I received an email suggesting that I run a “Security Assessment” by using Oracle’s Database Security Assessment Tool. The tool promises to
“analyzes database configurations, users, their entitlements, security policies and identifies where sensitive data resides to uncover security risks and improve the security posture of Oracle Databases within your organization.”
The tool can be downloaded for free from support.oracle.com reference Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1).
After you, agree, a zip file will be downloaded to your laptop. I choose to unzip the file and then FTP the contents to a directory on my database server. (I suggest creating a separate directory.)
The contents of the directory will be:
[snoopy_test-TSTRAC2] ls -l total 352 -rw-r--r-- 1 oracle dba 12433 Mar 15 18:11 dbsat -rw-r--r-- 1 oracle dba 12579 Mar 15 18:11 dbsat.bat drwxr-xr-x 5 oracle dba 40 Mar 15 18:15 Discover -rw-r--r-- 1 oracle dba 28216 Mar 15 18:11 sat_analysis.py -rw-r--r-- 1 oracle dba 43181 Mar 15 18:11 sat_collector.sql -rw-r--r-- 1 oracle dba 247465 Mar 15 18:11 sat_reporter.py drwxr-xr-x 2 oracle dba 4096 Mar 15 18:15 xlsxwriter
chmod the files to add execute permissions.
The tool has 3 components:
Collector collects data on the system being assessed
Reporter analyzes the above output
Discoverer generates the Database Sensitive Data Assessment Report
Running the Collector
Run the collector with the below command. In my example, I ran this as sysdba with my ORACLE_HOME set to the RAC instance that I intended to execute the DBSAT tool:
./dbsat collect -n "/ as sysdba" /TSTRAC2/dean/dbsat/dbsat_collect
| | |
No encryption ---+ | |
| |
location for the output ---------+ |
|
name of report file ---------------------------------+
The output will be written to a file named dbsat_collect.json
Running the Reporter
The reporter needs Python version 2.6 or later. This can be verified with
[snoopy_test-TSTRAC2] python -V Python 2.7.5
Run the report with the below command:
./dbsat report -a -n /TSTRAC2/dean/dbsat/dbsat_collect Note: a. Paste the above command into notepad. I used word to write this blog entry and word sometimes replaces the “-“ to a non-unix compatible character. b. The file name from the Collector is specified without the extension
The below files will be generated:
dbsat_collect_report.txt
dbsat_collect_report.html
dbsat_collect_report.xlsx
The html file is probably the nicest format to review and will contain a large amount of information classified by level of risk.
Using the Discoverer
To run this part of the tool, you have to set up the
/TSTRAC2/dean/dbsat/Discover/conf/sample_dbsat.config File which contains the information on the database connection and the location of the sensitive_en.ini file which contains the patterns that will be used to query database column names, column comments etc. These patterns are specified as regex and logical operators as documented in Section 1.4.3.1.2 Pattern File Configuration of the Database Security Assessment Tool User Guide.
Based on the parameters specified in the config files, the tool will then scan the database looking for column, comments etc. that match the patterns specified.
