Soumya's Database Blog : Overview of DBSAT(Database Security Assessment Tool)

What is DBSAT?

Database Security Assessment Tool aka DBSAT is a free tool that basically scan your database and find out security loop holes and it also gives recommendation to mitigate those loop holes. DBSAT automatically collects information and displays it as HTML,Excel,Json or text format.

How to Download:-

MOS Note:2138254.1 – Oracle Database Security Assessment Tool (DBSAT)

You can download the tool from above My Oracle Support Note ID.

DBSAT Components:-

· Collector:- As the name states , the collector basically collects data by executing various SQL queries and OS commands from the target database. By meaning target database here I refer to the database for which we are going to generate a DBSAT report. Once data is collected it saves in a JSON file which is used by another component namely Reporter.

· Reporter:-Reporter basically analysed the data collected by collector and generates a Database Security Assessment Report in HTML, Excel ,Text or Json format.

· Discoverer:- The Discoverer executes SQL queries and collects data from the system to be assessed, based on the settings specified in the configuration files. It does this primarily by querying database dictionary views. The collected data is then used to generate a Database Sensitive Data Assessment Report in HTML and CSV formats.

Prerequisites: -

DBSAT runs on:

· Solaris x64 and Solaris SPARC64

· Linux x86-64

· Windows x64

· HP-UX IA (64-bit)

· IBM AIX (64-bit) & Linux on zSeries (64-bit)

Supported Database Versions

We can execute DBSAT tool from 10.2.0.5 release onwards.

Security Requirements

DBSAT output files are sensitive because they may reveal weaknesses in the security posture of your database. To prevent unauthorized access to these files, you must implement the following security guidelines:

· Ensure that the directories holding these files are secured with the appropriate permissions.

· Delete the files securely after you implement the recommendations they contain.

· Share them with others in their (by default) encrypted form.

· Grant user permissions on a short-term basis and revoke these when no longer necessary.

Installation

Step 1.

Create directory to extract the DBSAT tool

[devdb@server1]$mkdir -p /DEV/backup/DBSAT

[devdb@server1]$ unzip dbsat.zip -d /DEV/backup/DBSAT

Archive: dbsat.zip

inflating: /DEV/backup/DBSAT/dbsat

inflating: /DEV/backup/DBSAT/dbsat.bat

inflating: /DEV/backup/DBSAT/sat_collector.sql

inflating: /DEV/backup/DBSAT/sat_reporter.py

inflating: /DEV/backup/DBSAT/sat_analysis.py

inflating: /DEV/backup/DBSAT/xlsxwriter/app.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart_area.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart_bar.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart_column.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart_doughnut.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart_line.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart_pie.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart_radar.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart_scatter.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chartsheet.py

inflating: /DEV/backup/DBSAT/xlsxwriter/chart_stock.py

inflating: /DEV/backup/DBSAT/xlsxwriter/comments.py

inflating: /DEV/backup/DBSAT/xlsxwriter/compatibility.py

inflating: /DEV/backup/DBSAT/xlsxwriter/contenttypes.py

inflating: /DEV/backup/DBSAT/xlsxwriter/core.py

inflating: /DEV/backup/DBSAT/xlsxwriter/custom.py

inflating: /DEV/backup/DBSAT/xlsxwriter/drawing.py

inflating: /DEV/backup/DBSAT/xlsxwriter/exceptions.py

inflating: /DEV/backup/DBSAT/xlsxwriter/format.py

inflating: /DEV/backup/DBSAT/xlsxwriter/__init__.py

inflating: /DEV/backup/DBSAT/xlsxwriter/packager.py

inflating: /DEV/backup/DBSAT/xlsxwriter/relationships.py

inflating: /DEV/backup/DBSAT/xlsxwriter/shape.py

inflating: /DEV/backup/DBSAT/xlsxwriter/sharedstrings.py

inflating: /DEV/backup/DBSAT/xlsxwriter/styles.py

inflating: /DEV/backup/DBSAT/xlsxwriter/table.py

inflating: /DEV/backup/DBSAT/xlsxwriter/theme.py

inflating: /DEV/backup/DBSAT/xlsxwriter/utility.py

inflating: /DEV/backup/DBSAT/xlsxwriter/vml.py

inflating: /DEV/backup/DBSAT/xlsxwriter/workbook.py

inflating: /DEV/backup/DBSAT/xlsxwriter/worksheet.py

inflating: /DEV/backup/DBSAT/xlsxwriter/xmlwriter.py

inflating: /DEV/backup/DBSAT/xlsxwriter/LICENSE.txt

inflating: /DEV/backup/DBSAT/Discover/bin/discoverer.jar

inflating: /DEV/backup/DBSAT/Discover/lib/ojdbc8.jar

inflating: /DEV/backup/DBSAT/Discover/lib/oraclepki.jar

inflating: /DEV/backup/DBSAT/Discover/lib/osdt_cert.jar

inflating: /DEV/backup/DBSAT/Discover/lib/osdt_core.jar

inflating: /DEV/backup/DBSAT/Discover/conf/sample_dbsat.config

inflating: /DEV/backup/DBSAT/Discover/conf/sensitive_en.ini

inflating: /DEV/backup/DBSAT/Discover/conf/sensitive_es.ini

inflating: /DEV/backup/DBSAT/Discover/conf/sensitive_de.ini

inflating: /DEV/backup/DBSAT/Discover/conf/sensitive_pt.ini

inflating: /DEV/backup/DBSAT/Discover/conf/sensitive_it.ini

inflating: /DEV/backup/DBSAT/Discover/conf/sensitive_fr.ini

inflating: /DEV/backup/DBSAT/Discover/conf/sensitive_nl.ini

inflating: /DEV/backup/DBSAT/Discover/conf/sensitive_el.ini

Step 2.

Run the collector to gather data

            Syntax : dbsat collect <connect_string> <destination>

The dbsat collect command has the following options and arguments:

· connect_string which specifies the connection string to connect to the database.

Example: user@tns_alias

· destination

Specifies the location and file name for the Database Security Assessment report.

Example: /u01/dbsat/db04

Note: Collector will prompt for password to protect the .zip file it will create. It will ask for password again when running reporter process later.

[devdb@server1 DBSAT]$ ./dbsat collect system@DEV dbsat_report_201220

Database Security Assessment Tool version 2.2.1 (May 2020)

This tool is intended to assist you in securing your Oracle database

system. You are solely responsible for your system and the effect and

results of the execution of this tool (including, without limitation,

any damage or data loss). Further, the output generated by this tool may

include potentially sensitive system configuration data and information

that could be used by a skilled attacker to penetrate your system. You

are solely responsible for ensuring that the output of this tool,

including any generated reports, is handled in accordance with your

company's policies.

Connecting to the target Oracle database...

SQL*Plus: Release 11.2.0.4.0 Production on Sun Dec 20 20:33:58 2020

Enter password:

Connected to:

Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

Setup complete.

SQL queries complete.

OS commands complete.

Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

DBSAT Collector completed successfully.

Calling /DEV/R12DEV/db/tech_st/11.2.0.4/bin/zip to encrypt dbsat_report_201220.json...

Enter password:

Verify password:

adding: dbsat_report_201220.json (deflated 90%)

zip completed successfully.

Step 3.

Run the reporter to generate report

Syntax. dbsat report <pathname>

Note. Here provide the zip file name that was created in last step . But do not use the .zip extension else it will error out.

[devdb@server1 DBSAT]$ ./dbsat report /DEV/backup/DBSAT/dbsat_report_201220