Description:-
DBSAT is lightweight, easy to run and deploy and quickly provides a view on the database security configuration, the database users, their entitlements, security policies, security controls, and where sensitive data resides.
The Oracle Database Security Assessment Tool (DBSAT) is a stand-alone command line tool that accelerates the assessment and regulatory compliance process by collecting relevant types of configuration information from the database and evaluating the current security state to provide recommendations on how to mitigate the identified risks.
You can use DBSAT to implement and enforce security best practices in your organization. DBSAT reports on the state of user accounts, role and privilege grants, and policies that control the use of various security features in the database.
Oracle released the version 2.2.2 (June 2021) Database Security Assessment Tool (DBSAT)
Download the DBSAT TOOL -> Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)
Summary: Oracle DBSAT
• Quickly assess the current security status of database before hackers do
• Identify sensitive data to determine risk and appropriate security controls
• Reduce risk exposure using proven best practices
• Accelerate compliance with EU GDPR and other regulations
• Support Oracle Database 11g, 12c, 18c, 19c and 21c
• Provided at no additional cost to Oracle customers
Database Security Assessment Tool Components
Collector:-
The Collector executes SQL queries and runs operating system commands to collect data from the system to be assessed. It does this primarily by querying database dictionary views. The collected data is written to a JSON file that is used by the DBSAT Reporter in the analysis phase.
Reporter:-
The Reporter analyzes the collected data and generates a Database Security Assessment Report in HTML, Excel, JSON, and Text formats. The Reporter can run on any machine: PC, laptop, or server. You are not limited to running the Reporter on the database server or the same machine as the Collector.
Discoverer:-
The Discoverer executes SQL queries and collects data from the system to be assessed, based on the settings specified in the configuration files. It does this primarily by querying database dictionary views. The collected data is then used to generate a Database Sensitive Data Assessment Report in HTML and CSV formats. The Discoverer can run on any machine: PC, laptop, or server. You are not limited to running the Discoverer on the database server or the same machine as the Collector or Reporter.
Supported Operating Systems
The database configuration collection queries run on most supported Oracle Database platforms. However, currently the OS data collection will be skipped on Windows platforms.
Oracle DBSAT runs on:
Solaris x64 and Solaris SPARC64
Linux x86-64
Windows x64
HP-UX IA (64-bit)
IBM AIX (64-bit) & Linux on zSeries (64-bit)
Supported Database Versions
You can run the Oracle DBSAT on Oracle Database 11.2.0.4 and later releases on on-premises or in the Cloud, on Oracle Database Standard Edition 2 and Oracle Database Enterprise Edition. Oracle DBSAT can also be run against Autonomous Databases (Shared and Dedicated) and Oracle Cloud DBCS (DBSystems EE/HP/EP). Some findings will do different checks and provide targeted remarks for these databases.
Let’s Start the demo
Installing the Database Security Assessment Tool
Step1:- Log in to the database server.
Step2:- Create the dbsat directory:
[oracle@Prod22 ~]$ mkdir –p /home/oracle/dbsat
Step3:-Download or copy the dbsat.zip file to the database server, and unzip the file.
[oracle@Prod22 Desktop]$ unzip dbsat.zip -d /home/oracle/dbsat
Archive: dbsat.zip
inflating: /home/oracle/dbsat/dbsat
inflating: /home/oracle/dbsat/dbsat.bat
inflating: /home/oracle/dbsat/sat_collector.sql
inflating: /home/oracle/dbsat/sat_reporter.py
Using the Collector and Reporter
You can generate the Oracle Database Security Assessment Report and the Oracle Database Sensitive Data Assessment Report with the Collector, Reporter, and Discoverer components.
Oracle Database Security Assessment Report
The Collector and Reporter components are used to generate the Oracle Database Security Assessment Report.
Running the Collector
The Collector queries the database to collect data that will be analyzed by the Reporter.
Note: The Collector connects to the database. Ensure that the target database and listener are running before running the Collector.
[oracle@Prod22 dbsat]$ ./dbsat collect system@oradbwr /u02/statreport
Database Security Assessment Tool version 2.2.2 (June 2021)
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company’s policies.
Connecting to the target Oracle database…
SQL*Plus: Release 19.0.0.0.0 – Production on Fri Jul 16 20:10:45 2021
Version 19.11.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 – Production
Version 19.11.0.0.0
Setup complete.
SQL queries complete.
/bin/ls: cannot access /u02/app/oracle/product/19.0.0/dbhome_1/bin/tfactl: No such file or directory
Warning: Exit status 256 from OS rule: executable_permission
/bin/cat: /u02/app/oracle/product/19.0.0/dbhome_1/network/admin/sqlnet.ora: No such file or directory
Warning: Exit status 256 from OS rule: sqlnet.ora
/bin/ls: cannot access /u02/app/oracle/product/19.0.0/dbhome_1/network/admin/sqlnet.ora: No such file or directory
Warning: Exit status 512 from OS rule: ls_sqlnet.ora
Warning: Exit status 256 from OS rule: dbcs_status
OS commands complete.
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 – Production
Version 19.11.0.0.0
DBSAT Collector completed successfully.
Calling /u02/app/oracle/product/19.0.0/dbhome_1/bin/zip to encrypt statreport.json…
Enter password:
Verify password:
adding: statreport.json (deflated 85%)
zip completed successfully.
Running the Reporter
Note :-Python Version needs upgrade
Download Here & Steps to install Python Here
The Reporter analyses the data collected by the Collector and makes recommendations to improve the security of the database.
Step1:-You can invoke the Reporter with dbsat report.
To run the Reporter, do the following:
Check that Python version is 2.6 or later is installed.
[oracle@Prod22 dbsat]$ python -V
Python 2.7.5
[oracle@Prod22 dbsat]$ ./dbsat report /u02/statreport
Database Security Assessment Tool version 2.2.2 (June 2021)
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company’s policies.
Archive: statreport.zip
[statreport.zip] statreport.json password:
inflating: statreport.json
DBSAT Reporter ran successfully.
Calling /usr/bin/zip to encrypt the generated reports…
Enter password:
Verify password:
zip warning: statreport_report.zip not found or empty
adding: statreport_report.txt (deflated 76%)
adding: statreport_report.html (deflated 83%)
adding: statreport_report.xlsx (deflated 3%)
adding: statreport_report.json (deflated 81%)
zip completed successfully.
Running the Discoverer
Note:-Java version 1.8 or later is required
[oracle@Prod22 dbsat]$ export JAVA_HOME=/usr/java/jdk1.8.0_291-amd64
[oracle@Prod22 dbsat]$ export PATH=$JAVA_HOME/bin:$PATH
[oracle@Prod22 dbsat]$ ls -lrt
total 228
-r–r–r–. 1 oracle oinstall 27424 Jul 5 18:38 sensitive_pt.ini
-r–r–r–. 1 oracle oinstall 26302 Jul 5 18:38 sensitive_nl.ini
-r–r–r–. 1 oracle oinstall 25172 Jul 5 18:38 sensitive_it.ini
-r–r–r–. 1 oracle oinstall 27287 Jul 5 18:38 sensitive_fr.ini
-r–r–r–. 1 oracle oinstall 26829 Jul 5 18:38 sensitive_es.ini
-r–r–r–. 1 oracle oinstall 31911 Jul 5 18:38 sensitive_en.ini
-r–r–r–. 1 oracle oinstall 12642 Jul 5 18:38 sensitive_el.ini
-r–r–r–. 1 oracle oinstall 29090 Jul 5 18:38 sensitive_de.ini
-r–r–r–. 1 oracle oinstall 5902 Jul 5 18:38 sample_dbsat.config
[oracle@Prod22 conf]$ cp sample_dbsat.config dbsat.config
[oracle@Prod22 conf]$ vi dbsat.config
[oracle@Prod22 conf]$ chmod 775 dbsat.config
[oracle@Prod22 conf]$ vi dbsat.config -> Add database name and servicename
[oracle@Prod22 conf]$ cd ..
[oracle@Prod22 Discover]$ cd ..
[oracle@Prod22 dbsat]$ ./dbsat discover -c Discover/conf/dbsat.config oradbwr
Database Security Assessment Tool version 2.2.2 (June 2021)
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company’s policies.
Enter username: sys as sysdba
Enter password:
DBSAT Discover ran successfully.
Calling /usr/bin/zip to encrypt the generated reports…
Enter password:
Verify password:
zip warning: oradbwr_report.zip not found or empty
adding: oradbwr_discover.html (deflated 72%)
adding: oradbwr_discover.csv (deflated 30%)
Zip completed successfully.
Copy the HTML to local machine
Catch Me On:- Hariprasath Rajaram
LinkedIn:https://www.linkedin.com/in/hari-prasath-aa65bb19/
Facebook:https://www.facebook.com/HariPrasathdba
FB Group:https://www.facebook.com/groups/894402327369506/
FB Page: https://www.facebook.com/dbahariprasath/?
Twitter: https://twitter.com/oraclebwr