The Oracle Database Security Assessment Tool (DBSAT) is a command-line tool focused on identifying how securely the database is configured and where sensitive data resides with the goal of promoting successful approaches to mitigating potential security risks.
DBSAT requires no special installation, is easy to use, and produces clear, understandable reports. Furthermore, it’s provided to licensed Oracle customers by Oracle support (and is downloadable from My Oracle Support) for no additional charge.
DBSAT has three components: Collector, Reporter, and Discoverer. The scope of this blog post is to show how to run the new version 2.2.0 of DBSAT using an Oracle Wallet so that no database user password is needed during its execution. We'll be using an Oracle 19c Cloud Database Instance (OCI) at the PDB level.
This latest version was released in September 2019. DBSAT is now certified for the latest Oracle database versions 18c and 19c, for both on-premises and cloud databases, including DBCS (PaaS) and the Oracle Autonomous Database.
The general list of new features in this release includes:
When creating a database within the OCI web console, you have three primary options:
Choosing a compute shape with only an OS included. A VM server can be created automatically from the OCI dashboard menu: “Core Infrastructure => Compute => Instances.” Once the VM is created, you could manually install the desired database version, then access it via SSH using RSA keys.
From the OCI Dashboard menus: “Database => Autonomous Data Warehouse” or “Database => Autonomous Transaction Processing.” Once ready, you can access it directly from your computer using an Oracle client (SQL Plus or SQL Developer) after downloading the connectivity package.
From the OCI Dashboard menu: “Database => BareMetal, VM and Exadata.” This results in a server with a database already up and running, created automatically from OCI.
There is also an option to create an Exadata Cluster behind your firewall: “Database => Exadata Cloud at Customer.” This enables you to apply the combined power of Exadata and Oracle Cloud inside your own data center, with Oracle managing the Exadata infrastructure.
Download DBSAT from the Oracle Support website (Document ID: 2138254.1).
For this test, we create a specific DB User at the PDB level:
SQL> ALTER SESSION SET CONTAINER=SECDATA;
SQL> create user DBSAT identified by *********************;
SQL> grant CREATE SESSION to DBSAT;
SQL> grant SELECT_CATALOG_ROLE to DBSAT;
SQL> grant SELECT on SYS.REGISTRY$HISTORY to DBSAT;
SQL> grant SELECT on SYS.DBA_USERS_WITH_DEFPWD to DBSAT;
SQL> grant AUDIT_VIEWER to DBSAT;
SQL> grant CAPTURE_ADMIN to DBSAT;
SQL> grant SELECT on AUDSYS.AUD$UNIFIED to DBSAT;
Add a TNS entry and create the credentials in the wallet:
[oracle@royserver ~]$ mkstore -wrl /u01/app/oracle/admin/DBRSV19c/wallets -createCredential DISCOVER_SEC DBSAT
[oracle@royserver ~]$ mkstore -wrl /u01/app/oracle/admin/DBRSV19c/wallets -listCredential
We don’t need to initiate an administrative connection (SYSDBA) or manually provide credentials, since the utility gets the username and password for the DISCOVER_SEC alias from the Oracle credential wallet.
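The TNS entry and the Oracle Net settings that make the “/@DISCOVER_SEC” connect string work are not shown above. As an added illustration (not from the original post), the two files below, placed in the directory TNS_ADMIN points to, resolve DISCOVER_SEC to the SECDATA PDB and let the client authenticate from the wallet created with mkstore; the host, port and service name are placeholders.

```ini
# tnsnames.ora (constructed example: host, port and service name are placeholders)
DISCOVER_SEC =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = royserver.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = secdata.example.com)
    )
  )

# sqlnet.ora: point the client at the wallet populated with mkstore above,
# and let the wallet credential supply the username and password when the
# connect string carries none ("/@DISCOVER_SEC")
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/admin/DBRSV19c/wallets)
    )
  )
SQLNET.WALLET_OVERRIDE = TRUE
```

Before running DBSAT, "sqlplus /@DISCOVER_SEC" should log in as DBSAT without a password prompt; if it still prompts, check that TNS_ADMIN points at these files and that the OS user running DBSAT can read the wallet directory.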
[oracle@royserver DBSAT_22]$ ./dbsat collect "/@DISCOVER_SEC" SECDATA-PDB_DBSAT22
For the Reporter, no database connection is required; hence, there is no need to use the wallet here.
[oracle@royserver DBSAT_22]$ ./dbsat report ./SECDATA-PDB_DBSAT22
The Discoverer component requires Java and specific configuration in the parameter files. You must update WALLET_LOCATION and TNS_ADMIN in the .config file to run without a password prompt.
[oracle@royserver DBSAT_22]$ ./dbsat discover -c ./Discover/conf/new_dbsat.config DISCOVER_SEC_Report
The file sample_dbsat.config needs to be updated for database connectivity. In the command above, I copied it as new_dbsat.config and edited it. You may also have to review and update the search patterns for sensitive data in the file sensitive_en.ini.