-messages.png b/data-safe/mask-sensitive-data/images/masking-log-messages.png index 3fe6094ab..bd3d5e741 100644 Binary files a/data-safe/mask-sensitive-data/images/masking-log-messages.png and b/data-safe/mask-sensitive-data/images/masking-log-messages.png differ diff --git a/data-safe/mask-sensitive-data/images/masking-policy-details-bottom.png b/data-safe/mask-sensitive-data/images/masking-policy-details-bottom.png new file mode 100644 index 000000000..16507102a Binary files /dev/null and b/data-safe/mask-sensitive-data/images/masking-policy-details-bottom.png differ diff --git a/data-safe/mask-sensitive-data/images/masking-policy-details-middle.png b/data-safe/mask-sensitive-data/images/masking-policy-details-middle.png new file mode 100644 index 000000000..42199821b Binary files /dev/null and b/data-safe/mask-sensitive-data/images/masking-policy-details-middle.png differ diff --git a/data-safe/mask-sensitive-data/images/masking-policy-details-top.png b/data-safe/mask-sensitive-data/images/masking-policy-details-top.png new file mode 100644 index 000000000..7d43384ba Binary files /dev/null and b/data-safe/mask-sensitive-data/images/masking-policy-details-top.png differ diff --git a/data-safe/mask-sensitive-data/images/masking-report-bottom.png b/data-safe/mask-sensitive-data/images/masking-report-bottom.png index 2d0a14f27..cd2e47333 100644 Binary files a/data-safe/mask-sensitive-data/images/masking-report-bottom.png and b/data-safe/mask-sensitive-data/images/masking-report-bottom.png differ diff --git a/data-safe/mask-sensitive-data/images/masking-report-top2.png b/data-safe/mask-sensitive-data/images/masking-report-top2.png index 0e8e0032d..ce20f0cc8 100644 Binary files a/data-safe/mask-sensitive-data/images/masking-report-top2.png and b/data-safe/mask-sensitive-data/images/masking-report-top2.png differ diff --git a/data-safe/mask-sensitive-data/images/updated-row-is-highlighted.png b/data-safe/mask-sensitive-data/images/updated-row-is-highlighted.png new file mode 100644 index 000000000..539f8fc62 Binary files /dev/null and b/data-safe/mask-sensitive-data/images/updated-row-is-highlighted.png differ diff --git a/data-safe/mask-sensitive-data/mask-sensitive-data.md b/data-safe/mask-sensitive-data/mask-sensitive-data.md index 6e10e280d..8a4dc75d4 100644 --- a/data-safe/mask-sensitive-data/mask-sensitive-data.md +++ b/data-safe/mask-sensitive-data/mask-sensitive-data.md @@ -1,12 +1,14 @@ -# Mask Sensitive Data +# Mask sensitive data ## Introduction Data Masking provides a way for you to mask sensitive data so that the data is safe for non-production purposes. For example, organizations often need to create copies of their production data to support development and test activities. Simply copying the production data exposes sensitive data to new users. To avoid a security risk, you can use Data Masking to replace the sensitive data with realistic, but fictitious data. -Mask the sensitive data that you discovered in the [Discover Sensitive Data](?lab=discover-sensitive-data) lab by using the default masking policy generated by the Data Masking feature. View the before and after effect on the masked data by using Database Actions. +The roles granted to the Oracle Data Safe service account on your target database control which Oracle Data Safe features you can use with the database. By default, Autonomous Database Serverless has all Oracle Data Safe roles granted during target database registration, except for the Data Masking role (`DS$DATA_MASKING_ROLE`). -Estimated Lab Time: 15 minutes +Begin by granting the Data Masking role on your target database. Then, create a masking policy using the default settings and then customize it. Mask the sensitive data that you discovered in the [Discover Sensitive Data](?lab=discover-sensitive-data-ocw) lab. View the before and after effect on the masked data by using Oracle Database Actions. + +Estimated Time: 20 minutes ### Objectives @@ -15,12 +17,14 @@ In this lab, you will: - Grant the Data Masking role on your target database - View sensitive data in your target database - Create a masking policy for your target database -- Mask sensitive data in your target database by using Data Masking +- Modify a masking format to use a fixed number +- Create a group mask +- Mask sensitive data in your target database - View the Data Masking report -- Create a PDF of the Data Masking report - Validate the masked data in your target database + ### Prerequisites This lab assumes you have: @@ -34,38 +38,41 @@ This lab assumes you have: ### Assumptions - Your data values might be different than those shown in the screenshots. +- Please ignore the dates for the data and database names. Screenshots are taken at various times and may differ between labs and within labs. + ## Task 1: Grant the Data Masking role on your target database -To use the Data Masking feature with **Autonomous Database Serverless (with secure access from everywhere)**, you must first grant the Data Masking role to the Oracle Data Safe pre-seeded service account on the database. If you are using a different kind of target database, please refer to the _Administering Oracle Data Safe_ guide for instructions on how to grant the required roles. +1. Return to the SQL worksheet in Database Actions. -1. Access the SQL worksheet in Database Actions. If your session has expired, sign in again as the `ADMIN` user. Clear the worksheet and the **Script Output** tab. +2. If you are prompted to sign in to your target database, sign in as the `ADMIN` user. -2. On the SQL worksheet, enter the following command to grant the Data Masking role to the Oracle Data Safe service account on your target database. +3. Clear the worksheet and the **Script Output** tab. + +4. On the SQL worksheet, enter the following command to grant the Data Masking role to the Oracle Data Safe service account on your target database. ``` EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$DATA_MASKING_ROLE'); ``` -3. On the toolbar, click the **Run Statement** button (green circle with a white arrow) to execute the query. +5. On the toolbar, click the **Run Statement** button (green circle with a white arrow) to execute the query. ![Run Statement button on toolbar](images/run-statement-button.png "Run Statement button on toolbar") -4. Verify that the script output reads as follows: +6. Verify that the script output reads as follows: - `PL/SQL procedure successfully completed` + `PL/SQL procedure successfully completed.` You are now able to mask sensitive data on your target database. -4. Clear the worksheet and script output. - +7. Clear the worksheet and script output. ## Task 2: View sensitive data in your target database -In the [Discover Sensitive Data](?lab=discover-sensitive-data) lab, you learned that the `HCM1.EMPLOYEES` table has sensitive data. In this task, you view the actual sensitive data in that table. +View the sensitive data in the `HCM1.EMPLOYEES` table. -1. On the **Navigator** tab, select the **HCM1** schema from the first drop-down list. +1. On the **Navigator** tab in Database Actions, select the **HCM1** schema from the first drop-down list. 2. Drag the `EMPLOYEES` table to the worksheet. @@ -87,29 +94,26 @@ In the [Discover Sensitive Data](?lab=discover-sensitive-data) lab, you learned 6. On the **Script Output** tab, review the query results. - - Data such as `EMPLOYEE_ID`, `FIRST_NAME`, `LAST_NAME`, `EMAIL`, `PHONE_NUMBER`, and `HIRE_DATE` are considered sensitive data and should be masked if shared for non-production use. + - Data such as `EMPLOYEE_ID`, `FIRST_NAME`, `LAST_NAME`, `EMAIL`, and `PHONE_NUMBER` are considered sensitive data and should be masked if shared for non-production use. 7. Return to the browser tab for Oracle Data Safe. Keep this browser tab open because you return to it later. ## Task 3: Create a masking policy for your target database -Data Masking can generate a masking policy for your target database based on your sensitive data model. It automatically tries to select a default masking format for each sensitive column. You can edit these default selections and select different ones as needed. Occasionally you might be prompted to fix issues (if they exist) in the masking formats. +Data Masking can generate a masking policy for your target database based on your sensitive data model. It automatically tries to select a default masking format for each sensitive column. You can edit these default selections and select different ones as needed. Occasionally you might be prompted to fix issues (if they exist) in your masking formats. 1. In the breadcrumb at the top of the page, click **Data Safe**. -2. On the left under **Security Center**, click **Data Masking**. - -3. Under **Related Resources**, click **Masking Policies**. +2. On the left under **Security center**, click **Data masking**. -4. Under **List Scope** on the left, select your compartment. The **Masking Policies** page shows that there are no masking policies available for your target database. +3. Under **Related resources**, click **Masking policies**. - ![Masking Policies page](images/no-masking-policies-available.png "Masking Policies page") +4. Under **List scope** on the left, select your compartment. +5. On the right, click **Create masking policy**. -5. Click **Create Masking Policy**. - - The **Create Masking Policy** panel is displayed. + The **Create masking policy** panel is displayed. 6. Configure the masking policy as follows: @@ -117,101 +121,159 @@ Data Masking can generate a masking policy for your target database based on you - Compartment: **Select your compartment** - Description: **Masking policy for SDM1** - Choose how you want to create the masking policy: Leave **Using a sensitive data model** selected. - - Sensitive Data Model: Select **SDM1[your-target-database-name]**. If you don't have this sensitive data model, see the [Discover Sensitive Data](?lab=discover-sensitive-data) lab. + - Sensitive Data Model: Select **SDM1\[your-target-database-name\]**. If you don't have this sensitive data model, please refer to the [Discover Sensitive Data](?lab=discover-sensitive-data-ocw) lab. - ![Create Masking Policy panel using SDM1](images/create-masking-policy-sdm1.png "Create Masking Policy panel using SDM1") + ![Create masking policy panel using SDM1](images/create-masking-policy-sdm1.png "Create masking policy panel using SDM1") -7. Click **Create Masking Policy**. +7. Click **Create masking policy**. *Important! Please do not close the panel. It closes automatically after all operations are completed. If you close the panel before the operations are finished, the operation to add columns to the masking policy is not initiated.* - The **Masking Policy Details** page is displayed. + The **Masking policy details** page is displayed. 8. Review the masking policy. - - On the **Masking Policy Information** tab, you can view the masking policy name (and edit it), the Oracle Cloud Identifier (OCID) for the masking policy, the compartment in which the masking policy is stored, a link to the work request for the masking policy, a link to masking options, the target database and sensitive data model to which the masking policy is associated, and the date/time in which the masking policy was created and last updated. - - The **Masking Columns** table lists all the masking columns and their masking formats. If needed, you can select a different masking format for any masking column. You can click the pencil icon next to a masking format to edit it. + - On the **Masking policy information** tab, you can view the masking policy name (and edit it), the Oracle Cloud Identifier (OCID) for the masking policy, the compartment in which the masking policy is stored, a link to the work request for the masking policy, a link to masking options, the target database and sensitive data model to which the masking policy is associated, and the date/time in which the masking policy was created and last updated. + - The **Masking columns** table lists all the masking columns and their masking formats. If needed, you can select a different masking format for any masking column. You can click the pencil icon next to a masking format to edit it. - ![Masking Policy Details page for Mask SDM1 - top](images/masking-policy-details-page-mask-sdm1-top.png "Masking Policy Details page for Mask SDM1 - top") - ![Masking Policy Details page for Mask SDM1 - bottom](images/masking-policy-details-page-mask-sdm1-bottom.png "Masking Policy Details page for Mask SDM1 - bottom") + ![Masking policy details page for Mask SDM1 top](images/masking-policy-details-top.png "Masking policy details page for Mask SDM1 top") -9. Under **Resources** on the left, click **Masking Columns Needing Attention**. + ![Masking policy details page for Mask SDM1 middle](images/masking-policy-details-middle.png "Masking policy details page for Mask SDM1 middle") - The **Masking Columns Needing Attention** section is displayed at the bottom of the page. This section informs you of masking columns that do not have a properly configured masking format. The screenshot below shows an example where there are no masking columns requiring attention. + ![Masking policy details page for Mask SDM1 bottom](images/masking-policy-details-bottom.png "Masking policy details page for Mask SDM1 bottom") - ![Masking Columns Needing Attention section](images/masking-columns-needing-attention.png "Masking Columns Needing Attention section") +## Task 4: Modify a masking format to use a fixed number -## Task 4: Mask sensitive data in your target database by using Data Masking +Set `SALARY` to be a fixed number, such as 50000. -After you create a masking policy, you can run a data masking job against your target database from the **Masking Policy Details** page. You can also run a data masking job from the **Data Masking** page. +1. Locate the row for the `SALARY` column in the `EMPLOYEES` table. -1. On the **Masking Policy Details** page, click **Mask Target**. +2. Click the pencil button next to the masking format. - The **Mask Sensitive Data** panel is displayed. + The **Edit masking format** page is displayed. -2. From the **Target Database** drop-down list, select your target database, and then click **Mask Data**. +3. From the **Masking format entry** drop-down list, select **Fixed Number**. - ![Mask Sensitive Data panel](images/mask-sensitive-data-panel.png "Mask Sensitive Data panel") +4. In the **Fixed number** box, enter **50000**. - The **Work Request** page is displayed. + ![Edit masking format page](images/edit-masking-format-page.png "Edit masking format page") -3. Monitor the progress of the work request by viewing the log messages in the **Log Messages** table. +5. Click **Continue**. - ![Log messages for data masking work request](images/masking-log-messages.png "Log messages for data masking work request") + Notice that the updated row is highlighted. + + ![Updated row is highlighted](images/updated-row-is-highlighted.png "Updated row is highlighted") + +6. To save your update, click **Save masking formats** and wait for the update operation to finish. -4. Wait for the status to read as **SUCCEEDED**. - ![Work Request page for masking job succeeded](images/work-request-masking-job-succeeded.png "Work Request page for masking job succeeded") +## Task 5: Create a group mask + +Use the group masking feature to create a group named `ADDRESS` and apply the `SHUFFLE` masking format to the group. + +1. In the list of columns in the masking policy, find `STREET_ADDRESS` from the `LOCATIONS` table, and then select the masking format called **Group Masking**. + + The **Edit masking format** page is displayed. + +2. For **Group name**, enter **Address**. + +3. From the **Masking format entry** drop-down list, select **Shuffle**. + +4. Notice that **STREET_ADDRESS** is listed as a column for the group. + +5. For each of the following columns, click **+Another** column and select the column. + + - `CITY` + - `STATE_PROVINCE` + - `COUNTRY_ABBREV` + - `POSTAL_CODE` + + Note: If `COUNTRY_ABBREV` is not available, you need to add it to your sensitive data model first before creating the group mask (see [Discover Sensitive Data](?lab=discover-sensitive-data)). Or, you can leave it out. + + ![Group mask configuration](images/group-mask1.png "Group mask configuration") +6. Click **Continue**. -## Task 5: View the Data Masking report +7. Notice that the masking format for the columns is set to **Address**. -1. While on the **Work Request** page, next to **Masking Report** on the **Work Request Information** tab, click **View Details**. +8. Click **Save masking formats**. - The **Masking Report Details** page is displayed. + +## Task 6: Mask sensitive data in your target database + +You can run a data masking job against your target database from the **Masking policy details** or **Data masking** page. + +1. On the **Masking policy details** page, click **Mask target**. + + The **Mask sensitive data** panel is displayed. + +2. From the **Target database** drop-down list, select your target database, and then click **Mask data**. + + ![Mask sensitive data panel](images/mask-sensitive-data-panel.png "Mask sensitive data panel") + + The **Work request** page is displayed. + +3. Monitor the progress of the work request by viewing the log messages in the **Log messages** table. + + ![Log messages for data masking work request](images/masking-log-messages.png "Log messages for data masking work request") + +4. Wait for the status to read as **SUCCEEDED**. + + +## Task 7: View the Data Masking report + +1. While on the **Work request** page, next to **Masking report** on the **Work request information** tab, click **View details**. + + The **Masking report details** page is displayed. 2. Review the masking report. - - The **Masking Report Information** tab shows you the target database name, masking policy name (you can click a link to view it), the Oracle Cloud Identifier (OCID) for the masking report, the date and time when the data masking job started and finished, and the number of masked sensitive types, schemas, tables, columns, and values. You can click a link to view masking options. There is also a pie chart that shows you the masked value percentages for each sensitive type. You can click on a pie slice to drill down into the chart. - - The **Masked Columns** table lists each masked sensitive column and its respective schema, table, masking format, sensitive type, parent column, and total number of masked values. + - The **Masking report information** tab shows you the target database name, masking policy name (you can click a link to view it), the Oracle Cloud Identifier (OCID) for the masking report, the date and time when the data masking job started and finished, and the number of masked sensitive types, schemas, tables, columns, and values. You can click a link to view masking options. There is also a pie chart that shows you the masked value percentages for each sensitive type. You can click on a pie slice to drill down into the chart. + - The **Masked columns** table lists each masked sensitive column and its respective schema, table, masking format, sensitive type, parent column, and total number of masked values. ![Masking report top](images/masking-report-top2.png "Masking report top") ![Masking report bottom](images/masking-report-bottom.png "Masking report bottom") -## Task 6: Create a PDF of the Data Masking report -1. At the top of the **Masking Report Details** page, click **Generate Report**. +## Task 8: Validate the masked data in your target database - The **Generate Report** dialog box is displayed. +1. Return to the SQL worksheet in Database Actions. If your session expired, sign in again as the `ADMIN` user. The `SELECT` statement against the `EMPLOYEES` table should be displayed on the worksheet. -2. Leave **PDF** selected, and click **Generate Report**. Wait for the report to generate, and then click the **here** link to download the report. +2. On the toolbar, click the **Run Statement** button (green circle with a white arrow) to execute the query. - ![Generate PDF report for masked data](images/generate-pdf-masked-data.png "Generate PDF report for masked data") + Clicking the **Run Statement** button (instead of the **Run Script** button) will show the results on the **Query Results** tab instead of the **Script Output** tab. This will allow you to do a before and after comparison of the masked data. -3. Open the PDF report, review it, and then close it. +3. Review the masked data on the **Query Result** tab at the bottom of the page. - ![Data Masking PDF report](images/data-masking-pdf-report.png "Data Masking PDF report") + - You can resize the panel to view more data and you can scroll down and to the right. + - Find the `SALARY` column and verify that the values are all 50000. + ![Masked EMPLOYEE data](images/masked-query-results.png "Masked EMPLOYEE data") -## Task 7: Validate the masked data in your target database +4. (Optional) Click the **Script Output** tab to view the original unmasked data. -1. Return to the SQL worksheet in Database Actions. If your session expired, sign in again as the `ADMIN` user. The `SELECT` statement against the `EMPLOYEES` table should be displayed on the worksheet. The **Script Output** tab should still have the original data. Take a moment to examine it. +5. Clear the worksheet. -2. On the toolbar, click the **Run Statement** button (not the **Run Script** button) to run the query. +6. Drag the `LOCATIONS` table to the worksheet. -3. Review the masked data on the **Query Result** tab at the bottom of the page. You can resize the panel to view more data and you can scroll down and to the right. +7. When prompted to choose an insertion type, click **Select**, and then click **Apply**. - ![Masked EMPLOYEE data](images/masked-query-results.png "Masked EMPLOYEE data") +8. On the toolbar, click the **Run Script** button. + + ![Run Script button](images/run-script.png "Run Script button") + +9. Examine the data on the **Script Output** tab. The data for each `LOCATION_ID` has changed. `STREET_ADDRESS`, `POSTAL_CODE`, `CITY`, `STATE_PROVINCE`, AND `COUNTRY_ABBREV` are shuffled as an entire group to maintain the accuracy of each location. Notice that the `COUNTRY_ID`, which has not been masked and is not included in the screenshot below, is different than the `COUNTRY_ABBREV`. -4. To compare the masked data to the original data, click the **Script Output** tab, which still contains the original data. + ![Addresses shuffled](images/addresses-shuffled.png "Addresses shuffled") ## Learn More - [Data Masking](https://docs.oracle.com/en-us/iaas/data-safe/doc/data-masking.html) +- [Target Database Registration](https://www.oracle.com/pls/topic/lookup?ctx=en/cloud/paas/data-safe&id=ADMDS-GUID-B5F255A7-07DD-4731-9FA5-668F7DD51AA6) ## Acknowledgements - **Author** - Jody Glover, Consulting User Assistance Developer, Database Development -- **Last Updated By/Date** - Jody Glover, June 8, 2023 +- **Last Updated By/Date** - Jody Glover, February 12, 2024 diff --git a/data-safe/prepare-environment/images/autonomous-database-details-page.png b/data-safe/prepare-environment/images/autonomous-database-details-page.png index cfa92ae01..1610cceb0 100644 Binary files a/data-safe/prepare-environment/images/autonomous-database-details-page.png and b/data-safe/prepare-environment/images/autonomous-database-details-page.png differ diff --git a/data-safe/prepare-environment/prepare-environment.md b/data-safe/prepare-environment/prepare-environment.md index 51b40022a..bac5433b4 100644 --- a/data-safe/prepare-environment/prepare-environment.md +++ b/data-safe/prepare-environment/prepare-environment.md @@ -1,10 +1,10 @@ -# Prepare Your Environment +# Prepare your environment ## Introduction In this lab, you prepare your environment in Oracle Cloud Infrastructure for the workshop. -*Please read the following instructions carefully!:* +*Please read the following instructions carefully!* - For the **Run on Your Tenancy** option: If you are the tenancy administrator, complete all tasks except for 2, 3, and 5. If you are not a tenancy administrator, enlist the help of one in your organization to complete all tasks, except for task 5. @@ -93,7 +93,7 @@ Create an IAM policy that grants you the necessary permissions for the workshop. The **Policies** page in IAM is displayed. -2. On the left under **COMPARTMENT**, leave the **root** compartment selected. +2. On the left under **COMPARTMENT**, select the **root** compartment. 3. Click **Create Policy**. @@ -118,7 +118,7 @@ Create an IAM policy that grants you the necessary permissions for the workshop. ``` - - For the **Integrate Oracle Data Safe with Applications and Services** workshop, you require the following permissions. Note that only tenancy administrators have the necessary permissions to do the lab called **Get notified about security drift on your target databases by setting up Oracle Data Safe events**. + - For the **Integrate Oracle Data Safe with Applications and Services** workshop, you require the following permissions: ```text @@ -131,6 +131,11 @@ Create an IAM policy that grants you the necessary permissions for the workshop. Allow group {group name} to manage instance-family in compartment {compartment name} Allow group {group name} to read app-catalog-listing in tenancy Allow group {group name} to manage virtual-network-family in compartment {compartment name} + Allow group to manage ons-topic in tenancy + Allow group to manage cloudevents-rules in tenancy + Allow group to manage alarms in tenancy + Allow group to read metrics in tenancy + ``` @@ -160,12 +165,9 @@ Create an Autonomous Transaction Processing (ATP) database in your compartment. - **Workload type** - Select **Transaction Processing**. - **Deployment type** - Leave **Serverless** selected. - **Always Free** - Select this option by moving the slider to the right. - - **Database version** - Leave **21c** selected. - - **OCPU Count** - You get **1** OCPU. - - **Storage** - You get 0.02TB of storage. + - **Database version** - If possible, select a database version; for example, **21c**. - **Password** and **Confirm Password** - Specify a password for the `ADMIN` database user and jot it down. The password must be between 12 and 30 characters long and must include at least one uppercase letter, one lowercase letter, and one numeric character. It cannot contain your username or the double quote (") character. - **Access Type** - Leave **Secure access from everywhere** selected. - - **License Type** - Leave **License included** selected. 6. Click **Create Autonomous Database**. @@ -192,7 +194,7 @@ Create an Autonomous Transaction Processing (ATP) database in your compartment. - A compartment of your very own. We refer to this compartment as "your compartment" throughout the workshop. Make note of your compartment's name because you need to select it often throughout the workshop. - An Autonomous Database in your compartment. You are provided the password for the `ADMIN` account on your database. -3. Make note of your username and click the **Copy Password** button for Oracle Cloud Infrastructure. +3. Make note of your Oracle Cloud Infrastructure username and click the **Copy Password** button. 4. On the **Reservation Information** panel, click the **Launch OCI** button. @@ -206,31 +208,23 @@ Create an Autonomous Transaction Processing (ATP) database in your compartment. You are now signed in to your LiveLabs Sandbox in Oracle Cloud Infrastructure. -7. Access your target database: From the navigation menu (hamburger menu in the upper-left corner), select **Oracle Database**, and then **Autonomous Transaction Processing**. Under **List Scope**, select your compartment under the **LiveLabs** folder. In the table on the right, click the name of your target database. +7. Access your target database: From the navigation menu (hamburger menu in the upper-left corner), select **Oracle Database**, and then **Autonomous Transaction Processing**. Under **List scope**, select your compartment under the **LiveLabs** folder. In the table on the right, click the name of your target database. ## Task 6: Access Oracle Database Actions Database Actions provides a way for you to run SQL commands on your target database. The step-by-step instructions for accessing Database Actions are covered here. The labs simply say to "access the SQL worksheet in Database Actions." You can always refer back to these steps for help if needed. -1. At the top of the **Autonomous Database details** page, click **Database actions**. - - The **Sign-in** page is displayed. +1. At the top of the **Autonomous Database details** page, from the **Database actions** menu, select **SQL**. 2. If required, sign in as the `ADMIN` user. - A browser tab named **Oracle Database Actions** is opened. *Keep this tab open throughout the workshop.* If your session expires, you can always sign in again. - - If a tenancy administrator provided you an Autonomous Database, obtain the password from that person. - If you are using an Oracle-provided environment, enter the database password provided to you. -3. In the **Development** section, click **SQL**. +3. Close the warning and help dialog boxes. - The browser tab name is changed to **SQL | Oracle Database Actions**. - -4. Close the warning and help dialog boxes. - -5. Review the interface. Here are the ways that you use Database Actions during the workshop: +4. Review the interface. Here are the ways that you use Database Actions during the workshop: - In the **Navigator** pane on the left, you select tables from the **HCM1** schema on your target database. - On the **Worksheet** on the right, you run SQL commands and scripts. @@ -270,13 +264,15 @@ As the `ADMIN` user on the database, run the `load-data-safe-sample-data_admin.s - `SUPPLEMENTAL_DATA` - 149 rows - If your results are different than what is specified above, rerun the [load-data-safe-sample-data_admin.sql](https://objectstorage.us-ashburn-1.oraclecloud.com/p/VEKec7t0mGwBkJX92Jn0nMptuXIlEpJ5XJA-A6C9PymRgY2LhKbjWqHeB5rVBbaV/n/c4u04/b/livelabsfiles/o/data-management-library-files/load-data-safe-sample-data_admin.sql) script. + If your results are different than what is specified above, rerun the [load-data-safe-sample-data_admin.sql](https://objectstorage.us-ashburn-1.oraclecloud.com/p/AUKfPIGuTde04z4OnuaZN2EP0LxNl4hJWI2jZiTw23aWzSoa2_Byvs8OGPw20-dt/n/c4u04/b/livelabsfiles/o/security-library/load-data-safe-sample-data_admin.sql) script. 5. Refresh Database Actions by refreshing the _browser_ page. If prompted, click **Leave page**. 6. Verify that the `HCM1` schema is listed in the first drop-down list on the **Navigator** pane. -7. *Leave the **SQL | Oracle Database Actions** tab open because you return to it throughout this workshop.* If your session expires, you can always sign in again. Return to the **Autonomous Database | Oracle Cloud Infrastructure** tab. +7. *Leave the **SQL | Oracle Database Actions** tab open because you return to it throughout this workshop.* If your session expires, you can always sign in again. + +8. Return to the **Autonomous Database | Oracle Cloud Infrastructure** tab. You may now **proceed to the next lab**. @@ -291,4 +287,4 @@ You may now **proceed to the next lab**. ## Acknowledgements - **Author** - Jody Glover, Consulting User Assistance Developer, Database Development -- **Last Updated By/Date** - Jody Glover, June 8, 2023 +- **Last Updated By/Date** - Jody Glover, February 12, 2024 diff --git a/data-safe/register-autonomous-database/images/ADB-wizard-review-submit.png b/data-safe/register-autonomous-database/images/ADB-wizard-review-submit.png index 4ea679472..79bf12d38 100644 Binary files a/data-safe/register-autonomous-database/images/ADB-wizard-review-submit.png and b/data-safe/register-autonomous-database/images/ADB-wizard-review-submit.png differ diff --git a/data-safe/register-autonomous-database/images/ADB-wizard-select-database.png b/data-safe/register-autonomous-database/images/ADB-wizard-select-database.png index 4682de030..8a27d80bd 100644 Binary files a/data-safe/register-autonomous-database/images/ADB-wizard-select-database.png and b/data-safe/register-autonomous-database/images/ADB-wizard-select-database.png differ diff --git a/data-safe/register-autonomous-database/images/dashboard-security-controls.png b/data-safe/register-autonomous-database/images/dashboard-security-controls.png new file mode 100644 index 000000000..facedc89a Binary files /dev/null and b/data-safe/register-autonomous-database/images/dashboard-security-controls.png differ diff --git a/data-safe/register-autonomous-database/images/feature-metrics-bottom-half.png b/data-safe/register-autonomous-database/images/feature-metrics-bottom-half.png new file mode 100644 index 000000000..3a53aa36b Binary files /dev/null and b/data-safe/register-autonomous-database/images/feature-metrics-bottom-half.png differ diff --git a/data-safe/register-autonomous-database/images/feature-metrics-top-half.png b/data-safe/register-autonomous-database/images/feature-metrics-top-half.png new file mode 100644 index 000000000..a3d87a229 Binary files /dev/null and b/data-safe/register-autonomous-database/images/feature-metrics-top-half.png differ diff --git a/data-safe/register-autonomous-database/images/manual-target-registration.png b/data-safe/register-autonomous-database/images/manual-target-registration.png index 84883b6d2..fb3691041 100644 Binary files a/data-safe/register-autonomous-database/images/manual-target-registration.png and b/data-safe/register-autonomous-database/images/manual-target-registration.png differ diff --git a/data-safe/register-autonomous-database/images/register-database.png b/data-safe/register-autonomous-database/images/register-database.png index 84fad5a75..c883b0290 100644 Binary files a/data-safe/register-autonomous-database/images/register-database.png and b/data-safe/register-autonomous-database/images/register-database.png differ diff --git a/data-safe/register-autonomous-database/images/registration-wizards.png b/data-safe/register-autonomous-database/images/registration-wizards.png index a0fdf0179..6ed06be47 100644 Binary files a/data-safe/register-autonomous-database/images/registration-wizards.png and b/data-safe/register-autonomous-database/images/registration-wizards.png differ diff --git a/data-safe/register-autonomous-database/images/target-database-details-page.png b/data-safe/register-autonomous-database/images/target-database-details-page.png index 388bcea01..9971e3623 100644 Binary files a/data-safe/register-autonomous-database/images/target-database-details-page.png and b/data-safe/register-autonomous-database/images/target-database-details-page.png differ diff --git a/data-safe/register-autonomous-database/images/target-databases-page-oci.png b/data-safe/register-autonomous-database/images/target-databases-page-oci.png index b25c12c6c..cb0c8b37f 100644 Binary files a/data-safe/register-autonomous-database/images/target-databases-page-oci.png and b/data-safe/register-autonomous-database/images/target-databases-page-oci.png differ diff --git a/data-safe/register-autonomous-database/register-autonomous-database.md b/data-safe/register-autonomous-database/register-autonomous-database.md index c40087a33..36c74b230 100644 --- a/data-safe/register-autonomous-database/register-autonomous-database.md +++ b/data-safe/register-autonomous-database/register-autonomous-database.md @@ -27,7 +27,7 @@ This lab assumes you have: ### Assumptions - Your data values are most likely different than those shown in the screenshots. -- Please ignore the dates for the data. Screenshots are taken at various times and may differ between labs and within labs. +- Please ignore the dates for the data and database names. Screenshots are taken at various times and may differ between labs and within labs. ## Task 1: Explore target database registration options @@ -42,7 +42,7 @@ You have three options for registering your Autonomous Database: If you navigated away from this page: From the navigation menu, select **Oracle Database**, and then **Autonomous Transaction Processing**. Select your compartment (if needed), and then click the name of your database. -2. Scroll down the page, and then under **Data Safe**, notice that there is a **Register** option. Please don't click the link, and instead, lets view the other options. +2. Scroll down the page, and then under **Data Safe**, notice that there is a **Register** option. *Please don't click the link, and instead, lets view the other options.* ![Register option for your database](images/register-database.png "Register option for your database") @@ -50,17 +50,18 @@ You have three options for registering your Autonomous Database: On this page, there are wizards to register the following types of databases: - - Autonomous Databases - - Oracle Cloud Databases - - Oracle On-Premises Databases - - Oracle Databases on Compute - - Oracle Cloud@Customer Databases + - Autonomous databases + - Oracle cloud databases + - Oracle databases on compute + - Oracle Cloud@Customer databases + - Oracle on-premises databases + - Amazon RDS for Oracle ![Registration wizards for Oracle Data Safe](images/registration-wizards.png "Registration wizards for Oracle Data Safe") -4. Under **Data Safe** on the left, click **Target Databases**. +4. Under **Data Safe** on the left, click **Target databases**. -5. On the right, click **Register Database**. From here, you can configure registration details. This method assumes that you have already completed the required pre-registration tasks for your database. +5. On the right, click **Register database**. From here, you can configure registration details. This method assumes that you have already completed the required pre-registration tasks for your database. ![Manual target registration](images/manual-target-registration.png "Manual target registration") @@ -70,15 +71,15 @@ You have three options for registering your Autonomous Database: To register a database other than an ATP database for this workshop, please follow the registration instructions specific for your database type in the _Administering Oracle Data Safe_ guide. See the **Learn More** section at the bottom of this page. -1. Click **Register Database via Wizard**. +1. Click **Register database via wizard**. The **Overview** page is displayed. -2. On the **Autonomous Databases** tile, click **Start Wizard**. +2. On the **Autonomous databases** tile, click **Start wizard**. - The first page in the wizard called **Select Database** is displayed. + The first page in the wizard called **Select database** is displayed. -3. From the first drop-down list, select your database. If needed, click **Change Compartment**, select your compartment, and then select your database. +3. From the first drop-down list, select your database. If needed, click **Change compartment**, select your compartment, and then select your database. 4. (Optional) Change the default display name for your target database. This name is displayed in your Oracle Data Safe reports. @@ -86,40 +87,40 @@ To register a database other than an ATP database for this workshop, please foll 6. (Optional) Enter a description for your target database. -7. Notice the message at the bottom of the page: **The selected database is configured to be securely accessible from everywhere. Steps 2 ('Connectivity Option') and 3 ('Add Security Rule') are not necessary and will be skipped.** If your database has a private IP address, you need to configure an Oracle Data Safe private endpoint and security rules. +7. Notice the message at the bottom of the page: **The selected database is configured to be securely accessible from everywhere. Steps 2 ('Connectivity option') and 3 ('Add security rule') are not necessary and will be skipped.** If your database has a private IP address, you need to configure an Oracle Data Safe private endpoint and security rules. ![Autonomous Database registration wizard - Select Database page](images/ADB-wizard-select-database.png "Autonomous Database registration wizard - Select Database page") 8. Click **Next**. -9. On the **Review and Submit** page, review the information. To make a change, you can return to the **Select Database** page. +9. On the **Review and submit** page, review the information. To make a change, you can return to the **Select database** page. ![Autonomous Database registration wizard - Review and Submit page](images/ADB-wizard-review-submit.png "Autonomous Database registration wizard - Review and Submit page") 10. Click **Register**. - The **Registration Progress** page is displayed briefly, and then the **Target Database Details** page is displayed. + The **Target database information** page is displayed. 11. Wait for the target database status to turn to **ACTIVE**, which means your target database is fully registered. Next, review the information and options provided on the page. - You can view/edit the target database name and description. - - You can view the Oracle Cloud Identifier (OCID), when the target database was registered, the compartment name to where the target database was registered, the database type (Autonomous Database), and the connection protocol (TLS). The information varies depending on the target database type. - - You have options to edit connection details (change the connection protocol), move the target database to another compartment, deregister the target database, and add tags. + - You can view the Oracle Cloud Identifier (OCID), when the target database was registered, the compartment name to where the target database is registered, the database type (Autonomous Database), and the connection protocol (TLS). The information varies depending on the target database type. + - You have options to edit connection details (for example, choose a connectivity option), move the target database to another compartment, deregister the target database, and add tags. - ![Target Database Details page](images/target-database-details-page.png "Target Database Details page") + ![Target database information page](images/target-database-details-page.png "Target database information page") ## Task 3: Access Oracle Data Safe and view your list of registered target databases -1. In the breadcrumb at the top of the page, click **Target Databases**. +1. In the breadcrumb at the top of the page, click **Target databases**. -2. Under **List Scope**, make sure your compartment is selected. Your registered target database is listed on the right. +2. Under **List scope**, make sure your compartment is selected. Your registered target database is listed on the right. - A target database with an **Active** status means that it is currently registered with Oracle Data Safe. - A target database with a **Deleted** status means that it is no longer registered with Oracle Data Safe. The listing is removed 45 days after the target database is deregistered. - ![Target Databases page in OCI](images/target-databases-page-oci.png "Target Databases page in OCI") + ![Target databases page in OCI](images/target-databases-page-oci.png "Target databases page in OCI") ## Task 4: Explore Security Center @@ -128,15 +129,18 @@ To register a database other than an ATP database for this workshop, please foll The **Overview** page is displayed. -2. Under **Security Center** on the left, click **Dashboard** and review the dashboard. Scroll down to view all the charts. Make sure your compartment is selected under **List Scope**. From the **Target Databases** drop-down list, select your target database so that the data in the dashboard pertains to your target database only. +2. Under **Security center** on the left, click **Dashboard** and review the dashboard. Scroll down to view the security controls and feature metrics (charts). Make sure your compartment is selected under **List scope**. From the **Target databases** drop-down list, select your target database so that the data in the dashboard pertains to your target database only. - - In Security Center, you can access all the Oracle Data Safe features, including the dashboard, Security Assessment, User Assessment, Data Discovery, Data Masking, Activity Auditing, and Alerts. - - When you register a target database, Oracle Data Safe automatically creates a security assessment and user assessment for you. That's why the **Security Assessment**, **User Assessment**, **Feature Usage**, and **Operations Summary** charts in the dashboard already have data. - - During registration, Oracle Data Safe also discovers audit trails on your target database. That's why the **Audit Trails** chart in the dashboard shows one audit trail with the status **In Transition** for your Autonomous Database. Later you start this audit trail to collect audit data into Oracle Data Safe. + - In Security center, you can access all the Oracle Data Safe features, including the dashboard, Security Assessment, User Assessment, Data Discovery, Data Masking, Activity Auditing, SQL Firewall, and Alerts. + - When you register a target database, Oracle Data Safe automatically creates a security assessment and user assessment for you. That's why the **Security assessment**, **User assessment**, **Feature usage**, and **Operations summary** charts in the dashboard already have data. + - During registration, Oracle Data Safe also discovers audit trails on your target database. That's why the **Audit trails** chart in the dashboard shows one audit trail with the status **In transition** for your Autonomous Database. Later you start this audit trail to collect audit data into Oracle Data Safe. - ![Initial Dashboard - top half](images/dashboard-initial-top.png "Initial Dashboard - top half") + ![Initial Dashboard - security controls](images/dashboard-security-controls.png "Initial Dashboard - security controls") + + ![Initial Dashboard - feature metrics top half](images/feature-metrics-top-half.png "Initial Dashboard - feature metrics top half") + + ![Initial Dashboard - feature metrics bottom half](images/feature-metrics-bottom-half.png "Initial Dashboard - feature metrics bottom half") - ![Initial Dashboard - bottom half](images/dashboard-initial-bottom.png "Initial Dashboard - bottom half") You may now **proceed to the next lab**. @@ -149,4 +153,4 @@ You may now **proceed to the next lab**. ## Acknowledgements - **Author** - Jody Glover, Consulting User Assistance Developer, Database Development -- **Last Updated By/Date** - Jody Glover, June 8, 2023 +- **Last Updated By/Date** - Jody Glover, February 12, 2024 diff --git a/data-safe/workshops/freetier/manifest.json b/data-safe/workshops/freetier/manifest.json index d512239a0..e329ff87e 100644 --- a/data-safe/workshops/freetier/manifest.json +++ b/data-safe/workshops/freetier/manifest.json @@ -9,13 +9,13 @@ "type": "freetier" }, { - "title": "Get Started", + "title": "Get started", "description": "Get an Oracle Cloud account if needed and sign in.", "filename": "https://oracle-livelabs.github.io/common/labs/cloud-login/pre-register-free-tier-account.md", "type": "freetier" }, { - "title": "Prepare Your Environment", + "title": "Prepare your environment", "description": "Prerequisites to run the Oracle Data Safe workshop in your own tenancy.", "filename": "../../prepare-environment/prepare-environment.md", "type": "freetier" @@ -27,37 +27,37 @@ "type": "freetier" }, { - "title": "Lab 2: Audit Database Activity", + "title": "Lab 2: Audit database activity", "description": "This lab shows you how to provision audit policies in Oracle Data Safe.", "filename": "../../audit-database-activity/audit-database-activity.md", "type": "freetier" }, { - "title": "Lab 3: Generate Alerts", + "title": "Lab 3: Generate alerts", "description": "This lab shows you how to provision alert policies in Oracle Data Safe.", "filename": "../../generate-alerts/generate-alerts.md", "type": "freetier" }, { - "title": "Lab 4: Assess Database Configurations", + "title": "Lab 4: Assess database configurations", "description": "This lab shows you how to assess database configurations in your Autonomous Database by using the Security Assessment feature in Oracle Data Safe.", "filename": "../../assess-database-configurations/assess-database-configurations.md", "type": "freetier" }, { - "title": "Lab 5: Assess Database Users", + "title": "Lab 5: Assess database users", "description": "This lab shows you how to assess database users in your Autonomous Database by using the User Assessment feature in Oracle Data Safe.", "filename": "../../assess-database-users/assess-database-users.md", "type": "freetier" }, { - "title": "Lab 6: Discover Sensitive Data", + "title": "Lab 6: Discover sensitive data", "description": "This lab shows you how to discover sensitive data on your target database by using the Data Discovery feature in Oracle Data Safe.", "filename": "../../discover-sensitive-data/discover-sensitive-data.md", "type": "freetier" }, { - "title": "Lab 7: Mask Sensitive Data", + "title": "Lab 7: Mask sensitive data", "description": "This lab shows you how to mask sensitive data on your target database by using the Data Masking feature in Oracle Data Safe.", "filename": "../../mask-sensitive-data/mask-sensitive-data.md", "type": "freetier" diff --git a/data-safe/workshops/integration-freetier/manifest.json b/data-safe/workshops/integration-freetier/manifest.json index b466bcf8a..95a791650 100644 --- a/data-safe/workshops/integration-freetier/manifest.json +++ b/data-safe/workshops/integration-freetier/manifest.json @@ -9,13 +9,13 @@ "type": "freetier" }, { - "title": "Get Started", + "title": "Get started", "description": "Get an Oracle Cloud account if needed and sign in.", "filename": "https://oracle-livelabs.github.io/common/labs/cloud-login/pre-register-free-tier-account.md", "type": "freetier" }, { - "title": "Prepare Your Environment", + "title": "Prepare your environment", "description": "Prerequisites to run the Oracle Data Safe workshop in your own tenancy.", "filename": "../../prepare-environment/prepare-environment.md", "type": "freetier" @@ -44,8 +44,8 @@ "type": "freetier" }, { - "title": "Lab 5: Get notified about security drift on your target databases by setting up Oracle Data Safe events", - "description": "This lab shows you how to set up events in Oracle Cloud Infrastructure for Oracle Data Safe events.", + "title": "Lab 5: Get notified about security drift on your target databases by setting up notifications in Oracle Data Safe", + "description": "This lab shows you how to set up notifications in Oracle Data Safe.", "filename": "../../events/events.md", "type": "freetier" }, diff --git a/data-safe/workshops/livelabs/manifest.json b/data-safe/workshops/livelabs/manifest.json index 9be1f9708..1e681e7bb 100644 --- a/data-safe/workshops/livelabs/manifest.json +++ b/data-safe/workshops/livelabs/manifest.json @@ -9,7 +9,7 @@ "type": "livelabs" }, { - "title": "Prepare Your Environment", + "title": "Prepare your environment", "description": "Prerequisites to run the Oracle Data Safe workshop in your own tenancy.", "filename": "../../prepare-environment/prepare-environment.md", "type": "livelabs" @@ -21,37 +21,37 @@ "type": "livelabs" }, { - "title": "Lab 2: Audit Database Activity", + "title": "Lab 2: Audit database activity", "description": "This lab shows you how to provision audit policies in Oracle Data Safe.", "filename": "../../audit-database-activity/audit-database-activity.md", "type": "livelabs" }, { - "title": "Lab 3: Generate Alerts", + "title": "Lab 3: Generate alerts", "description": "This lab shows you how to provision alert policies in Oracle Data Safe.", "filename": "../../generate-alerts/generate-alerts.md", "type": "livelabs" }, { - "title": "Lab 4: Assess Database Configurations", + "title": "Lab 4: Assess database configurations", "description": "This lab shows you how to assess database configurations in your Autonomous Database by using the Security Assessment feature in Oracle Data Safe.", "filename": "../../assess-database-configurations/assess-database-configurations.md", "type": "livelabs" }, { - "title": "Lab 5: Assess Database Users", + "title": "Lab 5: Assess database users", "description": "This lab shows you how to assess database users in your Autonomous Database by using the User Assessment feature in Oracle Data Safe.", "filename": "../../assess-database-users/assess-database-users.md", "type": "livelabs" }, { - "title": "Lab 6: Discover Sensitive Data", + "title": "Lab 6: Discover sensitive data", "description": "This lab shows you how to discover sensitive data on your target database by using the Data Discovery feature in Oracle Data Safe.", "filename": "../../discover-sensitive-data/discover-sensitive-data.md", "type": "livelabs" }, { - "title": "Lab 7: Mask Sensitive Data", + "title": "Lab 7: Mask sensitive data", "description": "This lab shows you how to mask sensitive data on your target database by using the Data Masking feature in Oracle Data Safe.", "filename": "../../mask-sensitive-data/mask-sensitive-data.md", "type": "livelabs" diff --git a/data-safe/workshops/paid/manifest.json b/data-safe/workshops/paid/manifest.json index 651c41c5a..1838be132 100644 --- a/data-safe/workshops/paid/manifest.json +++ b/data-safe/workshops/paid/manifest.json @@ -15,7 +15,7 @@ "type": "paid" }, { - "title": "Prepare Your Environment", + "title": "Prepare your environment", "description": "Prerequisites to run the Oracle Data Safe workshop in your own tenancy.", "filename": "../../prepare-environment/prepare-environment.md", "type": "paid" @@ -27,37 +27,37 @@ "type": "paid" }, { - "title": "Lab 2: Audit Database Activity", + "title": "Lab 2: Audit database activity", "description": "This lab shows you how to provision audit policies in Oracle Data Safe.", "filename": "../../audit-database-activity/audit-database-activity.md", "type": "paid" }, { - "title": "Lab 3: Generate Alerts", + "title": "Lab 3: Generate alerts", "description": "This lab shows you how to provision alert policies in Oracle Data Safe.", "filename": "../../generate-alerts/generate-alerts.md", "type": "paid" }, { - "title": "Lab 4: Assess Database Configurations", + "title": "Lab 4: Assess database configurations", "description": "This lab shows you how to assess database configurations in your Autonomous Database by using the Security Assessment feature in Oracle Data Safe.", "filename": "../../assess-database-configurations/assess-database-configurations.md", "type": "paid" }, { - "title": "Lab 5: Assess Database Users", + "title": "Lab 5: Assess database users", "description": "This lab shows you how to assess database users in your Autonomous Database by using the User Assessment feature in Oracle Data Safe.", "filename": "../../assess-database-users/assess-database-users.md", "type": "paid" }, { - "title": "Lab 6: Discover Sensitive Data", + "title": "Lab 6: Discover sensitive data", "description": "This lab shows you how to discover sensitive data on your target database by using the Data Discovery feature in Oracle Data Safe.", "filename": "../../discover-sensitive-data/discover-sensitive-data.md", "type": "paid" }, { - "title": "Lab 7: Mask Sensitive Data", + "title": "Lab 7: Mask sensitive data", "description": "This lab shows you how to mask sensitive data on your target database by using the Data Masking feature in Oracle Data Safe.", "filename": "../../mask-sensitive-data/mask-sensitive-data.md", "type": "paid"