PURPOSE
Overview of the Oracle Database Security Assessment Tool (DBSAT)
The Oracle Database Security Assessment Tool (DBSAT) is a command-line tool that identifies how securely the database is configured, who the users are and what their entitlements are, what security policies and controls are in place, and where sensitive data resides, with the goal of promoting successful approaches to mitigating potential security risks.
DBSAT has three components: Collector, Reporter, and Discoverer. Collector and Reporter work together to discover risk areas and produce reports on them (the Database Security Assessment report). The Discoverer is a stand-alone module that locates and reports on sensitive data (the Database Sensitive Data Assessment report).
- The Collector is responsible for collecting raw data from the target database by executing SQL queries and OS commands.
- The Reporter reads the collected data, analyzes it, and produces reports with the findings. The Reporter outputs four reports, in HTML, XLS, JSON and Text formats.
- The Discoverer executes SQL queries against database dictionary views to discover sensitive data, and outputs reports in HTML and CSV formats. The Discoverer CSV report can be loaded into Oracle Audit Vault and Database Firewall starting in 12.2.0.8, to add sensitive data context to the new Data Privacy reports. For more information about this functionality, see Importing Sensitive Data Into AVDF Repository in the Oracle Audit Vault and Database Firewall Auditor's Guide.
For more information about DBSAT, please see the documentation below.
DOWNLOAD
Download the Oracle Database Security Assessment Tool (DBSAT)
NOTE: You must read and click the I AGREE link below in order to download the tool.
This tool provides information and recommendations that may be helpful in securing your Oracle database system. The tool provides a view on the current status. The results shown are provided for informational purposes only and should not be used as a substitute for a thorough analysis or interpreted to contain any legal or regulatory advice or guidance. You are solely responsible for your system, and the data and information gathered during the production of the reports. You are also solely responsible for the execution of software to produce this report, and for the effect and results of the execution of any mitigating actions identified herein. Oracle provides this analysis on an "as is" basis without warranty of any kind and Oracle hereby disclaims all warranties and conditions whether express, implied or statutory.
By clicking the I AGREE link below, you confirm the following:
Oracle is providing the Oracle Database Security Assessment Tool on an “as is” basis without warranty of any kind and Oracle hereby disclaims all warranties and conditions with respect to the DBSAT tool whether express, implied or statutory. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF THE DBSAT TOOL IS AT YOUR SOLE RISK. In no event will Oracle be liable for personal injury, or any incidental, special, indirect, consequential or punitive damages whatsoever, including, without limitation, damages for loss of profits, loss of data, business interruption or any other damages or losses arising out of or related to the DBSAT tool, however caused.
You acknowledge that the DBSAT is an Oracle tool that cannot be interpreted as, or used as, a substitute for a security scan of the system analyzed or be interpreted to contain any legal or regulatory advice or guidance. Your usage of the DBSAT tool complies with all of Your applicable rules and policies regarding use of outside technology and handling of security sensitive information.
I AGREE
DOCUMENTATION
DBSAT documentation is available here
INTEGRITY CHECK
DBSAT zip file integrity
To make sure that the content was transferred correctly and has not been tampered with or damaged during the download, check that the SHA256 checksum of the downloaded dbsat.zip file matches the value in the table below.
DBSAT Release | SHA256 checksum
2.2.1 (May 2020) | cf619633b092b19ca8541b14e73b2059033041d248d789634004cb65ce04b96c
2.2 (September 2019) | 711ecfd7b96914525089a62c962e0dd46a890768
2.1 (March 2019) | ddd071ada201c8ea6dda4257d6ff9bd4948baa0e0592a89dbb4d5c2d32c13bfc
2.0.2 (May 2018) | 54f33fe1a5a8aeb2d2dfd39542e77a4f330042e46eb84b79e83e92f3855f1b16
2.0.1 (December 2017) | a485cfbf14ac9ffcf70cd0f0a8c101055b27eb30edb54cb8040a4b4bbfb71165
1.0.2 (October 2016) | cca0d9fa7d446d837472e2321310a6b3342d420da7b34225507cc91db59d5a2e
1.0.1 (June 2016) | 0ea517275102742e4b98679ff54e6ec317d02c2c4c316d68717132693beb7a33
Note that the value published for release 2.2 is 40 hexadecimal digits long, which is the length of a SHA-1 digest rather than of a SHA-256 digest (64 digits), so a SHA-256 comparison cannot match it.
If the values do not match, your downloaded dbsat.zip file is damaged or has been tampered with. Download it again and recheck.
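The comparison described above, as an added example that is not part of Oracle's DBSAT or its companion utilities: the release table is copied from this page, the script and function names are my own, and the hash algorithm is picked from the length of the published digest (SHA-256 for 64 hex digits, SHA-1 for the 40-digit value listed for 2.2).

```python
import hashlib
import hmac
import sys

# Published digests keyed by DBSAT release, copied from the table on this page.
PUBLISHED = {
    "2.2.1": "cf619633b092b19ca8541b14e73b2059033041d248d789634004cb65ce04b96c",
    "2.2": "711ecfd7b96914525089a62c962e0dd46a890768",  # 40 hex digits: SHA-1 length
    "2.1": "ddd071ada201c8ea6dda4257d6ff9bd4948baa0e0592a89dbb4d5c2d32c13bfc",
    "2.0.2": "54f33fe1a5a8aeb2d2dfd39542e77a4f330042e46eb84b79e83e92f3855f1b16",
    "2.0.1": "a485cfbf14ac9ffcf70cd0f0a8c101055b27eb30edb54cb8040a4b4bbfb71165",
    "1.0.2": "cca0d9fa7d446d837472e2321310a6b3342d420da7b34225507cc91db59d5a2e",
    "1.0.1": "0ea517275102742e4b98679ff54e6ec317d02c2c4c316d68717132693beb7a33",
}

# Hex digest length -> hash algorithm that produces it (assumed mapping).
ALGO_BY_LEN = {64: "sha256", 40: "sha1"}


def file_digest(path, algo, chunk=1 << 20):
    """Hash the file in 1 MiB chunks so a large zip is never read whole into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected):
    """Return (ok, algorithm, actual_digest) for the file at path.

    The algorithm is chosen from the length of the published digest and the
    comparison is constant-time, so a partial match leaks nothing via timing.
    """
    expected = expected.strip().lower()
    algo = ALGO_BY_LEN.get(len(expected))
    if algo is None:
        raise ValueError("published digest is neither SHA-256 nor SHA-1 length")
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, actual


if __name__ == "__main__":
    # Usage: python verify_dbsat.py dbsat.zip 2.2.1   (script name is assumed)
    ok, algo, actual = verify_download(sys.argv[1], PUBLISHED[sys.argv[2]])
    print(f"{algo}: {actual}")
    print("OK" if ok else "MISMATCH: the download is damaged or altered, fetch it again")
```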
DBSAT Reporter integrity
Each generated report includes the checksum of the Reporter that produced it (4 hexadecimal digits in the Reporter Version column). If it does not match the published value for that release, the Reporter script has been modified locally after installation, and you should reinstall.
DBSAT Release | Reporter Checksum
2.2.1 (May 2020) | f3a1
General Notes:
* Added USER.SESSIONS, to report on the number of user sessions that are allowed to be open concurrently.
* Enhanced AUDIT.UNIFIED: now lists whether audit policies are enabled on role(s). Object Actions are now listed.
* Amended findings for Autonomous Databases.
* Updated Severity for findings USER.AUTHVERS, USER.VERIFIERS, USER.NOLOCK, PRIV.CBAC, PRIV.USER, PRIV.EXFIL, AUTH.PRIV, ACCESS.REDACT, ACCESS.VPD, ACCESS.TSDP, CONF.BKUP, CONF.DIR, AUDIT: All, NET: All, to better reflect industry standards.
* Improved checks for PUBLIC grants on: AUTH.PRIV, ACCESS.REDACT, ACCESS.VPD, ACCESS.TSDP, AUDIT.FGA.
* Updated Remarks and recommendations.
* Discoverer: Performance improvement in Sensitive Data Discovery.

2.2 (September 2019) | 673d
General Notes:
* Show Comprehensive Grants for multi-tenant architecture.
* Added Code Based Access Control (CBAC) roles and privileges granted to program units.
* Added Roles with enabled Unified Audit policies.
* Improved remarks for all the findings.
* Improved version mismatch (collector & reporter) handling.
* Can now retrieve Database username/password from SEPS (Secure External Password Store).
* Added support for TNS_ADMIN and TNS aliases.
* Discoverer: Now includes sensitive pattern files for Greek.

2.1 (March 2019) | 7a38
General Notes:
* Now certified with Oracle Database 18c, 19c and Autonomous Databases.
* Added references to STIG Rules in Reporter findings.
* Users with directly granted system privileges are now marked with (D).
* System privilege grants to PUBLIC are now reported as High Risk.
* PDB runs show only Roles and Privileges that can be acted upon, for quicker remediation.
* Enhanced checks for Audit Configuration and Audit Trail Management.
* Updated Remarks and recommendations.
* Added CONF.PWDFILE rule to report on REMOTE_LOGIN_PASSWORDFILE.
* Added CONF.INSTNM to report usage of the database version in the instance name.
* Added CONF.BKUP to report backup records in the last 90 days.
* Added PRIV.AUDOBJ to report Users with privileges that can directly access and modify objects holding audit data.
* Added PRIV.AUDMGMT to report Users with execute privileges on DBMS_AUDIT_MGMT.
* Discoverer: Added support for Java 9 and 10.
* Discoverer: Added support for discovering sensitive data in data models in Dutch, French, German, Italian, Portuguese, and Spanish.
* Discoverer: Added/Updated Sensitive Types, Categories and Subcategories.
* Discoverer: Added Recommended controls per Risk Level category.

2.0.2 (May 2018) | a2c6
General Notes:
* Added Discoverer support for connecting to Database servers over an SSL channel.

2.0.1 (December 2017) | d526
General Notes:
* Added Discoverer module to find sensitive data.
* Added references to GDPR articles/recitals in Reporter findings.
* Added references to CIS Benchmark in Reporter findings.
* Added JSON format to Reporter output to simplify programmatic access to report output.
* Simplified Status terms to include Low, Medium, and High Risk.
* Added USER.PARAM rule to report on system-wide user parameters.
* Added PRIV.DBMGMT to report on database management privileges.
* Added CONF.TRACE rule to report on access to trace files.

1.0.2 (October 2016) | 7409
General Notes:
* Added exception handling so that a bug in one Reporter rule will not abort the entire report.
* Added DBSAT version number to Collector and Reporter output.

1.0.1 (June 2016) | 13f9
General Notes:
* Added -x option to dbsat report to exclude report sections.
* Added PRIV.PASSWD rule to report access to tables containing password verifiers.
* Added AUDIT.PRIVUSE rule to report auditing of powerful system privileges.
* Renamed AUDIT.SECMGMT rule to AUDIT.DBMGMT and broadened its scope to cover auditing of database management actions.

1.0.0 (May 2016) | b875
General Notes:
* Initial release
DBSAT COMPANION UTILITIES
The Reporter JSON output format introduced in DBSAT 2.0.1 opens new possibilities for further processing of the findings data.
Here is an example of what you can achieve with the dbsat_extract and dbsat_diff sample Python programs.
DBSAT extract
dbsat_extract enables you to extract findings by their identifiers.
How to run:
$ python dbsat_extract
Usage: dbsat_extract [-i id] [-v] file ...
Options:
  -i id   Identifier of finding to extract (option may be repeated)
  -v      Verbose: include Details section of each finding
Usage example:
$ python dbsat_extract -i CRYPT.TDE -i INFO.PATCH -v orcldb_report.json
=== orcldb_report.json: ORCL12C ORCL (PDB:3) Mon Feb 19 2018 07:59:00
CRYPT.TDE: Transparent Data Encryption
| Status: Advisory
| Summary:
| Found 1 encrypted tablespace. No encrypted columns found. Examined 1
| initialization parameter.
| Details:
| Encrypted tablespaces: DVTDE_TS (AES128)
| Unencrypted tablespaces: APEX_1941389856444596, EXAMPLE, SYSAUX,
| SYSTEM, TEMP, UNDOTBS1, USERS
|
| ENCRYPT_NEW_TABLESPACES=CLOUD_ONLY. Recommended value is ALWAYS.
INFO.PATCH: Patch Check
| Status: High Risk
| Summary:
| Latest comprehensive patch not found.
| Details:
| Binary Patch Inventory:
| (none)
|
| SQL Patch History:
| (none)
DBSAT diff
dbsat_diff enables you to compare two reports and find the differences.
How to Run:
$ python dbsat_diff
Usage: dbsat_diff file1 file2
Usage example:
< db18b_report.json: DB Wed Jan 17 2018 15:43:00
---
> db18a_report.json: DB Wed Jan 03 2018 14:12:00

Assessment Date & Time
< Date of Data Collection   Date of Report            Reporter Version
< ------------------------  ------------------------  ----------------------------
< Wed Jan 17 2018 15:43:00  Wed Jan 17 2018 15:44:41  2.0.1 (December 2017) - d526
---
> Date of Data Collection   Date of Report            Reporter Version
> ------------------------  ------------------------  ----------------------------
> Wed Jan 03 2018 14:12:00  Wed Jan 03 2018 14:26:05  2.0.1 (December 2017) - 2a66

AUDIT.RECORDS: Audit Records
< Status: Evaluate
< Summary:
< Examined 3 audit trails. Found records in 1 audit trail. No errors
< found in audit initialization parameters.
< Details:
< Traditional Audit Trail: In use, 381 records found (Nov 30 2017 - Jan
< 17 2018)
< FGA Audit Trail: No records found
< Unified Audit Trail: No records found
<
< AUDIT_FILE_DEST=/ade/b/112380286/oracle/rdbms/audit
< AUDIT_SYSLOG_LEVEL is not set.
< AUDIT_TRAIL=DB
---
> Status: Evaluate
> Summary:
> Examined 3 audit trails. Found records in 1 audit trail. No errors
> found in audit initialization parameters.
> Details:
> Traditional Audit Trail: In use, 377 records found (Nov 30 2017 - Jan
> 03 2018)
> FGA Audit Trail: No records found
> Unified Audit Trail: No records found
>
> AUDIT_FILE_DEST=/ade/b/112380286/oracle/rdbms/audit
> AUDIT_SYSLOG_LEVEL is not set.
> AUDIT_TRAIL=DB
Download DBSAT companion utilities here