The Database Security Assessment Tool (DBSAT) is an incredible free command line tool provided by Oracle Corporation that helps you check your database for common security issues (including the security policies and controls in place) and identify sensitive data stored in the database. To be able to use it you need a valid Oracle Support CSI, and you download it from My Oracle Support [Doc ID 2138254.1].
The DBSAT tool contains three modules:
- Collector
- Reporter
- Discoverer
Collector and Reporter work together to discover any risk areas and produce a report about them – the Database Security Assessment report. The Discoverer is a stand-alone module used to locate and report on sensitive data – it produces the Database Sensitive Data Assessment report.
DBSAT also includes two companion utilities that work on the Reporter's JSON output:
- DBSAT Extract – Python program that enables you to extract findings by their identifiers
- DBSAT Diff – Python program that enables you to compare two reports and find the differences
You can download the above DBSAT companion modules from the same My Oracle Support document you used to download the DBSAT tool [Doc ID 2138254.1].
Prerequisites
Note that DBSAT is only certified to run on the following operating systems:
- Solaris x64 and Solaris SPARC64
- Linux x86-64
- Windows x64
- HP-UX IA (64-bit)
- IBM AIX (64-bit) & Linux on zSeries (64-bit)
You can run the DBSAT tool against any Oracle Database 10.2.0.5 or later, on-premises or in Cloud environments. DBSAT can also be run against Oracle Cloud DBCS (PaaS) and Autonomous Databases (ADWC and ATP).
The zip, unzip and python packages must be installed on the server. On a yum-based system you can install them with the command below:
# yum install -y zip unzip python
You can verify that Python is installed (2.6 or later is required) by issuing the following command at OS level (note the capital -V; lowercase -v turns on verbose import tracing instead of printing the version):
# python -V
Python 2.6.6
Finally, you can verify that zip and unzip are already installed on your server by issuing the following commands.
# zip -v
Copyright (c) 1990-2008 Info-ZIP - Type 'zip "-L"' for software license.
This is Zip 3.0 (July 5th 2008), by Info-ZIP.
Currently maintained by E. Gordon.  Please send bug reports to the authors using
the web page at www.info-zip.org; see README for details.

Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip,
as of above date; see http://www.info-zip.org/ for other sites.

Compiled with gcc 4.4.7 20120313 (Red Hat 4.4.7-16) for Unix (Linux ELF) on Nov 10 2015.

Zip special compilation options:
        USE_EF_UT_TIME       (store Universal Time)
        SYMLINK_SUPPORT      (symbolic links supported)
        LARGE_FILE_SUPPORT   (can read and write large files on file system)
        ZIP64_SUPPORT        (use Zip64 to store large files in archives)
        UNICODE_SUPPORT      (store and read UTF-8 Unicode paths)
        STORE_UNIX_UIDs_GIDs (store UID/GID sizes/values using new extra field)
        UIDGID_NOT_16BIT     (old Unix 16-bit UID/GID extra field not used)
        [encryption, version 2.91 of 05 Jan 2007] (modified for Zip 3)

Encryption notice:
        The encryption code of this program is not copyrighted and is
        put in the public domain.  It was originally written in Europe
        and, to the best of our knowledge, can be freely distributed in
        both source and object forms from any country, including the USA
        under License Exception TSU of the U.S. Export Administration
        Regulations (section 740.13(e)) of 6 June 2002.

Zip environment options:
             ZIP:  [none]
          ZIPOPT:  [none]

# unzip -v
UnZip 6.00 of 20 April 2009, by Info-ZIP.  Maintained by C. Spieler.  Send
bug reports using http://www.info-zip.org/zip-bug.html; see README for details.

Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;
see ftp://ftp.info-zip.org/pub/infozip/UnZip.html for other sites.

Compiled with gcc 4.4.7 20120313 (Red Hat 4.4.7-17) for Unix (Linux ELF) on Jan 10 2017.

UnZip special compilation options:
        COPYRIGHT_CLEAN (PKZIP 0.9x unreducing method not supported)
        SET_DIR_ATTRIB
        SYMLINKS (symbolic links supported, if RTL and file system permit)
        TIMESTAMP
        UNIXBACKUP
        USE_EF_UT_TIME
        USE_UNSHRINK (PKZIP/Zip 1.x unshrinking method supported)
        USE_DEFLATE64 (PKZIP 4.x Deflate64(tm) supported)
        UNICODE_SUPPORT [wide-chars, char coding: UTF-8] (handle UTF-8 paths)
        MBCS-support (multibyte character support, MB_CUR_MAX = 6)
        LARGE_FILE_SUPPORT (large files over 2 GiB supported)
        ZIP64_SUPPORT (archives using Zip64 for large files supported)
        VMS_TEXT_CONV
        [decryption, version 2.11 of 05 Jan 2007]

UnZip and ZipInfo environment options:
           UNZIP:  [none]
        UNZIPOPT:  [none]
         ZIPINFO:  [none]
      ZIPINFOOPT:  [none]
To run the Discoverer module you need at least a Java 1.8 JDK installed and working in your environment, and the JAVA_HOME environment variable must be set. JAVA_HOME must point to the JDK installation directory (the one containing bin/java), not to the java binary itself.
You can check whether Java is available in your environment, locate the binary, and set JAVA_HOME from its real location by issuing the following commands:
# java -version
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b12, mixed mode)
# whereis java
java: /usr/bin/java
# export JAVA_HOME=$(dirname "$(dirname "$(readlink -f /usr/bin/java)")")
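The checks above are easy to script so they can be re-run on every server before DBSAT is used. The following is an added example, not part of DBSAT or of the original post; it assumes the minimums stated above (Python 2.6, Java 1.8 for the Discoverer) and that JAVA_HOME must name the JDK directory so that $JAVA_HOME/bin/java exists. The version comparison is generic: it handles update suffixes such as "1.8.0_181" and newer single-number Java versions such as "11.0.2".

```shell
#!/bin/sh
# Added example (not DBSAT's own code): prerequisite check for DBSAT.
# Assumed minimums: Python >= 2.6, Java >= 1.8 (Discoverer only), and
# JAVA_HOME pointing at the JDK directory (so $JAVA_HOME/bin/java exists).

# version_ge A B: succeed when dotted version A is >= B, comparing numerically
# field by field ("1.8.0_181" >= "1.8"; non-numeric suffixes are ignored).
version_ge() {
    i=1
    while :; do
        # the trailing dot guarantees cut sees a delimiter even for "2" or "19"
        x=$(printf '%s.\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s.\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi   # all fields equal
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# java_home_from_binary PATH: derive the JDK directory from the resolved path
# of the java binary, e.g. /usr/lib/jvm/jdk1.8.0/bin/java -> /usr/lib/jvm/jdk1.8.0
java_home_from_binary() {
    dirname "$(dirname "$1")"
}

# dbsat_prereq_check: run every check, report each problem on stderr and
# return the number of failures (0 means the server is ready for ./dbsat).
dbsat_prereq_check() {
    failures=0
    for cmd in zip unzip python java; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "MISSING: $cmd is not on PATH" >&2
            failures=$((failures + 1))
        fi
    done
    if command -v python >/dev/null 2>&1; then
        # Python 2 prints its version on stderr, hence 2>&1
        pyver=$(python -V 2>&1 | awk '{print $2}')
        if ! version_ge "$pyver" 2.6; then
            echo "TOO OLD: Python $pyver, need 2.6 or later" >&2
            failures=$((failures + 1))
        fi
    fi
    if command -v java >/dev/null 2>&1; then
        # first line of 'java -version' carries the quoted version string
        javaver=$(java -version 2>&1 | sed -n '1s/.*"\([^"]*\)".*/\1/p')
        if ! version_ge "$javaver" 1.8; then
            echo "TOO OLD: Java $javaver, the Discoverer needs 1.8 or later" >&2
            failures=$((failures + 1))
        fi
        if [ -z "${JAVA_HOME:-}" ] || [ ! -x "$JAVA_HOME/bin/java" ]; then
            want=$(java_home_from_binary "$(readlink -f "$(command -v java)")")
            echo "JAVA_HOME is unset or has no bin/java; try: export JAVA_HOME=$want" >&2
            failures=$((failures + 1))
        fi
    fi
    return "$failures"
}

# usage: sh dbsat_prereq.sh run
case "${1:-}" in
    run) dbsat_prereq_check ;;
esac
```

Run it as the oracle user with `sh dbsat_prereq.sh run`; a non-zero exit status means at least one prerequisite is missing, and each missing item is printed on stderr.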
Next, we need to create a user with the privileges required to run DBSAT, as follows. The account only needs the read-type privileges listed here; do not grant it DBA. The password shown is just an example, choose your own.
If Database Vault is enabled, connect as DV_ACCTMGR to run the commands below.
SQL> CREATE USER DBSAT_USER IDENTIFIED BY OraclE##2019;
SQL> GRANT CREATE SESSION TO DBSAT_USER;
SQL> GRANT SELECT_CATALOG_ROLE TO DBSAT_USER;
SQL> GRANT SELECT ON SYS.REGISTRY$HISTORY TO DBSAT_USER;
SQL> GRANT DV_SECANALYST TO DBSAT_USER;                        -- if Database Vault is enabled
SQL> GRANT SELECT ON SYS.DBA_USERS_WITH_DEFPWD TO DBSAT_USER;  -- if 11g or later
SQL> GRANT AUDIT_VIEWER TO DBSAT_USER;                         -- if 12c or later
SQL> GRANT SELECT ON AUDSYS.AUD$UNIFIED TO DBSAT_USER;         -- if 12c or later
SQL> GRANT CAPTURE_ADMIN TO DBSAT_USER;                        -- if 12c or later
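Because several of the grants depend on the database version and on whether Database Vault is enabled, it is handy to generate the exact script for a given database instead of copying all the lines and deleting some. The helper below is an added example, not DBSAT's own code; it assumes you know the database version (10.2, 11.2, 12.1, 18.3, 19, ...) and the Database Vault status, and it leaves the password to a SQL*Plus substitution variable (&dbsat_pwd) so no password is written into a script file.

```shell
#!/bin/sh
# Added example (not DBSAT's own code): emit the CREATE USER / GRANT script
# for the DBSAT account, applying the version and Database Vault conditions
# so that only the grants that apply to this database are issued.

# dbsat_grant_sql VERSION DV_ENABLED [USERNAME]
#   VERSION    database version such as 10.2, 11.2, 12.1, 18.3, 19
#   DV_ENABLED yes|no (Database Vault enabled?)
dbsat_grant_sql() {
    ver="$1"; dv="$2"; user="${3:-DBSAT_USER}"
    major=${ver%%.*}                      # "18.3" -> 18, "19" -> 19
    echo "-- Run as DV_ACCTMGR when Database Vault is enabled, otherwise as a privileged administrator."
    echo "-- SQL*Plus prompts for &dbsat_pwd so the password is not stored in this script."
    echo "CREATE USER $user IDENTIFIED BY &dbsat_pwd;"
    echo "GRANT CREATE SESSION TO $user;"
    echo "GRANT SELECT_CATALOG_ROLE TO $user;"
    echo "GRANT SELECT ON SYS.REGISTRY\$HISTORY TO $user;"
    if [ "$dv" = yes ]; then
        echo "GRANT DV_SECANALYST TO $user;"
    fi
    if [ "$major" -ge 11 ]; then
        echo "GRANT SELECT ON SYS.DBA_USERS_WITH_DEFPWD TO $user;"
    fi
    if [ "$major" -ge 12 ]; then
        echo "GRANT AUDIT_VIEWER TO $user;"
        echo "GRANT SELECT ON AUDSYS.AUD\$UNIFIED TO $user;"
        echo "GRANT CAPTURE_ADMIN TO $user;"
    fi
}

# grant_count VERSION DV_ENABLED: number of GRANT statements that would be issued
grant_count() {
    dbsat_grant_sql "$1" "$2" | grep -c '^GRANT'
}

# usage: sh dbsat_grants.sh 18.3 yes > create_dbsat_user.sql
if [ $# -ge 2 ]; then
    dbsat_grant_sql "$1" "$2" "${3:-}"
fi
```

Generate the script with `sh dbsat_grants.sh 18.3 yes > create_dbsat_user.sql` and run it with SQL*Plus, which prompts for the password when it meets the &dbsat_pwd substitution variable. An 18c database with Database Vault gets all eight grants; a 10.2 database without Database Vault gets only the three that exist on every supported release.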
Installation
The installation of DBSAT is a very simple process:
- Log in to the database server on which you wish to use DBSAT
- Create the DBSAT directory – $ mkdir -p /home/oracle/dbsat
- Download the dbsat.zip file, copy it to the database server and unzip it – $ unzip dbsat.zip -d /home/oracle/dbsat
- And you are ready to go
Basic Usage
Running the dbsat utility with no parameters displays the basic usage details (like a help option).
$ ./dbsat

Database Security Assessment Tool version 2.1 (March 2019)

Usage: dbsat collect [ -n ] <database_connect_string> <output_file>
       dbsat report [ -a ] [ -n ] [ -x <section> ] <input_file>
       dbsat discover [ -n ] -c <config_file> <output_file>

Options: -a  Report about all user accounts, including locked,
             Oracle-supplied users
         -n  No encryption for output
         -x  Specify sections to exclude from report (may be repeated
             for multiple sections)
         -c  Configuration file for discoverer
Running the Collect Module
To run the DBSAT collect mode all you need to do is run the DBSAT executable with the following parameters:
- collect – meaning you are executing the collect module
- connect_string – specifies the connection string used to connect to the database
- destination – specifies the location and file name for the Database Security Assessment report (do not add an extension)
When run, the collector prompts you to enter the database password manually, and at the end it asks for an encryption key (password) for the zip output file that is generated.
$ ./dbsat collect dbsat_user@test test_output

Database Security Assessment Tool version 2.1 (March 2019)

This tool is intended to assist in you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You are
solely responsible for ensuring that the output of this tool, including any
generated reports, is handled in accordance with your company's policies.

Connecting to the target Oracle database...

SQL*Plus: Release 18.0.0.0.0 - Production on Wed Mar 13 00:09:24 2019
Version 18.3.0.0.0

Copyright (c) 1982, 2018, Oracle. All rights reserved.

Enter password:

Connected to:
Oracle Database 18c EE Extreme Perf Release 18.0.0.0.0 - Production
Version 18.3.0.0.0

Setup complete.
SQL queries complete.
/bin/cat: /u01/app/oracle/product/18.0.0.0/dbhome_1/network/admin/listener.ora: No such file or directory
Warning: Exit status 256 from OS rule: listener.ora
/bin/ls: cannot access /u01/app/oracle/product/18.0.0.0/dbhome_1/network/admin/listener.ora: No such file or directory
Warning: Exit status 512 from OS rule: ls_listener.ora
OS commands complete.
Disconnected from Oracle Database 18c EE Extreme Perf Release 18.0.0.0.0 - Production
Version 18.3.0.0.0
DBSAT Collector completed successfully.

Calling /u01/app/oracle/product/18.0.0.0/dbhome_1/bin/zip to encrypt test_output.json...

Enter password:
Verify password:
  adding: test_output.json (deflated 87%)
zip completed successfully.
$
Running the Report Mode
The reporter mode analyzes all the data gathered by a previous run of the Collector mode and generates recommendations to improve the security of the database.
To run DBSAT in report mode all you need to do is run the DBSAT executable with the following parameters:
- report – meaning you are executing the report module
- -a – includes all the database user accounts in the analysis (locked Oracle-supplied accounts are excluded by default, as they cannot be used to connect to the database)
- -n – specifies that the generated reports are not encrypted
- -x – excludes a section from the report; the sections are:
  - USER : User Accounts
  - PRIV : Privileges and Roles
  - AUTH : Authorization Control
  - CRYPT : Encryption
  - ACCESS : Fine-Grained Access Control
  - AUDIT : Auditing
  - CONF : Database Configuration
  - NET : Network Configuration
  - OS : Operating System
- destination – specifies the location and file name for the Database Security Assessment report (do not add an extension)
When run, the reporter prompts you to enter the encryption password that was used when the data was collected from the database, and at the end it asks for an encryption key (password) for the zip output file that is generated.
$ ./dbsat report test_output

Database Security Assessment Tool version 2.1 (March 2019)

This tool is intended to assist in you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You are
solely responsible for ensuring that the output of this tool, including any
generated reports, is handled in accordance with your company's policies.

Archive:  test_output.zip
[test_output.zip] test_output.json password:
  inflating: test_output.json
DBSAT Reporter ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password:
Verify password:
        zip warning: test_output_report.zip not found or empty
  adding: test_output_report.txt (deflated 75%)
  adding: test_output_report.html (deflated 83%)
  adding: test_output_report.xlsx (deflated 3%)
  adding: test_output_report.json (deflated 80%)
zip completed successfully.
$
The report module generates a new zip file containing all the findings; in the above example it is the test_output_report.zip file. You can review the findings by extracting the zip file (using the encryption password entered during the process) and looking at the TXT or HTML version of the report. Keep in mind the tool's own warning: the reports describe your security weaknesses in detail, so store them encrypted and share them only with the people who need them.
$ unzip test_output_report.zip
Archive:  test_output_report.zip
[test_output_report.zip] test_output_report.txt password:
  inflating: test_output_report.txt
  inflating: test_output_report.html
  inflating: test_output_report.xlsx
  inflating: test_output_report.json
Running the Discover Mode
The discover mode is a cool separate Java-based tool that is able to check for any sensitive data within a database.
Before running DBSAT in discovery mode we need to create a dbsat.config file, as shown below:
$ cd /home/oracle/dbsat
$ cp Discover/conf/sample_dbsat.config Discover/conf/dbsat.config
The following is the content of the dbsat.config file just created:
[Database]
DB_HOSTNAME = localhost
DB_PORT = 1521
DB_SERVICE_NAME =
SSL_ENABLED = FALSE
SSL_TRUSTSTORE =
SSL_TRUSTSTORE_TYPE =
SSL_KEYSTORE =
SSL_KEYSTORE_TYPE =
SSL_DN =
SSL_VERSION =
SSL_CIPHER_SUITES =

[Discovery Parameters]
sensitive_pattern_files = sensitive_en.ini
schema_scope = ALL
minrows = 1
exclusion_list_file =

[Sensitive Categories]
Identification Info - National IDs = High Risk
Identification Info - Personal IDs = High Risk
Identification Info - Public IDs = High Risk
Biographic Info - Address = High Risk
Biographic Info - Family Data = High Risk
Biographic Info - Extended PII = High Risk
Biographic Info - Restricted Data = High Risk
IT Info - User Data = High Risk
IT Info - Device Data = Medium Risk
Financial Info - Card Data = High Risk
Financial Info - Bank Data = High Risk
Health Info - Insurance Data = High Risk
Health Info - Provider Data = Medium Risk
Health Info - Medical Data = Medium Risk
Job Info - Employee Data = High Risk
Job Info - Org Data = Low Risk
Job Info - Compensation Data = High Risk
Academic Info - Student Data = High Risk
Academic Info - Institution Data = Medium Risk
Academic Info - Performance Data = Low Risk
Then edit the settings with your hostname, port and service name, and finally save and close the configuration file.
The Discoverer relies on table statistics to obtain row counts, so to get accurate row count results you should gather statistics with the DBMS_STATS package before running the Discoverer.
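The sample file leaves DB_SERVICE_NAME empty and SSL switched off, and a config with a blank service name or an SSL setting without a truststore only fails once the Discoverer tries to connect. The helpers below are an added example, not DBSAT's own code; they edit the copied sample in place (so the [Sensitive Categories] section it ships with is preserved) and validate the [Database] settings before the Discoverer is launched. They assume the "KEY = value" layout of the sample shown above; a constructed, trimmed copy of the sample is embedded so the script runs without a DBSAT installation.

```shell
#!/bin/sh
# Added example (not DBSAT's own code): edit and validate dbsat.config.
# Assumed format: "KEY = value" lines grouped under [Section] headers,
# as in the sample_dbsat.config shown above.

# get_config_value FILE KEY: print the value of KEY (empty if blank or absent)
get_config_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# set_config_value FILE KEY VALUE: replace the value of an existing KEY line
set_config_value() {
    sed "s|^\([[:space:]]*$2[[:space:]]*=\).*|\1 $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# validate_dbsat_config FILE: print each problem on stderr, fail if any was found
validate_dbsat_config() {
    f="$1"; errors=0
    host=$(get_config_value "$f" DB_HOSTNAME)
    port=$(get_config_value "$f" DB_PORT)
    svc=$(get_config_value "$f" DB_SERVICE_NAME)
    ssl=$(get_config_value "$f" SSL_ENABLED)
    [ -n "$host" ] || { echo "DB_HOSTNAME is empty" >&2; errors=$((errors + 1)); }
    case "$port" in
        ''|*[!0-9]*) echo "DB_PORT must be numeric, got '$port'" >&2; errors=$((errors + 1)) ;;
    esac
    [ -n "$svc" ] || { echo "DB_SERVICE_NAME is empty (the sample leaves it blank)" >&2; errors=$((errors + 1)); }
    case "$ssl" in
        FALSE) ;;
        TRUE)
            # an encrypted listener connection needs a truststore to verify the server
            [ -n "$(get_config_value "$f" SSL_TRUSTSTORE)" ] \
                || { echo "SSL_ENABLED=TRUE but SSL_TRUSTSTORE is empty" >&2; errors=$((errors + 1)); }
            ;;
        *) echo "SSL_ENABLED must be TRUE or FALSE, got '$ssl'" >&2; errors=$((errors + 1)) ;;
    esac
    [ -n "$(get_config_value "$f" sensitive_pattern_files)" ] \
        || { echo "sensitive_pattern_files is empty" >&2; errors=$((errors + 1)); }
    [ "$errors" -eq 0 ]
}

# write_sample_config FILE: constructed, trimmed stand-in for
# Discover/conf/sample_dbsat.config, used here only so the example is self-contained
write_sample_config() {
    cat > "$1" <<'EOF'
[Database]
DB_HOSTNAME = localhost
DB_PORT = 1521
DB_SERVICE_NAME =
SSL_ENABLED = FALSE
SSL_TRUSTSTORE =
SSL_TRUSTSTORE_TYPE =
[Discovery Parameters]
sensitive_pattern_files = sensitive_en.ini
schema_scope = ALL
minrows = 1
exclusion_list_file =
[Sensitive Categories]
IT Info - User Data = High Risk
Financial Info - Card Data = High Risk
EOF
}
```

Against a real installation you would call, for example, `set_config_value Discover/conf/dbsat.config DB_SERVICE_NAME orclpdb1` followed by `validate_dbsat_config Discover/conf/dbsat.config`, and only launch `./dbsat discover` when the validation passes.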
Once the config is complete you can run the Discoverer, specifying the config file and the output file name. You are prompted for the database credentials and for the password used to encrypt the resulting zip file.
$ ./dbsat discover -c ./Discover/conf/dbsat.config testd

Database Security Assessment Tool version 2.1 (March 2019)

This tool is intended to assist in you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You are
solely responsible for ensuring that the output of this tool, including any
generated reports, is handled in accordance with your company's policies.

Enter username: dbsat_user
Enter password:
DBSAT Discover ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password:
Verify password:
        zip warning: testd_report.zip not found or empty
  adding: testd_discover.html (deflated 72%)
  adding: testd_discover.csv (deflated 30%)
Zip completed successfully.
$
Now you can review the HTML report generated by the Discover module.
We can also customize the pattern file to add new sensitive types of data we would like to find, by doing the following:
- Navigate to the Discover/conf directory. Make a copy of the sensitive_en.ini file and rename the file my_sensitive_en.ini.
- Open my_sensitive_en.ini
- Customize the settings by adding new Sensitive Types and modifying existing Sensitive Types.
- Save and close my_sensitive_en.ini
- Include my_sensitive_en.ini in the Discoverer scan by adding a reference to the file in the dbsat.config file.
sensitive_pattern_files= my_sensitive_en.ini
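A custom pattern file is easy to get subtly wrong: a sensitive type whose SENSITIVE_CATEGORY does not match one of the names under [Sensitive Categories] in dbsat.config cannot be classified with a risk level. The script below is an added example, not DBSAT's own code: it appends a new sensitive type to the my_sensitive_en.ini copy and cross-checks every type's category against the config. It assumes that each sensitive type in sensitive_en.ini is an INI section with COL_NAME_PATTERN, COL_COMMENT_PATTERN, COL_DATA_PATTERN and SENSITIVE_CATEGORY keys (compare with the copy shipped in Discover/conf), and that the patterns are Java regular expressions, since the Discoverer is Java-based. The API_KEY type and the trimmed config are constructed for the example.

```shell
#!/bin/sh
# Added example (not DBSAT's own code): extend a sensitive-type pattern file
# and verify that every SENSITIVE_CATEGORY it uses exists in dbsat.config.
# Assumed INI layout per type (check your sensitive_en.ini):
#   [TYPE_NAME]
#   COL_NAME_PATTERN = <java regex on column names>
#   COL_COMMENT_PATTERN = <java regex on column comments>
#   COL_DATA_PATTERN = <java regex on sampled data>
#   SENSITIVE_CATEGORY = <name listed under [Sensitive Categories]>

# add_sensitive_type INI NAME COL_NAME_PATTERN CATEGORY: append a new type
add_sensitive_type() {
    printf '\n[%s]\nCOL_NAME_PATTERN = %s\nCOL_COMMENT_PATTERN = %s\nCOL_DATA_PATTERN =\nSENSITIVE_CATEGORY = %s\n' \
        "$2" "$3" "$3" "$4" >> "$1"
}

# config_categories CONFIG: list the category names under [Sensitive Categories]
config_categories() {
    awk -F= '
        /^\[/ { h = $0; sub(/[ \t]+$/, "", h); in_cat = (h == "[Sensitive Categories]"); next }
        in_cat && NF >= 2 { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k); print k }
    ' "$1"
}

# ini_categories INI: print "TYPE<tab>CATEGORY" for every sensitive type
ini_categories() {
    awk -F= '
        /^\[/ { t = substr($0, 2, length($0) - 2); next }
        $1 ~ /^[ \t]*SENSITIVE_CATEGORY[ \t]*$/ {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print t "\t" v
        }
    ' "$1"
}

# check_sensitive_ini INI CONFIG: report types whose category is unknown; fail if any
check_sensitive_ini() {
    cats=$(config_categories "$2")
    unknown=$(ini_categories "$1" | while IFS="$(printf '\t')" read -r type cat; do
        printf '%s\n' "$cats" | grep -Fqx -- "$cat" \
            || printf '%s: unknown category "%s"\n' "$type" "$cat"
    done)
    if [ -n "$unknown" ]; then
        printf '%s\n' "$unknown" >&2
        return 1
    fi
    return 0
}

# write_category_config FILE: constructed, trimmed dbsat.config for this example
write_category_config() {
    cat > "$1" <<'EOF'
[Discovery Parameters]
sensitive_pattern_files = my_sensitive_en.ini
[Sensitive Categories]
Identification Info - National IDs = High Risk
IT Info - User Data = High Risk
Financial Info - Card Data = High Risk
EOF
}
```

In a real installation you would run `add_sensitive_type Discover/conf/my_sensitive_en.ini API_KEY '(?i)api[_-]?key|access[_-]?token' 'IT Info - User Data'` and then `check_sensitive_ini Discover/conf/my_sensitive_en.ini Discover/conf/dbsat.config` before starting the Discoverer; a misspelled category such as "IT Info - Users Data" is reported by name.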
And that’s it!!
If you liked this tutorial please share it with your peers and community!
Kind Regards,
Francisco Munoz Alvarez
Oracle ACE Director
Thanks Francisco, very well done.
Is this a free one to use, or is using this tool licensed?
Hi,
This is a free tool, no extra license required to use it. Of course, you need to have access to My Oracle Support to download it.
Regards,
Francisco