“There should be no on/off button for security, it should always be on, everything should always be encrypted – there should be no option to turn security off” – Larry Ellison
If you would like to check how secure your Oracle database is, just run the free Oracle Database Security Assessment Tool (DBSAT)!
First, download it for free from MOS Doc ID 2138254.1. Check also the DBSAT documentation.
The Oracle Database Security Assessment Tool is a simple command line tool that shows how securely your database is configured, who the users are and what privileges they hold, which security policies and controls are in place, and where sensitive data resides, with the goal of promoting successful approaches to mitigating potential security risks.
DBSAT has three components: Collector, Reporter, and Discoverer.
Here are the steps to produce the report in Oracle Database 20c. DBSAT also supports Oracle Database versions 10.2 through 19c.
1. Make sure first you have zip, unzip and python on the database server:
[root@julian ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@julian ~]# cd /home/oracle/
[root@julian oracle]# yum install -y zip unzip python
Loaded plugins: ulninfo, versionlock
mysql-connectors-community | 2.6 kB 00:00
mysql-tools-community | 2.6 kB 00:00
mysql80-community | 2.6 kB 00:00
ol7_UEKR5 | 2.5 kB 00:00
ol7_latest | 2.7 kB 00:00
(1/3): mysql-connectors-community/x86_64/primary_db | 68 kB 00:00
(2/3): mysql80-community/x86_64/primary_db | 128 kB 00:00
(3/3): mysql-tools-community/x86_64/primary_db | 83 kB 00:00
(1/5): ol7_UEKR5/x86_64/updateinfo | 41 kB 00:00
(2/5): ol7_UEKR5/x86_64/primary_db | 7.6 MB 00:00
(3/5): ol7_latest/x86_64/updateinfo | 3.1 MB 00:00
(4/5): ol7_latest/x86_64/group | 660 kB 00:00
(5/5): ol7_latest/x86_64/primary_db | 30 MB 00:00
Excluding 262 updates due to versionlock (use "yum versionlock status" to show them)
Package zip-3.0-11.el7.x86_64 already installed and latest version
Package unzip-6.0-20.el7.x86_64 already installed and latest version
Package python-2.7.5-86.0.1.el7.x86_64 already installed and latest version
Nothing to do
[root@julian oracle]#
2. Create a database user for running the Security Assessment Tool. You can also run it as sysdba but I would rather have a separate user:
create user dbsat_user identified by dbsat_user;
grant create session to dbsat_user;
grant select_catalog_role to dbsat_user;
grant select on sys.registry$history to dbsat_user;
grant select on sys.dba_users_with_defpwd to dbsat_user;
grant select on audsys.aud$unified to dbsat_user;
grant audit_viewer to dbsat_user;
grant capture_admin to dbsat_user;
grant dv_secanalyst to dbsat_user;
3. Run the tool:
[oracle@julian dbsat]$ ./dbsat collect dbsat_user/dbsat_user@//localhost:1521/xxxxx.oraclevcn.com dbsat_output
Database Security Assessment Tool version 2.2.1 (May 2020)
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company’s policies.
Connecting to the target Oracle database...
SQL*Plus: Release 20.0.0.0.0 - Production on Tue Nov 10 08:35:00 2020
Version 20.2.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Connected to:
Oracle Database 20c EE High Perf Release 20.0.0.0.0 - Production
Version 20.2.0.0.0
Setup complete.
SQL queries complete.
…….
OS commands complete.
Disconnected from Oracle Database 20c EE High Perf Release 20.0.0.0.0 - Production
Version 20.2.0.0.0
DBSAT Collector completed successfully.
Calling /u01/app/oracle/product/20.0.0/dbhome_1/bin/zip to encrypt dbsat_output.json…
Enter password:
Verify password:
adding: dbsat_output.json (deflated 88%)
zip completed successfully.
[oracle@julian dbsat]$
4. Generate the report:
[oracle@julian dbsat]$ ./dbsat report dbsat_output
Database Security Assessment Tool version 2.2.1 (May 2020)
This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company’s policies.
Archive: dbsat_output.zip
[dbsat_output.zip] dbsat_output.json password:
inflating: dbsat_output.json
DBSAT Reporter ran successfully.
Calling /usr/bin/zip to encrypt the generated reports…
Enter password:
Verify password:
zip warning: dbsat_output_report.zip not found or empty
adding: dbsat_output_report.txt (deflated 78%)
adding: dbsat_output_report.html (deflated 84%)
adding: dbsat_output_report.xlsx (deflated 3%)
adding: dbsat_output_report.json (deflated 82%)
zip completed successfully.
5. Extract (for example) the .html file:
[oracle@julian dbsat]$ unzip dbsat_output_report.zip
Archive: dbsat_output_report.zip
[dbsat_output_report.zip] dbsat_output_report.txt password:
inflating: dbsat_output_report.txt
inflating: dbsat_output_report.html
inflating: dbsat_output_report.xlsx
inflating: dbsat_output_report.json
6. View the report. Most areas will probably be in PASS status, some will be LOW RISK, and some might even be classified as HIGH RISK.
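Step 6 reads the report by eye; across many databases a practitioner would rather triage the .json report programmatically. The script below is an added example (not DBSAT's own code, nor from the original post) that counts findings per status, lists the blocking ones worst-first, and exits non-zero when any HIGH RISK finding is present; it assumes a simplified flat "findings" schema with section/id/title/status, so load_findings() must be adapted to the real dbsat_output_report.json layout, and the sample finding ids are constructed.

```python
"""Triage a DBSAT report: added example, not part of DBSAT or the original post."""
import json
import sys
from collections import Counter

# Status labels in increasing severity; PASS, LOW RISK and HIGH RISK are named in the post.
SEVERITY = ["PASS", "ADVISORY", "EVALUATE", "LOW RISK", "MEDIUM RISK", "HIGH RISK"]

# Constructed sample. This example ASSUMES a simplified schema (a flat "findings"
# list with section/id/title/status); adapt load_findings() to the real layout
# of dbsat_output_report.json. The finding ids below are illustrative only.
SAMPLE_REPORT = json.dumps({"findings": [
    {"section": "User Accounts", "id": "USER.DEFPWD", "title": "Users with Default Passwords", "status": "High Risk"},
    {"section": "User Accounts", "id": "USER.SAMPLE", "title": "Sample Schemas", "status": "Pass"},
    {"section": "Privileges and Roles", "id": "PRIV.SYSTEM", "title": "System Privileges Granted to Users", "status": "Low Risk"},
    {"section": "Auditing", "id": "AUDIT.UNIFIED", "title": "Unified Audit", "status": "Evaluate"},
    {"section": "Encryption", "id": "CRYPT.TDE", "title": "Transparent Data Encryption", "status": "Medium Risk"},
]})

def load_findings(report_json):
    """Parse the report text and normalise every status to a SEVERITY label."""
    findings = json.loads(report_json)["findings"]
    for f in findings:
        f["status"] = " ".join(f["status"].upper().split())  # "High Risk" -> "HIGH RISK"
        if f["status"] not in SEVERITY:
            raise ValueError(f"unknown status {f['status']!r} in finding {f.get('id')}")
    return findings

def summarize(findings):
    """Count findings per status, e.g. Counter({'HIGH RISK': 1, 'PASS': 1, ...})."""
    return Counter(f["status"] for f in findings)

def worst_first(findings):
    """Sort findings from most to least severe; order within one level is kept."""
    return sorted(findings, key=lambda f: SEVERITY.index(f["status"]), reverse=True)

def gate(findings, threshold="HIGH RISK"):
    """Findings at or above the threshold; an empty list means the gate passes."""
    limit = SEVERITY.index(threshold.upper())
    return [f for f in findings if SEVERITY.index(f["status"]) >= limit]

if __name__ == "__main__":
    # Usage: python dbsat_triage.py [dbsat_output_report.json]; no argument uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = load_findings(text)
    for status, count in summarize(found).most_common():
        print(f"{status:<12}{count}")
    blocking = gate(found)
    for f in worst_first(blocking):
        print(f"{f['status']}: [{f['section']}] {f['id']} - {f['title']}")
    sys.exit(1 if blocking else 0)  # non-zero exit lets a pipeline stop on HIGH RISK
```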
Although we have no OS access in Autonomous Database (ADB), you can still run the Database Security Assessment Tool. Roy Salazar explained on the Pythian blog how to run DBSAT against Autonomous Database.
You need to have the Instant Client installed and then use the ADMIN database user of the Autonomous DB.
Clearly, you will get “ORA-20002: Complete without OS Commands”, as the Collector was executed on the client machine instead of on the underlying DB server, to which we have no access.
The security of Autonomous Database is so high that you most likely will get a very different report from what we usually see on-premises.
Julian Dontcheff’s Database Blog