
Using Database Security Assessment Tool (DBSAT)

    The Database Security Assessment Tool (DBSAT) is provided by Oracle as a utility to help you check for common database security issues, as well as helping to identify sensitive data stored in the database.

    Prerequisites

    You need to have zip, unzip and python on the server.

    yum install -y zip unzip python

    Check you have Python installed on the server.

    $ python -V
    Python 2.7.5
    $

    You can check for zip and unzip using the following commands.

    zip -v
    unzip -v

    If you are planning on running the discoverer, you will need a Java 8 JDK, with the JAVA_HOME environment variable set. On my test box I did the following.

    export JAVA_HOME=/u01/jdk1.8.0_181
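    As an added preflight check (Python 3, not part of DBSAT or this article), the script below verifies the prerequisites just listed before the tool is run: zip, unzip and python on the PATH and, for the discoverer, JAVA_HOME pointing at a Java 8 JDK. The lookup functions are passed in as parameters so the logic can be exercised without a JDK; the `java -version` banner layouts it parses are the standard pre-9 (1.8.0_181) and post-9 (10.0.2) forms.

```python
import os
import re
import shutil
import subprocess
import sys

# Added preflight check (Python 3), not DBSAT code: verifies the prerequisites
# above before dbsat is run. Lookups are injectable so the logic is testable.
JAVA_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')

def java_major_version(banner):
    """Major version from a `java -version` banner: "1.8.0_181" -> 8, "10.0.2" -> 10."""
    m = JAVA_VERSION_RE.search(banner or "")
    if not m:
        return None
    first, second = int(m.group(1)), m.group(2)
    # Releases before 9 used the 1.x scheme, so the second field is the real major.
    return int(second) if first == 1 and second is not None else first

def java_banner(java_home):
    """Run $JAVA_HOME/bin/java -version; java writes its banner to stderr."""
    java = os.path.join(java_home, "bin", "java")
    try:
        out = subprocess.run([java, "-version"], capture_output=True, text=True)
    except OSError:
        return None
    return out.stderr or out.stdout

def preflight(env, which, banner, need_discover=True):
    """Return a list of problems; an empty list means DBSAT can be run."""
    problems = []
    for tool in ("python", "zip", "unzip"):
        if which(tool) is None:
            problems.append("%s not on PATH (yum install -y zip unzip python)" % tool)
    if need_discover:  # only the discoverer needs Java
        if not env.get("JAVA_HOME"):
            problems.append("JAVA_HOME not set; the discoverer needs a Java 8 JDK")
        else:
            major = java_major_version(banner)
            if major != 8:
                problems.append("JAVA_HOME Java is %s; the discoverer wants Java 8"
                                % (major or "unknown"))
    return problems

if __name__ == "__main__":
    env = os.environ
    found = preflight(env, shutil.which,
                      java_banner(env["JAVA_HOME"]) if env.get("JAVA_HOME") else None)
    for p in found:
        print("PROBLEM: " + p)
    sys.exit(1 if found else 0)
```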

    You will need suitable database credentials to connect to the database. When I ran this against some real databases I just used my DBA user and it worked fine. The documentation gives an example of the privileges needed if you want to create a user specifically for running this utility.

    create user dbsat_user identified by dbsat_user;
    -- If Database Vault is enabled, connect as DV_ACCTMGR to run this command
    grant create session to dbsat_user;
    grant select_catalog_role to dbsat_user;
    grant select on sys.registry$history to dbsat_user;
    -- 11g and 12c
    grant select on sys.dba_users_with_defpwd to dbsat_user;
    -- 12c only
    grant select on audsys.aud$unified to dbsat_user;
    grant audit_viewer to dbsat_user;
    -- 12c covers sys.dba_priv_captures, sys.priv_capture$, sys.capture_run_log$
    grant capture_admin to dbsat_user;
    -- If Database Vault is enabled, connect as DV_OWNER to run this command
    grant DV_SECANALYST to dbsat_user;

    In a clean instance I created a test user with a password matching the username to give me an obvious failure.

    CREATE USER test IDENTIFIED BY test DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;

    GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE SEQUENCE, CREATE PROCEDURE, CREATE TYPE, CREATE JOB, CREATE MATERIALIZED VIEW TO test;

    Installation

    All you need to do is unzip the Database Security Assessment Tool (DBSAT) into a location on the server. Some of the tools can be run on the client, but I find it easier to keep everything on the server.

    mkdir -p /home/oracle/dbsat
    unzip -o /tmp/dbsat.zip -d /home/oracle/dbsat
    cd /home/oracle/dbsat

    You can add this location to the path if you like, but I don’t bother with that.

    Basic Usage

    Running the dbsat utility with no parameters will display the basic usage.

    $ ./dbsat
    
    Database Security Assessment Tool version 2.0.2 (May 2018)
    
        Usage: dbsat collect [ -n ] <database_connect_string> <output_file>
               dbsat report [ -a ] [ -n ] [ -x <section> ] <input_file>
               dbsat discover [ -n ] -c <config_file> <output_file>
    
        Options:
           -a  Report about all user accounts, including locked,
               Oracle-supplied users
           -n  No encryption for output
           -x  Specify sections to exclude from report (may be repeated for
               multiple sections)
           -c  Configuration file for discoverer
    
    $

    We can see there are three main actions (collect, report and discover).

    Collect

    Running the collector gathers information from the database and generates a JSON file containing all the information. The collector should be run on the database server. It will prompt you for the database password, then for the password to protect the resulting zip file. The “-n” option means you are not prompted for a zip file encryption password, but from a security perspective you should probably use one.

    $ ./dbsat collect dbsat_user@pdb1 pdb1_output
    
    Database Security Assessment Tool version 2.0.2 (May 2018)
    
    This tool is intended to assist in you in securing your Oracle database
    system. You are solely responsible for your system and the effect and
    results of the execution of this tool (including, without limitation,
    any damage or data loss). Further, the output generated by this tool may
    include potentially sensitive system configuration data and information
    that could be used by a skilled attacker to penetrate your system. You
    are solely responsible for ensuring that the output of this tool,
    including any generated reports, is handled in accordance with your
    company's policies.
    
    Connecting to the target Oracle database...
    
    
    SQL*Plus: Release 12.2.0.1.0 Production
    
    Copyright (c) 1982, 2016, Oracle.  All rights reserved.
    
    Enter password:
    
    Connected to:
    Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
    
    Setup complete.
    SQL queries complete.
    OS commands complete.
    Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
    DBSAT Collector completed successfully.
    
    Calling /u01/app/oracle/product/12.2.0.1/db_1/bin/zip to encrypt pdb1_output.json...
    
    Enter password:
    Verify password:
    updating: pdb1_output.json (deflated 88%)
    zip completed successfully.
    $

    Report

    The reporter takes the output file from the collector and converts it into HTML, Excel, JSON, and Text formats. The reporter doesn’t need to be run on the database server, but since you have to run the collector there it probably makes sense to run this on the server too. Notice we’ve used the same file name prefix to call the reporter as we did when running the collector. You are prompted for the password of the source zip file, and the password for the destination zip file.

    $ ./dbsat report pdb1_output
    
    Database Security Assessment Tool version 2.0.2 (May 2018)
    
    This tool is intended to assist in you in securing your Oracle database
    system. You are solely responsible for your system and the effect and
    results of the execution of this tool (including, without limitation,
    any damage or data loss). Further, the output generated by this tool may
    include potentially sensitive system configuration data and information
    that could be used by a skilled attacker to penetrate your system. You
    are solely responsible for ensuring that the output of this tool,
    including any generated reports, is handled in accordance with your
    company's policies.
    
    Archive:  pdb1_output.zip
    [pdb1_output.zip] pdb1_output.json password:
      inflating: pdb1_output.json
    DBSAT Reporter ran successfully.
    
    Calling /usr/bin/zip to encrypt the generated reports...
    
    Enter password:
    Verify password:
            zip warning: pdb1_output_report.zip not found or empty
      adding: pdb1_output_report.txt (deflated 78%)
      adding: pdb1_output_report.html (deflated 84%)
      adding: pdb1_output_report.xlsx (deflated 3%)
      adding: pdb1_output_report.json (deflated 82%)
    zip completed successfully.
    $

    Looking at the resulting HTML file we can see a summary of the findings.

    (Image: DBSAT - Summary)

    Each test results in output indicating the risk level. Here is an example of a high risk we created intentionally.

    (Image: DBSAT - High Risk)

    Discover

    The discoverer is essentially a separate Java-based tool, not reliant on the collector and reporter, that checks for sensitive data in the database. First you need to create a dbsat.config file. You can call it anything you want as you will be referencing it explicitly later.

    cd /home/oracle/dbsat
    cp Discover/conf/sample_dbsat.config Discover/conf/dbsat.config

    You will need to edit the contents of the “Discover/conf/dbsat.config” file. At a minimum you will need to set the following.

    [Database]
            DB_HOSTNAME = localhost
            DB_PORT = 1521
            DB_SERVICE_NAME = pdb1

    The “Discover/conf/sensitive_en.ini” file contains a list of potentially sensitive categories of data, each with an associated pattern for column names. You should review this file and consider adding extra sections or patterns as necessary.

    Once the config is complete you can run the discoverer, specifying the config file and the output file name. You are prompted for the database credentials and the password for the resulting zip file.

    $ export JAVA_HOME=/u01/jdk1.8.0_181
    $ ./dbsat discover -c ./Discover/conf/dbsat.config pdb1_discovery
    
    Database Security Assessment Tool version 2.0.2 (May 2018)
    
    This tool is intended to assist in you in securing your Oracle database
    system. You are solely responsible for your system and the effect and
    results of the execution of this tool (including, without limitation,
    any damage or data loss). Further, the output generated by this tool may
    include potentially sensitive system configuration data and information
    that could be used by a skilled attacker to penetrate your system. You
    are solely responsible for ensuring that the output of this tool,
    including any generated reports, is handled in accordance with your
    company's policies.
    
    Enter username: dbsat_user
    Enter password:
    DBSAT Discover ran successfully.
    Calling /usr/bin/zip to encrypt the generated reports...
    
    Enter password:
    Verify password:
            zip warning: pdb1_discovery_report.zip not found or empty
      adding: pdb1_discovery_discover.html (deflated 73%)
      adding: pdb1_discovery_discover.csv (deflated 30%)
    Zip completed successfully.
    $

    Issues

    I experienced some issues with the current version (2.0.2).

    • The current version of the discoverer doesn’t seem to like Java 10. If you don’t use Java 8 you get this error: “Error: Java version 1.8 or later is required.”
    • The current version of the reporter seems to have issues with Oracle 18c. There is a date comparison that produces the following error. I’m not sure if this affects the output though, as it looked like the output was complete.

    Traceback (most recent call last):
      File "/home/oracle/dbsat/./sat_reporter.py", line 6372, in <module>
        fn()
      File "/home/oracle/dbsat/./sat_reporter.py", line 338, in patch_checks
        bundle_date = max_date(bundle_date, x[reldate])
      File "/home/oracle/dbsat/./sat_reporter.py", line 6198, in max_date
        return max(date1, date2)
    TypeError: can't compare datetime.datetime to unicode
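    As an added illustration (not code from DBSAT), here is a Python 3 reproduction of that date comparison failure next to a tolerant replacement: a bare `max()` over a datetime and a string raises TypeError (Python 3 reports an unsupported `>` rather than the Python 2 message above), so the safer version parses any string and treats a missing date as “no date” before comparing. The `%Y-%m-%d` layout is an assumption; the page does not show how the release date is stored in the collector output.

```python
import datetime

# Added example, not the reporter's own code: reproduces the mixed-type
# comparison in the traceback above and shows a version that tolerates it.

def max_date_as_shipped(date1, date2):
    """Mirrors the one-line body shown in the traceback; fails on mixed types."""
    return max(date1, date2)

def to_datetime(value, fmt="%Y-%m-%d"):
    """Coerce a date-like value to datetime.
    The string layout (fmt) is an assumption; adjust it to the real data."""
    if isinstance(value, datetime.datetime):
        return value
    if isinstance(value, datetime.date):
        return datetime.datetime(value.year, value.month, value.day)
    if isinstance(value, str):
        return datetime.datetime.strptime(value.strip(), fmt)
    raise TypeError("cannot interpret %r as a date" % (value,))

def max_date(date1, date2):
    """Tolerant version: None means 'no date yet', strings are parsed first."""
    if date1 is None:
        return to_datetime(date2) if date2 is not None else None
    if date2 is None:
        return to_datetime(date1)
    return max(to_datetime(date1), to_datetime(date2))

def reproduce_failure():
    """True if the shipped form raises on a datetime/string mix, as in the traceback."""
    try:
        max_date_as_shipped(datetime.datetime(2018, 4, 17), "2018-07-17")
    except TypeError:
        return True
    return False
```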

    Also See:

    ORAchk