An Easy Approach To Oracle Database Security Assessment

Performing routine holistic database health checks is a must – good database administrators do more than just keep their database up to PAR . I perform these health checks on a quarterly basis to analyze database capacity/resource utilization, availability, performance, and security. Oracle Database Security Assessment Tool (DBSAT) just made my life alot easier and my health checks more effective. DBSAT is a command line tool focused on identifying how securely the database is configured, who are the users and what are their entitlements, what security policies and controls are in place, and where sensitive data resides with the goal of promoting successful approaches to mitigate potential security risks. DBSAT is a lightweight utility that will not impair system performance in a measurable way.

Honetsly, using DBSAT has taken the guess work out of what to check when performing my database security checks.

Benefits of Using Oracle Database Security Assessment Tool

  • Quickly and easily assess the current security status and identify sensitive data within the Oracle Database.
  • Reduce risk exposure using proven Oracle Database Security best practices, CIS benchmark recommendations and STIG rules.
  • Leverage security findings to accelerate compliance with EU GDPR and other regulations.
  • Improve the security posture of your Oracle Databases and promote security best practices.

DBSAT Components

DBSAT has three components: CollectorReporter, and Discoverer. Collector and Reporter work together to discover risk areas and produce reports on those risk areas – Database Security Assessment report. The Discoverer is a stand-alone module used to locate and report on sensitive data – Database Sensitive Data Assessment report.

  • The Collector is responsible to collect raw data from the target database by executing SQL queries and OS commands.
  • The Reporter reads the collected data, analyzes it and produces reports with the findings. The Reporter outputs four reports in HTML, XLS, JSON and Text formats.
  • The Discoverer executes SQL queries against database dictionary views to discover sensitive data, and outputs reports in HTML and CSV formats. The Discoverer CSV report can be loaded into Oracle Audit Vault and Database Firewall starting in 12.2.0.8, to add sensitive data context to the new Data Privacy reports.

Supported Platforms

You can run the DBSAT tool on Oracle Database 10.2.0.5 and later releases on the following OS:

  • Solaris x64 and Solaris SPARC64
  • Linux x86-64
  • Windows x64
  • HP-UX IA (64-bit)
  • IBM AIX (64-bit) & Linux on zSeries (64-bit)

FYI – The database configuration collection queries run on most supported Oracle Database platforms. However, currently the OS data collection will be skipped on Windows platforms. ?

Installing DBSAT

Before installing DBSAT, ensure you have python and unzip. 

$ mkdir -p ~/dbsat
$ unzip dbsat.zip –d ~/dbsat

That’s all folks. The easiest installation of any Oracle product that I’ve ever performed.

Running Collector

I used SYS to perform the collection, however it’s best practice to create a suitable database credentials to connect to the database. Create a DBSAT database user and grant it the following privileges:

  • CREATE SESSION
  • READ or SELECT on SYS.REGISTRY$HISTORY
  • Role SELECT_CATALOG_ROLE
  • Role DV_SECANALYST (if Database Vault is enabled or if Database Vault Operations Control is enabled)
  • Role AUDIT_VIEWER (12c and later)
  • Role CAPTURE_ADMIN (12c and later)
  • READ or SELECT on SYS.DBA_USERS_WITH_DEFPWD (11g and later)
  • READ or SELECT on AUDSYS.AUD$UNIFIED (12c and later)

FYI – If you plan to run only the Collector component, you can assign only the following privileges:

  • CREATE SESSION
  • Role SELECT_CATALOG_ROLE

FYI – In order to successfully collect Database Vault information in a Database Vault protected environment, you must connect as a non-SYS user with the DV_SECANALYST role.

Set your focus on the desired database and run the following command to proceed with executing the collection –  Notice I used “-n” flag to opt out of encrypting the output. You can run “./dbsat” to see full usage of the utility

$ . orenv
$ cd ~/dbsat
$ ./dbsat collect -n "/ as sysdba" $ORACLE_SID

Running Report

Generate a report from the data collected in previous step – I assume that your ORACLE_SID variable is set. The report will come in three different formats for your viewing pleaseure – HTML, Excel, JSON. Again, notice I used the optional “-n” flag to opt out of encrypting the report. 

$ ./dbsat report -n $ORACLE_SID

Check out my HTML report for my sandbox database. There’s also a “discover” feature with DBSAT, however I haven’t played with that enough yet.