What is Oracle Database Security Assessment Tool (DBSAT)?
- DBSAT is a lightweight, useful tool; it is easy to run and deploy and quickly provides a view of the database's security and configuration settings.
- It is designed to be run on a regular basis to identify and report on potential security vulnerabilities, misconfigurations, and non-compliance issues.
- DBSAT is a command-line tool that can be run on any system with access to an Oracle Database.
- It performs a comprehensive security assessment of the database, analyzing a wide range of settings and configurations, including those related to authentication, authorization, network security, and data encryption.
- You can use DBSAT to implement and enforce security best practices in your organization.
- The tool generates a report that summarizes the security posture of the database and highlights any issues that require attention.
- The report also provides recommendations for remediation, along with links to relevant documentation.
What are the key features of DBSAT?
- Checks for compliance with security best practices and standards.
- Identifies sensitive data, such as credit card numbers and social security numbers.
- Detects misconfigurations and vulnerabilities that could be exploited by attackers.
- Reports on the strength of encryption and integrity protection of sensitive data.
- Identifies potential SQL injection and cross-site scripting vulnerabilities in application code.
- Reduces risk exposure using proven best practices.
- Supports Oracle Database 10g, 11g, 12c, 18c, 19c and so on.
- Provided at no additional cost to Oracle customers.
Note: DBSAT runs with the privileges of the user who runs it; depending on those privileges, it might not detect all vulnerabilities, misconfigurations and non-compliance issues.
What are the DBSAT components?
DBSAT has three components: Collector, Reporter, and Discoverer.
Collector and Reporter work together to discover risk areas and produce the report on those risk areas, the Database Security Assessment report.
The Discoverer is a stand-alone module used to locate and report on sensitive data, producing the Database Sensitive Data Assessment report.
- The Collector is responsible for collecting raw data from the target database by executing SQL queries and OS commands.
- The Reporter reads the collected data, analyzes it and produces reports with the findings. The Reporter outputs four reports, in HTML, XLS, JSON and Text formats.
- The Discoverer executes SQL queries against database dictionary views to discover sensitive data, and outputs reports in HTML and CSV formats. The Discoverer CSV report can be loaded into Oracle Audit Vault and Database Firewall starting in 12.2.0.8, to add sensitive data context to the new Data Privacy reports. For more information about this functionality,
How is DBSAT related to Data Safe?
Data Safe is a database security cloud service that provides a comprehensive suite of security capabilities. These capabilities include Security Assessment, User Assessment, Activity Monitoring, Sensitive Data Discovery, and Data Masking, and they work for databases running in the cloud or on-premises. DBSAT is excellent for assessing the current security state of a few databases. Data Safe builds on it and addresses enterprise-level requirements.
With Data Safe, you’ll be able to:
- Execute periodic scheduled assessments
- Set a database security baseline
- See a comparison report with the drift against the baseline
- See the history of all assessment runs
- Get insight into user risks via the User Assessment feature
- Address your company or regulatory requirements that require anonymizing data in non-production environments, monitor database activity, assess your database security posture, and discover sensitive data in a single unified console
To learn more about Oracle Data Safe, please visit https://www.oracle.com/security/database-security/data-safe/.
Where can I download the dbsat utility?
#### Metalink note
Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)
What are the prerequisites?
- The dbsat script should be run by a privileged user, and the database wallet should be open.
- Python must be installed to generate the report.
Steps to run dbsat
Two stages:
Stage 1:
[oracle@localhost ~]$ mkdir DBSAT
[oracle@localhost ~]$ cd DBSAT
[oracle@localhost DBSAT]$ ls -ltr
total 4592
-rw-r--r--. 1 oracle oinstall 4699765 Jan 11 16:23 dbsat.zip
[oracle@localhost DBSAT]$ unzip dbsat.zip <<<<<<<<<<<<<<<<<<<<<<<<< Unzip dbsat.zip
Archive: dbsat.zip
inflating: dbsat
inflating: dbsat.bat
inflating: sat_collector.sql
inflating: sat_reporter.py
inflating: sat_analysis.py
inflating: xlsxwriter/app.py
inflating: xlsxwriter/chart_area.py
inflating: xlsxwriter/chart_bar.py
inflating: xlsxwriter/chart_column.py
inflating: xlsxwriter/chart_doughnut.py
inflating: xlsxwriter/chart_line.py
inflating: xlsxwriter/chart_pie.py
inflating: xlsxwriter/chart.py
inflating: xlsxwriter/chart_radar.py
inflating: xlsxwriter/chart_scatter.py
inflating: xlsxwriter/chartsheet.py
inflating: xlsxwriter/chart_stock.py
inflating: xlsxwriter/comments.py
inflating: xlsxwriter/compatibility.py
inflating: xlsxwriter/contenttypes.py
inflating: xlsxwriter/core.py
inflating: xlsxwriter/custom.py
inflating: xlsxwriter/drawing.py
inflating: xlsxwriter/exceptions.py
inflating: xlsxwriter/format.py
inflating: xlsxwriter/__init__.py
inflating: xlsxwriter/packager.py
inflating: xlsxwriter/relationships.py
inflating: xlsxwriter/shape.py
inflating: xlsxwriter/sharedstrings.py
inflating: xlsxwriter/styles.py
inflating: xlsxwriter/table.py
inflating: xlsxwriter/theme.py
inflating: xlsxwriter/utility.py
inflating: xlsxwriter/vml.py
inflating: xlsxwriter/workbook.py
inflating: xlsxwriter/worksheet.py
inflating: xlsxwriter/xmlwriter.py
inflating: xlsxwriter/LICENSE.txt
inflating: Discover/bin/discoverer.jar
inflating: Discover/lib/ojdbc8.jar
inflating: Discover/lib/oraclepki.jar
inflating: Discover/lib/osdt_cert.jar
inflating: Discover/lib/osdt_core.jar
inflating: Discover/conf/sample_dbsat.config
inflating: Discover/conf/sensitive_en.ini
inflating: Discover/conf/sensitive_es.ini
inflating: Discover/conf/sensitive_de.ini
inflating: Discover/conf/sensitive_pt.ini
inflating: Discover/conf/sensitive_it.ini
inflating: Discover/conf/sensitive_fr.ini
inflating: Discover/conf/sensitive_nl.ini
inflating: Discover/conf/sensitive_el.ini
[oracle@localhost DBSAT]$ ls -ltr
total 5048
-r-xr-xr-x. 1 oracle oinstall 13592 Jun 16 2021 dbsat
-r-xr-xr-x. 1 oracle oinstall 13767 Aug 16 2021 dbsat.bat
-rw-rw-r--. 1 oracle oinstall 333949 Aug 16 2021 sat_reporter.py
-rw-rw-r--. 1 oracle oinstall 65138 Aug 16 2021 sat_collector.sql
-rw-rw-r--. 1 oracle oinstall 26096 Aug 16 2021 sat_analysis.py
-rw-r--r--. 1 oracle oinstall 4699765 Jan 11 16:23 dbsat.zip
drwxr-xr-x. 2 oracle oinstall 4096 Jan 11 16:23 xlsxwriter
drwxr-xr-x. 5 oracle oinstall 40 Jan 11 16:23 Discover
[oracle@localhost DBSAT]$ ./dbsat collect system@XE output_XE1 <<<<<<<<<<< Running on a container database with one PDB
Database Security Assessment Tool version 2.2.2 (June 2021)
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.
Connecting to the target Oracle database...
SQL*Plus: Release 21.0.0.0.0 - Production on Wed Jan 11 17:09:19 2023
Version 21.3.0.0.0
Copyright (c) 1982, 2021, Oracle. All rights reserved.
Enter password:
Last Successful login time: Wed Jan 11 2023 17:06:58 +00:00
Connected to:
Oracle Database 21c Express Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
Setup complete.
SQL queries complete.
/bin/cat: /opt/oracle/product/21c/dbhomeXE/network/admin/sqlnet.ora: No such file or directory
Warning: Exit status 256 from OS rule: sqlnet.ora
/bin/ls: cannot access '/opt/oracle/product/21c/dbhomeXE/network/admin/sqlnet.ora': No such file or directory
Warning: Exit status 512 from OS rule: ls_sqlnet.ora
/bin/cat: /opt/oracle/product/21c/dbhomeXE/network/admin/listener.ora: No such file or directory
Warning: Exit status 256 from OS rule: listener.ora
/bin/ls: cannot access '/opt/oracle/product/21c/dbhomeXE/network/admin/listener.ora': No such file or directory
Warning: Exit status 512 from OS rule: ls_listener.ora
/bin/ar: /opt/oracle/product/21c/dbhomeXE/rdbms/lib/libknlopt.a: No such file or directory
Warning: Exit status 256 from OS rule: dbcs_status
OS commands complete.
Disconnected from Oracle Database 21c Express Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
SQL queries complete.
/bin/cat: /opt/oracle/product/21c/dbhomeXE/network/admin/sqlnet.ora: No such file or directory
Warning: Exit status 256 from OS rule: sqlnet.ora
/bin/ls: cannot access '/opt/oracle/product/21c/dbhomeXE/network/admin/sqlnet.ora': No such file or directory
Warning: Exit status 512 from OS rule: ls_sqlnet.ora
/bin/cat: /opt/oracle/product/21c/dbhomeXE/network/admin/listener.ora: No such file or directory
Warning: Exit status 256 from OS rule: listener.ora
/bin/ls: cannot access '/opt/oracle/product/21c/dbhomeXE/network/admin/listener.ora': No such file or directory
Warning: Exit status 512 from OS rule: ls_listener.ora
/bin/ar: /opt/oracle/product/21c/dbhomeXE/rdbms/lib/libknlopt.a: No such file or directory
Warning: Exit status 256 from OS rule: dbcs_status
OS commands complete.
Disconnected from Oracle Database 21c Express Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
DBSAT Collector completed successfully.
Calling /opt/oracle/product/21c/dbhomeXE/bin/zip to encrypt output_XE1.json...
Enter password: <<<<<<<<<< Provide any password
Verify password:
adding: output_XE1.json (deflated 88%)
zip completed successfully.
[oracle@localhost DBSAT]$ ls -ltr
total 5152
-r-xr-xr-x. 1 oracle oinstall 13592 Jun 16 2021 dbsat
-r-xr-xr-x. 1 oracle oinstall 13767 Aug 16 2021 dbsat.bat
-rw-rw-r--. 1 oracle oinstall 333949 Aug 16 2021 sat_reporter.py
-rw-rw-r--. 1 oracle oinstall 65138 Aug 16 2021 sat_collector.sql
-rw-rw-r--. 1 oracle oinstall 26096 Aug 16 2021 sat_analysis.py
-rw-r--r--. 1 oracle oinstall 4699765 Jan 11 16:23 dbsat.zip
drwxr-xr-x. 2 oracle oinstall 4096 Jan 11 16:23 xlsxwriter
drwxr-xr-x. 5 oracle oinstall 40 Jan 11 16:23 Discover
-rw-------. 1 oracle oinstall 57340 Jan 11 17:10 dbsat4017.json
-rw-------. 1 oracle oinstall 48601 Jan 11 17:13 output_XE1.zip
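The collector output above is worth reading before the report is: each "Warning: Exit status ... from OS rule: ..." line means one OS-level check could not be evaluated (here because sqlnet.ora, listener.ora and libknlopt.a do not exist in this XE home), so the report's findings for those areas are incomplete rather than clean. The following script is an added example, not part of DBSAT or of the original post. It parses the collector's console output (the session lines above, embedded as a constructed sample), decodes the printed status as a raw wait status (exit code << 8, an assumption consistent with cat returning 1 and ls returning 2 for a missing file), and lists which assessment areas were not assessed. The rule-to-area labels are my own, derived from the file each rule reads; DBSAT's real mapping lives in sat_analysis.py.

```python
"""Triage OS-rule warnings printed by the DBSAT Collector (added example)."""
import re
from collections import OrderedDict

# Constructed sample: an excerpt of the collector output from the session above.
SAMPLE_LOG = """\
Setup complete.
SQL queries complete.
/bin/cat: /opt/oracle/product/21c/dbhomeXE/network/admin/sqlnet.ora: No such file or directory
Warning: Exit status 256 from OS rule: sqlnet.ora
/bin/ls: cannot access '/opt/oracle/product/21c/dbhomeXE/network/admin/sqlnet.ora': No such file or directory
Warning: Exit status 512 from OS rule: ls_sqlnet.ora
/bin/cat: /opt/oracle/product/21c/dbhomeXE/network/admin/listener.ora: No such file or directory
Warning: Exit status 256 from OS rule: listener.ora
/bin/ls: cannot access '/opt/oracle/product/21c/dbhomeXE/network/admin/listener.ora': No such file or directory
Warning: Exit status 512 from OS rule: ls_listener.ora
/bin/ar: /opt/oracle/product/21c/dbhomeXE/rdbms/lib/libknlopt.a: No such file or directory
Warning: Exit status 256 from OS rule: dbcs_status
OS commands complete.
DBSAT Collector completed successfully.
"""

WARNING_RE = re.compile(r"^Warning: Exit status (\d+) from OS rule: (\S+)$")
# Error printed by the OS command just before the warning, e.g. "/bin/cat: <path>: No such ..."
TOOL_ERR_RE = re.compile(r"^(/\S+): (.*)$")

# Assumed labels for what each OS rule assesses, based on the file it reads
# (not DBSAT's own mapping, which is inside sat_analysis.py).
RULE_AREAS = {
    "sqlnet.ora": "network encryption / SQL*Net settings",
    "ls_sqlnet.ora": "sqlnet.ora file permissions",
    "listener.ora": "listener configuration",
    "ls_listener.ora": "listener.ora file permissions",
    "dbcs_status": "Database Cloud Service detection",
}


def decode_exit_status(raw):
    """Turn the printed wait status into the child's exit code (256 -> 1, 512 -> 2)."""
    return raw >> 8 if raw >= 256 else raw


def parse_collector_log(text):
    """Return (completed, warnings).

    warnings maps rule name -> {"exit_code", "detail", "area"}, in the order
    the warnings appeared; detail is the OS error line printed just before it.
    completed is True only if the collector's success marker was seen.
    """
    warnings = OrderedDict()
    last_err = ""
    completed = False
    for line in text.splitlines():
        line = line.strip()
        m = WARNING_RE.match(line)
        if m:
            rule = m.group(2)
            warnings[rule] = {
                "exit_code": decode_exit_status(int(m.group(1))),
                "detail": last_err,
                "area": RULE_AREAS.get(rule, "unknown area"),
            }
            last_err = ""
            continue
        if TOOL_ERR_RE.match(line):
            last_err = line
        elif line == "DBSAT Collector completed successfully.":
            completed = True
    return completed, warnings


def unassessed_areas(text):
    """Sorted, de-duplicated list of areas whose OS rule failed to run."""
    _, warnings = parse_collector_log(text)
    return sorted({w["area"] for w in warnings.values()})


if __name__ == "__main__":
    done, found = parse_collector_log(SAMPLE_LOG)
    print("collector completed:", done)
    for rule, info in found.items():
        print(f"{rule}: exit code {info['exit_code']} -> not assessed: {info['area']}")
        print("    ", info["detail"])
```

Run it against a saved copy of the collector's console output (for example by redirecting the dbsat collect session through tee) and attach the resulting list of unassessed areas to the report, so that a missing sqlnet.ora is recorded as "not checked" rather than silently passing as "no weak network settings found".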
Stage 2:
Prerequisite: Python must be installed on the system.
[oracle@localhost DBSAT]$ ./dbsat report output_XE1 <<<<< Same file name that was generated in the first stage
Database Security Assessment Tool version 2.2.2 (June 2021)
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.
Archive: output_XE1.zip
[output_XE1.zip] output_XE1.json password: <<<<<<<<< Provide password
inflating: output_XE1.json
DBSAT Reporter ran successfully.
Calling /usr/bin/zip to encrypt the generated reports...
Enter password: <<<<<<<<<<<<<< Provide any password
Verify password:
zip warning: output_XE1_report.zip not found or empty
adding: output_XE1_report.txt (deflated 77%)
adding: output_XE1_report.html (deflated 83%)
adding: output_XE1_report.xlsx (deflated 3%)
adding: output_XE1_report.json (deflated 81%)
zip completed successfully.
[oracle@localhost DBSAT]$
Unzip output_XE1_report.zip with the password you provided and read the files below:
- output_XE1_report.txt
- output_XE1_report.html
- output_XE1_report.xlsx
- output_XE1_report.json
Sample screenshots from the HTML and XLSX reports:
![](https://dbanextstep.com/wp-content/uploads/2023/01/dbsat-1-min-1024x762.png)
![](https://dbanextstep.com/wp-content/uploads/2023/01/dbsat-2-min-1024x876.jpg)
![](https://dbanextstep.com/wp-content/uploads/2023/01/dbsat-3-min.jpg)
![](https://dbanextstep.com/wp-content/uploads/2023/01/dbsat-4-min.jpg)
![](https://dbanextstep.com/wp-content/uploads/2023/01/dbsat-5-min-1024x957.jpg)