Wednesday, September 2, 2020

Oracle Database Security Assessment Tool (DBSAT)

 Oracle Database Security Assessment Tool (DBSAT) 


Introduction:


The oracle Database security assesment tool it is known as DBSAT tool is used to scan the complete database scan and provide report security configuration and vulnerability list


DBSAT has two components


The Collector: Collector is to collect all information from the database by running SQL and OS aginst database


The Reporter : Reporter it will Analyze the database and gives the complete report for the database


Let us Start the Process


Step 1.Download the DBSAT TOOL from oracle support website in category Oracle Database security Asssement tool


Step 2.Copy the DBSAT tool and unzip it


unzip dbsat.zip

Archive:  dbsat.zip

  inflating: dbsat

  inflating: dbsat.bat

  inflating: sat_reporter.py

  inflating: sat_analysis.py

  inflating: sat_collector.sql

  inflating: xlsxwriter/app.py

  inflating: xlsxwriter/chart_area.py

  inflating: xlsxwriter/chart_bar.py

  inflating: xlsxwriter/chart_column.py

  inflating: xlsxwriter/chart_doughnut.py

  inflating: xlsxwriter/chart_line.py

  inflating: xlsxwriter/chart_pie.py

  inflating: xlsxwriter/chart.py

  inflating: xlsxwriter/chart_radar.py

  inflating: xlsxwriter/chart_scatter.py

  inflating: xlsxwriter/chartsheet.py

  inflating: xlsxwriter/chart_stock.py

  inflating: xlsxwriter/comments.py

  inflating: xlsxwriter/compat_collections.py

  inflating: xlsxwriter/compatibility.py

  inflating: xlsxwriter/contenttypes.py

  inflating: xlsxwriter/core.py

  inflating: xlsxwriter/drawing.py

  inflating: xlsxwriter/format.py

  inflating: xlsxwriter/__init__.py

  inflating: xlsxwriter/packager.py

  inflating: xlsxwriter/relationships.py

  inflating: xlsxwriter/shape.py

  inflating: xlsxwriter/sharedstrings.py

  inflating: xlsxwriter/styles.py

  inflating: xlsxwriter/table.py

  inflating: xlsxwriter/theme.py

  inflating: xlsxwriter/utility.py

  inflating: xlsxwriter/vml.py

  inflating: xlsxwriter/workbook.py

  inflating: xlsxwriter/worksheet.py

  inflating: xlsxwriter/xmlwriter.py

  inflating: xlsxwriter/LICENSE.txt


Step 3. Now use the Collect Command before that make sure to set proper ORACLE_HOME , ORACLE_SID and PATH before running this command


             ./dbsat collect {username/password} {DESTINATION_PATH}

 

./dbsat collect system/oracle /export/home/oracle/chaitanya

 

This tool is intended to assist in you in identifying potential

vulnerabilities in your system, but you are solely responsible for

your system and the effect and results of the execution of this tool

(including, without limitation, any damage or data loss). Further,

the output generated by this tool may include potentially sensitive

system configuration data and information that could be used by a

skilled attacker to penetrate your system. You are solely responsible

for ensuring that the output of this tool, including any generated

reports, is handled in accordance with your company's policies.

 

Connecting to the target Oracle database...

 

 

SQL*Plus: Release 12.1.0.2.0 Production on Tue Aug 25 15:30:03 2020

 

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

 

Last Successful login time: Tue Aug 10 2020 13:16:12 +03:00

 

Connected to:

Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

 

Database Security Assessment Tool version 1.0.2 (October 2016)

Setup complete.

SQL queries complete.

/oracle/app/oracle/product/12.1.0/dbhome/bin/osdbagrp -r

Usage: /oracle/app/oracle/product/12.1.0/dbhome/bin/osdbagrp -a | -d | -o | -b | -g | -k

Warning: Exit status 256 from OS rule: sysrac_group

OS commands complete.

Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

DBSAT Collector completed successfully.

 

Calling /oracle/app/oracle/product/12.1.0/dbhome/bin/zip to encrypt chaitanya.json...

 

Enter password:

Verify password:

  adding: chaitanya.json (deflated 86%)

zip completed successfully.


This will generate file called chaitanya.zip

 

Step 4. Generate  the Report


           ./dbsat report {DESTINATION_FILE}


./dbsat  report /export/home/oracle/audit_sec

This tool is intended to assist in you in identifying potential

vulnerabilities in your system, but you are solely responsible for

your system and the effect and results of the execution of this tool

(including, without limitation, any damage or data loss). Further,

the output generated by this tool may include potentially sensitive

system configuration data and information that could be used by a

skilled attacker to penetrate your system. You are solely responsible

for ensuring that the output of this tool, including any generated

reports, is handled in accordance with your company's policies.

 

Archive:  bsstdba.zip

[bsstdba.zip] bsstdba.json password:

  inflating: bsstdba.json

Database Security Assessment Tool version 1.0.2 (October 2016)

DBSAT Reporter ran successfully.

 

Calling /usr/bin/zip to encrypt the generated reports...

 

Enter password:

Verify password:

  adding: chaitanya.txt (deflated 78%)

  adding: chaitanya.html (deflated 84%)

  adding: chaitanya.xlsx (deflated 3%)


zip completed successfully.

 

audit_sec_report.zip file will be generated


Step 5.  The report will  looks like:


While unzipping the file, it will ask for the password, (pass the same which we used while generating the report)



/export/home/oracle# unzip audit_sec_report.zip

Archive:  bsstdba_report.zip

[bsstdba_report.zip] chaitanya.txt password:

  inflating:chaitanya.txt

  inflating: chaitanya.html

  inflating: chaitanya.xlsx


chaitanyaoracledba blog


Note: Info on DBSAT tool it may be differ on your environment like production,testing ,development etc and naming conventions and directory structure


THANKS FOR VIEWING MY BLOG FOR MORE UPDATES FOLLOW ME OR SUBSCRIBE ME



1 comment:

  1. Hi Chaitanya,
    I’m writing to let you know that we just released DBSAT 2.2.2.

    The main effort in this release was to make DBSAT able to differentiate an Oracle Database running on-premises,
    from an autonomous database (shared or dedicated) or DBCS, and if makes sense do specific checks and recommendations.

    You can read more about it in the release notes:
    https://docs.oracle.com/en/database/oracle/oracle-database/21/satrn/#SATRN-GUID-41633A90-EEF1-419A-BA05-32D4C19FFE0F


    regards,
    Pedro Lopes
    Oracle Database Security
    DBSAT PM

    ReplyDelete

ITIL Process

ITIL Process Introduction In this Blog i am going to explain  ITIL Process, ITIL stands for Information Technology Infrastructure Library ...