Securing the database is inevitable. Companies will strongly focus on securing not only the database but the entire network and everything inside it: infrastructure, servers, applications, web servers, client connections, and so on. As we keep performing security-related tasks, how confident can we be that we have secured the database to the fullest?
That's where this wonderful tool, DBSAT (Database Security Assessment Tool) from Oracle, comes to the rescue. The tool is free of cost and can be downloaded from the Oracle Support site by visiting Doc ID 2138254.1.
In this post, we will see how to set up DBSAT and how to invoke the tool to collect and report security status, and to identify sensitive data and security improvement opportunities.
DBSAT consists of 3 components:
Collector - Runs SQL queries against the database and OS commands on the system being assessed, and stores the details in JSON format.
Reporter - Analyzes the collected data and generates the Oracle Database Security Assessment Report in HTML, Excel, JSON, and Text formats.
Discoverer - Runs SQL queries and collects data from the system being assessed, based on the settings specified in the configuration files. The collected data is then used to generate the Oracle Database Sensitive Data Assessment Report in HTML and CSV formats.
Here is a small demo I have performed on my lab systems.
Prepare phase:
Step 1: Download DBSAT from Oracle Support note Doc ID 2138254.1 and transfer it to the server from which you want to run DBSAT (the central server).
Step 2: Install DBSAT tool (unzip the downloaded file)
-sh-4.2$ mkdir /oracle/media/dbsat
-sh-4.2$ cd /oracle/media/dbsat
-sh-4.2$ ls -lrt
total 4580
-rw-r--r--. 1 oracle oinstall 4687346 Jun 3 06:40 dbsat.zip
-sh-4.2$ unzip dbsat.zip
Archive: dbsat.zip
inflating: dbsat
inflating: dbsat.bat
inflating: sat_collector.sql
inflating: sat_reporter.py
inflating: sat_analysis.py
inflating: xlsxwriter/app.py
inflating: xlsxwriter/chart_area.py
inflating: xlsxwriter/chart_bar.py
inflating: xlsxwriter/chart_column.py
inflating: xlsxwriter/chart_doughnut.py
inflating: xlsxwriter/chart_line.py
inflating: xlsxwriter/chart_pie.py
inflating: xlsxwriter/chart.py
...
...
...
inflating: Discover/conf/sensitive_de.ini
inflating: Discover/conf/sensitive_pt.ini
inflating: Discover/conf/sensitive_it.ini
inflating: Discover/conf/sensitive_fr.ini
inflating: Discover/conf/sensitive_nl.ini
inflating: Discover/conf/sensitive_el.ini
-sh-4.2$ ls -lrt
total 5000
-r-xr-xr-x. 1 oracle oinstall 13465 May 5 2020 dbsat
-rw-rw-r--. 1 oracle oinstall 296035 May 6 2020 sat_reporter.py
-rw-rw-r--. 1 oracle oinstall 61823 May 6 2020 sat_collector.sql
-rw-rw-r--. 1 oracle oinstall 26096 May 6 2020 sat_analysis.py
-r-xr-xr-x. 1 oracle oinstall 13644 May 6 2020 dbsat.bat
-rw-r--r--. 1 oracle oinstall 4687346 Jun 3 06:40 dbsat.zip
drwxr-xr-x. 2 oracle oinstall 4096 Jun 3 06:42 xlsxwriter
drwxr-xr-x. 5 oracle oinstall 40 Jun 3 06:42 Discover
-sh-4.2$
-sh-4.2$ tnsping abc.world
TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 03-JUN-2021 06:49:08
Copyright (c) 1997, 2020, Oracle. All rights reserved.
Used parameter files:
/oracle/grid/193/network/admin/sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = abcdb)(PORT = 1527)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = ABC)))
OK (0 msec)
-sh-4.2$
-sh-4.2$ mkdir reports
create user dbsat_user identified by dbsat_user;
-- If Database Vault is enabled, connect as DV_ACCTMGR to run this command
grant create session to dbsat_user;
grant select_catalog_role to dbsat_user;
grant select on sys.registry$history to dbsat_user;
grant select on sys.dba_users_with_defpwd to dbsat_user; -- 11g and 12c
grant audit_viewer to dbsat_user; -- 12c
grant capture_admin to dbsat_user; -- 12c covers sys.dba_priv_captures, sys.priv_capture$, sys.capture_run_log$
-- If Database Vault is enabled, connect as DV_OWNER to run this command
grant DV_SECANALYST to dbsat_user;
-sh-4.2$ ./dbsat collect system@abc.world ./reports/dbsat-report-abc
Database Security Assessment Tool version 2.2.1 (May 2020)
This tool is intended to assist you in securing your Oracle database system. You are solely responsible for your system and the effect and results of the execution of this tool (including, without limitation, any damage or data loss). Further, the output generated by this tool may include potentially sensitive system configuration data and information that could be used by a skilled attacker to penetrate your system. You are solely responsible for ensuring that the output of this tool, including any generated reports, is handled in accordance with your company's policies.
Connecting to the target Oracle database...
SQL*Plus: Release 19.0.0.0.0 - Production on Thu Jun 3 06:51:07 2021
Version 19.10.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Enter password: --> Enter password for system user
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.10.0.0.0
Setup complete.
SQL queries complete.
OS commands complete.
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.10.0.0.0
DBSAT Collector completed successfully.
Calling /oracle/ABC/193/bin/zip to encrypt dbsat-report-abc.json...
Enter password: --> Enter encryption password, will be used to decrypt later
Verify password:
adding: dbsat-report-abc.json (deflated 83%)
zip completed successfully.
-sh-4.2$
-sh-4.2$ ./dbsat report ./reports/dbsat-report-abc
Database Security Assessment Tool version 2.2.1 (May 2020)
This tool is intended to assist you in securing your Oracle database system. You are solely responsible for your system and the effect and results of the execution of this tool (including, without limitation, any damage or data loss). Further, the output generated by this tool may include potentially sensitive system configuration data and information that could be used by a skilled attacker to penetrate your system. You are solely responsible for ensuring that the output of this tool, including any generated reports, is handled in accordance with your company's policies.
Archive: dbsat-report-abc.zip
[dbsat-report-abc.zip] dbsat-report-abc.json password: --> Enter the encryption password provided while running collector
inflating: dbsat-report-abc.json
DBSAT Reporter ran successfully.
Calling /usr/bin/zip to encrypt the generated reports...
Enter password: --> Enter password to encrypt the reports
Verify password:
zip warning: dbsat-report-abc_report.zip not found or empty
adding: dbsat-report-abc_report.txt (deflated 77%)
adding: dbsat-report-abc_report.html (deflated 83%)
adding: dbsat-report-abc_report.xlsx (deflated 3%)
adding: dbsat-report-abc_report.json (deflated 81%)
zip completed successfully.
-sh-4.2$
-sh-4.2$ cd reports/
-sh-4.2$ ls -lrt
total 176
-rw-------. 1 oracle oinstall 68997 Jun 3 06:56 dbsat-report-abc.zip
-rw-------. 1 oracle oinstall 109062 Jun 3 07:01 dbsat-report-abc_report.zip
-sh-4.2$
[Database]
TNS_ADMIN = /u01/orcl/122/network/admin
NET_SERVICE_NAME = orcl
WALLET_LOCATION =
DB_HOSTNAME = linux75-2
DB_PORT = 1522
DB_SERVICE_NAME = orcl
[oracle@linux75-2 dbsat]$ ./dbsat discover -c ./Discover/conf/orcl_dbsat.config ./reports/orcl-discover
Database Security Assessment Tool version 2.2.1 (May 2020)
This tool is intended to assist you in securing your Oracle database system. You are solely responsible for your system and the effect and results of the execution of this tool (including, without limitation, any damage or data loss). Further, the output generated by this tool may include potentially sensitive system configuration data and information that could be used by a skilled attacker to penetrate your system. You are solely responsible for ensuring that the output of this tool, including any generated reports, is handled in accordance with your company's policies.
Enter username: system
Enter password:
DBSAT Discover ran successfully.
Calling /usr/bin/zip to encrypt the generated reports...
Enter password: --> Enter encryption password here
Verify password:
zip warning: ./reports/orcl-discover_report.zip not found or empty
adding: reports/orcl-discover_discover.html (deflated 81%)
adding: reports/orcl-discover_discover.csv (deflated 75%)
Zip completed successfully.
[oracle@linux75-2 dbsat]$ cd reports
[oracle@linux75-2 reports]$ ls -lrt
total 12
-rw-------. 1 oracle oinstall 10450 Jun 13 00:07 orcl-discover_report.zip
[oracle@linux75-2 reports]$
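The directory listings above show every DBSAT archive with mode -rw-------, and the tool's banner warns that its output is sensitive. As an added example (not part of DBSAT or the original post), this shell function checks a reports directory for files accessible to group or others and for report files left outside the encrypted archives; the function names and the sample file set are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of DBSAT: audit a DBSAT output directory.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
audit_dbsat_outputs() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Finding 1: any permission bit set for group or others
    # (the listings above show -rw------- on every archive).
    loose=$(find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \) | sed 's/^/PERM /')

    # Finding 2: collector or report files left outside the encrypted zips.
    plain=$(find "$dir" -type f \( -name '*.json' -o -name '*.html' \
                -o -name '*.xlsx' -o -name '*.csv' -o -name '*.txt' \) \
            | sed 's/^/PLAINTEXT /')

    findings=$(printf '%s\n%s\n' "$loose" "$plain" | sed '/^$/d' | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the two archives from the listing above, with two
# deliberate mistakes (a world-readable archive and a leftover collector JSON).
make_sample_reports() {
    d=$(mktemp -d)
    : > "$d/dbsat-report-abc.zip";        chmod 600 "$d/dbsat-report-abc.zip"
    : > "$d/dbsat-report-abc_report.zip"; chmod 644 "$d/dbsat-report-abc_report.zip"
    : > "$d/dbsat-report-abc.json";       chmod 600 "$d/dbsat-report-abc.json"
    echo "$d"
}
```

Run `audit_dbsat_outputs ./reports` after each collect, report, or discover run; a non-zero return means something in the directory needs tightening before the reports are moved or shared.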
With this detailed report handy, we can now work on securing the data using database techniques such as encryption, data masking, etc. That's the end for today :)