Oracle Database Security Check With Database Security Assessment Tool (DBSAT)

The Oracle Database Security Assessment Tool (DBSAT) analyzes database configurations and security policies to help eliminate security risks and improve database security. Using the DBSAT tool, you can implement recommended security-related actions.

With DBSAT, you can eliminate short-term security risks, and report the necessary findings to implement a comprehensive security strategy.

DBSAT Components

DBSAT Collector: Collects data by running SQL statements and operating system commands. The collected data is written to a file for use in the analysis phase.

DBSAT Reporter: Analyzes the collected data and reports its findings in different formats. These formats can be PDF, Excel and text.

The following operations can be performed using DBSAT:

  • You can quickly identify security configuration issues in your database.
  • You can apply the best recommended solutions for security.
  • You can improve the security of Oracle databases.
  • You can reduce the attack risk.

DBSAT Usage

You can download the required files for DBSAT from the link mentioned in document 2138254.1. You can use DBSAT for Solaris x64 and Solaris SPARC, Linux x86-64, Windows x64, HP-UX IA (64-bit), IBM AIX & zSeries Based Linux platforms, and Oracle Database 10.2.0.5 and later versions.

The database user that DBSAT connects as must have the following privileges:

  • CREATE SESSION
  • SELECT on SYS.REGISTRY$HISTORY
  • Role SELECT_CATALOG_ROLE
  • Role DV_SECANALYST (If Database Vault is Used)
  • Role AUDIT_VIEWER (Only 12c)
  • Role CAPTURE_ADMIN (Only 12c)
  • SELECT on SYS.DBA_USERS_WITH_DEFPWD (11g and 12c)
  • SELECT on AUDSYS.AUD$UNIFIED (Only 12c)
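
The privilege list above, written as a setup script for a dedicated assessment account so that DBSAT does not have to connect as a DBA. This is an added example, not taken from the original page or from Oracle; the account name DBSAT_USER and the password placeholder are assumptions, and the version checks use "this release or later" on the assumption that newer releases keep the same roles and objects.

```sql
-- Added example; run as a DBA in SQL*Plus. DBSAT_USER is a hypothetical name.
-- Replace the password placeholder before running.
CREATE USER dbsat_user IDENTIFIED BY "<replace-with-strong-password>";

SET SERVEROUTPUT ON
DECLARE
  v_user CONSTANT VARCHAR2(30) := 'DBSAT_USER';
  v_dv   VARCHAR2(64) := 'FALSE';
  -- Issue one grant and report the outcome instead of aborting the script.
  PROCEDURE do_grant(p_what IN VARCHAR2) IS
  BEGIN
    EXECUTE IMMEDIATE 'GRANT ' || p_what || ' TO ' || v_user;
    DBMS_OUTPUT.PUT_LINE('granted: ' || p_what);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('FAILED:  ' || p_what || ' - ' || SQLERRM);
  END do_grant;
BEGIN
  -- Listed on the page without a version restriction.
  do_grant('CREATE SESSION');
  do_grant('SELECT ON SYS.REGISTRY$HISTORY');
  do_grant('SELECT_CATALOG_ROLE');
  -- Listed on the page for 11g and 12c (assumption: also later releases).
  IF DBMS_DB_VERSION.VERSION >= 11 THEN
    do_grant('SELECT ON SYS.DBA_USERS_WITH_DEFPWD');
  END IF;
  -- Listed on the page for 12c (assumption: also later releases).
  IF DBMS_DB_VERSION.VERSION >= 12 THEN
    do_grant('AUDIT_VIEWER');
    do_grant('CAPTURE_ADMIN');
    do_grant('SELECT ON AUDSYS.AUD$UNIFIED');
  END IF;
  -- Only when Database Vault is in use. With Database Vault enabled this
  -- grant may have to come from a Database Vault owner account; a failure
  -- is printed above rather than stopping the script.
  BEGIN
    SELECT value INTO v_dv FROM v$option
     WHERE parameter = 'Oracle Database Vault';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN v_dv := 'FALSE';
  END;
  IF v_dv = 'TRUE' THEN
    do_grant('DV_SECANALYST');
  END IF;
END;
/
-- Review what the account holds; it should match the list above and no more.
SELECT privilege AS granted FROM dba_sys_privs WHERE grantee = 'DBSAT_USER'
UNION ALL
SELECT granted_role FROM dba_role_privs WHERE grantee = 'DBSAT_USER'
UNION ALL
SELECT privilege || ' ON ' || owner || '.' || table_name
  FROM dba_tab_privs WHERE grantee = 'DBSAT_USER';
```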

Python 2.6 or higher is required for reporting. You can find the Python version in the system with the following command.

You must extract the dbsat.zip file, downloaded from the link in the document, into the Oracle home directory. You can use the dbsat tool after setting the ORACLE_HOME and ORACLE_SID environment variables.

The DBSAT Collector can be run as follows.

The destination must be specified as a full file path, and it must end in a name given to the database.

Example: for the exadb database,

When you run the command, it asks you to specify a password for the zip file. After the command runs, a file (exadb.zip) will be created in the specified directory (/home/oracle/dbsat) with the specified name. This file contains the data to be used for reporting.

DBSAT Reporter can be run as follows.

With -a, all users in the database are included in the analysis. Without -a, users who cannot access the database, such as expired or locked users, are not included.

With -n, the report is not encrypted.

With -x, the specified sections are excluded from the report. The sections are as follows:

  • USER: User Accounts
  • PRIV: Privileges and Roles
  • AUTH: Authorization Control
  • CRYPT: Encryption
  • ACCESS: Fine-Grained Access Control
  • AUDIT: Auditing
  • CONF: Database Configuration
  • NET: Network Configuration
  • OS: Operating System

Sample usage:

Example: for exadb,

When the command is executed, a file named “<pathname>_report.zip” (exadb_report.zip) will be created in the same directory. The password for this compressed file is the password given when the command is executed. The file contains reports in HTML, Excel and text format.

Author: dbtut