Testing DBSAT 3.0 - What's New ?

Roy Salazar

November 16, 2023

Tags: Oracle, Dbsat, DBSAT 3, Cyber Security

Overview

DBSAT is a great database security assessment tool available since 2016. Within that time, it has evolved to keep on the track with the CyberSecurity standards (like CIS and STIG) and more recently to help keep in compliance with Data Regulation Laws, in particular for sensitive data protection.

The last version of DBSAT was released this November 16th 2023 and here I want to highlight some improvements that have brought my attention and also want to show, in one blog, how to run its three components: Collector, Reporter, and Discoverer. In my testing, I have run it against a 19c database and a 23c pluggable database.

Reminder on why it’s so important to protect sensitive data

Sensitive data is information that you want to keep from being publicly available. Releasing it can be harmful, leading to identity theft, frauds, business disruptions, reputation risk, and several other misuses. Therefore, governments worldwide have created mandatory regulations that may require your compliance depending on your business area. For example, The European Union General Data Protection Regulation (GDPR) has been in enforcement since May 2018. Also, industry reports say that one-third of attacks are performed by internal players (or “bad actors”) and half of those are on databases. As a result, you should be worried about who can see and change what into your environments, for both Production and Non-Production.

In order to help you find what kind of sensitive information you have and where it is stored, DBSAT has the Discoverer module, which provides a report with insights and suggestions to improve the monitoring and protection of this kind of data (besides the general security assessment provided by running the Collector and Report modules).

Sample on how to install and run DBSAT 3.0:

1) Installing is as easy as to unzip the file dbsat.zip in your preferred path by executing the dbsat.sh (or .bat if Windows OS), it will show the help manual for usage:

[oracle@localhost DBSAT30]$ pwd
/home/oracle/DBSAT30
[oracle@localhost DBSAT30]$ unzip dbsat.zip
Archive:  dbsat.zip
  inflating: dbsat                
  inflating: dbsat.bat            
  *
  *
  * 
[oracle@localhost DBSAT30]$
[oracle@localhost DBSAT30]$ ls
dbsat  dbsat.bat  dbsat.zip  Discover  jython-standalone-2.7.3.jar  sa.jar  sat_collector.sql  xlsxwriter
[oracle@localhost DBSAT30]$
[oracle@localhost DBSAT30]$ ./dbsat


Database Security Assessment Tool version 3.0 (Nov 2023)


 Usage: dbsat collect [ -n ] <database_connect_string> <output_file>
        dbsat report [ -a ] [ -n ] [ -g ] [ -x <section> ] [ -u <user> ] <input_file>
    dbsat discover [ -n ] -c <config_file> <output_file>


 Options:
    -a  Report with all user accounts, including locked and schema-only,
        Oracle-supplied users
    -n  No encryption for output
    -g  Show all grants including Common Grants in a Pluggable Database
    -x  Specify sections to exclude from report (may be repeated for
        multiple sections)
    -u  Specify users to exclude from report
    -c  Configuration file for discoverer    


[oracle@localhost DBSAT30]$


[oracle@localhost DBSAT30]$ java -version
java version "11.0.19" 2023-04-18 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.19+9-LTS-224)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.19+9-LTS-224, mixed mode)
[oracle@localhost DBSAT30]$
[oracle@localhost DBSAT30]$ which java
~/java/jdk-11.0.19/bin/java
[oracle@localhost DBSAT30]$

2) First you need to run the Collector. It will create a .json file that the next module will interpret to run, which is the Reporter. For the following example, I used the Oracle 23c pre-built Developer Oracle VM and ran the DBSAT for the PDB “FREEPDB1”. You have to specify the name for the output file:

[oracle@localhost DBSAT30]$ sqlplus /nolog
SQL*Plus: Release 23.0.0.0.0 - Production
Version 23.3.0.23.09
Copyright (c) 1982, 2023, Oracle.  All rights reserved.


SQL> conn sys@FREE as sysdba
Enter password:
Connected.
SQL>
SQL> show pdbs


 CON_ID CON_NAME       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
     2 PDB$SEED       READ ONLY  NO
     3 FREEPDB1       READ WRITE NO
SQL>
SQL> conn sys@FREEPDB1 as sysdba
Enter password:
Connected.
SQL>
SQL> select count(*), object_type from dba_objects where owner='HR' group by object_type;


  COUNT(*) OBJECT_TYPE
---------- -----------------------
     7 TABLE
    19 INDEX
     3 SEQUENCE
     1 VIEW
     2 PROCEDURE
     3 TRIGGER


6 rows selected.


SQL>


[oracle@localhost DBSAT30]$ pwd
/home/oracle/DBSAT30
[oracle@localhost DBSAT30]$
[oracle@localhost DBSAT30]$ ./dbsat collect -n "sys@FREEPDB1 as sysdba" testing_dbsat30_PDB23c


Database Security Assessment Tool version 3.0 (Nov 2023)
Connecting to the target Oracle database…
SQL*Plus: Release 23.0.0.0.0 - Production 
Version 23.3.0.23.09
Copyright (c) 1982, 2023, Oracle.  All rights reserved.


Enter password:
Connected to:
Oracle Database 23c Free Release 23.0.0.0.0 - Develop, Learn, and Run for Free
Version 23.3.0.23.09


Setup complete.
SQL queries complete.
OS commands complete.
Disconnected from Oracle Database 23c Free Release 23.0.0.0.0 - Develop, Learn, and Run for Free
Version 23.3.0.23.09
DBSAT Collector completed successfully.


[oracle@localhost DBSAT30]$
[oracle@localhost DBSAT30]$ ls
dbsat   dbsat.zip  jython-standalone-2.7.3.jar  sat_collector.sql         xlsxwriter
dbsat.bat  Discover   sa.jar                    testing_dbsat30_PDB23c.json
[oracle@localhost DBSAT30]$

3) The next step is to run the Reporter. This can be done directly from the server same as the Collector or from any Machine or PC. The only requirement now in DBSAT 3.0 is to have Java (JRE 1.8 or later) for both the Reporter and the Discoverer. There is no longer a need to have Python installed for the Reporter. It receives as argument the name of the .json file generated in previous step, the output report is generated in four different formats: Text, HTML, Excel and JSON:

[oracle@localhost DBSAT30]$ ./dbsat report -a -n -g testing_dbsat30_PDB23c

Database Security Assessment Tool version 3.0 (Nov 2023)
DBSAT Reporter ran successfully.

[oracle@localhost DBSAT30]$ ls
dbsat      jython-standalone-2.7.3.jar  testing_dbsat30_PDB23c.json         testing_dbsat30_PDB23c_report.xlsx
dbsat.bat  null                         testing_dbsat30_PDB23c_report.html  xlsxwriter
dbsat.zip  sa.jar                       testing_dbsat30_PDB23c_report.json
Discover   sat_collector.sql            testing_dbsat30_PDB23c_report.txt
[oracle@localhost DBSAT30]$

4) The module in charge of finding which tables and columns may have Sensitive Data is the Discoverer. This one is executed in a single step, so when it runs it connects to the Database and creates the output report in two different formats: HTML and delimited CSV file. The html file provides more recommendations and is easier to read.

The Discoverer module uses a strings pattern file named like “sensitive_**.ini”, DBSAT provides this file for eight languages: English, Spanish, Italian, Portuguese, French, Greek, German, and Dutch. Those patterns are used to infer, based on object names and comments, what kind of sensitive information is stored there.

This mode also requires configuring connectivity into another configuration file called “dbsat.config.” Minimum parameters to set there are the Listener Port, Service Name and Server Name from where the DBSAT Discoverer is being executed (it can run from a remote machine if it has connectivity to the Database).

[oracle@localhost DBSAT30]$ cd Discover/conf
[oracle@localhost conf]$ ls
sample_dbsat.config  sensitive_el.ini  sensitive_es.ini  sensitive_it.ini  sensitive_pt.ini
sensitive_de.ini     sensitive_en.ini  sensitive_fr.ini  sensitive_nl.ini
[oracle@localhost conf]$ cp sample_dbsat.config DBSAT30_Test_PDB23c.config
[oracle@localhost conf]$ vi DBSAT30_Test_PDB23c.config
[oracle@localhost conf]$
[oracle@localhost conf]$ cat DBSAT30_Test_PDB23c.config | grep DB_SERVICE_NAME
#Use DB_HOSTNAME, DB_PORT and DB_SERVICE_NAME to connect using
#DB_SERVICE_NAME is the service Name for the DB
        DB_SERVICE_NAME = FREEPDB1
[oracle@localhost conf]$
[oracle@localhost conf]$ cat DBSAT30_Test_PDB23c.config | grep DB_PORT
#Use DB_HOSTNAME, DB_PORT and DB_SERVICE_NAME to connect using
#DB_PORT is the port at which the DBSAT tool needs to connect to
        DB_PORT = 1521
[oracle@localhost conf]$
[oracle@localhost conf]$ cat DBSAT30_Test_PDB23c.config | grep DB_HOSTNAME
#Use DB_HOSTNAME, DB_PORT and DB_SERVICE_NAME to connect using
        DB_HOSTNAME = localhost
[oracle@localhost conf]$

[oracle@localhost DBSAT30]$ ./dbsat discover -n -c /home/oracle/DBSAT30/Discover/conf/DBSAT30_Test_PDB23c.config Discover_testing_dbsat30_PDB23c

Database Security Assessment Tool version 3.0 (Nov 2023)

Enter username: sys as sysdba
Enter password:
DBSAT Discover ran successfully.
[oracle@localhost DBSAT30]$
[oracle@localhost DBSAT30]$ ls
dbsat                                          sa.jar
dbsat.bat                                      sat_collector.sql
dbsat.zip                                      testing_dbsat30_PDB23c.json
Discover                                       testing_dbsat30_PDB23c_report.html
discoverer.log                                 testing_dbsat30_PDB23c_report.json
Discover_testing_dbsat30_PDB23c_discover.csv   testing_dbsat30_PDB23c_report.txt
Discover_testing_dbsat30_PDB23c_discover.html  testing_dbsat30_PDB23c_report.xlsx
jython-standalone-2.7.3.jar                    xlsxwriter
null
[oracle@localhost DBSAT30]$

What’s new on DBSAT 3.0?

One of the best improvements for the user experience is the hint of what is required to be done for each of the finding keys in the Assessment Report, although each item has a summary, detailed description and remarks (plus reference to a security standard and or data regulation law), they have now a straightforward instruction of what exactly is needed, for example:

Above shows in few words what is wrong and hence what needs to be fixed: “Ensure password verify function is set in user profiles”, so even less experienced DBAs can understand easier each of the security assessments findings and the change recommended.

The References section now includes mapping to “Oracle Best Practice” (where applicable), which is great to understand where some recommendations come from, similar to the mapping to CIS, STIG, GDPR, and others; In this same context there is also an update for all the STIG references, they map better to the DISA STIG rules Vulnerability Number, this is very useful to analyze more in deep and or to justify a change on the Database environment in order to achieve a more secure configuration.

For the record: DISA STIG refers to the organization “DISA — Defense Information Systems Agency” that provides the STIG - Security Technical Implementation Guides. DISA is part of the Department of Defense (DoD).

New item specifically for Oracle 23c Database, is the recommendation of enabling the SQL Firewall, this is a powerful utility recently integrated into the new 23c release, to protect against common database attacks, it captures a set of accepted SQL statements and generates an allow-list for them, then DBSAT 3.0 is now checking and suggesting to have it enabled, following an example from my test report:

There are more Audit Findings in this new release and also more concise explanation in the Remarks section on the importance of monitoring the activities being performed in the database, specially for privileged users, for example:

Following brought my attention in particular, this new item is not only suggesting to care about DBA roles at CDB and PDB level, but it also suggests creating a custom DBA Role with very minimum privileges that might be the only ones truly needed for the actual DBAs:

Last change noted that I want to highlight from the Report module, is the ability to exclude users from the report with the new argument “-u“, which can be helpful to skip some schemas or users that might not be desired into the report. For the complete list of changes and improvements on new DBSAT 3.0, you can check the Release Notes in the official Oracle DBSAT 3.0 Documentation.

From the Discover report, I see two major improvements. One is that now it provides an item specifically to suggest the level of auditing and actions to take regarding how critical is the sensitive data in your tables and the other is a new column in the chart for findings that shows the risk level of each finding per column per table per schema.

Following from my DBSAT 3.0 Discover sensitive data report to illustrate:

Conclusions:

Oracle DBSAT 3.0 is a powerful tool that allows you to evaluate your configuration based on the industry best practices for Cyber Security, Data Security, and Oracle Best Practices recommendations for security.
Oracle DBSAT 3.0 Discover module helps you specifically to meet Data Protection Regulations like the GDPR and or can help you find tables and columns with data that can be very sensitive for your organization and that should be audited and protected for non-approved usage, control access, and changes and to hide visibility or convert it to non-real data when copied to a non-production environment.
DBSAT keeps in constant update and improvement to help you keep in compliance with security standards, best practices and data regulation laws.
You can download DBSAT 3.0 and try it yourself from MOS: Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)

You can test it on a free Lab using following link or the QA code:

https://apexapps.oracle.com/pls/apex/dbpm/r/livelabs/view-workshop?wid=699