Introduction to Oracle Database Security Assessment Tool (DBSAT)
Introduction
DBSAT is an Oracle-provided command line tool that evaluates how securely your database is configured. DSAT considers such things as: user roles and entitlements, security policies, and security controls. DSAT is an easy first step to help the DBA mitigate potential security risks on sensitive databases. DSAT reports identify short-term risks so that the DBA and cyber-security team can implement a comprehensive security strategy.
In this article, we discuss:
- DBSAT & its components
- Implementation
- Report output
- How to interpret the results.
DSAT in action
DBSAT has three components: Collector, Reporter, and Discoverer. Collector and Reporter work together to discover risk areas and produce a reports on those risk areas--the "Database Security Assessment Report." The Discoverer is a stand-alone module used to locate and report on sensitive data. This output is called the "Database Sensitive Data Assessment Report."
Implementation
First, create a database user who has all the required privileges to collect data in collaboration with DBSAT. Keep in mind that the Collector needs to execute on the server where database resides.
User Setup
grant create session to dbsat identified by oracle;
grant select on sys.registry$history to dbsat;
grant select_catalog_role to dbsat;
grant audit_viewer to dbsat; grant capture_admin to dbsat;
grant select on sys.dba_users_with_defpwd to dbsat;
grant select on audsys.aud$unified to dbsat;
Installation
First, go to http://www.oracle.com/technetwork/database/security/dbsat.html and download the dbsat zip file. Copy it to your database server destination and simply extract the file dbsat.zip.
To install the Database Security Assessment Tool, perform these steps:
mkdir –p /home/dbsat/102
mv dbsat.zip /home/ dbsat/102/
cd /home/dbsat/102
unzip dbsat.zip
Excute DBSAT collector: ./dbsat collect dbsat/oracle@test_database oracle_db
The time it takes to complete depends on the hardware and the data that needs to be collected. A database that has thousands of users and roles might take hours to run. At the end of the process, you’ll be asked to provide a password twice. Do not forget it as you’ll need it when running dbsat report.
A file named oracle_db.zip is created in the directory (/home/ dbsat/102). There is no need to unzip the file. DBSAT reporter will take either the json file (if –n was used) or the zip file.
DSAT Reporter
DBSAT Reporter will take as input the file generated by the collector (json or zip file). The Reporter and will produce one zip file containing three reports in different formats: HTML, spreadsheet, and text.
It is a simple command to run Reporter: ./dbsat report –a oracle_db
DBSAT will prompt the user for one password--the same password used when running the collector. Another prompt will ask for password to protect the reports zip file. The results will be placed in a password protected zip file named orcl_hol_report.zip.
Report Findings
The report details the level of risk
• Pass: no error found
• Evaluate: needs manual analysis
• Some Risk: low
• Significant Risk: medium
• Severe Risk: high
• Opportunity: improve security posture by enabling additional security features.
Ten common findings from DSAT include:
- No Database Security Policies
- No patching/patch management policy in place
- No encryption of sensitive/regulated data
- No monitoring/auditing in place
- Over-privileged accounts; No personalized accounts; NO SoD
- Weak/inexistent password policies; Weak password management
- Data sent in clear text to third parties
- No OS hardening
- No sensitive data anonymization in production to DEV/TEST/Training/etc.
- Sample schemas in production environments/
Conclusion
If your Oracle database is not configured properly, you are giving easy access to hackers. Try the Database Security Assessment Tool and see what it finds in your databases. DSAT is totally free and quick to deploy. The tool supports database version from 10g onwards.
