How to Run DBSAT 2.2.0 on Oracle Cloud PDB using Wallet
The Oracle Database Security Assessment Tool (DBSAT) is a command-line tool focused on identifying how securely the database is configured and where sensitive data resides with the goal of promoting successful approaches to mitigating potential security risks.
DBSAT requires no special installation, is easy to use, and produces clear, understandable reports. Furthermore, it’s provided to licensed Oracle customers by Oracle support (and is downloadable from My Oracle Support) for no additional charge.
Overview of DBSAT and New Features in Version 2.2.0
DBSAT has three components: Collector, Reporter, and Discoverer. The scope of this blog post is to show how to run the new version 2.2.0 of DBSAT using an Oracle Wallet so that no database user password is needed during its execution. We'll be using an Oracle 19c Cloud Database Instance (OCI) at the PDB level.
What’s new in DBSAT version 2.2.0?
This latest version was released in September 2019. DBSAT is now certified for the latest Oracle database versions 18c and 19c, for both on-premises and cloud databases, including DBCS (PaaS) and the Oracle Autonomous Database.
The general list of new features in this release includes:
- Analysis of common and local privileges and roles granted in a pluggable database.
- Added Code Based Access Control (CBAC) roles and privileges granted to stored procedures, functions, and packages.
- Added roles with enabled unified audit policies.
- Improved remarks for all findings.
New Features for the Discoverer Component
- Retrieval of database username/password from Secure External Password Store (SEPS).
- Support for TNS_ADMIN and TNS aliases.
- Sample pattern file for the Greek language.
1) OCI Database Instance Creation
When creating a database within the OCI web console, you have three primary options:
VM Server (IaaS)
Choose a compute shape with only an OS included. A VM server can be created automatically from the OCI dashboard menu: “Core Infrastructure => Compute => Instances.” Once the VM is created, you can manually install the desired database version, then access it via SSH using RSA keys.
Autonomous DB
From the OCI Dashboard menus: “Database => Autonomous Data Warehouse” or “Database => Autonomous Transaction Processing.” Once ready, you can access it directly from your computer using an Oracle client (SQL Plus or SQL Developer) after downloading the connectivity package.
DB SYSTEM (DBaaS or “DBCS”)
From the OCI Dashboard menu: “Database => BareMetal, VM and Exadata.” This results in a server with a database already up and running, created automatically from OCI.
Exadata Cloud at Customer
There is also an option to create an Exadata Cluster behind your firewall: “Database => Exadata Cloud at Customer.” This enables you to apply the combined power of Exadata and Oracle Cloud inside your own data center, with Oracle managing the Exadata infrastructure.
2) Setting Up for DBSAT Execution
Download DBSAT from the Oracle Support website (Document ID: 2138254.1).
System Requirements
- Collector: Requires sufficient privileges (or run as SYSDBA).
- Reporter: Requires Python version 2.6 or later.
- Discoverer: Requires Java Runtime Environment (JRE) 1.8.
Database User and Permission Setup
For this test, we create a specific DB User at the PDB level:
SQL> ALTER SESSION SET CONTAINER=SECDATA;
SQL> create user DBSAT identified by *********************;
SQL> grant CREATE SESSION to DBSAT;
SQL> grant SELECT_CATALOG_ROLE to DBSAT;
SQL> grant SELECT on SYS.REGISTRY$HISTORY to DBSAT;
SQL> grant SELECT on SYS.DBA_USERS_WITH_DEFPWD to DBSAT;
SQL> grant AUDIT_VIEWER to DBSAT;
SQL> grant CAPTURE_ADMIN to DBSAT;
SQL> grant SELECT on AUDSYS.AUD$UNIFIED to DBSAT;
Configuring TNS and Oracle Wallet (SEPS)
Add a TNS entry and create the credentials in the wallet:
[oracle@royserver ~]$ mkstore -wrl /u01/app/oracle/admin/DBRSV19c/wallets -createCredential DISCOVER_SEC DBSAT
[oracle@royserver ~]$ mkstore -wrl /u01/app/oracle/admin/DBRSV19c/wallets -listCredential
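A pre-flight check for the wallet setup above, added here as an example (it is not from the original post or from the DBSAT distribution): it verifies that the wallet files carry no group/other permissions, that sqlnet.ora sets WALLET_LOCATION and SQLNET.WALLET_OVERRIDE = TRUE, and that the alias resolves in tnsnames.ora. The names check_seps and make_fixture, and the host and service name in the fixture, are assumptions; the fixture files are constructed stand-ins, not a real wallet.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for a SEPS wallet before ./dbsat collect "/@ALIAS".
# check_seps WALLET_DIR TNS_ADMIN_DIR ALIAS -> prints findings, returns 1 if any.
check_seps() {
    local wallet=$1 tns=$2 alias=$3 rc=0 f perms

    # cwallet.sso is the auto-login wallet: read access to it is equivalent to
    # knowing the stored password, so no group/other permission bits should be set.
    for f in "$wallet" "$wallet/cwallet.sso" "$wallet/ewallet.p12"; do
        if [ ! -e "$f" ]; then echo "MISSING $f"; rc=1; continue; fi
        perms=$(ls -ld "$f" | cut -c5-10)   # group + other permission characters
        [ "$perms" = "------" ] || { echo "PERMS $f group/other=$perms"; rc=1; }
    done

    # sqlnet.ora must point at the wallet and let it answer "/@alias" logins.
    if ! grep -Eiq '^[[:space:]]*WALLET_LOCATION[[:space:]]*=' "$tns/sqlnet.ora" 2>/dev/null; then
        echo "SQLNET no WALLET_LOCATION in $tns/sqlnet.ora"; rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$tns/sqlnet.ora" 2>/dev/null; then
        echo "SQLNET SQLNET.WALLET_OVERRIDE is not TRUE in $tns/sqlnet.ora"; rc=1
    fi

    # The wallet credential is keyed by the TNS alias, so the alias must resolve.
    if ! grep -Eiq "^[[:space:]]*${alias}[[:space:]]*=" "$tns/tnsnames.ora" 2>/dev/null; then
        echo "TNS alias $alias not found in $tns/tnsnames.ora"; rc=1
    fi
    return $rc
}

# Constructed fixture: empty files standing in for a wallet, placeholder host/service.
make_fixture() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/wallets" "$d/admin"
    : > "$d/wallets/cwallet.sso"; : > "$d/wallets/ewallet.p12"
    chmod 700 "$d/wallets"; chmod 600 "$d/wallets"/*
    printf 'WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=%s)))\nSQLNET.WALLET_OVERRIDE = TRUE\n' "$d/wallets" > "$d/admin/sqlnet.ora"
    printf 'DISCOVER_SEC = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.invalid)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=placeholder_service)))\n' > "$d/admin/tnsnames.ora"
    echo "$d"
}

fx=$(make_fixture)
check_seps "$fx/wallets" "$fx/admin" DISCOVER_SEC && echo "OK: wallet ready for /@DISCOVER_SEC"
```

On a real host, call check_seps with the wallet directory passed to mkstore -wrl, the TNS_ADMIN directory, and the alias used in the connect string.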
3) Running the Collector
We don’t need to initiate an administrative connection (SYSDBA) or manually provide credentials, since the utility reads the username and password from the Oracle wallet.
[oracle@royserver DBSAT_22]$ ./dbsat collect "/@DISCOVER_SEC" SECDATA-PDB_DBSAT22
4) Running the Reporter
For the Reporter, no database connection is required, so there is no need to use the wallet here:
[oracle@royserver DBSAT_22]$ ./dbsat report ./SECDATA-PDB_DBSAT22
5) Running the Discoverer
The Discoverer component requires Java and specific configuration in the parameter files. You must update WALLET_LOCATION and TNS_ADMIN in the .config file to run without a password prompt.
[oracle@royserver DBSAT_22]$ ./dbsat discover -c ./Discover/conf/new_dbsat.config DISCOVER_SEC_Report
The file sample_dbsat.config needs to be updated for database connectivity. In the above sample, I copied it as new_dbsat.config and edited it. Also, you may have to review and update the search patterns for sensitive data in the file sensitive_en.ini.