Playing with Oracle Database Security Assessment Tool (DBSAT)

The Database Security Assessment Tool (DBSAT) is an incredible free command line tool provided by Oracle Corporation as a utility to help you check your database for common database security issues (including the security policies and controls in place), as well as to help identify sensitive data stored in the database. To be able to use it you need a valid Oracle Support CSI, and you download it from My Oracle Support [Doc ID 2138254.1].

The DBSAT tool contains three modules:

  • Collector
  • Reporter
  • Discoverer

Collector and Reporter work together to discover any risk areas and produce a report on those risk areas – the Database Security Assessment report. The Discoverer is a stand-alone module used to locate and report on sensitive data – it produces the Database Sensitive Data Assessment report.

DBSAT also includes a few companion utilities that work on the Reporter's JSON output format; they are:

  • DBSAT Extract – Python program that enables you to extract findings by their identities
  • DBSAT Diff – Python program that enables you to compare two reports and find the differences

You can download the above DBSAT companion modules from the same My Oracle Support document you used to download the DBSAT tool [Doc ID 2138254.1]

Prerequisites

Note that DBSAT is only certified to run on the following operating systems:

  • Solaris x64 and Solaris SPARC64
  • Linux x86-64
  • Windows x64
  • HP-UX IA (64-bit)
  • IBM AIX (64-bit) & Linux on zSeries (64-bit)

You can run the DBSAT tool against any Oracle Database 10.2.0.5 or later, on-premises or in Cloud environments. DBSAT can also be run against Oracle Cloud DBCS (PaaS) and Autonomous Databases (ADWC and ATP).

The zip, unzip and python packages are required on the server. You can easily install them by issuing the command below:

# yum install -y zip unzip python

You can also easily verify that Python is installed on the server (2.6 or later is required) by issuing the following command at OS level (note the capital -V, which prints the version; lower-case -v turns on verbose import tracing instead):

# python -V

Python 2.6.6

Finally, you can verify whether zip and unzip are already installed on your server by issuing the following commands.

# zip -v

Copyright (c) 1990-2008 Info-ZIP - Type 'zip "-L"' for software license.
This is Zip 3.0 (July 5th 2008), by Info-ZIP.
Currently maintained by E. Gordon.  Please send bug reports to the authors using
the web page at www.info-zip.org; see README for details.

Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip, as of
above date; see http://www.info-zip.org/ for other sites.

Compiled with gcc 4.4.7 20120313 (Red Hat 4.4.7-16) for Unix (Linux ELF) on Nov 10 2015.

Zip special compilation options:
        USE_EF_UT_TIME       (store Universal Time)
        SYMLINK_SUPPORT      (symbolic links supported)
        LARGE_FILE_SUPPORT   (can read and write large files on file system)
        ZIP64_SUPPORT        (use Zip64 to store large files in archives)
        UNICODE_SUPPORT      (store and read UTF-8 Unicode paths)
        STORE_UNIX_UIDs_GIDs (store UID/GID sizes/values using new extra field)
        UIDGID_NOT_16BIT     (old Unix 16-bit UID/GID extra field not used)
        [encryption, version 2.91 of 05 Jan 2007] (modified for Zip 3)

Encryption notice:
        The encryption code of this program is not copyrighted and is put in
        the public domain.  It was originally written in Europe and, to the
        best of our knowledge, can be freely distributed in both source and
        object forms from any country, including the USA under License
        Exception TSU of the U.S. Export Administration Regulations (section
        740.13(e)) of 6 June 2002.

Zip environment options:
             ZIP:  [none]
          ZIPOPT:  [none]

# unzip -v

UnZip 6.00 of 20 April 2009, by Info-ZIP.  Maintained by C. Spieler.  Send
bug reports using http://www.info-zip.org/zip-bug.html; see README for details.

Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;
see ftp://ftp.info-zip.org/pub/infozip/UnZip.html for other sites.

Compiled with gcc 4.4.7 20120313 (Red Hat 4.4.7-17) for Unix (Linux ELF) on Jan 10 2017.

UnZip special compilation options:
        COPYRIGHT_CLEAN (PKZIP 0.9x unreducing method not supported)
        SET_DIR_ATTRIB
        SYMLINKS (symbolic links supported, if RTL and file system permit)
        TIMESTAMP
        UNIXBACKUP
        USE_EF_UT_TIME
        USE_UNSHRINK (PKZIP/Zip 1.x unshrinking method supported)
        USE_DEFLATE64 (PKZIP 4.x Deflate64(tm) supported)
        UNICODE_SUPPORT [wide-chars, char coding: UTF-8] (handle UTF-8 paths)
        MBCS-support (multibyte character support, MB_CUR_MAX = 6)
        LARGE_FILE_SUPPORT (large files over 2 GiB supported)
        ZIP64_SUPPORT (archives using Zip64 for large files supported)
        VMS_TEXT_CONV
        [decryption, version 2.11 of 05 Jan 2007]

UnZip and ZipInfo environment options:
           UNZIP:  [none]
        UNZIPOPT:  [none]
         ZIPINFO:  [none]
      ZIPINFOOPT:  [none]

To run the Discoverer module, you need at least a Java 1.8 JDK installed on the server, and the JAVA_HOME environment variable must be set.

You can check whether Java is installed on your environment by issuing the following commands:

# java -version

java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b12, mixed mode)

# whereis java

java: /usr/bin/java

# export JAVA_HOME=/usr/bin/java
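As an added example (not part of DBSAT or of this post), the following Python script automates the prerequisite checks above: it runs the same commands the post uses (zip -v, unzip -v, python -V, java -version), parses their banners and compares them with the minimums stated here (Python 2.6, Java 1.8), and checks that JAVA_HOME is set to an existing path. The function names, the regular expressions and the decision to only check that JAVA_HOME exists are this example's own choices.

```python
"""Pre-flight check for the DBSAT prerequisites (added example, not DBSAT code)."""
import os
import re
import subprocess

MIN_PYTHON = (2, 6)   # minimum stated in the post
MIN_JAVA = (1, 8)     # minimum stated in the post


def parse_version(banner):
    """First dotted version in a banner as a tuple of ints.

    'Python 2.6.6' -> (2, 6, 6); None when no version is present.
    """
    match = re.search(r'(\d+(?:\.\d+)+)', banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split('.'))


def parse_java_version(banner):
    """Parse the first line of `java -version`.

    'java version "1.8.0_181"' -> (1, 8, 0); the build suffix after the
    underscore is ignored. Java 9+ prints e.g. 'openjdk version "11.0.2"',
    which parses to (11, 0, 2) and also satisfies MIN_JAVA.
    """
    match = re.search(r'version "(\d+(?:\.\d+)*)', banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split('.'))


def meets_minimum(version, minimum):
    """Tuple comparison, padding the shorter tuple with zeros; None never passes."""
    if version is None:
        return False
    width = max(len(version), len(minimum))
    padded = lambda v: tuple(v) + (0,) * (width - len(v))
    return padded(version) >= padded(minimum)


def run_banner(cmd):
    """Run a command and return its combined stdout/stderr as text.

    Returns '' if the executable is missing. `python -V` (on Python 2) and
    `java -version` write their banner to stderr, hence the merge.
    """
    try:
        proc = subprocess.run(cmd, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, check=False)
    except OSError:
        return ''
    return proc.stdout.decode('utf-8', 'replace')


def check_java_home(java_home):
    """JAVA_HOME must be set and name an existing path.

    By JDK convention the variable names the installation directory; the post
    exports /usr/bin/java, so this example (an assumption) checks existence only.
    """
    if not java_home:
        return False, 'JAVA_HOME is not set'
    if not os.path.exists(java_home):
        return False, 'JAVA_HOME=%s does not exist' % java_home
    return True, 'JAVA_HOME=%s' % java_home


def preflight(env=None):
    """Run every check and return a list of (name, ok, detail) tuples."""
    env = os.environ if env is None else env
    results = []
    for tool in ('zip', 'unzip'):
        banner = run_banner([tool, '-v']).strip()
        results.append((tool, bool(banner),
                        banner.splitlines()[0] if banner else 'not found'))
    py = parse_version(run_banner(['python', '-V']))
    results.append(('python', meets_minimum(py, MIN_PYTHON),
                    'found %s, need >= %s' % (py, MIN_PYTHON)))
    jv = parse_java_version(run_banner(['java', '-version']))
    results.append(('java', meets_minimum(jv, MIN_JAVA),
                    'found %s, need >= %s' % (jv, MIN_JAVA)))
    ok, detail = check_java_home(env.get('JAVA_HOME'))
    results.append(('JAVA_HOME', ok, detail))
    return results


if __name__ == '__main__':
    import sys
    failed = False
    for name, ok, detail in preflight():
        print('%-10s %s  %s' % (name, 'OK  ' if ok else 'FAIL', detail))
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

Run it on the database server before unzipping DBSAT; a non-zero exit status means at least one prerequisite is missing, and the detail column says which.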

Next, we need to create a user with the privileges required to run DBSAT, as follows.

If Database Vault is enabled, connect as DV_ACCTMGR to run the commands below.

SQL> CREATE USER DBSAT_USER IDENTIFIED BY OraclE##2019;
SQL> GRANT CREATE SESSION TO DBSAT_USER;
SQL> GRANT SELECT_CATALOG_ROLE TO DBSAT_USER;
SQL> GRANT SELECT ON SYS.REGISTRY$HISTORY TO DBSAT_USER;
SQL> GRANT DV_SECANALYST TO DBSAT_USER;                        -- only if Database Vault is enabled
SQL> GRANT SELECT ON SYS.DBA_USERS_WITH_DEFPWD TO DBSAT_USER;  -- 11g or later
SQL> GRANT AUDIT_VIEWER TO DBSAT_USER;                         -- 12c or later
SQL> GRANT SELECT ON AUDSYS.AUD$UNIFIED TO DBSAT_USER;         -- 12c or later
SQL> GRANT CAPTURE_ADMIN TO DBSAT_USER;                        -- 12c or later

Installation

The installation of DBSAT is a very simple process:

  1. Log in to the database server on which you want to use DBSAT.
  2. Create the DBSAT directory: $ mkdir -p /home/oracle/dbsat
  3. Download the dbsat.zip file, copy it to the database server and unzip it: $ unzip dbsat.zip -d /home/oracle/dbsat
  4. And you are ready to go.

Basic Usage

Running the dbsat utility with no parameters will display the basic usage details (like a help option).

$ ./dbsat

Database Security Assessment Tool version 2.1 (March 2019)

    Usage: dbsat collect [ -n ] <database_connect_string> <output_file>
           dbsat report [ -a ] [ -n ] [ -x <section> ] <input_file>
           dbsat discover [ -n ] -c <config_file> <output_file>

    Options:
       -a Report about all user accounts, including locked, Oracle-supplied users
       -n No encryption for output
       -x Specify sections to exclude from report (may be repeated for multiple sections)
       -c Configuration file for discoverer


Running the Collect Module

To run the DBSAT collect mode, all you need to do is run the DBSAT executable with the following parameters:

  • collect – meaning you are executing the collect module
  • connect_string – specifies the connection string used to connect to the database
  • destination – specifies the location and file name for the Database Security Assessment report (do not add an extension)

When run, the collector will prompt you to enter the database password manually, and at the end it will ask for an encryption key (password) for the zip output file that will be generated.

$ ./dbsat collect dbsat_user@test test_output

Database Security Assessment Tool version 2.1 (March 2019)

This tool is intended to assist in you in securing your Oracle database system.
You are solely responsible for your system and the effect and results of the execution of this tool (including, without limitation,any
damage or data loss). Further, the output generated by this tool may include potentially sensitive system configuration data and information that
could be used by a skilled attacker to penetrate your system. You are solely responsible for ensuring that the output of this tool, including
any generated reports, is handled in accordance with your company’s policies.

Connecting to the target Oracle database...

SQL*Plus: Release 18.0.0.0.0 - Production on Wed Mar 13 00:09:24 2019
Version 18.3.0.0.0

Copyright (c) 1982, 2018, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 18c EE Extreme Perf Release 18.0.0.0.0 - Production
Version 18.3.0.0.0

Setup complete.
SQL queries complete.
/bin/cat: /u01/app/oracle/product/18.0.0.0/dbhome_1/network/admin/listener.ora: No such file or directory
Warning: Exit status 256 from OS rule: listener.ora
/bin/ls: cannot access /u01/app/oracle/product/18.0.0.0/dbhome_1/network/admin/listener.ora: No such file or directory
Warning: Exit status 512 from OS rule: ls_listener.ora
OS commands complete.

Disconnected from Oracle Database 18c EE Extreme Perf Release 18.0.0.0.0 - Production
Version 18.3.0.0.0

DBSAT Collector completed successfully.

Calling /u01/app/oracle/product/18.0.0.0/dbhome_1/bin/zip to encrypt test_output.json...

Enter password:
Verify password:
  adding: test_output.json (deflated 87%)

zip completed successfully.

$

The two warnings above come from the collector's OS rules, which could not find a listener.ora under that ORACLE_HOME; the collection still completes successfully.

Running the Report Mode

The reporter mode analyzes all the data collected by the previously executed Collector mode and generates recommendations to improve the security of the database.

To run DBSAT in report mode, all you need to do is run the DBSAT executable with the following parameters:

  • report – meaning you are executing the report module
  • -a – includes all the database user accounts in the analysis (locked Oracle-supplied accounts are excluded by default, as they cannot be used to connect to the database)
  • -n – specifies that the generated reports are not encrypted
  • -x – excludes a section from the report; the section names are:
    • USER: User Accounts
    • PRIV: Privileges and Roles
    • AUTH: Authorization Control
    • CRYPT: Encryption
    • ACCESS: Fine-Grained Access Control
    • AUDIT: Auditing
    • CONF: Database Configuration
    • NET: Network Configuration
    • OS: Operating System
  • input_file – the location and file name of the collector output to report on (do not add an extension); the report files take their names from it

When run, the reporter will prompt you to enter the encryption password used when collecting the data from the database, and at the end it will ask for an encryption key (password) for the zip output file that will be generated.

$ ./dbsat report test_output

Database Security Assessment Tool version 2.1 (March 2019)

This tool is intended to assist in you in securing your Oracle database system.
You are solely responsible for your system and the effect and results
of the execution of this tool (including, without limitation, any
damage or data loss). Further, the output generated by this tool may include
potentially sensitive system configuration data and information that
could be used by a skilled attacker to penetrate your system. You are
solely responsible for ensuring that the output of this tool, including
any generated reports, is handled in accordance with your company's
policies.

Archive:  test_output.zip
[test_output.zip] test_output.json password:
  inflating: test_output.json

DBSAT Reporter ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password:
Verify password:
      zip warning: test_output_report.zip not found or empty
  adding: test_output_report.txt (deflated 75%)
  adding: test_output_report.html (deflated 83%)
  adding: test_output_report.xlsx (deflated 3%)
  adding: test_output_report.json (deflated 80%)

zip completed successfully.

$

The report module generates a new zip file containing all findings; in the above example it is the test_output_report.zip file. You can review the findings by extracting the zip file (using the encryption password entered during the process) and looking at the TXT or HTML versions of the report.

$ unzip test_output_report.zip

Archive:  test_output_report.zip
[test_output_report.zip] test_output_report.txt password:
  inflating: test_output_report.txt
  inflating: test_output_report.html
  inflating: test_output_report.xlsx
  inflating: test_output_report.json
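The DBSAT Extract and DBSAT Diff companion utilities mentioned at the start operate on the Reporter's JSON output, which is the test_output_report.json file extracted above. The following Python script is an added example of the same two operations, written for this page and not the code of those utilities or of Oracle: the JSON layout it reads ({"findings": [...]} with id, status and summary per finding), the sample finding ids and the status ordering are constructed assumptions, so map them onto the real file before running it against a report.

```python
"""Extract and diff findings from DBSAT-style report JSON (added example)."""
import json

# Ordered from best to worst so that a status change can be classified as a
# regression or an improvement. The vocabulary is assumed for this example.
STATUS_ORDER = ['Pass', 'Advisory', 'Evaluate', 'Low Risk', 'Medium Risk', 'High Risk']

# Constructed sample reports: the "before" and "after" of a hardening pass.
# The finding ids reuse the section prefixes from the -x option list.
OLD_REPORT = json.dumps({"findings": [
    {"id": "USER.DEFPWD", "status": "High Risk", "summary": "2 users with default passwords"},
    {"id": "NET.LISTENER", "status": "Evaluate", "summary": "listener.ora not found"},
    {"id": "AUDIT.UNIFIED", "status": "Pass", "summary": "unified auditing enabled"},
    {"id": "CONF.PARAM", "status": "Low Risk", "summary": "1 non-default parameter"},
]})
NEW_REPORT = json.dumps({"findings": [
    {"id": "USER.DEFPWD", "status": "Pass", "summary": "no users with default passwords"},
    {"id": "NET.LISTENER", "status": "Evaluate", "summary": "listener.ora not found"},
    {"id": "AUDIT.UNIFIED", "status": "Medium Risk", "summary": "audit policy disabled"},
    {"id": "CRYPT.TDE", "status": "High Risk", "summary": "no encrypted tablespaces"},
]})


def severity(status):
    """Rank of a status; unknown statuses sort after every known one."""
    return STATUS_ORDER.index(status) if status in STATUS_ORDER else len(STATUS_ORDER)


def findings_by_id(report_json):
    """Map finding id -> finding dict for one report document."""
    doc = json.loads(report_json)
    return {f['id']: f for f in doc.get('findings', [])}


def extract(report_json, ids):
    """Like DBSAT Extract: pull findings by id, preserving the requested order.

    Unknown ids are skipped rather than raising, so the same id list can be
    reused across reports from databases of different versions.
    """
    by_id = findings_by_id(report_json)
    return [by_id[i] for i in ids if i in by_id]


def at_or_above(report_json, minimum_status):
    """Ids of findings at least as severe as minimum_status, sorted."""
    floor = severity(minimum_status)
    return sorted(f['id'] for f in findings_by_id(report_json).values()
                  if severity(f['status']) >= floor)


def diff(old_json, new_json):
    """Like DBSAT Diff: classify every finding id across two reports."""
    old, new = findings_by_id(old_json), findings_by_id(new_json)
    result = {
        'added': sorted(set(new) - set(old)),
        'removed': sorted(set(old) - set(new)),
        'regressed': [], 'improved': [], 'unchanged': [],
    }
    for fid in sorted(set(old) & set(new)):
        before, after = old[fid]['status'], new[fid]['status']
        if severity(after) > severity(before):
            result['regressed'].append((fid, before, after))
        elif severity(after) < severity(before):
            result['improved'].append((fid, before, after))
        else:
            result['unchanged'].append(fid)
    return result


if __name__ == '__main__':
    # With two real report files: diff(open(a).read(), open(b).read())
    print(json.dumps(diff(OLD_REPORT, NEW_REPORT), indent=2))
```

The regressed list is the one to watch between two assessment runs: a finding that moved from Pass to Medium Risk after a change window is exactly what the diff exists to surface, and at_or_above gives the short list of findings to address first.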

Running the Discover Mode

The discover mode is a cool separate Java-based tool that is able to check for any sensitive data within a database.

Before running DBSAT in discovery mode we need to create a dbsat.config file as shown below:

$ cd /home/oracle/dbsat
$ cp Discover/conf/sample_dbsat.config Discover/conf/dbsat.config

The following will be the contents of the dbsat.config file created:
 
[Database]
      DB_HOSTNAME = localhost
      DB_PORT = 1521
      DB_SERVICE_NAME =
      SSL_ENABLED = FALSE
      SSL_TRUSTSTORE =
      SSL_TRUSTSTORE_TYPE =
      SSL_KEYSTORE =
      SSL_KEYSTORE_TYPE =
      SSL_DN =
      SSL_VERSION =
      SSL_CIPHER_SUITES =

[Discovery Parameters]
      sensitive_pattern_files = sensitive_en.ini
      schema_scope = ALL
      minrows = 1
      exclusion_list_file =

[Sensitive Categories]
    Identification Info - National IDs = High Risk
    Identification Info - Personal IDs = High Risk
    Identification Info - Public IDs = High Risk
    Biographic Info - Address = High Risk
    Biographic Info - Family Data = High Risk
    Biographic Info - Extended PII = High Risk
    Biographic Info - Restricted Data = High Risk
    IT Info - User Data = High Risk
    IT Info - Device Data = Medium Risk
    Financial Info - Card Data = High Risk
    Financial Info - Bank Data = High Risk
    Health Info - Insurance Data = High Risk
    Health Info - Provider Data = Medium Risk
    Health Info - Medical Data = Medium Risk
    Job Info - Employee Data = High Risk
    Job Info - Org Data = Low Risk
    Job Info - Compensation Data = High Risk
    Academic Info - Student Data = High Risk
    Academic Info - Institution Data = Medium Risk
    Academic Info - Performance Data = Low Risk

Then edit the settings with your hostname, port and service name, and finally save and close the configuration file.

The Discoverer relies on table statistics to get proper row counts, so to get accurate row count results you should gather statistics with the DBMS_STATS package before running the Discoverer.
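Before handing the edited dbsat.config to the Discoverer it is worth catching an empty DB_SERVICE_NAME or a typo in a risk level up front. The following Python script is an added example (not part of DBSAT) that reads the file with configparser, since it is INI-style, and applies a few checks of this example's own choosing: the three sections and the connection keys from the sample above must be present and non-empty, DB_PORT must be a TCP port, SSL_TRUSTSTORE and SSL_TRUSTSTORE_TYPE must be set when SSL_ENABLED is TRUE, minrows must be a non-negative integer, and every category must map to High Risk, Medium Risk or Low Risk. Both embedded configurations are constructed samples; whether DBSAT itself requires the truststore keys is not stated on this page.

```python
"""Sanity-check a dbsat.config before running the Discoverer (added example)."""
import configparser

RISK_LEVELS = {'High Risk', 'Medium Risk', 'Low Risk'}

# Constructed from the sample file: DB_SERVICE_NAME is still empty.
# Keep option lines at one indent level: configparser treats a line indented
# deeper than the previous option as a continuation of that option's value.
SAMPLE_CONFIG = """\
[Database]
DB_HOSTNAME = localhost
DB_PORT = 1521
DB_SERVICE_NAME =
SSL_ENABLED = FALSE
SSL_TRUSTSTORE =
SSL_TRUSTSTORE_TYPE =

[Discovery Parameters]
sensitive_pattern_files = sensitive_en.ini
schema_scope = ALL
minrows = 1
exclusion_list_file =

[Sensitive Categories]
Identification Info - National IDs = High Risk
IT Info - Device Data = Medium Risk
Job Info - Org Data = Low Risk
"""

# Constructed file with several mistakes, to show how they are reported.
BAD_CONFIG = """\
[Database]
DB_HOSTNAME = db.example.internal
DB_PORT = 99999
DB_SERVICE_NAME = pdb1.example.internal
SSL_ENABLED = TRUE
SSL_TRUSTSTORE =
SSL_TRUSTSTORE_TYPE = JKS

[Discovery Parameters]
sensitive_pattern_files = sensitive_en.ini
schema_scope = ALL
minrows = -1
exclusion_list_file =

[Sensitive Categories]
Financial Info - Card Data = Critical
"""


def load_config(text):
    """Parse config text; interpolation is off so a '%' in a value is literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def validate_dbsat_config(text):
    """Return a list of problem strings; an empty list means the file looks usable."""
    cfg = load_config(text)
    problems = []
    for section in ('Database', 'Discovery Parameters', 'Sensitive Categories'):
        if not cfg.has_section(section):
            problems.append('missing section [%s]' % section)
    if problems:
        return problems

    db = cfg['Database']   # option lookups are case-insensitive
    for key in ('DB_HOSTNAME', 'DB_PORT', 'DB_SERVICE_NAME'):
        if not db.get(key, '').strip():
            problems.append('[Database] %s is empty' % key)
    port = db.get('DB_PORT', '').strip()
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append('[Database] DB_PORT %r is not a valid TCP port' % port)
    if db.get('SSL_ENABLED', '').strip().upper() == 'TRUE':
        for key in ('SSL_TRUSTSTORE', 'SSL_TRUSTSTORE_TYPE'):
            if not db.get(key, '').strip():
                problems.append('[Database] SSL_ENABLED is TRUE but %s is empty' % key)

    disc = cfg['Discovery Parameters']
    if not disc.get('sensitive_pattern_files', '').strip():
        problems.append('[Discovery Parameters] sensitive_pattern_files is empty')
    minrows = disc.get('minrows', '').strip()
    if not minrows.isdigit():
        problems.append('[Discovery Parameters] minrows %r is not a non-negative integer' % minrows)

    for category, risk in cfg['Sensitive Categories'].items():
        if risk.strip() not in RISK_LEVELS:
            problems.append('[Sensitive Categories] %s has unknown risk level %r'
                            % (category, risk.strip()))
    return problems


if __name__ == '__main__':
    import sys
    # Usage: python check_dbsat_config.py Discover/conf/dbsat.config
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for problem in validate_dbsat_config(text) or ['no problems found']:
        print(problem)
```

Run against the unedited sample it reports only the empty DB_SERVICE_NAME, which is the one value the text says you must fill in; the constructed BAD_CONFIG shows the other checks firing.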

Once the config is complete you can run the Discoverer, specifying the config file and the output file name. You are prompted for the database credentials and then for the password used to encrypt the resulting zip file.

$ ./dbsat discover -c ./Discover/conf/dbsat.config testd

Database Security Assessment Tool version 2.1 (March 2019)

This tool is intended to assist in you in securing your Oracle database system.
You are solely responsible for your system and the effect and results
of the execution of this tool (including, without limitation, any
damage or data loss). Further, the output generated by this tool may include
potentially sensitive system configuration data and information that
could be used by a skilled attacker to penetrate your system. You are
solely responsible for ensuring that the output of this tool, including
any generated reports, is handled in accordance with your company's
policies.

Enter username: dbsat_user
Enter password:

DBSAT Discover ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password:
Verify password:
      zip warning: testd_report.zip not found or empty
  adding: testd_discover.html (deflated 72%)
  adding: testd_discover.csv (deflated 30%)

Zip completed successfully.

$

Now you can review the HTML report generated by the Discover module.

We can also customize the pattern file to add new sensitive types of data we would like to find, by doing the following:

  1. Navigate to the Discover/conf directory. Make a copy of the sensitive_en.ini file and rename the copy my_sensitive_en.ini.
  2. Open my_sensitive_en.ini.
  3. Customize the settings by adding new Sensitive Types and modifying existing Sensitive Types.
  4. Save and close my_sensitive_en.ini.
  5. Include my_sensitive_en.ini in the Discoverer scan by adding a reference to the file in the dbsat.config file:
     sensitive_pattern_files = my_sensitive_en.ini

And that’s it!!

If you liked this tutorial please share it with your peers and community!

Kind Regards,

Francisco Munoz Alvarez

Oracle ACE Director

Oracle ACE Director and President of LAOUC, NZOUG and CLOUG. Organizer of LA and APAC OTN Tours,

Posted in 11gR2, 12c, 18c, Security, Tutorials
One comment on “Playing with Oracle Database Security Assessment Tool (DBSAT)”

  1. Thanks Francisco, very well done.
