Benefits of Using Oracle Database Security Assessment Tool
Benefits of Using Oracle Database Security Assessment Tool
1
Note:
DBSAT is a light weight utility that will not impair system performance in a
measurable way.
2
Figure DBSAT Components, Sources, and Reports
HTML
Collector, Reporter,
Discoverer
10g, 11g, 12c, 18c
Text
JSON
For more information about the Collector, Reporter, and Discoverer, see Using the
Database Security Assessment Tool (page 7).
Prerequisites
The following sections outline the prerequisites for the Database Security Assessment
Tool:
• Supported Operating Systems (page 3)
• Supported Database Versions (page 4)
• Security Requirements (page 4)
• Database Security Assessment Tool Prerequisites (page 4)
3
• HP-UX IA (64-bit)
• IBM AIX (64-bit) & Linux on zSeries (64-bit)
Security Requirements
DBSAT output files are sensitive because they may reveal weaknesses in the security
posture of your database. To prevent unauthorized access to these files, you must
implement the following security guidelines:
• Ensure that the directories holding these files are secured with the appropriate
permissions.
• Delete the files securely after you implement the recommendations they contain.
• Share them with others in their (by default) encrypted form.
• Grant user permissions on a short-term basis and revoke these when no longer
necessary.
Caution:
This tool is intended to assist in you in identifying potential sensitive data and
vulnerabilities in your system. Further, the output generated by this tool may
include potentially sensitive system configuration data and information that
could be used by a skilled attacker to penetrate your system. You are solely
responsible for ensuring that the output of this tool, including any generated
reports, is handled in accordance with your company's policies.
4
Note:
The Unzip utility is not included in Oracle Database 12.2 and higher. Ensure
that you have installed an utility such as WinZip or WinRar, and add the path
to the utility in the SET UNZIP_CMD parameter.
The following are the prerequisites for the components of the Database Security
Assessment Tool:
• Collector Prerequisites (page 5)
• Reporter Prerequisites (page 6)
• Discoverer Prerequisites (page 6)
Collector Prerequisites
In order to collect complete data, the DBSAT Collector must be run on the server that
contains the database, because it executes some operating system commands to
collect process and file system information that cannot be obtained from the database.
In addition, the DBSAT Collector must be run as an OS user with read permissions on
files and directories under ORACLE_HOME in order to collect and process file system data
using OS commands.
The DBSAT Collector collects most of its data by querying database views. It must
connect to the database as a user with sufficient privileges to select from these views.
You can grant the DBSAT user the individual privileges in the following list, or you can
grant this user the DBA role plus the DV_SECANALYST role if needed.
If you plan to run only the Discoverer component, you can use just the privileges
marked with an asterisk (*) below.
Required privileges and roles:
• CREATE SESSION*
• Role SELECT_CATALOG_ROLE*
• Role DV_SECANALYST* (if Database Vault is enabled)
• Role AUDIT_VIEWER (12c and later)
• Role CAPTURE_ADMIN (12c and later)
• READ or SELECT on SYS.DBA_USERS_WITH_DEFPWD (11g and later)
5
Note:
In order to successfully collect Database Vault information in a Database
Vault protected environment, you must connect as a non-SYS user with the
DV_SECANALYST role.
Reporter Prerequisites
Discoverer Prerequisites
The Discoverer is a Java program and requires the Java Runtime Environment (JRE)
1.8 (jdk8-u172) or later to run.
The Discoverer collects metadata from database dictionary views and matches them
against the patterns specified to discover sensitive data. The Discoverer must connect
to the database as a user with sufficient privileges to select from these views. For
more information about DBSAT user privileges, see Collector Prerequisites (page 5).
Note:
The Discoverer relies on table statistics to get row counts. In order to get
accurate row count results, DBMS_STATS should be executed by the Database
Administrator before the DBSAT user runs the Discoverer.
3. Download or copy the dbsat.zip file to the database server, and unzip the file.
unzip dbsat.zip –d /home/oracle/dbsat
Where -d refers to the directory path.
The Database Security Assessment Tool (DBSAT) is installed on the database server.
You can run the Collector, Reporter, and Discoverer from the /home/oracle/dbsat
directory.
6
You can also add this directory to your PATH and skip the step of going to the directory
every time you want to run the tool.
HTML
Text
JSON
7
Figure Discoverer Components and Architecture
DBSAT HTML
SQL Discoverer
Spreadsheet
Note:
The Collector connects to the database. Ensure that the target database and
listener are running before running the Collector.
The dbsat collect command has the following options and arguments:
• connect_string
Specifies the location and file name for the Database Security Assessment
report.
Example: /home/oracle/dbsat/db04
8
2. Run the Collector.
$ ./dbsat collect dbsat@orcl db04
Enter password:
Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
Setup complete.
SQL queries complete.
OS commands complete.
Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 -
64bit Production
DBSAT Collector completed successfully.
Note:
If you do not want to encrypt the file invoke the dbsat collect script with
the -n option. This is not recommended.
Running the Collector in the root container in a multitenant container
database collects data specific to the root container and not from its
pluggable databases. If you need to access specific pluggable
databases, you must run the Collector for these pluggable databases
separately.
9
[oracle@db04 sat]$ python -V
Where the argument pathname stands for the full or relative path name to the data
file db04 produced by the DBSAT Collector. If this file was encrypted during data
collection, you will need to supply the encryption password when prompted by the
Reporter.
The Reporter supports the following command-line options:
• -a means: include all the database user accounts in the analysis. (Locked
Oracle-supplied accounts are excluded by default as they cannot be used to
connect to the database.)
• -n means: do not encrypt the reports generated by the analysis.
– AUDIT : Auditing
– OS : Operating System
Or:
—x USER —x PRIV
10
Calling /usr/bin/zip to encrypt the generated reports...
Enter password:
Verify password:
zip warning: db04_report.zip not found or empty
adding: db04_report.txt (deflated 82%)
adding: db04_report.html (deflated 86%)
adding: db04_report.xlsx (deflated 3%)
adding: db04_report.json (deflated 85%)
zip completed successfully.
4. Specify a password for the .zip file.
The .zip file is created.
Note:
The .zip file is used for Reporter and Discoverer output. To avoid
confusion, it is recommended that you use the same password while
creating both outputs.
5. Extract the contents of the .zip file to access the Database Security Assessment
Report. When prompted, enter the password for the .zip file specified in Step 4.
The contents of the .zip file are extracted.
Configuring dbsat.config
The settings in the configuration file determine the behavior of the Discoverer.
To configure the Discoverer, do the following:
11
1. Access the directory where DBSAT is installed.
2. Navigate to the Discover/conf directory. Make a copy of the sample_dbsat.config
file and rename the file to match your site–specifc requirements. For example, you
can rename the file custom_dbsat.config.
Note:
Creating a duplicate file ensures that your custom settings are not
overwritten during reinstallation.
3. Open dbsat.config.
The following are the contents of the configuration file:
[Database]
DB_HOSTNAME = localhost
DB_PORT = 1521
DB_SERVICE_NAME =
SSL_ENABLED = FALSE
SSL_TRUSTSTORE =
SSL_TRUSTSTORE_TYPE =
SSL_KEYSTORE =
SSL_KEYSTORE_TYPE =
SSL_DN =
SSL_VERSION =
SSL_CIPHER_SUITES =
[Discovery Parameters]
sensitive_pattern_files = sensitive_en.ini
schemas_scope = ALL
minrows = 1
exclusion_list_file =
[Sensitive Category]
PII = High Risk
PII - Address = High Risk
PII - IDs = High Risk
PII - IT Data = High Risk
PII-Linked = Medium Risk
PII-Linked - Birth Details = Medium Risk
Job Data = Medium Risk
Financial Data - PCI = High Risk
Financial Data - Banking = Medium Risk
Health Data = Medium Risk
4. Configure the settings. For more information about the configuration settings, see
Configuration Settings (page 13).
5. Save and close the configuration file.
12
Configuration Settings
The following table describes the configuration settings in the dbsat.config file:
13
SSL_KEYSTORE <Absolute path to Specifies the absolute
the KeyStore/ path to the KeyStore,
KeyStore filename> and the KeyStore file
Example: /opt/ name.
oracle/wallets/ If SSL_KEYSTORE is not
keystore.jks specified, the value
specified in
SSL_TRUSTSTORE is
used.
Mandatory if the
Database server
requires client
authentication.
SSL_KEYSTORE_TYPE PKCS12 | JKS | SSO Specifies the type of
KeyStore.
Use PKCS12 if the
KeyStore is a Wallet.
Use JKS if the
KeyStore is a Java
KeyStore.
Use SSO if the
KeyStore is an auto-
login SSO Wallet.
14
SSL_CIPHER_SUITES <cipher_suite1>,<ci Specifies the
pher_suite2> Cryptographic
Example: Algorithms to be used.
TLS_RSA_WITH_AES_25 Multiple entries can be
6_CBC_SHA256 , specified as a comma-
SSL_RSA_WITH_RC4_12 separated list.
8_MD5 This is an optional
argument.
For information about
supported
cryptographic suites,
see https://
docs.oracle.com/
javase/8/docs/
technotes/guides/
security/
SunProviders.html.
[Discovery SENSITIVE_PATTERN_F <file_name> | Specifies the pattern
Parameters] ILES <file_name1>, files to be used.
<file_name2> Multiple files can be
The default is specified as a comma-
sensitive_en. separated list. The
limit is 10 files.
For more information
about configuring the
Sensitive Data Type
pattern file, see
Pattern File
Configuration
(page 16).
SCHEMAS_SCOPE ALL | Specifies the schemas
<schema1>,<schema2> to be scanned.
The default is ALL. Multiple schemas can
be specified as a
comma-separated list.
MINROWS <numerical value> Specifies the minimum
The default is 1. number of rows in a
table for that table to
be scanned.
Tables with a number
of rows less than what
is specified in the
minrows parameter
are excluded from the
scan.
15
EXCLUSION_LIST_FILE <exclusion_list_fil Specifies the file to be
ename>.ini used to exclude
schemas, tables, or
columns from the
scan.
For more information
about configuring the
Exclusion List file, see
Configuring the
Exclusion List file
(page 20).
[Sensitive_Category] The
[Sensitive_Category]
section defines which
Sensitive Categories
are used. The default
risk levels are:
• Low Risk
• Medium Risk
• High Risk
The types of sensitive
data are defined in the
Sensitive Data Type
pattern file. For more
information about
configuring the
Sensitive Data Type
pattern file, see
Pattern File
Configuration
(page 16).
Pattern files contain the patterns to search for. A Pattern file is grouped into sections,
defined by the section heading format [SENSITIVE_TYPE_NAME]. Each section constitutes
a Sensitive Type.
The following example shows a sample Sensitive Type section for FULL_NAME.
16
[FULL_NAME]
COL_NAME_PATTERN = ^(PERSON|FULL).*NAME$
COL_COMMENT_PATTERN = (Full|Person).*Name
SENSITIVE_CATEGORY = PII
COL_NAME_PATTERN
The COL_NAME_PATTERN parameter specifies the text to search for in the Regular
Expression (RegExp) patterns of the database column names.
(^LNAME$)|((LAST|FAMILY|SUR|PATERNAL).*NAME$)
In the example above, the following text will be searched for in the RegExp patterns of
the database column names:
• (^LNAME$) — Searches for a column titled LNAME.
COL_COMMENT_PATTERN
The COL_COMMENT_PATTERN parameter specifies the text to search for in the Regular
Expression (RegExp) patterns of the database column comments.
SENSITIVE_CATEGORY
The SENSITIVE_CATEGORY parameter specifies the type of sensitive data. The risk levels
associated with exposing types of sensitive data are specified in the
sample_dbsat.config file. The risk levels are:
• Low Risk
• Medium Risk
• High Risk
For more information about configuring the sample_dbsat.config file, see Configuration
Settings (page 13).
17
2. Navigate to the Discover/conf directory. Make a copy of the sensitive_en.ini file
and rename the file my_sensitive_en.ini.
3. Open my_sensitive_en.ini.
4. Customize the settings by adding new Sensitive Types and modifying existing
Sensitive Types.
For more information about adding new Sensitive Types and Sensitive Categories
to the Pattern file, see About Sensitive Types (page 16) and Configuration Settings
(page 13).
5. Save and close my_sensitive_en.ini.
The Pattern file is configured.
6. Include my_sensitive_en in the Discoverer scan by adding a reference to the file in
the mydbsat.config file.
sensitive_pattern_files = my_sensitive_en.ini
For more information about referencing the Pattern file in the mydbsat.config file, see
Configuring dbsat.config (page 11).
The search parameters are defined using Regular Expressions such as Character
Classes, Quantifiers, and Boundary Matchers. Regular Expressions are used to
specify COL_NAME_PATTERN and COL_COMMENT_PATTERN parameters.
Boundary Matchers
Boundary Matchers are used to make pattern matches more precise by specifying the
location in the string to search for the pattern match.
Boundary Matchers
18
Table (Cont.) Boundary Matchers
Example: ELECTORAL searches for database column names and column comments
containing ELECTORAL. The search identifies occurrences such as ELECTORAL_ID,
ID_ELECTORAL, and ELECTORALID.
Example: ^ADDRESS$ searches for database column names and column comments
containing ADDRESS. The search identifies occurrences such as PRIMARY_ADDRESS and
ADDRESS_HOME. Occurrences such as ADDRESSES and EMPLOYEEADDRESS are ignored.
Logical Operators
Example: NAME DESIGNATION searches for database column names and column
comments containing NAME AND DESIGNATION. NAME | DESIGNATION searches for
database column names and column comments containing NAME OR DESIGNATION.
Character Classes
Character classes are used to specify a character search. DBSAT supports predefined
Regex character classes.
The most used one is the dot (.). The dot (.) searches for database column names and
column comments containing any character. Used in conjunction with *, the search
identifies occurrences of any character any number of times.
Example: JOB.* searches for database column names and column comments
containing JOB followed by any other character.
Quantifiers
19
Table Quantifiers
Quantifiers
Quantifier Description
X? Searches for occurrences of specified text X
once or not at all.
Example: ID_?CARD searches for database
column names and column comments
containing occurrences such as IDCARD and
ID_CARD.
X* Searches for occurrences of specified text X
zero or more times.
Example: TERM.*DATE searches for database
column names and column comments
containing occurrences such as
TERMINAL_DATE and LAST_TERMIN_DATE.
(^JOB.*(TITLE|PROFILE|POSITION)$)|^POSITION
In the example above, the search will identify database column names and column
comments beginning with JOB, followed by zero or more occurrences of any character,
and ending with TITLE, PROFILE, or POSITION. The search will also identify database
column names and column comments beginning with POSITION.
Note:
Use a backslash (“\”) to escape meta characters in regular expressions.
20
The following is a sample of the contents of the Exclusion List file.
PAYROLL
IT.ENTITLEMENTS
HR.EMPLOYEE.MARITAL_STATUS
HR.JOB.CANDIDATE
In the example above, PAYROLL excludes the PAYROLL schema from the discovery
scan; IT.ENTITLEMENTS excludes the ENTITLEMENTS table in IT schema;
HR.EMPLOYEE.MARITAL_STATUS excludes column MARITAL_STATUS from the
HR.EMPLOYEE table. Similarly, HR.JOB.CANDIDATE excludes column CANDIDATE
from HR.JOB table.
Tip:
The Discoverer CSV report includes a column with the fully qualified
column names (FULLY_QUALIFIED_COLUMN_NAME). This column
can be used to create the exclusion list file contents and speed up the
removal of unwanted columns or false positives from the report in a
subsequent run.
For increased security, Oracle Database provides Secure Sockets Layer (SSL)
support to encrypt the connection between clients and server. If SSL (TLS) encryption
is configured on the Database Server, the Discoverer needs to be configured in order
to connect and discover data. Configuration parameters for SSL can be found in the
dbsat.config file.
To establish an SSL connection with the Discoverer, the Database Server sends its
certificate, which is stored in its wallet. The client may or may not need a certificate or
wallet, depending on the server configuration.
Note:
Configuring certificates and wallets is an optional step and needs to be
performed only when using SSL to connect to the Oracle Database server.
For more information about configuring certificates and wallets, see Support for SSL in
the Oracle Database JDBC Developer's Guide.
21
Running the Discoverer
The dbsat discover command has the following options and arguments:
• -n
Specifies the name of the configuration file to be used. For more information
about the dbsat.config file, see Configuring dbsat.config (page 11).
• destination
Specifies the full or relative path name to create the .zip file.
Example:
/home/oracle/dbsat/discover1
2. Run the Discoverer.
$ ./dbsat discover -c Discover/conf/dbsat.config db04
Note:
The .zip file is used for Reporter and Discoverer output. To avoid
confusion, it is recommended that you use the same password while
creating both outputs.
4. Extract the contents of the .zip file to access the Database Sensitive Data
Assessment Report. When prompted, enter the password for the .zip file specified
in Step 3.
22
The contents of the .zip file are extracted.
DBSAT Reports
DBSAT produces output in multiple formats for various audiences and purposes.
Topics:
• Database Security Assessment Reports (page 23)
• Database Sensitive Data Assessment Report (page 26)
23
Figure Database Security Assessment Report — Summary
24
• Title and Unique ID for the Rule
The ID has two parts: the prefix identifies the report section, and the suffix
identifies the specific rule.
• Status
You can use the status values as guidelines to implementing DBSAT
recommendations. They can be used to prioritize and schedule changes based on
the level of risk, and what it might mean to your organization. High risk might
require immediate remedial action, whereas other risks might be fixed during a
scheduled downtime, or bundled together with other maintenance activities.
– Pass: no error found
– Evaluate: needs manual analysis
– Low Risk
– Medium Risk
– High Risk
– Advisory: improve security posture by enabling additional security features and
technology. Poses an opportunity for improvement.
• Summary
A brief summary of the finding. When the finding is informational, the summary
typically reports only the number of data elements that were examined.
• Details
Provides detailed information to explain the finding summary, typically results from
the assessed database, followed by any recommendations for changes.
• Remarks
Explains the reason for the rule and recommended actions for remediation. It may
also explain the recommended actions for remediation if a risk is reported.
• References
Provides information on whether the finding is related to a CIS Oracle Database
Benchmark 12c v2.0.0 recommendation or related to a GDPR Article/Recital.
25
Note:
These recommendations reflect best practices for database security and
should be part of any strategy for Data Protection by Design and by Default.
The tool recommendations may help in addressing Articles 25 and 32 of the
EU General Data Protection Regulation as well as other data privacy
regulations. Technical controls alone are not sufficient for compliance.
Passing all findings does not guarantee compliance.
Based on Oracle Database security best practices, DBSAT highlights
findings that relate to the CIS Oracle Database 12c Benchmark v2.0.0. In
some cases DBSAT rules relate to multiple CIS Benchmark
recommendations. DBSAT does not execute all CIS Benchmark checks.
26
Figure Database Sensitive Data Assessment Report — High-Level Summary
Section Description
Assessment Displays when the Sensitive Data Assessment report was generated. The
Time & Date DBSAT Discoverer version is also displayed.
Database Displays the details of the database assessed by the Discoverer.
Identity
Database Displays the version of the database assessed by the Discoverer.
Version
Discovery Displays the Discovery Parameters specified in the configuration file. For more
Parameters information about Discovery Parameters, see Configuration Settings (page 13).
27
Figure Database Sensitive Data Assessment Report — Summary
Note:
A single database table could contain columns or column comments that
match more than one Sensitive Category, causing a higher number to be
displayed in the # Sensitive Tables and # Sensitive Rows columns. However,
the Total row displays the unique number of tables and rows identified as
sensitive data.
For more information about configuring Sensitive Categories, see Pattern File
Configuration (page 16).
28
Figure Database Sensitive Data Assessment Report — Sensitive Data
Entries for custom sensitive categories will also be present in this report section.
The Database Sensitive Data Assessment Report — Sensitive Data section contains
the following information:
Section Description
Risk Level(s) Displays the Risk Level(s) of the sensitive data identified in the schema or table
of the database assessed by the Discoverer.
Summary Displays a summary of the occurrence of sensitive data in the schema or table.
Location Displays the names of the schemas or tables containing sensitive data.
29
Figure Database Sensitive Data Assessment Report — Schema View
30
Figure Database Sensitive Data Assessment Report — Sensitive Column
Details
Purpose
Create a DBSAT user to run the DBSAT Collector script with required privileges.
Sample Script
create user dbsat_user identified by dbsat_user;
// If Database Vault is enabled, connect as DV_ACCTMGR to run this command
grant create session to dbsat_user;
grant select_catalog_role to dbsat_user;
grant select on sys.registry$history to dbsat_user;
grant select on sys.dba_users_with_defpwd to dbsat_user; // 11g and 12c
grant select on audsys.aud$unified to dbsat_user; // 12c only
grant audit_viewer to dbsat_user; // 12c
grant capture_admin to dbsat_user;// 12c covers sys.dba_priv_captures,
sys.priv_capture$, sys.capture_run_log$
31
// if Database Vault is enabled, connect as DV_OWNER to run this command
grant DV_SECANALYST to dbsat_user;
Known Issues
The following are the Known Issues in Database Security Assessment Tool Release
2.0.2:
• MS Excel Font Size Display (page 32)
• Collector and Reporter - Windows OS Commands (page 32)
Or, you may send an email to Oracle using this form. Your request should include:
The name of the component or binary file(s) for which you are requesting the source
code
32
The name and version number of the Oracle product
The date you received the Oracle product
Your name
Your company name (if applicable)
Your return mailing address and email
A telephone number in the event we need to reach you
We may charge you a fee to cover the cost of physical media and processing. Your
request must be sent (i) within three (3) years of the date you received the Oracle
product that included the component or binary file(s) that are the subject of your
request, or (ii) in the case of code licensed under the GPL v3, for as long as Oracle
offers spare parts or customer support for that product model
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle
Accessibility Program website at http://www.oracle.com/pls/topic/lookup?
ctx=acc&id=docacc.
33
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support
through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/
lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs
if you are hearing impaired.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws.
Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit,
perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for
interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is
applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation,
delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental
regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on
the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous
applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take
all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by
use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of
SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered
trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates
are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable
agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-
party content, products, or services, except as set forth in an applicable agreement between you and Oracle.
34