1.2. Java: you need a Java 8 JDK,
I checked Java was installed on the
OS
[root@Eclipsys ~]# java -version
java version "1.8.0_172"
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.172-b11, mixed mode)
If Java wasn't installed on the OS, at
first download for example jdk-8u202-linux-x64.tar.gz, then we should install
it using the following commands.
[root@bill111 opt]# cd /opt/
[root@Mytest opt]# tar -xvf jdk-8u202-linux-x64.tar.gz
[root@Mytest opt]# cd jdk1.8.0_202/
[root@Mytest jdk1.8.0_191]# pwd
/opt/jdk1.8.0_202
[root@Mytest jdk1.8.0_202]# update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_202/bin/java 0
[root@Mytest jdk1.8.0_202]# update-alternatives --config java
There is 1 program that provides 'java'.
Selection Command
-----------------------------------------------
*+ 1 /opt/jdk1.8.0_202/bin/java
Enter to keep the current selection[+], or type selection number: 1
[root@Mytest jdk1.8.0_202]# java -version
java version "1.8.0_202"
Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)
2. Configure DBSAT on the Oracle Linux
2.1. Create usr_dbsat: If you have a user with DBA privileges, you don’t need to create
a new user. However, if you prefer to have a separate user for executing DBSAT,
which is recommended, use the following commands to create the user and grant
the necessary privileges.
create user usr_dbsat identified *****;
grant select on sys.dba_users_with_defpwd to usr_dbsat;
grant create session to usr_dbsat;
grant select_catalog_role to usr_dbsat;
grant select on sys.registry$history to usr_dbsat;
grant select on audsys.aud$unified to usr_dbsat;
grant audit_viewer to usr_dbsat;
grant capture_admin to usr_dbsat;
NOTE: If you have a container database
you should create this user in the container database you want to check using dbsat. In the following example, I had a container database on OCI DBCS.
I connected to the target PDB and created the user.
2.2. Create dbsat
directory and extract the zip file in this directory
[oracle@Eclipsys dbsat]$ mkdir -p /u01/app/oracle/dbsat/{output,temp}
[oracle@Eclipsys dbsat]$ cd /u01/app/oracle/dbsat/
[oracle@Eclipsys dbsat]$ unzip dbsat.zip
[oracle@Eclipsys dbsat]$ ls
dbsat dbsat.bat dbsat.zip Discover jython-standalone-2.7.3.jar output sa.jar sat_collector.sql temp xlsxwriter
3. Run the dbsat collect command.
It is recommended that the following be added to the tnsnames:ora file.
[oracle@Eclipsys dbsat]$ vi $ORACLE_HOME/network/admin/tnsnames.ora
myservice =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = <host_ip>)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SID = <sid>)
)
)
Now we can execute the collect
command using the service name, database name, or PDB name if we have a
container database.
[oracle@Eclipsys dbsat]export JAVA_HOME=/usr/lib/jvm/jre-1.8-oracle-x64/bin/java
[oracle@Eclipsys dbsat]./dbsat collect usr_dbsat@myservice myservice_output
Here is the sample output of
executing the above command.
4. Execute dbsat report command.
4.1. dbsat.zip: download the dbsat.zip file, from Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)
[oracle@Eclipsys dbsat]$ export JAVA_HOME=/usr/lib/jvm/jre-1.8-oracle-x64
[oracle@Eclipsys dbsat]$ ./dbsat report myservice_output
Here is the sample output of executing the above command.
4.2. Let's
interpret the output:
At the beginning of the report, we
have a summary that shows the number of high, medium, and low risks. DBSAT divides the database into several categories and checks the security assessment in each category. This can be observed in the
'Section' column of the table below.
In the subsequent sections of the report, we can see each high, medium, and low risk categorized separately. For example, we have a high risk in Network
Encryption, which is a subsection of Network Configuration in our
report.
In addition, the report includes
another table that shows Security Features Utilized. This table
highlights security best practices that are not implemented in our database (Currently
used = NO), indicating gaps in those sections. Therefore, it is recommended to
identify and implement these features to strengthen our security.
5. Execute dbsat discoverer command.
To execute the Discoverer command, we first need to edit the dbsat.config
file and add our database information, as shown in the following example, where I used ORACLE_SID as the service name
[oracle@Eclipsys dbsat]$ vi Discover/conf/dbsat.config
#default is localhost
DB_HOSTNAME = tms-oda1-nd1 ###use the servername
#DB_PORT is the port at which the DBSAT tool needs to connect to
#default is 1521
DB_PORT = 1521
#DB_SERVICE_NAME is the service Name for the DB, I used ORACLE_SID
#use ORACLE_SID
DB_SERVICE_NAME = sid
Here is an example of executing the Discoverer command.