AIM:
The aim of this document is to show how to run a security assessment of an Oracle Database with the Oracle Database Security Assessment Tool (DBSAT).
ABSTRACT:
With data breaches growing every day along with the evolving set of data protection and privacy regulations, protecting business sensitive and regulated data is mission critical. However, knowing whether the database is securely configured, who can access it, and where sensitive personal data resides is a challenge for most organizations. As part of Oracle’s defense in depth capabilities, the Oracle Database Security Assessment Tool (DBSAT) helps identify areas where your database configuration, operation, or implementation introduces risks and recommends changes and controls to mitigate those risks.
COMPONENTS OF DBSAT AND FLOW:
DBSAT consists of two components, the DBSAT Collector and the DBSAT Reporter, which correspond to the functions of data collection and data analysis respectively:
- The DBSAT Collector executes SQL queries and runs operating system commands to collect data from the system to be assessed. It does this primarily by querying database dictionary views. The collected data is written to a file that is used by the DBSAT Reporter in the analysis phase.
- The DBSAT Reporter analyzes the collected data and reports its findings and recommendations in multiple formats: HTML, Excel, and Text. The Reporter can run on any machine: PC, laptop, or server. You are not limited to running it on the same server as the Collector.
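As an added illustration (not from this paper and not DBSAT's own SQL), here are two dictionary-view queries of the kind the Collector runs, so you can see what "querying database dictionary views" means in practice and spot-check a finding by hand. They assume the standard SYS views DBA_USERS, DBA_USERS_WITH_DEFPWD and DBA_SYS_PRIVS and a session holding SELECT_CATALOG_ROLE, connected to the pluggable database being assessed:

```sql
-- Added example, not part of the original paper and not DBSAT's own queries.
-- Illustrates the class of data-dictionary checks the DBSAT Collector performs.
-- Run while connected to the PDB under assessment, as a user with SELECT_CATALOG_ROLE.

-- 1. Accounts still carrying a well-known default password.
--    An account that is both listed here and OPEN is an immediate
--    credential-guessing risk; locked/expired ones are lower priority.
SELECT d.username,
       u.account_status,
       u.profile
  FROM sys.dba_users_with_defpwd d
  JOIN sys.dba_users            u ON u.username = d.username
 ORDER BY CASE u.account_status WHEN 'OPEN' THEN 0 ELSE 1 END,
          d.username;

-- 2. System privileges granted to PUBLIC, i.e. to every account in the database.
--    Anything beyond the vendor defaults here is effectively granted to everyone
--    and is the kind of thing the Reporter flags as a finding.
SELECT privilege,
       admin_option
  FROM sys.dba_sys_privs
 WHERE grantee = 'PUBLIC'
 ORDER BY privilege;
```

The first query is worth re-running after remediation: the Reporter only sees the snapshot the Collector took, so a fix made after the collect run will not appear in the report until you collect again.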
REGULATORY COMPLIANCE:
Security configuration scanning and knowing where sensitive data resides is an important part of regulatory compliance and key to EU General Data Protection Regulation (EU GDPR), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), HIPAA/HITECH, and numerous data privacy laws. DBSAT recommendations help minimize risk, enhance the overall security posture and accelerate the path to compliance.
- Discover Sensitive and Personal data in Oracle Databases
- Map Findings to GDPR Articles/Recitals, Oracle Database STIG Rules and CIS Benchmark recommendations
- Accelerate Data Protection Impact Assessments by assessing exposure to risk
- Recommend security controls such as encryption, segregation of duties, pseudonymization and auditing that can help with compliance
IMPLEMENTATION:
To implement the tool you need an Oracle Database that is already installed and configured. The scope of this paper is Linux and Unix based systems; the demonstration deploys the tool on Oracle Linux 7.6.
We run DBSAT as the oracle OS user and create a database user (dbsat) holding only the privileges, listed below, that the assessment strictly needs. The Collector does not need DBA or SYSDBA; running it as such would give the assessment account far more reach than it requires.
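The following script, added here as an example and not taken from the paper or from the DBSAT distribution, creates that least-privilege dbsat account. The grant list is the one Oracle documents for the DBSAT Collector; verify it against the user guide shipped inside the dbsat.zip you downloaded, because the required grants differ between database releases. The password "oracle" is only the value this paper's demonstration uses and is an assumption here; choose a strong one in practice. Run it as SYS (or an equivalent administrator) while connected to the PDB being assessed (Robert in this paper):

```sql
-- Added example, not part of the original paper. Least-privilege account for the
-- DBSAT Collector, per Oracle's documented prerequisites; confirm against the
-- user guide in your DBSAT download. Run as SYS inside the target PDB.

-- Assumption: "oracle" mirrors the demo password used in this paper only.
CREATE USER dbsat IDENTIFIED BY "oracle"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  ACCOUNT UNLOCK;

-- Connect only; no privilege to create, alter or drop anything.
GRANT CREATE SESSION TO dbsat;

-- Read access to the data dictionary, where most of the collection happens.
GRANT SELECT_CATALOG_ROLE TO dbsat;

-- Patch/upgrade history, used for the patch-level findings.
GRANT SELECT ON sys.registry$history TO dbsat;

-- Accounts with well-known default passwords.
GRANT SELECT ON sys.dba_users_with_defpwd TO dbsat;

-- 12c and later: unified audit trail and the audit-policy views behind it.
GRANT SELECT ON audsys.aud$unified TO dbsat;
GRANT AUDIT_VIEWER TO dbsat;
GRANT CAPTURE_ADMIN TO dbsat;

-- Only when Database Vault is enabled; must be granted by the Database Vault owner:
-- GRANT DV_SECANALYST TO dbsat;

-- Verify the account holds nothing beyond the grants above before handing it out.
SELECT 'ROLE'   AS kind, granted_role AS grant_name
  FROM dba_role_privs WHERE grantee = 'DBSAT'
UNION ALL
SELECT 'SYSTEM', privilege
  FROM dba_sys_privs  WHERE grantee = 'DBSAT'
UNION ALL
SELECT 'OBJECT', owner || '.' || table_name || ':' || privilege
  FROM dba_tab_privs  WHERE grantee = 'DBSAT'
 ORDER BY 1, 2;
```

The final query is the check to keep: if it returns DBA, SYSDBA or any privilege ending in ANY, the account is over-privileged for this job. Once the assessment is done, lock the account (ALTER USER dbsat ACCOUNT LOCK) rather than leaving an extra read-everything login in the database.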
In our case the oracle user's home directory is /home/oracle, so we create the dbsat directory under it. In the terminal, type:
mkdir -p /home/oracle/dbsat
Move the downloaded zip file into the new directory and unzip it there:
mv dbsat.zip /home/oracle/dbsat
cd /home/oracle/dbsat
unzip dbsat.zip
Validate that the unzipped files match the following list.
You can now run the DBSAT Collector and DBSAT Reporter from here.
To view all the DBSAT execution parameters please type:
./dbsat
As you can see, dbsat takes different input parameters depending on the component you are running. Unless -n is specified, the output files are stored in a password protected zip file.
Let's run dbsat to collect data from the Robert PDB (pluggable database):
./dbsat collect dbsat/oracle@Robert /home/oracle/dbsat/dbtest
Note that putting the password in the connect string exposes it in the shell history and in process listings; if you omit it (dbsat@Robert), DBSAT prompts for it instead.
The time it takes depends on the hardware and on the amount of data to collect; a database with thousands of users and roles can take hours. At the end of the run you are asked twice for a password that protects the output zip file (the demonstration uses oracle). If you choose a different one, do not forget it, because you will need it when running dbsat report.
The expected output is given below:
A file named dbtest.zip is created in /home/oracle/dbsat (the directory given in the output path on the command line).
You do not need to unzip the file: the DBSAT Reporter takes either the json file (if -n was used) or the zip file.
The next step is to analyze the collected data with the DBSAT Reporter, run from the same directory:
./dbsat report dbtest
DBSAT prompts for two passwords: first the one used when running the Collector, so that it can unzip the collected data, then a new one (entered twice for confirmation) that will protect the reports zip file.
You will end up with the results of the analysis inside a password protected zip file named dbtest_report.zip.
Let's unzip the file to view the reports:
unzip dbtest_report.zip
The report is generated in txt, html, xlsx and json formats.
HTML FORMAT
TXT FORMAT
XLSX FORMAT
JSON FORMAT