Download and use the Oracle Database Security Assessment Tool

I visit customers on a regular basis. And when we sit together in front of the machine I sometimes spot tiny little things which may impose a security risk. This could be things such as SEC_CASE_SENSITIVE_LOGON=FALSE or the use of UTL_FILE_DIR or something else. To detect such sensitive spots you should download and use the Oracle Database Security Assessment Tool (DBSAT).


DBSAT – Oracle Database Security Assessment Tool – Collector and Reporter Components


First of all, you need to download the tool from MyOracle Support:

Afterwards you may want to check the documentation:

Requirements and Database Releases

To execute the tool you will need the following database privileges and roles:

  • CREATE SESSION
  • SELECT on SYS.REGISTRY$HISTORY
  • SELECT_CATALOG_ROLE
  • DV_SECANALYST role (in case Database Vault is active)
  • AUDIT_VIEWER role (since Oracle 12c)
  • CAPTURE_ADMIN role (since Oracle 12c)
  • SELECT on SYS.DBA_USERS_WITH_DEFPWD (since Oracle 11g)
  • SELECT on AUDSYS.AUD$UNIFIED (since Oracle 12c)

The tool has two components:

  1. The DBSAT Collector executes SQL queries and runs operating system commands to collect data from the system to be assessed. It does this primarily by querying database dictionary views. The collected data is written to a file that is used by the DBSAT Reporter in the analysis phase.
  2. The DBSAT Reporter analyzes the collected data and reports its findings and recommendations in multiple formats: PDF, Excel, and Text. The Reporter can run on any machine: PC, laptop, or server. You are not limited to running it on the same server as the Collector.

You can run DBSAT against databases from Oracle Database 10.2.0.5 onwards, on SPARC and Intel Solaris, Linux, Windows, HP-IA, AIX and zLinux.

Installation

Copy the zip file to a directory and unzip it, for example:

mkdir -p /home/oracle/dbsat
unzip dbsat.zip -d /home/oracle/dbsat
cd /home/oracle/dbsat

Execute the DBSAT Collector

Once you have ensured that the user you’ll use to execute DBSAT has all the above-mentioned privileges and roles, you can execute it:

$ ./dbsat collect -n "/ as sysdba" dbsatrep

Another option would be for instance: ./dbsat collect scott /tmp/collect_result which will then interactively prompt you for scott’s password.
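Instead of collecting as "/ as sysdba", you can create a dedicated assessment account that holds exactly the privileges listed above and verify the grants before the first collector run. This is an added example and not part of DBSAT or the original post; the user name DBSAT_USER and the password placeholder are assumptions, and the script is meant to be run as SYSDBA in the container you want to assess.

```sql
-- Added example (not DBSAT code): least-privilege account for the DBSAT Collector.
-- DBSAT_USER and the password placeholder are assumptions; replace before use.
CREATE USER dbsat_user IDENTIFIED BY "<replace-with-a-strong-password>";
GRANT CREATE SESSION TO dbsat_user;
GRANT SELECT_CATALOG_ROLE TO dbsat_user;
GRANT SELECT ON SYS.REGISTRY$HISTORY TO dbsat_user;
GRANT SELECT ON SYS.DBA_USERS_WITH_DEFPWD TO dbsat_user;   -- 11g and later
GRANT AUDIT_VIEWER TO dbsat_user;                          -- 12c and later
GRANT CAPTURE_ADMIN TO dbsat_user;                         -- 12c and later
GRANT SELECT ON AUDSYS.AUD$UNIFIED TO dbsat_user;          -- 12c and later
-- GRANT DV_SECANALYST TO dbsat_user;                      -- only when Database Vault is enabled

-- Pre-flight check: report any grant from the list above that is missing
-- (direct grants only, which is what the statements above create).
SET SERVEROUTPUT ON
DECLARE
  TYPE t_list IS TABLE OF VARCHAR2(128);
  v_roles   t_list := t_list('SELECT_CATALOG_ROLE', 'AUDIT_VIEWER', 'CAPTURE_ADMIN');
  v_tabs    t_list := t_list('SYS.REGISTRY$HISTORY', 'SYS.DBA_USERS_WITH_DEFPWD',
                             'AUDSYS.AUD$UNIFIED');
  v_cnt     PLS_INTEGER;
  v_missing PLS_INTEGER := 0;
BEGIN
  SELECT COUNT(*) INTO v_cnt FROM dba_sys_privs
   WHERE grantee = 'DBSAT_USER' AND privilege = 'CREATE SESSION';
  IF v_cnt = 0 THEN
    DBMS_OUTPUT.PUT_LINE('MISSING system privilege: CREATE SESSION');
    v_missing := v_missing + 1;
  END IF;
  FOR i IN 1 .. v_roles.COUNT LOOP
    SELECT COUNT(*) INTO v_cnt FROM dba_role_privs
     WHERE grantee = 'DBSAT_USER' AND granted_role = v_roles(i);
    IF v_cnt = 0 THEN
      DBMS_OUTPUT.PUT_LINE('MISSING role: ' || v_roles(i));
      v_missing := v_missing + 1;
    END IF;
  END LOOP;
  FOR i IN 1 .. v_tabs.COUNT LOOP
    SELECT COUNT(*) INTO v_cnt FROM dba_tab_privs
     WHERE grantee = 'DBSAT_USER' AND privilege = 'SELECT'
       AND owner || '.' || table_name = v_tabs(i);
    IF v_cnt = 0 THEN
      DBMS_OUTPUT.PUT_LINE('MISSING object grant: SELECT ON ' || v_tabs(i));
      v_missing := v_missing + 1;
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(CASE WHEN v_missing = 0 THEN 'All DBSAT grants present'
                            ELSE v_missing || ' grant(s) missing' END);
END;
/
```

The check only covers the grants the script itself creates; DV_SECANALYST is left commented out and should be granted and checked separately on databases where Database Vault is enabled.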

Please see the entire command syntax for dbsat here:

Usage: dbsat collect [ -n ]  
       dbsat report [ -a ] [ -n ] [ -x :section:]

Options: 
       -a Report about all user accounts, including locked, Oracle-supplied users
       -n No encryption for output
       -x Specify sections to exclude from report (may be repeated for multiple sections)

Execute the DBSAT Reporter

Generating a report is simple and straightforward. By default the report will be password protected unless you use the -n option.

./dbsat report dbsatrep

The resulting report gives you summary information first:


DBSAT – Report Summary

And then you should watch out for yellow, orange and especially red marked entries such as:


DBSAT Report – Audit Record Finding – marked in RED so please pay attention

You’ll also get green messages when something is set up or used in the right way, and we know that this is crucial. Just speaking of old password versions:


DBSAT Report: No outdated PASSWORD_VERSIONS user accounts found – this is very good

Some remarks and findings

First of all, the report seems to run in CDB$ROOT unless you direct it to specific PDBs. In my understanding it means you’ll have to execute DBSAT on a per-PDB basis. This makes sense of course. But I would rather have expected an option to run it in all containers in one pass and generate a consolidated report that allows a breakdown when necessary. This is the call to execute DBSAT in my PDB1:

./dbsat collect -n "sys/oracle@pdb1 as sysdba" dbsatpdb1

This works fine.

And finally, this struck me a bit:


Red alert for PSUs – but my RU (was BP before) has the PSU and much more

Hm … DBSAT does not seem to be aware that BPs and RUs are a super-set of PSUs and RURs. My database is in better shape – I should get an extra star for applying RUs instead of RURs (or PSUs), and no RED ALERT should be shown.

Well, there’s always some room for improvement.

Summary

Finally, the Database Security Assessment Tool is very helpful and highly recommended. The warnings you get are mostly helpful and may signal undetected risks and issues in your database. It will help you secure your database. A few things need to be read with a grain of salt.

–Mike

11 thoughts on “Download and use the Oracle Database Security Assessment Tool”

  1. Hi Mike,
    thanks for reviewing DBSAT. We are working to fix the patch finding rule.
    I’ll let you know as the next release becomes available so you can give it a try.

    Cheers,
    Pedro

  2. Hi Mike,

    nice article about DBSAT. I already tried it myself and it works fine – at least on 12.1.0.2 databases on Linux x86-64. Unfortunately, with all 11.2.0.4 databases I have issues with DBSAT and e.g. “SP2-0676: Bind variable length cannot exceed 1000 characters”. I hence already raised a question in the DB Sec community (https://community.oracle.com/message/14746286), waiting for anybody to have an idea on the source of the issue. But it was interesting to see that you encountered some (minor) findings with DBSAT.

    Thanks and best regards,
    Patrick

      • Hi Mike,

        as I played around and found out myself, in the file “sat_collector.sql” there are some definitions that exceed some limit in (my) 11.2.0.4 databases:

        var v_spool_file VARCHAR2(4000);
        var err_buf VARCHAR2(4000);

        Changing the 4000 value into 1000 leads to a successful run 🙂

        I already provided this feedback to MOS Doc ID 2138254.1 and will update the MOS community thread (link given above) accordingly.
        If you have any other feedback, it would be nice to know.

        Thanks and best regards,
        Patrick

        • Hi Patrick,

          We aim to give a seamless experience and have tested DBSAT on Oracle Databases 10.2.0.5 and higher (18c is already certified). I’m sorry you have run into this.

          Since it’s the first time I’m seeing this issue, would you be so kind as to let us know if you have set the NLS_LANG env variable?

          We’d like to reproduce the problem and provide an appropriate fix.

          Best,
          Pedro Lopes
          DBSAT Product Manager
          Oracle Database Security
