Preamble
I have already tested DBSAT in a previous post, in release 2.2.2, and got a comment directly from Oracle that a new version had been released, so here I am testing release 3.1…
This time I have decided to test it from my Windows laptop. Why directly from my laptop? Simply because the result file ends up in a local folder and can then easily be opened in your preferred browser…
My test target database is an Oracle Database 19c Enterprise Edition Release 19.19 running on Red Hat Enterprise Linux release 8.6 (Ootpa).
Let’s recall that DBSAT is a free tool from Oracle.
DBSAT Installation
You first need to install the Oracle Instant Client. I have chosen the latest release at the time of writing this blog post, i.e. release 21.14. I have downloaded the Basic Package and the SQL*Plus Package zip files and unzipped them in a folder of my choice, C:\Program Files\, so my Oracle client and my ORACLE_HOME is C:\Program Files\instantclient_21_14. Set this environment variable in your profile:
```powershell
PS C:\> $env:ORACLE_HOME
C:\Program Files\instantclient_21_14
```
You also need Java installed on your laptop. To avoid any licensing issue, take the free one from Adoptium; I have chosen the latest LTS, 21. Ensure JAVA_HOME is set, as dbsat.bat uses this environment variable:
```powershell
PS C:\> java -version
openjdk version "21.0.3" 2024-04-16 LTS
OpenJDK Runtime Environment Temurin-21.0.3+9 (build 21.0.3+9-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.3+9 (build 21.0.3+9-LTS, mixed mode, sharing)
PS C:\> $env:JAVA_HOME
C:\Program Files\Eclipse Adoptium\jdk-21.0.3.9-hotspot
```
From My Oracle Support note 2138254.1, download the latest release of DBSAT and unzip it in any folder (D:\Download\dbsat for me).
Then you need to customize the dbsat.bat file a bit to match your environment. I do not have WinZip on my laptop but 7-Zip instead, so around line 100 I have replaced the zip and unzip commands with:
```batch
@REM SET ZIP_CMD=%ORACLE_HOME%\bin\zip.exe
SET ZIP_CMD=%ProgramFiles%\7-Zip\7z.exe
@REM SET UNZIP_CMD=%ORACLE_HOME%\bin\unzip.exe
SET UNZIP_CMD=%ProgramFiles%\7-Zip\7z.exe
```
Around line 306, with the Oracle Instant Client the sqlplus executable is not in a bin directory but directly in the ORACLE_HOME, so change:
```batch
"%ORACLE_HOME%\bin\sqlplus" -L "%CONN_STR%" @"%CMD_DIR%\%SAT_SCRIPT%" %TEMP_OUTPUT_FILE% %SHALLOW_COLLECT_COUNT%
```
to:
```batch
"%ORACLE_HOME%\sqlplus" -L "%CONN_STR%" @"%CMD_DIR%\%SAT_SCRIPT%" %TEMP_OUTPUT_FILE% %SHALLOW_COLLECT_COUNT%
```
Around lines 238, 334 and 483, -e is not a valid 7-Zip switch (for zip.exe it means "encrypt with a password"), so replace it with 7-Zip's a (add) command, for example:
```batch
"%ZIP_CMD%" -e "%OUTPUT_NAME%.zip" "%OUTPUT_NAME%.json"
```
becomes:
```batch
"%ZIP_CMD%" a "%OUTPUT_NAME%.zip" "%OUTPUT_NAME%.json"
```
Be aware that a on its own creates a plain, unencrypted archive, whereas the zip -e call in the shipped dbsat.bat prompts for a password and encrypts the file. If you want the collected JSON and the generated reports to stay password protected as the tool intends (its own banner warns that the output can help an attacker), add -p -mem=AES256 after a on each of these three lines; 7-Zip then prompts for the password exactly like zip -e did.
Last but not least, around line 418, to unzip the zip file and extract the collected JSON file you need to add the e (extract) command for 7-Zip:
```batch
REM decrypt the input file if needed.
IF %DEC_REQ% EQU 1 (
  "%UNZIP_CMD%" e "%INPUT_NAME%.zip"
  IF %ERRORLEVEL% NEQ 0 (
    ECHO Error: Unexpected error occurred during unzip.
    GOTO LAST
  )
)
```
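The dbsat.bat edits above replace zip.exe, which encrypts the collector output behind a password, with a bare 7-Zip a command that does not. The following PowerShell is an added example (it is not part of the original post nor of Oracle's dbsat.bat) showing the 7-Zip invocation that keeps the password protection, and a check you can run on orcl.zip before it leaves your laptop. It assumes 7-Zip in its default location and an orcl.json in the current directory; the function names are my own.

```powershell
# Added example, not code from the original post or from Oracle's dbsat.bat.
# Assumptions: 7-Zip installed under %ProgramFiles%, orcl.json in the current
# directory, and the function names below are mine.
$SevenZip = Join-Path $env:ProgramFiles '7-Zip\7z.exe'

# The edited dbsat.bat line
#   "%ZIP_CMD%" a "%OUTPUT_NAME%.zip" "%OUTPUT_NAME%.json"
# writes an UNENCRYPTED zip. zip.exe -e (what the shipped dbsat.bat calls)
# prompts for a password and encrypts; with 7-Zip that is -p (prompt for the
# password, not echoed) plus -mem=AES256 (AES instead of the weak ZipCrypto
# default of the zip format).
function New-DbsatArchive {
    param([Parameter(Mandatory)][string]$Name)
    & $SevenZip a -p -mem=AES256 "$Name.zip" "$Name.json"
    if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }
}

# Check before sharing the archive: 7-Zip's technical listing (l -slt) prints
# one "Encrypted = +" or "Encrypted = -" line per entry. Returns $true only if
# every entry in the archive is encrypted.
function Test-DbsatArchiveEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $listing = & $SevenZip l -slt $Path
    if ($LASTEXITCODE -ne 0) { throw "7-Zip could not read $Path" }
    $flags = @(foreach ($line in $listing) {
        if ($line -match '^Encrypted = ([+-])\s*$') { $Matches[1] }
    })
    if ($flags.Count -eq 0) { throw "No entries found in $Path" }
    return ($flags -notcontains '-')
}

New-DbsatArchive -Name 'orcl'
if (Test-DbsatArchiveEncrypted -Path 'orcl.zip') {
    Write-Host 'orcl.zip is password protected'
} else {
    Write-Warning 'orcl.zip is NOT encrypted: rebuild it with -p before sharing it'
}
```

The unzip side needs no further change: 7-Zip asks for the password by itself when the e command meets an encrypted entry, so the line-418 edit above keeps working. The same -p -mem=AES256 applies to the report step, which packs orcl_report.txt, orcl_report.html and orcl_report.xlsx into orcl_report.zip.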
DBSAT Collection
Collect the information of your target database remotely with the command below. Because the collector is not running on the database host, the OS-level checks are skipped: the ORA-20002 "Complete without OS Commands" message is expected when collecting remotely like this, and the collector still finishes successfully, but the operating-system part of the assessment is absent from the report.
```text
PS D:\Download\dbsat> ./dbsat collect yjaquier@//server1.domain.com:1531/orcl orcl

Database Security Assessment Tool version 3.1 (Apr 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

Connecting to the target Oracle database...

SQL*Plus: Release 21.0.0.0.0 - Production on Fri May 31 12:23:59 2024
Version 21.14.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.

Enter password:
Last Successful login time: Thu May 30 2024 16:41:39 +02:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.19.0.0.0

Setup complete.
SQL queries complete.
OS Commands Skipped.
BEGIN
*
ERROR at line 1:
ORA-20002: Complete without OS Commands.
ORA-06512: at line 4

Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.19.0.0.0
DBSAT Collector completed successfully.

Calling C:\Program Files\7-Zip\7z.exe to encrypt orcl.json...

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20

Scanning the drive:
1 file, 5013678 bytes (4897 KiB)

Creating archive: orcl.zip

Add new data to archive: 1 file, 5013678 bytes (4897 KiB)

Files read from disk: 1
Archive size: 443119 bytes (433 KiB)
Everything is Ok
zip completed successfully.
```
DBSAT Report
Run the report from the collected JSON file inside the ZIP file with:
```text
PS D:\Download\dbsat> ./dbsat report -g -a orcl

Database Security Assessment Tool version 3.1 (Apr 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20

Scanning the drive for archives:
1 file, 443119 bytes (433 KiB)

Extracting archive: orcl.zip
--
Path = orcl.zip
Type = zip
Physical Size = 443119

Everything is Ok

Size:       5013678
Compressed: 443119
DBSAT Reporter ran successfully.

Calling C:\Program Files\7-Zip\7z.exe to encrypt the generated reports...

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20

Scanning the drive:
1 file, 1437631 bytes (1404 KiB)

Creating archive: orcl_report.zip
orcl_report.txt
orcl_report.html
orcl_report.xlsx

Add new data to archive: 1 file, 1437631 bytes (1404 KiB)

Files read from disk: 1
Archive size: 166241 bytes (163 KiB)
Everything is Ok
zip completed successfully.
```
You now have the result in the form of three files: HTML, text and Excel… The HTML one is obviously my preference and the screenshots below are taken from it…
DBSAT Result
It is difficult to say what has been added versus the 2.2.2 release I tested 3 years back. Here is what I found interesting in the new report:
Current patch information and where you stand:
Current grants (direct or through role) on dictionary tables:
Data in transit encryption:
References
- Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)
- Database Security Assessment Tool User Guide