Introduction
DBSAT Discover is a standalone, Java-based component of the Database Security Assessment Tool that identifies sensitive data within your database. Unlike the Collector and Reporter, Discover works independently and focuses on scanning tables and columns for patterns that match PII, financial, or other confidential information. Building on the foundation covered in Part 1 of this series, Enhancing Query Performance: Leveraging In-Memory Optimized Dates in Oracle 23ai, where we explored configuring and using the main DBSAT tool, Discover helps you take the next step by revealing exactly where sensitive data resides, so you can strengthen your overall security posture.
Prepare the dbsat.config File
Discover requires a dbsat.config file, and a sample version is provided at Discover/conf/sample_dbsat.config. You can simply copy this file to Discover/conf/dbsat.config and modify it to suit your environment and requirements.
[oracle@Mytest dbsat]$ cd /u01/app/oracle/dbsat/
[oracle@Mytest dbsat]$ cp Discover/conf/sample_dbsat.config Discover/conf/dbsat.config
You will need to edit the contents of the Discover/conf/dbsat.config file to match your environment and requirements. At a minimum, you must set the essential connection and scanning parameters so that DBSAT Discover can connect to your database and correctly identify sensitive data.
First, comment out the TNS_ADMIN, NET_SERVICE_NAME, and WALLET_LOCATION parameters in the dbsat.config file.
#####################comment TNS_ADMIN
## TNS_ADMIN =
#NET_SERVICE_NAME is the Network Service name to be used to make
#connection
#####################comment NET_SERVICE_NAME
## NET_SERVICE_NAME =
#WALLET_LOCATION is the location of wallets for secured connections
#via SSL or SEPS(Secure External Password Store).
#WALLET_LOCATION should be set to SSL or SEPS wallet locations
#####################comment WALLET_LOCATION
## WALLET_LOCATION =
Then locate and modify the DB_HOSTNAME, DB_PORT, and DB_SERVICE_NAME parameters.
NOTE: For the DB_SERVICE_NAME parameter, use ORACLE_SID instead, as assigning the service name did not work for me.
#Use DB_HOSTNAME, DB_PORT and DB_SERVICE_NAME to connect using
#password at the prompt
#DB_IP is the IP address or FQDN for the DB Server
#default is localhost
DB_HOSTNAME = Mytest ###use the servername
#DB_PORT is the port at which the DBSAT tool needs to connect to
#default is 1521
DB_PORT = 1521
#DB_SERVICE_NAME is the service Name for the DB ==> I used ORACLE_SID
#use ORACLE_SID
DB_SERVICE_NAME = dbsid ##==> this is ORACLE_SID
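A pre-flight check for the edits described above, as an added example that is not part of the original post or of DBSAT. The function names are hypothetical, and treating a trailing "# ..." after a value as an annotation (as the edited lines above do) is an assumption about how dbsat.config is read.

```shell
# Print the active (uncommented) value of KEY in FILE; exit 1 if KEY is not active.
# Assumption: a trailing "# ..." after a value is an annotation, as in the post.
dbsat_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                    # commented-out parameter or remark
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            sub(/#.*/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { found = 1; val = v }
        }
        END { if (found) print val; exit !found }' "$2"
}

# Return 0 if FILE matches the setup described above, 1 otherwise (reasons on stdout).
check_dbsat_config() {
    local file="$1" key val rc=0
    for key in TNS_ADMIN NET_SERVICE_NAME WALLET_LOCATION; do
        if dbsat_value "$key" "$file" >/dev/null; then
            echo "FAIL: $key is still active; comment it out"; rc=1
        fi
    done
    for key in DB_HOSTNAME DB_PORT DB_SERVICE_NAME; do
        val=$(dbsat_value "$key" "$file") || val=""
        [ -n "$val" ] || { echo "FAIL: $key is not set"; rc=1; }
    done
    val=$(dbsat_value DB_PORT "$file") || val=""
    case $val in
        '') ;;                                 # already reported as not set
        *[!0-9]*) echo "FAIL: DB_PORT is not numeric: $val"; rc=1 ;;
        *) { [ "$val" -ge 1 ] && [ "$val" -le 65535 ]; } || { echo "FAIL: DB_PORT out of range: $val"; rc=1; } ;;
    esac
    return "$rc"
}

# Constructed sample mirroring the edited lines shown in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## TNS_ADMIN =
## NET_SERVICE_NAME =
## WALLET_LOCATION =
DB_HOSTNAME = Mytest ###use the servername
DB_PORT = 1521
DB_SERVICE_NAME = dbsid ##==> this is ORACLE_SID
EOF
check_dbsat_config "$sample" && echo "OK: config matches the setup above"
rm -f "$sample"
```

Against a real installation, call check_dbsat_config Discover/conf/dbsat.config before running ./dbsat discover.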
Once the configuration is complete, run the following command to execute Discover, specifying the configuration file and the output file name. You will be prompted to enter the database credentials and the password for the resulting zip file.
[oracle@tms-oda1-nd1 dbsat]$ export JAVA_HOME=/usr/java/jdk1.8.0_172-amd64
[oracle@tms-oda1-nd1 dbsat]$ ./dbsat discover -c ./Discover/conf/dbsat.config myservice_discovery
Database Security Assessment Tool version 3.1 (Jan 2024)
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.
Enter username: usr_dbsat
Enter password: *******
Connection Failed - Retrying regarding "****" as SID.
DBSAT Discover ran successfully.
Calling /usr/bin/zip to encrypt the generated reports...
Enter password: ******
Verify password: ******
zip warning: myservice_discovery_report.zip not found or empty
adding: myservice_discovery_discover.html (deflated 93%)
adding: myservice_discovery_discover.csv (deflated 91%)
Zip completed successfully.
As a result, it will generate the myservice_discovery_report.zip file. Below is a sample of the report output.
Conclusion
DBSAT Discover empowers database administrators and security teams to pinpoint sensitive data with precision, complementing the broader capabilities of the DBSAT suite. By scanning tables and columns for PII (Personally Identifiable Information), financial, and other confidential information, Discover provides actionable insights that help organizations proactively protect critical data.