
Oracle Database Security Assessment Tool (DBSAT)

The Oracle Database Security Assessment Tool (DBSAT) is a command-line tool aimed at detecting areas of potential security vulnerabilities or misconfigurations and offering suggestions on how to mitigate them. DBSAT focuses on the database but also examines surrounding database-related components, including the OS and the network (listener). The tool gives a view of the current status, users, roles and policies in place, with the goal of promoting successful approaches to mitigating potential security risks.

DBSAT has two parts: the Collector and the Reporter. The Collector is responsible for gathering raw data from the target database by executing SQL queries and OS commands. The Reporter reads the collected data, analyzes it and produces reports with the findings. The Reporter outputs three reports, in Text, HTML and XLS formats.

It is extremely important to validate security at the database level from time to time. Very recently, Oracle released another powerful database tool, DBSAT, with which we can easily analyze the database security settings and get recommendations to fix the issues found and to improve the security settings. This paper focuses on the DBSAT tool and covers the following topics:

  • DBSAT Overview and Flow
  • Advantages
  • How to download, configure and execute
  • Gathering data and preparing reports
  • Interpreting the report

DBSAT Overview

Oracle's development team released another powerful database tool very recently. DBSAT is a database security assessment tool that is fairly new and very simple to use. It carries out the security assessment of your databases seamlessly, and it can easily sit alongside the other database tools, such as ORAchk and ExaChk. What is missing in the DBSAT report, in contrast to those two tools, is an overall score. Although this is not very important, having a final scorecard could give customers a sense of satisfaction, or the curiosity to look deeper and improve their database security best practices.

The objective of DBSAT is to investigate the database's current security configuration, examine potential security vulnerabilities or misconfigurations, and provide recommendations on security best practices and advice on how to mitigate these potential security issues. Before DBSAT, the same could be achieved by running a number of database scripts against the dictionary views; this tool does that for you without the need to run several scripts, and it also gives you the recommendations in a report in three formats.

According to Oracle, the security rules are defined as shown in the image below:

[Image: Oracle Database Security Assessment Tool]

Advantages of DBSAT

  • Recommendations on security best practices
  • Quickly identifies the security flaws in your database
  • Suggestions to improve the security posture of your databases
  • Reduces the learning curve for delivering decent security reporting to management.

DBSAT validations

Below is the action list that DBSAT examines during the data collection:

  • Data Encryption
  • DB User account, Roles, and Privileges
  • Auditing Policies
  • OS File Permissions
  • Listener configuration
  • Database security configuration
  • Fine-grained access control
  • Authorization control

DBSAT Functionality and Flow

The DBSAT Collector and the DBSAT Reporter are the two components of the DBSAT tool. The functionality of these components is outlined in the segments below.

  • The role of the DBSAT Collector is to collect the raw data by executing SQL queries against the database dictionary views plus some OS commands; the data is written to a JSON output file. By default the output file is password-encrypted, for obvious security reasons. The DBSAT Collector needs to run on the server where the database is running.

  • The core functionality of the Reporter is to read the data, analyze it and report its findings and recommendations to a readable file. The file is available in HTML, Text and Excel formats. In contrast to the Collector, the DBSAT Reporter can run either on the DB server or on another machine. It is a platform-independent program that requires Python 2.6 or greater on the system to run. You can use the findings to fix some immediate short-term risks or to develop or enhance a comprehensive security strategy.

The image below outlines the typical DBSAT functionality and the flow between its components:

[Image: DBSAT components and flow (Oracle)]


Download, Configure & Execute

Download

At the moment, the only available option to obtain the DBSAT software is to log in to the support.oracle.com website (with your user credentials) and download it from My Oracle Support note ID 21382541.1, titled 'Oracle Database Security Assessment Tool (DBSAT)'. At the end of the DOWNLOAD section, click on the I AGREE link and the dbsat.zip file will be downloaded to your system. It is highly recommended to revisit the note from time to time to get the latest version of the software, so that you stay up to date with all security validations.

Currently, the DBSAT tool is available and supported on the following Platforms:

  • Solaris
  • Linux x86-64
  • Windows x64
  • HP-UX IA (64-bit)
  • IBM AIX

Configure

Installing the tool is a pretty simple and straightforward process. Follow the steps below:

  1. Copy the zip file to the target database server
  2. Create a new directory (for example, dbsat) on the target server
  3. Unzip the file to the dbsat directory (for example, unzip dbsat.zip -d /dbsat)
  4. The following files are extracted to the directory:
    • dbsat.bat (for Windows)
    • dbsat
    • sat_analysis.py
    • sat_collector.sql
    • sat_reporter.py
    • /xlsxwriter

The DBSAT tool is compatible with, and runs on, Oracle DB version 10.2.0.5 or higher.

Execute

Before we dive deeper into the details of launching DBSAT and how to initiate the DBSAT Collector and Reporter, let's discuss some of the prerequisites that must be in place. The following environment variables must be set and a DB user with the required privileges must exist:

Environment Variables

For Windows:

SET ZIP_CMD=%ORACLE_HOME%\bin\zip.exe
SET UNZIP_CMD=%ORACLE_HOME%\bin\unzip.exe

On Unix:

ZIP=/usr/bin/zip
UNZIP=/usr/bin/unzip
DBZIP=${ORACLE_HOME}/bin/zip

In the documentation, the variables above must be set as a prerequisite. However, they appear to be hard-coded in the script and will therefore be overwritten. I would recommend checking that the required binaries are accessible as expected, and changing their location in the script if necessary.

OS User Authentication

As stated earlier, the DBSAT Collector must run on the database server, as an OS user that has permission to read the Oracle binaries under the ORACLE_HOME. This is necessary because, as part of the data collection, the Collector reads files under the Oracle home using some OS-specific commands.

DB Settings (user, privileges, and roles)

As part of the data collection, the Collector queries the data dictionary views. Therefore, the DB user must have certain DB privileges, mostly read-only. If you do not want to grant DBA plus DV_SECANALYST (if Database Vault is enabled) to the user, grant the following specific privileges instead:

  • CREATE SESSION
  • SELECT ON SYS.REGISTRY$HISTORY, AUDSYS.AUD$UNIFIED (12c), SYS.DBA_USERS_WITH_DEFPWD (11g, 12c)
  • Roles: SELECT_CATALOG_ROLE, AUDIT_VIEWER (12c), CAPTURE_ADMIN (12c), DV_SECANALYST

DB User creation example:

[Image: Oracle database user creation]
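As an added example (not from the Oracle note or the original post), the shell function below emits a SQL*Plus script that creates a least-privilege Collector account with exactly the grants listed above, adding the 11g/12c-only objects and roles only when the major version warrants them, and DV_SECANALYST only when "dv" is passed. The function name, the hidden ACCEPT prompt for the password and the argument layout are my assumptions.

```shell
# Constructed example: print the SQL*Plus script for a least-privilege
# DBSAT Collector account. Not part of DBSAT itself.
# Usage: dbsat_user_sql <major version: 10|11|12> <username> [dv]
# The password is never put on the command line: the generated script asks
# for it with a hidden SQL*Plus ACCEPT, so it stays out of shell history.
dbsat_user_sql() {
  ver=$1
  user=$2
  cat <<EOF
-- least-privilege user for the DBSAT Collector (constructed example)
ACCEPT dbsat_pwd CHAR PROMPT 'Password for ${user}: ' HIDE
CREATE USER ${user} IDENTIFIED BY "&dbsat_pwd";
GRANT CREATE SESSION TO ${user};
GRANT SELECT_CATALOG_ROLE TO ${user};
GRANT SELECT ON SYS.REGISTRY\$HISTORY TO ${user};
EOF
  # DBA_USERS_WITH_DEFPWD is listed for 11g and 12c only
  if [ "$ver" -ge 11 ]; then
    echo "GRANT SELECT ON SYS.DBA_USERS_WITH_DEFPWD TO ${user};"
  fi
  # Unified audit trail and the two 12c-only roles
  if [ "$ver" -ge 12 ]; then
    cat <<EOF
GRANT SELECT ON AUDSYS.AUD\$UNIFIED TO ${user};
GRANT AUDIT_VIEWER TO ${user};
GRANT CAPTURE_ADMIN TO ${user};
EOF
  fi
  # DV_SECANALYST only applies when Database Vault is enabled
  if [ "${3:-}" = "dv" ]; then
    echo "GRANT DV_SECANALYST TO ${user};"
  fi
}
```

Pipe the output into SQL*Plus as a privileged user, for example `dbsat_user_sql 12 dbsat_user dv | sqlplus / as sysdba`, and review the generated grants before running them.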

DBSAT Collector

./dbsat

Usage:
dbsat collect [ -n ] <database_connect_string> <output_file>
dbsat report [ -a ] [ -n ] [ -x] <input_file>

Options:
-a Report about all user accounts, including locked, Oracle-supplied users
-n No encryption for output
-x Specify sections to exclude from the report (may be repeated for multiple sections)

The segment below explains the process, with some examples, for running the data collection on the database server:

$./dbsat collect username/password output_file

Example:

$./dbsat collect zia/Tigerit_1 db04

Once the above command has executed successfully, an output file named db04.zip is produced. By default, the output file is password protected and encrypted for security reasons. Although the -n argument can be used to bypass the encryption, Oracle does not recommend this.

  • When working with 12c multitenant container databases, data can be gathered at the root container or at the PDB level separately. If the Collector script is run on the root container, only the root container database is gathered; no PDB data is collected. You will have to run the script at the PDB level to gather data for each PDB separately.
  • ./dbsat collect -n does not encrypt the output file.

DBSAT Reporter

Before you launch the DBSAT Reporter, ensure Python v2.6 or greater is installed on the machine where you run the Reporter. The following is an example of verifying the version of Python running on the local system; most OSes already have Python installed, and if not, download the required version and configure it:

Checking Python version

$ python -V

Python 2.6.6

Usage

./dbsat report

dbsat report [ -a ] [ -n ] [ -x] <input_file>

Options:
-a Report about all user accounts, including locked, Oracle-supplied users
-n No encryption for output
-x Specify sections to exclude from the report (may be repeated for multiple sections)

Syntax

./dbsat report -a db04

After successful execution of dbsat report, the files below are generated. The reports are encrypted and password protected by default, which can be skipped with the -n argument. The output (report) files are available in txt, HTML and Excel (xlsx) formats. They are all zipped together in a single file.

db04.txt
db04.html
db04.xlsx

Note:

  • With the -x argument, you can exclude some parts of the security validations from the reports:
    • USER: user authentication
    • PRIV: Privileges and Roles
    • AUTH: Authentication Controls
    • CRYPT: Data Encryption
    • AUDIT: Auditing
    • OS: Operating System
    • NET: Network Configuration
    • CONF: Database Configuration
    • ACCESS: Fine-Grained Access Control

Examples:

./dbsat report -x OS db04 (OS validation is excluded from the report)
./dbsat report -x OS,PRIV db04 (OS and Privileges/Roles validations are excluded from the report)
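As an added example (not part of the Oracle note or the original post), the shell functions below wrap the Reporter prerequisites and the -x option discussed above: they check the Python version string against the 2.6 minimum, validate each excluded section name against the list in the note so a typo cannot silently drop or keep a check, and assemble the dbsat report command with encryption left on unless DBSAT_PLAINTEXT=1 is set deliberately. The function names and the DBSAT_PLAINTEXT variable are my assumptions.

```shell
# Constructed example: pre-flight checks and command assembly for the
# DBSAT Reporter, using the -x section names from the note above.
DBSAT_SECTIONS="USER PRIV AUTH CRYPT AUDIT OS NET CONF ACCESS"

# Return 0 when a "python -V" string such as "Python 2.6.6" is 2.6 or newer.
# Python 2 prints its version on stderr, so call it as
#   python_version_ok "$(python -V 2>&1)"
python_version_ok() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  set -- $ver
  if [ "$1" -gt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -ge 6 ]; }; then
    return 0
  fi
  return 1
}

# Return 0 when every comma-separated name is a section DBSAT recognises.
valid_sections() {
  old_ifs=$IFS
  IFS=','
  for s in $1; do
    case " $DBSAT_SECTIONS " in
      *" $s "*) ;;
      *) IFS=$old_ifs; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# Print the dbsat report command line. Output stays encrypted (no -n) unless
# DBSAT_PLAINTEXT=1 is set on purpose, in line with Oracle's recommendation.
dbsat_report_cmd() {
  input=$1
  exclude=$2
  cmd="./dbsat report -a"
  if [ "${DBSAT_PLAINTEXT:-0}" = "1" ]; then
    cmd="$cmd -n"
  fi
  if [ -n "$exclude" ]; then
    valid_sections "$exclude" || { echo "unknown section in: $exclude" >&2; return 1; }
    cmd="$cmd -x $exclude"
  fi
  echo "$cmd $input"
}
```

Run the printed command from the dbsat directory, for example `eval "$(dbsat_report_cmd db04 OS,PRIV)"`, after python_version_ok has confirmed the interpreter.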

Interpreting the report

This part of the paper highlights the key sections of the report and describes the important points in each:

The Basic Information

Contains the following validation and analysis:

  • Database Version
  • Security Features configuration status in the database
  • Latest Patch checks verification

User Accounts

Contains the following validation and analysis:

  • User accounts status, whether they are predefined or not
  • Users assigned with SYSTEM or SYSAUX tablespaces
  • Sample schemas configuration
  • Users list who are inactive for more than 30 days
  • Case sensitive passwords settings
  • Users with expired passwords and default passwords information
  • Password verification and User profiles data

Data Encryption Control

Contains the following validation and analysis:

  • TDE configuration
  • Wallet details

Auditing

Contains the following validation and analysis:

  • Auditing records
  • Audit enabled statements
  • Objects list with auditing enabled
  • Users auditing details
  • Accounts management auditing
  • DB connect auditing

OS

Contains the following validation and analysis:

  • OS authentication
  • Agent process
  • File permissions in ORACLE_HOME

The report focuses mainly on addressing potential security vulnerabilities and misconfigurations, and provides recommendations to harden the database against the issues found.

REFERENCES

Below is the list of references for documentation and software download:

Documentation: http://docs.oracle.com/cd/E76178_01/SATUG/toc.htm#SATUG-GUID-C7E917BB-EDAC-4123-900A-D4F2E561BFE9

Software download: through My Oracle Support, Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)

CONCLUSION

DBSAT is a lightweight security assessment tool that analyzes the database for potential security vulnerabilities and misconfigurations, identifies the security risks and gives recommendations to mitigate them. Moreover, this tool does not require a high level of expertise to produce quick and clear reports. However, you will need to look for a newer version from time to time to have the latest security validations.

The test demonstrated in this paper was carried out on an Exadata half-rack machine. The data collector and reporter took less than a minute to complete and did not show any performance impact.
