3. How secure is your data (What do you know)?
• Access controls? Encryption?
• Known exploits and routes in? (“Create any Trigger”, anyone?)
• Known default logins?
• Known configuration issues?
• Auditing?
• Patching?
Capgemini 2022 3
4. Attackers don’t attack your city walls
• Attackers don’t attack your strengths, they attack your weaknesses.
• Knowing that your defensive strengths (encryption, audits etc.) are in place is half the battle. Constantinople, 1453: taken by the Ottoman Empire.
6. What DBSAT does
• Scans your databases, listeners and ORACLE_HOME for known exploits, vulnerabilities and “suboptimal configuration”.
• Grades vulnerabilities against a set of known issues, matching them to GDPR, DP, PCI-DSS, Oracle STIG, CIS Benchmarks etc.
• Makes recommendations for remediation.
• ALSO tells you where configuration is good!
• Scans the database to identify sensitive data (financial, personal, health etc.) using customizable regular expression patterns.
7. “A Grand Don’t Come For Free”
• …But DBSAT is! (Kinda).
• DBSAT was once part of the Database Vault Option but was separated out in 2018. Freely available for anyone with a current Oracle RDBMS license.
• Downloadable from MOS: Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)
8. DBSAT – Benefits?
• Quickly and easily assess your current security status.
• Can be used as part of a comprehensive security strategy for frequent confirmation of your security status.
• Promote security best practices.
• Reduce risk to your estate and data.
• Comply with GDPR, PCI, CIS with reports.
• Check for a changing security position using the DBSAT “diff” tools.
• Supplied and maintained by Oracle themselves.
Use as part of a wider security checking/confirmation service perhaps?
9. What DBSAT is
• Oracle-provided and maintained set of shell, SQL, Python and Java scripts wrapped into a command line executable (dbsat).
• Can be run from Windows, Linux, Solaris and HP-UX.
• Downloaded from My Oracle Support (Doc ID 2138254.1). Latest version 2.2.2, June 2021.
• Runs against 10.2.0.5 to 21c.
• Checks databases on-prem and in the cloud (OCI autonomous databases, RDS in AWS).
• Checks single instance and RAC databases.
• Doesn’t change anything in the database.
• ONLY looks at metadata/data dictionary and doesn’t query the actual data.
10. What it actually checks
• User accounts, privileges, role grants, separation of duties
• Database configuration
• Listener and network (TNS) configuration
• Operating system configuration, file permissions
• Fine-grained access control
• Auditing policies
• Encryption
• Patching
11. What it doesn’t do
• It doesn’t do your job for you: it doesn’t itself close any vulnerabilities, lock accounts, patch your database or implement auditing or encryption.
• Instead it tells you what is, or could be, an issue and makes suggestions for remediating it.
12. Using DBSAT
Two uses, three modes:
• Collector & Reporter – collects and analyses the security information.
• Discovery mode – uses pattern matching against data metadata to look for sensitive and PII data.
13. Using DBSAT: Collector
• Is a set of SQL queries and OS commands/bat/shell scripts.
• The Collector gets raw data from the target database, primarily by querying data dictionary views. Doesn’t look at the actual data, only metadata.
• Output is a JSON file which is encrypted by default.
• To get the full output it must be run on the database server (otherwise it misses patch info and server config info), by a user that can read ORACLE_HOME files.
• It can be run from anywhere that can connect to the database.
• Used to give an error when run on a server that’s not the database server (ORA-20002: Complete without OS Commands), but the latest version (2.2.2) is coded to skip this (19c bug).
14. Using DBSAT: Reporter
• Is actually a Python program.
• The Reporter reads the collected data in the JSON file, analyses it and produces reports with the findings.
• The Reporter outputs four reports in all, in HTML, XLS, JSON and text formats.
• Grades vulnerabilities as Pass, Low Risk, Medium Risk, High Risk or Advisory.
• Output includes both what issues you have covered off and what issues need attention.
• Can run on any machine (doesn’t have to be the collector machine).
• Output is encrypted by default; encryption can be skipped (don’t).
15. Using DBSAT: Discoverer
• Java program, needs JRE 1.8.
• User-customisable pattern matching, for when you know of additional patterns specific to your datasets.
• Various language files, so pattern matching is language specific.
• Looks for names, addresses, job & role, salary, health, disability, card, payments, employment, NI, email, telephone.
• Queries database dictionary views to discover sensitive data; it doesn’t query the actual data.
• Outputs both an HTML and a CSV file, encrypted by default.
• From experience it can give rafts of false positives, so it takes a lot of time to review.
16. DBSAT Security Considerations
Findings are extremely sensitive…
• Encrypt the output. Only share in encrypted form. Output is encrypted (zip password) by default.
• Delete the files as soon as they are not needed.
• Use a specific DB account with minimum permissions, and audit it.
• Only grant permissions to the Oracle DBSAT DB user while needed, and revoke when done. Or lock it and change the password. Or drop it after use.
• Ensure that the directories holding output files are secured with the appropriate permissions.
18. Reporter – Output
• Header info and then Findings
• Findings categorised as Pass, Low Risk, Medium Risk, High Risk, Advisory
• Finding anatomy: Summary, Remarks, Details, and a References section.
32. Running the Reporter
dbsat report [ -a ] [ -n ] [ -g ] [ -x <section> ] <input_file>
Options:
  -a  Report about all user accounts, including locked, Oracle-supplied users
  -n  No encryption for output
  -g  Show all grants including common grants in a PDB
  -x  Specify sections to exclude from report
Prompted for the password to decrypt the input and again to encrypt the output.
34. Running the Discoverer
dbsat discover [ -n ] [ -c ] <config_file> <output_file>
Options:
  -n  No encryption for output
  -c  Configuration file for discoverer
• The configuration file stores the host/port/service name of the target, the wallet location if using SSL, etc.
• Sample config file in Discoverer/conf/sample_dbsat.config
• Prompted for database username and password.
36. DBSAT “Companion Utilities”
• dbsat_extract enables you to extract findings by their identifiers.
• dbsat_diff enables you to compare two reports and find the differences.
37. Collector Pre-reqs
Collector prerequisites:
• ZIP/UNZIP in path
• Oracle Client install
Account with the following (SYSTEM works just fine, but create a separate account):
• CREATE SESSION
• READ or SELECT on SYS.REGISTRY$HISTORY
• Role SELECT_CATALOG_ROLE
• Role AUDIT_VIEWER (12c and later)
• Role CAPTURE_ADMIN (12c and later)
• SELECT on SYS.DBA_USERS_WITH_DEFPWD (11g and later)
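The dedicated, audited, short-lived collector account that slide 16 (Security Considerations) and the prerequisites above call for, written out as an added worked example; it is not from the deck or from Oracle. It assumes Oracle 12c or later with unified auditing, a PDB-local user named DBSAT_USER created by a DBA inside the target PDB, and placeholder passwords.

```sql
-- Added example (not from the deck or Oracle): least-privilege DBSAT
-- collector account built from the prerequisites listed above, audited
-- while in use, then locked or dropped. Assumes 12c+ with unified auditing,
-- run as a DBA in the target PDB. DBSAT_USER and the passwords are placeholders.

-- 1. A dedicated account instead of reusing SYSTEM.
CREATE USER dbsat_user IDENTIFIED BY "CHANGE_ME_placeholder_1";

-- 2. Only the grants the Collector needs (the list from the slide).
GRANT CREATE SESSION TO dbsat_user;
GRANT READ ON sys.registry$history TO dbsat_user;          -- SELECT on pre-12c
GRANT SELECT_CATALOG_ROLE TO dbsat_user;
GRANT AUDIT_VIEWER TO dbsat_user;                          -- 12c and later
GRANT CAPTURE_ADMIN TO dbsat_user;                         -- 12c and later
GRANT SELECT ON sys.dba_users_with_defpwd TO dbsat_user;   -- 11g and later

-- 3. Audit everything this account does (unified auditing, 12c+).
CREATE AUDIT POLICY dbsat_user_activity ACTIONS ALL;
AUDIT POLICY dbsat_user_activity BY dbsat_user;

-- 4. Verify the account holds nothing beyond the intended grants
--    before handing it to whoever runs "dbsat collect".
SELECT 'ROLE' AS kind, granted_role AS grant_detail
  FROM dba_role_privs WHERE grantee = 'DBSAT_USER'
UNION ALL
SELECT 'SYS', privilege
  FROM dba_sys_privs WHERE grantee = 'DBSAT_USER'
UNION ALL
SELECT 'OBJ', privilege || ' ON ' || owner || '.' || table_name
  FROM dba_tab_privs WHERE grantee = 'DBSAT_USER'
ORDER BY 1, 2;

-- 5. After the collection: either lock it and rotate the password ...
ALTER USER dbsat_user IDENTIFIED BY "CHANGE_ME_placeholder_2" ACCOUNT LOCK;

-- ... or, when no further collections are planned, remove it entirely
--     (the policy must be disabled before it can be dropped).
NOAUDIT POLICY dbsat_user_activity BY dbsat_user;
DROP AUDIT POLICY dbsat_user_activity;
DROP USER dbsat_user CASCADE;
```

Step 4 should list exactly one SYS privilege, three roles and two object grants; anything extra is a sign the account was reused for something else.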
38. Reporter & Discoverer Pre-reqs
Reporter prerequisites:
• Is a platform-independent Python program; Python 2.6 needed (python -V shows the version)
Discoverer prerequisites:
• Java Runtime Environment (JRE) 1.8
• Relies on stats in the database; DBMS_STATS should be run if necessary.
• There is a configuration file (.conf) to edit in the discoverer/conf directory: add in the host/port/service_name for the database
39. But…
• Maintained by Oracle, so a bit of a black box.
• How much of the various standards can it, and does it, check (GDPR, DP, PCI-DSS, Oracle STIG, CIS Benchmarks)?
• Can’t tell us whether a particular user is supposed to have access to a table or a certain permission.
• DBSAT is a good starting point for your approach to security; it’s NOT the whole story.
40. References
Constantinople falls to the Ottomans
• https://www.ancient.eu/article/1180/1453-the-fall-of-constantinople/