DBSAT consists of three primary
components: Collector, Reporter, and Discoverer, each
playing a crucial role in assessing and enhancing database security.
- Collector is the first step in the DBSAT process.
It connects to the Oracle database and gathers critical security-related
information. This includes details about users, roles, privileges,
configuration settings, and more. The data collected is then stored in an
encrypted file, ensuring that sensitive information is protected during
the assessment process.
- Reporter takes the output from the Collector and generates comprehensive reports. These reports provide an in-depth analysis of the database's security posture, highlighting vulnerabilities, misconfigurations, and areas that require attention. The Reporter component also offers prioritized recommendations for improving security, making it easier for administrators to address the most critical issues first. The Reporter outputs four reports in HTML, XLS, JSON and Text formats.
- Discoverer is focused on identifying sensitive data within the database. It scans tables and columns to detect and classify sensitive information such as personally identifiable information (PII), financial data, and other critical assets. The Discoverer executes SQL queries against database dictionary views to discover sensitive data, and outputs reports in HTML and CSV formats.
1. Prerequisites:
1.1. Python: Make sure Python is installed on your system.
I checked that Python was installed on the OS.
[root@Eclipsys ~]# python -V
Python 2.6.6
If Python isn't installed on the OS, we should install it using the following command.
[root@Mytest ~]# sudo yum install python3
OR
[root@Mytest ~]# sudo dnf install python3
1.2. Java: you need a Java 8 JDK,
I checked Java was installed on the
OS
[root@Eclipsys ~]# java -version
java version "1.8.0_172"
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.172-b11, mixed mode)
If Java wasn't installed on the OS, at first download for example jdk-8u202-linux-x64.tar.gz, then we should install it using the following commands.
[root@bill111 opt]# cd /opt/
[root@Mytest opt]# tar -xvf jdk-8u202-linux-x64.tar.gz
[root@Mytest opt]# cd jdk1.8.0_202/
[root@Mytest jdk1.8.0_191]# pwd
/opt/jdk1.8.0_202
[root@Mytest jdk1.8.0_202]# update-alternatives --install /usr/bin/java java /opt/jdk1.8.0_202/bin/java 0
[root@Mytest jdk1.8.0_202]# update-alternatives --config java
There is 1 program that provides 'java'.
Selection Command
-----------------------------------------------
*+ 1 /opt/jdk1.8.0_202/bin/java
Enter to keep the current selection[+], or type selection number: 1
[root@Mytest jdk1.8.0_202]# java -version
java version "1.8.0_202"
Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)
2. Configure DBSAT on the Oracle Linux
2.1. Create usr_dbsat: If you have a user with DBA privileges, you don’t need to create a new user. However, if you prefer to have a separate user for executing DBSAT, which is recommended, use the following commands to create the user and grant the necessary privileges.
create user usr_dbsat identified *****;
grant select on sys.dba_users_with_defpwd to usr_dbsat;
grant create session to usr_dbsat;
grant select_catalog_role to usr_dbsat;
grant select on sys.registry$history to usr_dbsat;
grant select on audsys.aud$unified to usr_dbsat;
grant audit_viewer to usr_dbsat;
grant capture_admin to usr_dbsat;
NOTE: If you have a container database
you should create this user in the container database you want to check using dbsat. In the following example, I had a container database on OCI DBCS.
I connected to the target PDB and created the user.
2.2. Create dbsat directory and extract the zip file in this directory
[oracle@Eclipsys dbsat]$ mkdir -p /u01/app/oracle/dbsat/{output,temp}
[oracle@Eclipsys dbsat]$ cd /u01/app/oracle/dbsat/
[oracle@Eclipsys dbsat]$ unzip dbsat.zip
[oracle@Eclipsys dbsat]$ ls
dbsat dbsat.bat dbsat.zip Discover jython-standalone-2.7.3.jar output sa.jar sat_collector.sql temp xlsxwriter
3. Run the dbsat collect command.
It is recommended that the following be added to the tnsnames:ora file.
[oracle@Eclipsys dbsat]$ vi $ORACLE_HOME/network/admin/tnsnames.ora
myservice =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = <host_ip>)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SID = <sid>)
)
)
Now we can execute the collect
command using the service name, database name, or PDB name if we have a
container database.
[oracle@Eclipsys dbsat]export JAVA_HOME=/usr/lib/jvm/jre-1.8-oracle-x64/bin/java
[oracle@Eclipsys dbsat]./dbsat collect usr_dbsat@myservice myservice_output
Here is the sample output of
executing the above command.
4. Execute dbsat report command.
4.1. dbsat.zip: download the dbsat.zip file, from Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)
[oracle@Eclipsys dbsat]$ export JAVA_HOME=/usr/lib/jvm/jre-1.8-oracle-x64
[oracle@Eclipsys dbsat]$ ./dbsat report myservice_output
Here is the sample output of executing the above command.
4.2. Let's
interpret the output:
At the beginning of the report, we
have a summary that shows the number of high, medium, and low risks.
In addition, the report includes
another table that shows Security Features Utilized. This table
highlights security best practices that are not implemented in our database (Currently
used = NO), indicating gaps in those sections. Therefore, it is recommended to
identify and implement these features to strengthen our security.
5. Execute dbsat discoverer command.
To execute the Discoverer command, we first need to edit the dbsat.config
file and add our database information, as shown in the following example, where I used ORACLE_SID as the service name
[oracle@Eclipsys dbsat]$ vi Discover/conf/dbsat.config
#default is localhost
DB_HOSTNAME = tms-oda1-nd1 ###use the servername
#DB_PORT is the port at which the DBSAT tool needs to connect to
#default is 1521
DB_PORT = 1521
#DB_SERVICE_NAME is the service Name for the DB, I used ORACLE_SID
#use ORACLE_SID
DB_SERVICE_NAME = sid
Here is an example of executing the Discoverer command.