Database Security Assessment Tool (DBSAT) hands-on

Preamble

DBSAT stands for Database Security Assessment Tool. I had already seen this tool mentioned in an Oracle communication, and it also came up in one of our quarterly meetings with Oracle. This free tool aims at performing a security assessment of your database.

We already have a set of rules that we check with Qualys, but it is always good to compare with another tool in case we have forgotten something.

There is a PaaS equivalent of this tool called Data Safe. The standalone DBSAT is neat, but for a big organization like the one where I currently work, what it really lacks is a central repository to aggregate the results of multiple databases. And this is exactly the point where Data Safe outshines it.

Testing has been done on a 8 cores / 64 GB server running Red Hat Enterprise Linux release 8.6 (Ootpa). My test database release (non-CDB) is 19c (19.15).

DBSAT running

Unzip the downloaded zip file; I simply added the tool directory to the PATH of my oracle account session. Then collect information with dbsat collect (-n skips the password-protected zip file, so the collector writes a plain JSON file that you must protect yourself, as the banner below reminds you):

[oracle@server01 dbsat]$ export PATH=/home/oracle/yannick/dbsat:$PATH
[oracle@server01 yannick]$ dbsat collect -n '/ as sysdba' output_orcl
 
Database Security Assessment Tool version 2.2.2 (June 2021)
 
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.
 
Connecting to the target Oracle database...
 
 
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Jun 27 11:47:36 2022
Version 19.15.0.0.0
 
Copyright (c) 1982, 2022, Oracle.  All rights reserved.
 
 
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.15.0.0.0
 
Setup complete.
SQL queries complete.
/bin/ls: cannot access '/oracle/software/bin/tfactl': No such file or directory
Warning: Exit status 256 from OS rule: executable_permission
Warning: Exit status 256 from OS rule: dbcs_status
OS commands complete.
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.15.0.0.0
DBSAT Collector completed successfully.

This generates a JSON output file:

[oracle@server01 yannick]$ ll
total 609
drwxr-x--- 4 oracle dba   1024 Jun 27 11:45 dbsat
-rw------- 1 oracle dba 622088 Jun 27 11:47 output_orcl.json

DBSAT reporting

To generate reports ensure you have Python 2.6+:

[oracle@server01 yannick]$ python -V
Python 3.6.8

Generate reports with the dbsat report command:

[oracle@server01 yannick]$ dbsat report -a -n ./output_orcl.json
 
Database Security Assessment Tool version 2.2.2 (June 2021)
 
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.
 
Error: ./output_orcl.json.json or ./output_orcl.json.zip not found.
[oracle@server01 yannick]$ dbsat report -a -n output_orcl
 
Database Security Assessment Tool version 2.2.2 (June 2021)
 
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.
 
DBSAT Reporter ran successfully.

Note that dbsat report takes the base name of the collector output without its .json extension, as my first attempt shows. It then generates four reports: html, json, txt and xlsx:

[oracle@server01 yannick]$ ll
total 1269
drwxr-x--- 5 oracle dba   1024 Jun 27 11:53 dbsat
-rw------- 1 oracle dba 622088 Jun 27 11:47 output_orcl.json
-rw------- 1 oracle dba 251728 Jun 27 11:53 output_orcl_report.html
-rw------- 1 oracle dba 208587 Jun 27 11:53 output_orcl_report.json
-rw------- 1 oracle dba 188107 Jun 27 11:53 output_orcl_report.txt
-rw------- 1 oracle dba  26238 Jun 27 11:53 output_orcl_report.xlsx
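To run the two steps above against several databases in one go and gather the reports in one place (a modest stand-in for the central repository the standalone tool lacks), here is a small POSIX shell wrapper. It is an added example, not part of the DBSAT distribution; it assumes dbsat is on PATH, ORACLE_HOME is set, and each target is a non-CDB reachable as '/ as sysdba' once ORACLE_SID is exported.

```shell
#!/bin/sh
# Wrapper around "dbsat collect" and "dbsat report" for a list of databases.
# Added example (not DBSAT's own code). Assumes dbsat on PATH, ORACLE_HOME set,
# and OS authentication ('/ as sysdba') working for every ORACLE_SID given.

# "dbsat report" wants the base name of the collector output: passing
# "output_orcl.json" makes it look for output_orcl.json.json (the error seen
# in the post). Strip a trailing .json or .zip so either spelling works.
dbsat_base() {
    case "$1" in
        *.json) printf '%s\n' "${1%.json}" ;;
        *.zip)  printf '%s\n' "${1%.zip}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# The four files "dbsat report -a" produces for a given base name.
dbsat_report_files() {
    base=$(dbsat_base "$1")
    for ext in html json txt xlsx; do
        printf '%s_report.%s\n' "$base" "$ext"
    done
}

# Collect and report one database, then move its reports under $outdir/$sid.
assess_one() {
    sid=$1; outdir=$2
    base="output_${sid}"
    export ORACLE_SID="$sid"
    # -n: no password-protected zip, so the JSON holds in clear the sensitive
    # configuration the banner warns about; keep the tree readable by oracle only.
    mkdir -p "$outdir/$sid"
    chmod 700 "$outdir"
    dbsat collect -n '/ as sysdba' "$base"
    dbsat report -a -n "$(dbsat_base "$base")"
    for f in $(dbsat_report_files "$base"); do
        if [ -f "$f" ]; then mv "$f" "$outdir/$sid/"; fi
    done
    mv "$base.json" "$outdir/$sid/"
}

# Usage: assess_all /home/oracle/dbsat_reports ORCL ORCL2 ...
assess_all() {
    outdir=$1; shift
    for sid in "$@"; do
        assess_one "$sid" "$outdir"
    done
}
```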

DBSAT result

Obviously the most convenient one is the HTML report, which I have downloaded to my laptop:

[Image: dbsat01, HTML report overview]

Here you find the findings ranked by level of risk. Of course this red (high) risk is something that is already part of our basic security rules check:

[Image: dbsat02, HTML report finding ranked as high risk]

But the Excel version is also not too bad; let's say it could be easier to share with non-IT people:

[Image: dbsat03, Excel report]
