Written by Syed Jaffer Hussain

SUMMARY

Let me emphasize my favorite quote: "Data is the heart and blood of any organization". It is undoubtedly one of the most important assets of the business. The pace at which data is growing these days is simply phenomenal, and it is hard to restrict and control its size. The amount of data pumped in via multiple channels is enormous, and at the same time data is also being accessed through a variety of channels, which raises numerous hurdles for organizations and for those within them who are responsible for the data. One of the major obstacles that every organization, especially in the financial sector, faces is protecting this precious data from a range of security threats. Therefore, organizations spend millions of dollars protecting data at various layers, such as the network, switches and firewalls. On the contrary, people pay little attention to security implementations at the database level. In my perspective and past experience, if one had solid security policies in place at the database level, this could protect against various security threats and also cost less.

In light of these security concerns, Oracle offers various security features to mitigate potential security threats at the database layer. It is essential to validate security at the database level from time to time. Very recently, Oracle has come up with yet another powerful database tool, DBSAT, with which we can easily analyze database security settings, get recommendations to fix the issues found, and improve the security settings.

This paper is focused on the DBSAT tool and covers the following topics:

- DBSAT Overview and Flow
- Advantages
- How to download, configure and execute
- Gathering data and preparing reports
- Interpreting the report

DBSAT Overview

Oracle's development team unleashed yet another powerful database tool very recently. DBSAT is a database security assessment tool which is pretty new and very simple to use.
It carries out the security assessment on your databases seamlessly. It can easily sit alongside the other database tools, such as ORAchk and ExaChk. What is missing in the DBSAT report, in contrast to the other two tools, is an overall score. Though it is not very significant, having a final score card could give customers a sense of satisfaction, or the curiosity to look deeper and improve their database security practices.

The objective of DBSAT is to analyze the database's existing security configuration, examine potential security vulnerabilities or misconfigurations, and provide recommendations on security best practices together with advice on how to mitigate the potential security issues found. Before DBSAT, the same could be achieved by running multiple scripts against the data dictionary views; this tool does that for you without the need to run multiple scripts, and also provides the recommendations in a report in three formats. According to Oracle, the security rules are defined as shown in the image below:

[Image: DBSAT security rules as defined by Oracle. Image courtesy: Oracle]

Advantages of DBSAT

- Advice on security best practices
- Quickly identifies the security flaws in your database
- Recommendations to improve the security posture of your databases
- Minimal learning curve to provide decent security reporting to management

DBSAT validations

Below is the list of areas that DBSAT examines during data collection:

- Data encryption
- DB user accounts, roles and privileges
- Auditing policies
- OS file permissions
- Listener configuration
- Database security configuration
- Fine-grained access control
- Authorization control

DBSAT Functionality and Flow

The DBSAT Collector and the DBSAT Reporter are the two components of the DBSAT tool. The functionality of these components is outlined in the segments below.
The role of the DBSAT Collector is to gather the raw data by executing SQL queries against the database dictionary views, plus some OS commands; the information is written to a JSON output file. The output file is password-encrypted by default, for obvious security reasons. The DBSAT Collector should be run on the server where the database is running.

The core functionality of the Reporter is to read the collected data, analyze it, and report its findings and recommendations in a readable file. The file is available in three formats: HTML, text and Excel sheet. Unlike the Collector, the DBSAT Reporter can run either on the DB server or on any other machine. It is a platform-independent program that requires Python 2.6 or higher on the system to run. You can use the findings to fix some immediate short-term risks, or to develop or improve a comprehensive security strategy. The image outlines the typical DBSAT functionality and the flow between its components:

[Image: DBSAT functionality and component flow. Image courtesy: Oracle]

Download, Configure & Execute

Download

At the moment, the only available option to download the DBSAT tool is to log in to the support.oracle.com website (with your My Oracle Support credentials) and download it from My Oracle Support Doc ID 2138254.1, titled "Oracle Database Security Assessment Tool (DBSAT)". At the end of the DOWNLOAD section click on the I AGREE link and the dbsat.zip file will be downloaded to your system. It is highly recommended to revisit the note from time to time to get the latest version of the tool, so that you stay up to date with all the security validations.

Currently, the DBSAT tool is available and supported on the following platforms:

- Solaris
- Linux x86-64
- Windows x64
- HP-UX IA (64-bit)
- IBM AIX

Configure

Installing the tool is a pretty simple and straightforward process.
Follow the steps below:

1. Copy the zip file to the target database server.
2. Create a new directory (for example, dbsat) on the target server.
3. Unzip the file into the dbsat directory (for example, unzip dbsat.zip -d /dbsat).

The following files are extracted to the directory:

- dbsat.bat (for Windows)
- dbsat
- sat_analysis.py
- sat_collector.sql
- sat_reporter.py
- /xlsxwriter

The DBSAT tool is compatible with, and runs on, Oracle DB version 10.2.0.5 or higher.

Execute

Before we dive deeper into the details of launching DBSAT, and how to initiate the DBSAT Collector and Reporter, let's discuss some of the prerequisites that need to be in place. The following environment variables, and a DB user with the required privileges, must be set up.

Environment Variables

For Windows:

    SET ZIP_CMD=%ORACLE_HOME%\bin\zip.exe
    SET UNZIP_CMD=%ORACLE_HOME%\bin\unzip.exe

On Unix:

    ZIP=/usr/bin/zip
    UNZIP=/usr/bin/unzip
    DBZIP=${ORACLE_HOME}/bin/zip

Note: The documentation says the variables above need to be set as a prerequisite. However, they seem to be hardcoded in the script and hence will be overwritten. I would recommend testing whether the required binaries are accessible as expected, and changing their location in the script if necessary.

OS User Authentication

As stated earlier, the DBSAT Collector should run on the database server as an OS user that has permission to read the Oracle binaries under the ORACLE_HOME. This is mandatory because, as part of the data collection, the Collector reads the files under the Oracle home using some OS-specific commands.

DB Settings (user, privileges and roles)

As part of data collection, the Collector queries the data dictionary views. Therefore, the DB user must have certain DB privileges, mostly read-only.
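The two ways of provisioning the Collector's database account described in this section, the broad DBA-role route and the least-privilege route with the specific read-only grants, written out as an added example (this is not from the paper or from Oracle's DBSAT scripts). The user names dbsat and dbsat_ro, the password placeholder and the final verification query are my assumptions; in a 12c multitenant database, create the account inside each PDB you intend to collect from.

```sql
-- Added example, not part of the paper: provisioning the DBSAT Collector user.
-- Run as SYS or another user able to CREATE USER and grant the listed roles.

-- Option A (the paper's simple route): DBA role, plus DV_SECANALYST when
-- Database Vault is enabled. Broad, so prefer Option B on production systems.
CREATE USER dbsat IDENTIFIED BY "<strong-password-placeholder>"
  ACCOUNT UNLOCK;
GRANT DBA TO dbsat;
-- GRANT DV_SECANALYST TO dbsat;        -- only if Database Vault is enabled

-- Option B (least privilege): only the read-only grants the paper lists.
-- Lines marked 12c refer to objects/roles that exist only on 12c; drop them
-- on 11g or 10g databases.
CREATE USER dbsat_ro IDENTIFIED BY "<strong-password-placeholder>"
  ACCOUNT UNLOCK;
GRANT CREATE SESSION TO dbsat_ro;
GRANT SELECT ON sys.registry$history      TO dbsat_ro;  -- patch history (all versions)
GRANT SELECT ON sys.dba_users_with_defpwd TO dbsat_ro;  -- default-password check, 11g/12c
GRANT SELECT ON audsys.aud$unified        TO dbsat_ro;  -- unified audit trail, 12c
GRANT SELECT_CATALOG_ROLE TO dbsat_ro;                  -- read the dictionary views
GRANT AUDIT_VIEWER        TO dbsat_ro;                  -- 12c
GRANT CAPTURE_ADMIN       TO dbsat_ro;                  -- 12c
-- GRANT DV_SECANALYST    TO dbsat_ro;                  -- Database Vault only

-- Verification (assumed helper query): list exactly what the least-privilege
-- account ended up holding, so nothing beyond the intended grants slipped in.
SELECT 'ROLE'    AS kind, granted_role AS name
  FROM dba_role_privs WHERE grantee = 'DBSAT_RO'
UNION ALL
SELECT 'SYSPRIV', privilege
  FROM dba_sys_privs  WHERE grantee = 'DBSAT_RO'
UNION ALL
SELECT 'OBJPRIV', owner || '.' || table_name
  FROM dba_tab_privs  WHERE grantee = 'DBSAT_RO'
ORDER BY 1, 2;
```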
If you don't want to grant the DBA role plus DV_SECANALYST (if DB Vault is enabled) to the user, the following specific privileges are granted instead:

- CREATE SESSION
- SELECT ON SYS.REGISTRY$HISTORY, AUDSYS.AUD$UNIFIED (12c), SYS.DBA_USERS_WITH_DEFPWD (11g, 12c)
- Roles: SELECT_CATALOG_ROLE, AUDIT_VIEWER (12c), CAPTURE_ADMIN (12c), DV_SECANALYST

DB User creation example

Below is the DB user creation example, where the user is assigned the DBA role:

Usage

    ./dbsat

    Usage: dbsat collect [ -n ]
           dbsat report [ -a ] [ -n ] [ -x ]

    Options:
      -a  Report about all user accounts, including locked, Oracle-supplied users
      -n  No encryption for output
      -x  Specify sections to exclude from report (may be repeated for multiple sections)

DBSAT Collector

The segment below explains the procedure, with some examples, for executing the data collection part on the database server.

Syntax:

    $ ./dbsat collect username/password output_file

Example:

    $ ./dbsat collect dbsat/welcome1 db04

    This tool is intended to assist in you in identifying potential vulnerabilities in your system, but you are solely responsible for your system and the effect and results of the execution of this tool (including, without limitation, any damage or data loss). Further, the output generated by this tool may include potentially sensitive system configuration data and information that could be used by a skilled attacker to penetrate your system. You are solely responsible for ensuring that the output of this tool, including any generated reports, is handled in accordance with your company's policies.

    Connecting to the target Oracle database...

    SQL*Plus: Release 12.1.0.2.0 Production on Mon Sep 26 15:25:49 2016
    Copyright (c) 1982, 2014, Oracle. All rights reserved.

    Connected to:
    Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
    With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
    Advanced Analytics and Real Application Testing options

    Setup complete.
    SQL queries complete.
    OS commands complete.
    Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
    With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
    Advanced Analytics and Real Application Testing options
    DBSAT Collector completed successfully.
    Calling /u01/app/oracle/product/12.1.0.2/dbhome_1/bin/zip to encrypt db04.json...
    Enter password:
    Verify password:
      adding: db04.json (deflated 87%)
    zip completed successfully.

Once the above command has executed successfully, an output file named db04.zip is produced. By default, the output file is password protected and encrypted for security reasons. The -n argument can be used to bypass the encryption; however, Oracle doesn't recommend this.

Note: When working with 12c multitenant container databases, data can be gathered at the root container or at the PDB level separately. If the collector script is run on the root container, only root container data is gathered; no PDB data will be collected. You will have to run the script at the PDB level to gather data for each PDB separately.

    ./dbsat collect -n        (will not encrypt the output file)

DBSAT Reporter

Before you launch the DBSAT Reporter, ensure Python v2.6 or higher is installed on the machine where you run the Reporter.
The following is an example of verifying the Python version on the local system; most OSes already have Python installed, and if not, download the specific version and configure it:

    $ python -V
    Python 2.6.6

Usage

    ./dbsat report

    Usage: dbsat collect [ -n ]
           dbsat report [ -a ] [ -n ] [ -x ]

    Options:
      -a  Report about all user accounts, including locked, Oracle-supplied users
      -n  No encryption for output
      -x  Specify sections to exclude from report (may be repeated for multiple sections)

Syntax

    ./dbsat report -a db04

    This tool is intended to assist in you in identifying potential vulnerabilities in your system, but you are solely responsible for your system and the effect and results of the execution of this tool (including, without limitation, any damage or data loss). Further, the output generated by this tool may include potentially sensitive system configuration data and information that could be used by a skilled attacker to penetrate your system. You are solely responsible for ensuring that the output of this tool, including any generated reports, is handled in accordance with your company's policies.

    Archive:  /home/oracle/dbsat/db04.zip
    [/home/oracle/dbsat/db04.zip] db04.json password:
      inflating: /home/oracle/dbsat/db04.json
    DBSAT Reporter ran successfully.

After successful execution of the DBSAT report, the files below are generated. The reports are encrypted and password protected by default, which can be skipped with the -n argument. The output (report) files are available in text (txt), HTML and Excel sheet (xlsx) formats. They are all zipped together in a single file.
- db04.txt
- db04.html
- db04.xlsx

Note: With the -x argument, you can exclude some parts of the security validations from the reports:

    USER   -- User authentication
    PRIV   -- Privileges and Roles
    AUTH   -- Authentication Controls
    CRYPT  -- Data Encryption
    AUDIT  -- Auditing
    OS     -- Operating System
    NET    -- Network Configuration
    CONF   -- Database Configuration
    ACCESS -- Fine-Grained Access Control

Examples:

    ./dbsat report -x OS db04         -- OS validation is excluded from the report
    ./dbsat report -x OS,PRIV db04    -- OS & Privileges/Roles excluded from the report

Interpreting the report

This segment highlights the key sections of the report and narrates the important points.

HTML report

The HTML report is easier to navigate, as you can jump directly to the section of interest. The main section of the report contains the following details. The findings are highlighted with different risk levels and colors: Severe Risk, Significant Risk, Some Risk and Pass, as outlined in the images below.

Basic Information

Contains the following validation and analysis:

- Database version
- Configuration status of the security features in the database
- Latest patch check verification

User Accounts

Contains the following validation and analysis:

- User account status, and whether the accounts are predefined or not
- Users assigned the SYSTEM or SYSAUX tablespaces
- Sample schema configuration
- List of users who have been inactive for more than 30 days
- Case-sensitive password settings
- Users with expired passwords and default passwords
- Password verification and user profiles

Data Encryption Control

Contains the following validation and analysis:

- TDE configuration
- Wallet details

Auditing

Contains the following validation and analysis:

- Auditing records
- Audit-enabled statements
- List of objects with auditing enabled
- User auditing details
- Account management auditing
- DB connect auditing

OS

Contains the following validation and analysis:

- OS authentication
- Agent process
- File permissions in ORACLE_HOME

The report is focused mainly on
addressing potential security vulnerabilities and misconfigurations, and provides recommendations to harden the database against the security issues found.

REFERENCES

Below is the list of references for documentation, download and some articles:

Documentation: http://docs.oracle.com/cd/E76178_01/SATUG/toc.htm#SATUG-GUID-C7E917BB-EDAC-4123-900A-D4F2E561BFE9

Software download: through My Oracle Support, Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)

Blogs: https://www.linkedin.com/pulse/oracle-database-security-assessment-tool-dbsat-chetan-vithlani

CONCLUSION

DBSAT is a lightweight security assessment tool which analyzes a database for potential security vulnerabilities and misconfigurations, identifies the security risks and provides recommendations to mitigate those vulnerabilities. Furthermore, this tool does not require high-level skills to produce fast and clear reports. However, it is important to check for the latest version from time to time in order to have the latest security validations. The test demonstrated in this paper was performed on an Exadata half-rack machine. The data collector and reporter took less than a minute to complete, and I did not notice any performance impact. In Part 2, we will run this tool on a newly created database using the DBCA templates and demonstrate how to harden an out-of-the-box instance to avoid basic security issues.
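As a closing added example (not part of the paper and not Oracle's own DBSAT collector queries), the dictionary-view checks that correspond to the User Accounts findings listed under Interpreting the report: default passwords, inactive accounts, expired passwords, SYSTEM/SYSAUX default tablespaces, sample schemas and password settings. It assumes a 12c database (DBA_USERS.LAST_LOGIN and DBA_USERS.ORACLE_MAINTAINED exist from 12.1) and an account holding SELECT_CATALOG_ROLE, so the paper's earlier point that DBSAT replaces such hand-written scripts can be verified against the report.

```sql
-- Added example: manual equivalents of the DBSAT "User Accounts" checks.
-- Assumes Oracle 12c and a session with SELECT_CATALOG_ROLE.

-- 1. Accounts still carrying a known default password (view the paper lists),
--    joined to DBA_USERS so the account status is visible alongside.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Open, non-Oracle-maintained accounts inactive for more than 30 days.
--    NULL last_login means no recorded login since the column was introduced.
SELECT username, account_status, last_login
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND oracle_maintained = 'N'
   AND (last_login IS NULL OR last_login < SYSTIMESTAMP - INTERVAL '30' DAY)
 ORDER BY last_login NULLS FIRST;

-- 3. Expired passwords (status already EXPIRED, or expiry date in the past).
SELECT username, account_status, expiry_date
  FROM dba_users
 WHERE account_status LIKE 'EXPIRED%'
    OR (expiry_date IS NOT NULL AND expiry_date < SYSDATE);

-- 4. Application users whose default tablespace is SYSTEM or SYSAUX.
SELECT username, default_tablespace
  FROM dba_users
 WHERE default_tablespace IN ('SYSTEM', 'SYSAUX')
   AND oracle_maintained = 'N';

-- 5. Oracle sample schemas present in the database (constructed list of the
--    shipped sample schema names).
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('HR', 'OE', 'PM', 'IX', 'SH', 'BI', 'SCOTT');

-- 6. Case-sensitive logon setting and the password verify function per profile.
SELECT name, value
  FROM v$parameter
 WHERE name = 'sec_case_sensitive_logon';
SELECT profile, limit AS verify_function
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION';
```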