Viscosity's Blog

How To Use Oracle Database Security Assessment Tool (DBSAT)

Written by Julio Ayapan | Apr 30, 2024 12:00:00 PM

Ensuring data security within your organization is crucial if you are to remain compliant with increasingly strict data security regulations and to maintain a good relationship with your customers. Protecting your customers' information and being able to demonstrate confidence in your data security measures puts you in good stead against data loss and data security breaches.

Oracle DBSAT is a tool that helps you work toward data security compliance. It analyzes data, configurations, users, entitlements, and security policies, and identifies where sensitive data resides, in order to uncover security risks and improve the security posture of Oracle Database within an organization.



Oracle DBSAT consists of the following components:

  • Collector: The Collector executes SQL queries against dictionary views and runs operating system commands to collect data from the system to be assessed. The collected data is written to a JSON file that the DBSAT Reporter uses in the analysis phase.
  • Reporter: The Reporter analyzes the collected data and generates the Database Security Assessment Report in HTML, Excel, JSON, and Text formats.
  • Discoverer: The Discoverer executes SQL queries against dictionary views to collect metadata from the database to be assessed, based on the settings specified in the configuration files. The collected data is then used to generate the Database Sensitive Data Assessment Report in HTML and CSV formats.

Oracle Database Security Assessment Tool Prerequisites

Oracle DBSAT runs on the following Operating Systems:

  • Solaris x64 and Solaris SPARC64
  • Linux x86-64 and Linux 64-bit Arm
  • Windows x64
  • HP-UX IA (64-bit)
  • IBM AIX (64-bit) and Linux on zSeries (64-bit)

Oracle DBSAT supports the following Oracle Database versions and editions:

  • Oracle Database 11.2.0.4 and later releases, on-premises or in the Cloud
  • Oracle Database Standard Edition 2 and Oracle Database Enterprise Edition
  • Autonomous Databases (Serverless, Dedicated, and Cloud@Customer), Autonomous JSON Database, Oracle Exadata Database Service (Dedicated and Cloud@Customer), and Oracle Base Database Service (BaseDB Enterprise Edition and Standard Edition).

Collector Prerequisites

To gather all necessary data, run the Oracle DBSAT Collector on the server that hosts the database. The Collector uses operating system commands to gather process and file system information that the database alone cannot provide. For that reason, the Collector must be run as an OS user with read permission on the files and directories under ORACLE_HOME, and it needs SQL*Plus (from the Oracle Database home or an Instant Client) to connect to the database while it collects and processes file system data with OS commands.

Reporter Prerequisites

The Reporter is a Java program and requires the Java Runtime Environment (JRE) 1.8 (jdk8-u172) or later to run.

Discoverer Prerequisites

The Discoverer is a Java program and requires the Java Runtime Environment (JRE) 1.8 (jdk8-u172) or later to run.

The Discoverer collects metadata from database dictionary views and matches them against the patterns specified to discover sensitive data. The Discoverer must connect to the database as a user with sufficient privileges to select from these views. 

Oracle Database Security Assessment Tool Installation

For this article, I’m using an Oracle Linux 7 machine and an Oracle Database 21c Enterprise Edition with a CDB database called ORCL and a pluggable database called ORCLPDB.

  1. Download the DBSAT binaries from Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1). The current release is 3.1.0 (January 2024).

  2. Create the DBSAT directory:
    mkdir -p /home/oracle/dbsat

  3. Move the dbsat.zip file to your database server and unzip it:
    unzip dbsat.zip -d /home/oracle/dbsat


Using the Collector

  1. Create a DBSAT user to run the Oracle DBSAT Collector script with the required privileges:

$ sqlplus / as sysdba

alter session set container=ORCLPDB;

-- choose your own strong password in place of dbsat_password
create user dbsat_user identified by dbsat_password;
grant create session to dbsat_user;
grant select_catalog_role to dbsat_user;
grant select on sys.registry$history to dbsat_user;
grant read on sys.dba_audit_mgmt_config_params to dbsat_user;
grant select on sys.dba_users_with_defpwd to dbsat_user;
grant read on sys.dba_credentials to dbsat_user;
grant execute on sys.dbms_sql to dbsat_user;
grant audit_viewer to dbsat_user;   -- 12c and later
grant capture_admin to dbsat_user;  -- 12c and later; covers sys.dba_priv_captures, sys.priv_capture$, sys.capture_run_log$

-- If Database Vault is enabled, connect as DV_OWNER to run this command
grant DV_SECANALYST to dbsat_user;

  2. Go to the DBSAT installation directory and run the Collector:

$ cd /home/oracle/dbsat
$ ./dbsat collect <database_connect_string> <output_file>

I will use:

database_connect_string: dbsat_user@orclpdb
output_file: dbsat_out

[oracle@ol-stby1 dbsat]$ ./dbsat collect dbsat_user@orclpdb dbsat_out

Database Security Assessment Tool version 3.1 (Jan 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

Connecting to the target Oracle database...

SQL*Plus: Release 21.0.0.0.0 - Production on Tue Apr 9 15:11:18 2024
Version 21.3.0.0.0

Copyright (c) 1982, 2021, Oracle. All rights reserved.

Enter password:

Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0

Setup complete.
SQL queries complete.
Warning: Exit status 256 from OS rule: dbcs_status
OS commands complete.
Disconnected from Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
DBSAT Collector completed successfully.

Calling /u01/app/oracle/product/21.0.0/dbhome_1/bin/zip to encrypt dbsat_out.json...

Enter password:
Verify password:
adding: dbsat_out.json (deflated 86%)
zip completed successfully.

Note: DBSAT can display warnings informing you that some checks were skipped. These can be safely ignored; execution proceeds. Reasons a check is skipped include wrong permissions, missing .ora files, a check that is not applicable to that target type, and more.

If you do not want to encrypt the output file, invoke dbsat collect with the -n option. This is not recommended, because the JSON file contains detailed configuration data about your database.



Running the Reporter

We will need the output file generated by the Collector.

  1. Check that Java Runtime Environment (JRE) 1.8 (jdk8-u172) or later is installed. Check the version:
    $ java -version

    I got the following result:
    openjdk version "11.0.22" 2024-01-16 LTS

  2. Run the Reporter:
    $ dbsat report [-a] [-n] [-g] [-x <section>] [-u <user>] <input_file>

    Parameters:
    -a  Runs the report for all database accounts (including locked and schema-only accounts)
    -n  Specifies no encryption
    -g  Shows all grants, including common grants, in a pluggable database
    -u  Specifies a user or list of users to exclude from the report
    -x  Excludes a section or list of sections from the report. Valid sections are:

    • USER: User Accounts
    • PRIV: Privileges and Roles
    • AUTHZ: Authorization Control
    • ENCRYPT: Encryption
    • ACCESS: Fine-Grained Access Control
    • AUDIT: Auditing
    • CONF: Database Configuration
    • NET: Network Configuration
    • OS: Operating System

    I will use only the output file:
    output_file: dbsat_out

    [oracle@ol-stby1 dbsat]$ ./dbsat report dbsat_out

    Database Security Assessment Tool version 3.1 (Jan 2024)

    This tool is intended to assist you in securing your Oracle database system. You are solely responsible for your system and the effect and results of the execution of this tool (including, without limitation, any damage or data loss). Further, the output generated by this tool may include potentially sensitive system configuration data and information that could be used by a skilled attacker to penetrate your system. You are solely responsible for ensuring that the output of this tool, including any generated reports, is handled in accordance with your company's policies.

    DBSAT Reporter ran successfully.

    Calling /usr/bin/zip to encrypt the generated reports...

    Enter password:
    Verify password:
        zip warning: dbsat_out_report.zip not found or empty
    adding: dbsat_out_report.txt (deflated 76%)
    adding: dbsat_out_report.html (deflated 83%)
    adding: dbsat_out_report.xlsx (deflated 1%)
    adding: dbsat_out_report.json (deflated 81%)
    zip completed successfully.

  3. Specify a password to encrypt the output report .zip file.
    A .zip file is created.

  4. Extract the contents of the .zip file to access the Oracle Database Security Assessment Report. Use the password you set in step 3.
    The contents of the .zip file are extracted.

  5. Use the appropriate tools to read the recommendations from the report files.


This is the report in HTML format:

You will also get the report in xlsx, JSON, and txt formats.

Running the Discoverer

The Discoverer executes SQL queries and collects data from the system to be assessed based on the settings specified in the configuration and pattern files.

  1. Check that Java Runtime Environment (JRE) 1.8 (jdk8-u172) or later is installed:
    $ java -version

    I got the following result:
    openjdk version "11.0.22" 2024-01-16 LTS

  2. Specify the arguments to run the Discoverer:
    $ dbsat discover [-n] -c <config_file> <output_file>

    Parameters:
    -n           Specifies no encryption.
    -c           Specifies the name of the configuration file used for the Discoverer.
    output_file  Specifies the full or relative path name of the .zip file to create. Do not add an extension.

    For the configuration file, navigate to the Discover/conf directory. Make a copy of the sample_dbsat.config file and rename the copy to match your site-specific requirements.

    As a minimum, you will need the following parameters in the config file:

    [Database]
           DB_HOSTNAME = <hostname>
           DB_PORT = <port>
           DB_SERVICE_NAME = <db_service_name>

    I will use:

    [Database]
           DB_HOSTNAME = ol-stby1
           DB_PORT = 1521
           DB_SERVICE_NAME = orclpdb

  3. Run the Discoverer:
    $ ./dbsat discover -c /home/oracle/dbsat/conf/custom_dbsat.config out_disc

    DBSAT Discover ran successfully.

    Calling /usr/bin/zip to encrypt the generated reports...

    Enter password:
    Verify password:
    adding: PDB1_discover.html (deflated 86%)
    adding: PDB1_discover.csv (deflated 86%)
    Zip completed successfully.

  4. Specify a password to encrypt the .zip file.
    A zip file named <destination>_report.zip is created.

  5. Extract the contents of the .zip file to access the Database Sensitive Data Assessment Report. When prompted, enter the password you specified in Step 4.
    The contents of the .zip file are extracted.

  6. Use the appropriate tools to read the Database Sensitive Data Assessment Report.
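As an added example (not DBSAT's own code and not from the original post), the hypothetical shell wrapper below chains the Collector, Reporter and Discoverer steps described above with the pre-flight checks this post calls out: it parses the `java -version` string to confirm JRE 1.8 or later (handling both the `1.8.0_x` and `11.0.22` forms), verifies that the Discoverer config carries the three minimum [Database] keys with real values rather than `<placeholders>` and a numeric port, and only then runs collect, report and discover with encryption left on. The function names and the DBSAT_HOME variable are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-flight wrapper for the DBSAT steps in this post
# (added example; not part of DBSAT). Assumes DBSAT_HOME is the directory
# dbsat.zip was unzipped into and that a Discoverer config file exists.

# Java major version from the string `java -version` prints:
# "1.8.0_372" -> 8 (JRE 1.8), "11.0.22" -> 11.
java_major() {
  case "$1" in
    1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
    *)   printf '%s\n' "$1" | cut -d. -f1 ;;
  esac
}

# Verify the minimum [Database] keys of a Discoverer config file ($1).
# A key counts as missing if absent, empty, or still a <placeholder>;
# DB_PORT must also be numeric. Returns 1 and lists problems on stderr.
check_discover_config() {
  bad=""
  for key in DB_HOSTNAME DB_PORT DB_SERVICE_NAME; do
    grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^<[:space:]]" "$1" \
      || bad="$bad $key"
  done
  grep -Eq '^[[:space:]]*DB_PORT[[:space:]]*=[[:space:]]*[0-9]+[[:space:]]*$' "$1" \
    || bad="$bad DB_PORT(numeric)"
  [ -z "$bad" ] || { echo "config problems:$bad" >&2; return 1; }
}

# Collector, Reporter and Discoverer in sequence, stopping at the first
# failure. $1 connect string (dbsat_user@orclpdb), $2 output base name,
# $3 Discoverer config. Encryption is left on, so zip prompts for a password.
run_dbsat() {
  ver=$(java -version 2>&1 | awk -F'"' '/version/ {print $2; exit}')
  [ "$(java_major "$ver")" -ge 8 ] 2>/dev/null \
    || { echo "JRE 1.8 or later required, found: $ver" >&2; return 1; }
  check_discover_config "$3" || return 1
  cd "${DBSAT_HOME:-/home/oracle/dbsat}" || return 1
  ./dbsat collect "$1" "$2" \
    && ./dbsat report "$2" \
    && ./dbsat discover -c "$3" "${2}_disc"
}

# Run directly: sh dbsat_preflight.sh <connect_string> <output_base> <config_file>
if [ "$#" -eq 3 ]; then run_dbsat "$@"; fi
```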

Final Recommendations:

  • If the Collector is executed remotely, it will not collect operating system data. It is recommended to run it on the database server so that all relevant data is collected.
  • You are not limited to running the Reporter on the database server or on the same machine as the Collector.
  • You are not limited to running the Discoverer on the database server or on the same machine as the Collector or Reporter.
  • Caution: The Oracle DBSAT tool is intended to assist you in identifying potential sensitive data and vulnerabilities in your system. Further, the output generated by this tool may include potentially sensitive system configuration data and information that could be used by a skilled attacker to penetrate your system. You are solely responsible for ensuring that the output of this tool, including any generated reports, is handled in accordance with your company's policies.