Database Security Assessment Tool (DBSAT) 3.1 follow-up

Preamble

I have already tested DBSAT in a previous post, in release 2.2.2, and got a comment directly from Oracle that a new version had been released, so here it is tested again in release 3.1…

This time I have decided to test it from my Windows laptop. Why directly from my laptop? Simply because the result file ends up in a local folder and can then be opened with your preferred browser…

My test target database is an Oracle Database 19c Enterprise Edition Release 19.19 running on Red Hat Enterprise Linux release 8.6 (Ootpa).

Let’s recall that DBSAT is a free tool from Oracle.

DBSAT Installation

You first need to install the Oracle Instant Client. I have chosen the latest release at the time of writing this blog post, i.e. release 21.14. I have downloaded the Basic Package and the SQL*Plus Package zip files. Unzip them in any folder; I have chosen C:\Program Files\, so my Oracle client and my ORACLE_HOME are C:\Program Files\instantclient_21_14. Set this environment variable for your profile:

PS C:\> $env:ORACLE_HOME
C:\Program Files\instantclient_21_14

You also need Java installed on your laptop. To avoid any licensing issue take the free build from Adoptium; I have chosen the latest 21 LTS one. Ensure JAVA_HOME is set, as dbsat.bat uses that environment variable:

PS C:\> java -version
openjdk version "21.0.3" 2024-04-16 LTS
OpenJDK Runtime Environment Temurin-21.0.3+9 (build 21.0.3+9-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.3+9 (build 21.0.3+9-LTS, mixed mode, sharing)
PS C:\> $env:JAVA_HOME
C:\Program Files\Eclipse Adoptium\jdk-21.0.3.9-hotspot

From My Oracle Support note 2138254.1 download the latest release of DBSAT and unzip it to any folder (D:\Download\dbsat for me).

Then you need to customize dbsat.bat a bit to match your environment. I do not have WinZip on my laptop but 7-Zip instead, so around line 100 I have replaced:

@REM SET ZIP_CMD=%ORACLE_HOME%\bin\zip.exe
SET ZIP_CMD=%ProgramFiles%\7-Zip\7z.exe
@REM SET UNZIP_CMD=%ORACLE_HOME%\bin\unzip.exe
SET UNZIP_CMD=%ProgramFiles%\7-Zip\7z.exe

Around line 306, with the Oracle Instant Client the sqlplus executable is not in a bin directory but directly in the ORACLE_HOME, so change:

"%ORACLE_HOME%\bin\sqlplus" -L "%CONN_STR%" @"%CMD_DIR%\%SAT_SCRIPT%" %TEMP_OUTPUT_FILE% %SHALLOW_COLLECT_COUNT%
by
"%ORACLE_HOME%\sqlplus" -L "%CONN_STR%" @"%CMD_DIR%\%SAT_SCRIPT%" %TEMP_OUTPUT_FILE% %SHALLOW_COLLECT_COUNT%

Around lines 238, 334 and 483, the -e option (for zip.exe it means "encrypt the archive and prompt for a password") is not a valid 7-Zip option, so replace it with the a (add) command. Be aware that a on its own writes an unencrypted archive even though dbsat.bat still prints "Calling ... 7z.exe to encrypt ...": the collected JSON and the generated reports contain exactly the configuration details the tool's warning banner talks about, so to keep the password protection that zip -e provided, use a -p -mem=AES256 instead (with -p and no value, 7-Zip prompts for the password; -mem=AES256 selects AES-256 rather than the weak legacy ZipCrypto). Example with the minimal replacement:

"%ZIP_CMD%" -e "%OUTPUT_NAME%.zip" "%OUTPUT_NAME%.json"
by
"%ZIP_CMD%" a "%OUTPUT_NAME%.zip" "%OUTPUT_NAME%.json"

Last but not least, around line 418, to unzip the zip file and extract the collected JSON file you need to add the e (extract, without paths) command for 7-Zip; if the archive was created with -p, 7-Zip prompts for the password here:

REM decrypt the input file if needed.
IF %DEC_REQ% EQU 1 (
"%UNZIP_CMD%" e "%INPUT_NAME%.zip"
  IF %ERRORLEVEL% NEQ 0 (
    ECHO Error: Unexpected error occurred during unzip.
    GOTO LAST
  )
)

DBSAT Collection

Collect the information from your target database remotely with the command below (the database password is prompted for). The "OS Commands Skipped" and ORA-20002 "Complete without OS Commands" messages are expected when the collector runs from a remote client rather than on the database host: the OS-level checks are simply not performed, and the collector still completes successfully:

PS D:\Download\dbsat> ./dbsat collect yjaquier@//server1.domain.com:1531/orcl orcl
 
Database Security Assessment Tool version 3.1 (Apr 2024)
 
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.
 
Connecting to the target Oracle database...
 
 
SQL*Plus: Release 21.0.0.0.0 - Production on Fri May 31 12:23:59 2024
Version 21.14.0.0.0
 
Copyright (c) 1982, 2022, Oracle.  All rights reserved.
 
Enter password:
Last Successful login time: Thu May 30 2024 16:41:39 +02:00
 
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.19.0.0.0
 
Setup complete.
SQL queries complete.
OS Commands Skipped.
BEGIN
*
ERROR at line 1:
ORA-20002: Complete without OS Commands.
ORA-06512: at line 4
 
 
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.19.0.0.0
DBSAT Collector completed successfully.
 
Calling C:\Program Files\7-Zip\7z.exe to encrypt orcl.json...
 
 
7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 
Scanning the drive:
1 file, 5013678 bytes (4897 KiB)
 
Creating archive: orcl.zip
 
Add new data to archive: 1 file, 5013678 bytes (4897 KiB)
 
 
Files read from disk: 1
Archive size: 443119 bytes (433 KiB)
Everything is Ok
zip completed successfully.

DBSAT Report

Run the report from the collected JSON file inside the ZIP file with (-a reports on all user accounts, including locked and schema-only ones; -g shows all grants, including common grants in a PDB):

PS D:\Download\dbsat> ./dbsat report -g -a orcl
 
Database Security Assessment Tool version 3.1 (Apr 2024)
 
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.
 
 
7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 
Scanning the drive for archives:
1 file, 443119 bytes (433 KiB)
 
Extracting archive: orcl.zip
--
Path = orcl.zip
Type = zip
Physical Size = 443119
 
Everything is Ok
 
Size:       5013678
Compressed: 443119
DBSAT Reporter ran successfully.
 
Calling C:\Program Files\7-Zip\7z.exe to encrypt the generated reports...
 
 
7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 
Scanning the drive:
1 file, 1437631 bytes (1404 KiB)
 
Creating archive: orcl_report.zip orcl_report.txt orcl_report.html orcl_report.xlsx
 
Add new data to archive: 1 file, 1437631 bytes (1404 KiB)
 
 
Files read from disk: 1
Archive size: 166241 bytes (163 KiB)
Everything is Ok
zip completed successfully.

You now have the result in the form of three files: HTML, text and Excel… The HTML one is obviously my preference and the screenshots below are taken from it…
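The collect and report steps above, driven end to end from PowerShell, as an added example that is not part of the original post nor of Oracle's dbsat.bat. It checks the prerequisites described earlier (ORACLE_HOME with sqlplus.exe directly in it, JAVA_HOME, 7-Zip), runs both phases, and refuses to go on if the archive dbsat.bat produced is not actually encrypted, which is what happens when the -e to a replacement was made without -p. The folder, connect string and output name are the ones used in this post and are assumptions; dbsat.bat is assumed to have been patched with a -p -mem=AES256.

```powershell
# Added example, not part of the original post or of Oracle's dbsat.bat.
# Assumptions: dbsat unzipped in $DbsatDir, 7-Zip under %ProgramFiles%, the connect
# string and output name from the post, dbsat.bat patched with "a -p -mem=AES256".
param(
    [string]$DbsatDir   = 'D:\Download\dbsat',
    [string]$ConnectStr = 'yjaquier@//server1.domain.com:1531/orcl',
    [string]$OutputName = 'orcl'
)

$SevenZip = Join-Path $env:ProgramFiles '7-Zip\7z.exe'

function Test-DbsatPrerequisites {
    # Everything dbsat.bat relies on, checked up front so the run fails with a clear
    # message instead of half-way through a collection. Returns a list of problems.
    $problems = @()
    if (-not $env:ORACLE_HOME) { $problems += 'ORACLE_HOME is not set' }
    elseif (-not (Test-Path (Join-Path $env:ORACLE_HOME 'sqlplus.exe'))) {
        # Instant Client: sqlplus.exe sits directly in ORACLE_HOME, there is no bin\ folder
        $problems += "sqlplus.exe not found directly under ORACLE_HOME ($env:ORACLE_HOME)"
    }
    if (-not $env:JAVA_HOME) { $problems += 'JAVA_HOME is not set (dbsat report needs it)' }
    elseif (-not (Test-Path (Join-Path $env:JAVA_HOME 'bin\java.exe'))) {
        $problems += "java.exe not found under JAVA_HOME ($env:JAVA_HOME)"
    }
    if (-not (Test-Path $SevenZip)) { $problems += "7z.exe not found at $SevenZip" }
    if (-not (Test-Path (Join-Path $DbsatDir 'dbsat.bat'))) { $problems += "dbsat.bat not found in $DbsatDir" }
    return $problems
}

function Test-ArchiveEncrypted {
    param([Parameter(Mandatory)][string]$ZipPath)
    # "7z l -slt" prints one "Encrypted = +" or "Encrypted = -" line per archive entry.
    # An archive written with a plain "7z a" (no -p) reports "-" for every entry.
    $listing = & $SevenZip l -slt $ZipPath
    if ($LASTEXITCODE -ne 0) { throw "7z could not list $ZipPath (exit code $LASTEXITCODE)" }
    $flags = @($listing | Where-Object { $_ -match '^Encrypted = ' })
    $clear = @($flags   | Where-Object { $_ -notmatch '^Encrypted = \+' })
    return ($flags.Count -gt 0 -and $clear.Count -eq 0)
}

function Invoke-DbsatStep {
    param([Parameter(Mandatory)][string[]]$Arguments, [Parameter(Mandatory)][string]$ExpectedZip)
    # Runs one dbsat phase. dbsat.bat prompts for the database password and, thanks to
    # "7z a -p", for the archive password; then the produced archive is inspected.
    & (Join-Path $DbsatDir 'dbsat.bat') @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dbsat $($Arguments[0]) failed with exit code $LASTEXITCODE" }
    if (-not (Test-Path $ExpectedZip)) { throw "expected output $ExpectedZip was not produced" }
    if (-not (Test-ArchiveEncrypted $ExpectedZip)) {
        throw "$ExpectedZip is NOT encrypted; it holds sensitive configuration data, do not copy it anywhere in this state"
    }
    Write-Host "OK: $ExpectedZip is present and encrypted"
}

$problems = @(Test-DbsatPrerequisites)
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }

Push-Location $DbsatDir
try {
    # Phase 1: remote collection (OS-level checks are skipped, hence the ORA-20002 message)
    Invoke-DbsatStep -Arguments @('collect', $ConnectStr, $OutputName) `
                     -ExpectedZip (Join-Path $DbsatDir "$OutputName.zip")
    # Phase 2: report with all accounts (-a) and all grants (-g)
    Invoke-DbsatStep -Arguments @('report', '-g', '-a', $OutputName) `
                     -ExpectedZip (Join-Path $DbsatDir "${OutputName}_report.zip")

    # Anything left unpacked next to the archives is a clear-text copy of the findings.
    Get-ChildItem -Path (Join-Path $DbsatDir '*') -Include "$OutputName.json", "${OutputName}_report.*" -Exclude '*.zip' -File |
        ForEach-Object { Write-Warning "clear-text copy left on disk: $($_.FullName)" }
}
finally { Pop-Location }
```

Run it from any PowerShell prompt; the two password prompts (database, then archive) come from dbsat.bat and 7-Zip themselves. If dbsat.bat was patched with a alone, the script stops right after the collect phase with the "NOT encrypted" error, which is the moment to fix the batch file rather than to ship the archive.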

DBSAT Result

It's difficult to say what has been added versus the 2.2.2 release I tested 3 years back. Here is what I found interesting in the new report:

Current patch information and where you stand:

dbsat31_1

Current grants (direct or through role) on dictionary tables:

dbsat31_2

Data in transit encryption:

dbsat31_3
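The three report sections shown above can be cross-checked against the live database through the same Instant Client sqlplus. The script below is an added example, not part of the original post nor of DBSAT: it spools the applied SQL patches (DBA_REGISTRY_SQLPATCH), the accounts and roles that can read the whole dictionary plus the direct grants on SYS objects to grantees that are not Oracle-maintained, and the network service banner of its own session, which is the only reliable way to see whether native network encryption was really negotiated on the connection. The connect string is the one from this post and is an assumption, as is a connecting user allowed to read the DBA_* views and V$SESSION_CONNECT_INFO.

```powershell
# Added example, not part of the original post or of DBSAT. Assumptions: ORACLE_HOME
# set as above (sqlplus.exe directly in it), the post's connect string, a user with
# read access to the DBA_* views and V$SESSION_CONNECT_INFO.
param(
    [string]$ConnectStr = 'yjaquier@//server1.domain.com:1531/orcl'
)

$SqlPlus = Join-Path $env:ORACLE_HOME 'sqlplus.exe'
if (-not (Test-Path $SqlPlus)) { throw "sqlplus.exe not found under ORACLE_HOME ($env:ORACLE_HOME)" }

$SpoolFile = Join-Path ([System.IO.Path]::GetTempPath()) 'dbsat_crosscheck.lst'
$SqlFile   = Join-Path ([System.IO.Path]::GetTempPath()) 'dbsat_crosscheck.sql'

# Dictionary grants below are direct grants only. DBSAT also resolves grants that
# arrive through nested roles, so a short list here does not by itself clear its finding.
$Sql = @'
SET PAGESIZE 200 LINESIZE 200 FEEDBACK OFF VERIFY OFF TRIMSPOOL ON
SPOOL "__SPOOL__"

PROMPT === Patch level: DBA_REGISTRY_SQLPATCH ===
COLUMN description FORMAT A80
SELECT patch_id, patch_type, action, status, description
FROM   dba_registry_sqlpatch
ORDER  BY action_time;

PROMPT === Who can read the whole dictionary: SELECT ANY DICTIONARY / SELECT_CATALOG_ROLE ===
SELECT grantee, 'SELECT ANY DICTIONARY' AS granted_via FROM dba_sys_privs  WHERE privilege    = 'SELECT ANY DICTIONARY'
UNION ALL
SELECT grantee, 'SELECT_CATALOG_ROLE'   AS granted_via FROM dba_role_privs WHERE granted_role = 'SELECT_CATALOG_ROLE'
ORDER  BY 1;

PROMPT === Direct grants on SYS objects to grantees that are not Oracle-maintained ===
-- PUBLIC is excluded on purpose: SYS grants it thousands of objects by design; review it separately.
SELECT p.grantee, p.privilege, p.table_name
FROM   dba_tab_privs p
WHERE  p.owner = 'SYS'
AND    p.grantee <> 'PUBLIC'
AND    p.grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
AND    p.grantee NOT IN (SELECT role     FROM dba_roles WHERE oracle_maintained = 'Y')
ORDER  BY 1, 3;

PROMPT === Data in transit: what this very session negotiated ===
-- "Encryption service for ..." is always listed; only an "<ALG> Encryption service adapter"
-- line proves that native network encryption is active on the connection.
COLUMN network_service_banner FORMAT A120
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');

SPOOL OFF
EXIT
'@

Set-Content -Path $SqlFile -Value $Sql.Replace('__SPOOL__', $SpoolFile) -Encoding ASCII

function Test-SessionEncrypted {
    param([Parameter(Mandatory)][string]$BannerFile)
    # True only if an "<algorithm> Encryption service adapter" line is in the spooled banner.
    return [bool](Select-String -Path $BannerFile -Pattern 'Encryption service adapter' -Quiet)
}

try {
    # -L: a single login attempt, as dbsat.bat does; sqlplus prompts for the password.
    & $SqlPlus -L $ConnectStr "@$SqlFile"
    if ($LASTEXITCODE -ne 0) { Write-Warning "sqlplus exited with code $LASTEXITCODE" }
    if (Test-Path $SpoolFile) {
        if (Test-SessionEncrypted $SpoolFile) { Write-Host 'Native network encryption: negotiated on this session' }
        else { Write-Warning 'Native network encryption NOT negotiated on this session: the DBSAT data-in-transit finding stands' }
    }
}
finally {
    # The spool holds patch and grant details: remove both temporary files once read.
    Remove-Item $SqlFile, $SpoolFile -ErrorAction SilentlyContinue
}
```

The spool is deliberately deleted at the end for the same reason dbsat.bat zips its output: a list of who holds SELECT ANY DICTIONARY, plus the exact patch level, is reconnaissance material. Compare the banner result with the "Data in transit encryption" section of the HTML report: DBSAT reads the configuration, while the banner shows what the client you are using actually got.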

This entry was posted in Oracle.
