Post on 22-May-2020
DBSAT
How Secure Is Your Database?
Linda Seley, Arisant
Agenda
• Introduction
• Security Overview
• DBSAT Collect
• DBSAT Report
• DBSAT Discover
• Q&A
Founded in 2006 by, Arisant focuses on understanding business requirements to ensure the most effective implementation of the right solution
Our strategy is aimed at providing an honest and expert brand of consulting services for both the Private & Public Sectors
• HQ’d in Englewood, CO• Flexibility to Deliver across the World• Oracle Technology Focused
Managed Services➢ Database Administration➢ O/S System Administration➢ Middleware Administration➢ Storage Administration➢ Engineered System administration
Consulting Services➢ Architecture➢ Analysis➢ Design➢ Implementation➢ Project Management
Staffing/Support
Managed Cloud Services
Managed Hosting Services
Identity & Access
Management
Business Intelligence
Managed Services
Oracle
MSP Partner
Identity & Access
Management
Business Intelligence
Managed Services
Oracle’s Security Tools – Require Licenses
• Database Vault• Database Firewall and Audit Vault• Label Security• Transparent Data Encryption• Data Masking and Subsetting• Data Redaction• Key Manager
Oracle’s Security Tools – Require Licenses
• Oracle Secure Backup– RMAN Backup Encryption (restricted use)
• Oracle Cloud– DBCS
• Transparent Data Encryption
– DBCS/Database Backup/OCSCA• RMAN Backup Encryption (restricted use)
Oracle’s Security Tools - Free
• Network Encryption
– Native Network Encryption and SSL/TLS
• Kerberos, PKI, and RADIUS Authentication
• Password Wallets
• Auditing
Oracle’s Security Tools - Free
• Database Security Assessment Tool (DBSAT)
Database Security Assessment Tool
• Solaris x64 and Solaris SPARC64• Linux x86-64• Windows x64• HP-UX IA (64-bit)• IBM AIX (64-bit) & Linux on zSeries (64-bit)
Supported on Oracle Database 10.2.0.5 and later
Database Security Assessment Tool
• http://www.oracle.com/technetwork/database/ security/dbsat/downloads/index.html
• Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)
Database Security Assessment Tool
drwxr-x--- 4 oracle oinstall 4096 Jan 12 02:08 ./
drwxr-x--- 8 oracle oinstall 4096 Jan 12 02:08 ../
-r-xr-xr-x 1 oracle oinstall 12433 Jan 11 11:21 dbsat*
-r-xr-xr-x 1 oracle oinstall 12579 Jan 11 11:21 dbsat.bat*
-rwxr-x--- 1 oracle oinstall 2150961 Jan 12 02:08 dbsat.zip*
drwxr-x--- 5 oracle oinstall 4096 Jan 12 02:08 Discover/
-r-xr-xr-x 1 oracle oinstall 28216 Dec 20 16:35 sat_analysis.py*
-r-xr-xr-x 1 oracle oinstall 43181 Jan 8 13:43 sat_collector.sql*
-r-xr-xr-x 1 oracle oinstall 247465 Jan 16 17:47 sat_reporter.py*
drwxr-x--- 2 oracle oinstall 4096 Jan 12 02:08 xlsxwriter/
Database Security Assessment Tool
• Collect
• Report
• Discover
Database Security Assessment Tool - Collect
– CREATE SESSION
– SELECT on SYS.REGISTRY$HISTORY
– Role SELECT_CATALOG_ROLE
– Role DV_SECANALYST (if Database Vault is enabled)
– Role AUDIT_VIEWER (12c and later)
– Role CAPTURE_ADMIN (12c and later)
– SELECT on SYS.DBA_USERS_WITH_DEFPWD (11g and later)
– SELECT on AUDSYS.AUD$UNIFIED
(12c and later)
Database Security Assessment Tool - Collect
• $TNS_ADMIN
• User password
• Zip file password
$ ./dbsat collect arisant output/orcl
Database Security Assessment Tool - Collect
• Creates a zip file that contains a json file:
$ls
total 512
drwxr-x--- 2 oracle oinstall 4096 Feb 12 02:31 ./
drwxr-x--- 5 oracle oinstall 4096 Feb 12 02:30 ../
-rw------- 1 oracle oinstall 449503 Feb 12 02:30 orcl.json
-rw------- 1 oracle oinstall 62025 Feb 12 02:30 orcl.zip
"date_and_release": {"version": 1,
"columns": ["collection_date", "release"],
"data": [["12-02-2018 11:55","12.1.0.2.0"]
]},
"db_identity": {"version": 1,
"columns": ["name", "log_mode", "platform", "dg_role", "dg_broker", "flashback", "controlfile", "switchover_status", "create
d"],
"data": [["ORCL","ARCHIVELOG","Linux x86 64-bit","PRIMARY","ENABLED","YES","CURRENT","TO STANDBY","17-02-2016 17:07"]
]},
"db_pdbs": {"version": 1,
"columns": ["con_id", "name"],
"data": [ ]},
"db_version": {"version": 1,
"columns": ["banner"],
"data": [["Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production"]
,["PL/SQL Release 12.1.0.2.0 - Production"]
,["CORE\u000912.1.0.2.0\u0009Production"]
,["TNS for Linux: Version 12.1.0.2.0 - Production"]
,["NLSRTL Version 12.1.0.2.0 - Production"]
]},
Database Security Assessment Tool - Report
• Collect zip file password
• Report zip file password
$ ./dbsat report -a output/orcl
Database Security Assessment Tool - Report
• Creates a zip file that contains html, json, txt, and xlsxfiles:
$ls
total 840
drwxr-x--- 2 oracle oinstall 4096 Feb 12 02:35 ./
drwxr-x--- 5 oracle oinstall 4096 Feb 12 02:33 ../
-rw------- 1 oracle oinstall 244023 Feb 12 02:33 orcl_report.html
-rw------- 1 oracle oinstall 208936 Feb 12 02:33 orcl_report.json
-rw------- 1 oracle oinstall 187015 Feb 12 02:33 orcl_report.txt
-rw------- 1 oracle oinstall 21899 Feb 12 02:33 orcl_report.xlsx
-rw------- 1 oracle oinstall 113022 Feb 12 02:35 orcl_report.zip
Database Security Assessment Tool - Discover
– CREATE SESSION
– Role SELECT_CATALOG_ROLE
– Role DV_SECANALYST (if Database Vault is enabled)
Database Security Assessment Tool - Discover
• Copy Discover/conf/sample_dbsat.config to Discover/conf/dbsat.config
– Modify dbsat.config for your database• DB_HOSTNAME = localhost
• DB_PORT = 1533
• DB_SERVICE_NAME = orcl
[Discovery Parameters]SENSITIVE_PATTERN_FILES = sensitive_en.iniSCHEMAS_SCOPE = ALLMINROWS = 1EXCLUSION_LIST_FILE =
[Sensitive Categories]PII = High RiskPII - Address = High RiskPII - IDs = High RiskPII - IT Data = High RiskPII-Linked = Medium RiskPII-Linked - Birth Details = Medium RiskJob Data = Medium RiskFinancial Data - PCI = High RiskFinancial Data - Banking = Medium RiskHealth Data = Medium Risk
sensitive_en.ini
[FULL_NAME]COL_NAME_PATTERN = ^(PERSON|FULL).*NAME$COL_COMMENT_PATTERN = (Full|Person).*NameSENSITIVE_CATEGORY = PII
[FIRST_NAME]COL_NAME_PATTERN = (^FNAME$)|((FIRST|GIVEN).*NAME$)COL_COMMENT_PATTERN = (First|Given|Cust).*NameSENSITIVE_CATEGORY = PII
[LAST_NAME]COL_NAME_PATTERN = (^LNAME$)|((LAST|FAMILY|SUR|PATERNAL).*NAME$)COL_COMMENT_PATTERN = (Last|Family|Sur|Paternal).*NameSENSITIVE_CATEGORY = PII
Database Security Assessment Tool - Discover
• $JAVA_HOME
– export JAVA_HOME=$ORACLE_HOME/jdk
• Username
• Password
• Discover zip file password
Database Security Assessment Tool - Discover
$ ./dbsat discover –c \
Discover/conf/dbsat.config \
output/orcl_discover
Database Security Assessment Tool - Discover
• Creates a zip file that contains csv and html files:
$ls
total 60
drwxr-x--- 3 oracle oinstall 4096 Feb 12 12:39 ./
drwxr-x--- 10 oracle oinstall 4096 Feb 12 12:39 ../
-rw------- 1 oracle oinstall 48519 Feb 12 12:39 orcl_discover_report.zip
drwxr-x--- 2 oracle oinstall 4096 Feb 12 12:39 output/
$ls output/
total 544
drwxr-x--- 2 oracle oinstall 4096 Feb 12 12:39 ./
drwxr-x--- 3 oracle oinstall 4096 Feb 12 12:39 ../
-rw------- 1 oracle oinstall 180656 Feb 12 12:39 orcl_discover_discover.csv
-rw------- 1 oracle oinstall 362334 Feb 12 12:39 orcl_discover_discover.html
Database Security Assessment Tool - Discover
$ ./dbsat discover –c \
Discover/conf/dbsat.config \
output/orcl
Database Security Assessment Tool - Discoverls
total 904
drwxr-x--- 3 oracle oinstall 4096 Feb 12 12:52 ./
drwxr-x--- 11 oracle oinstall 4096 Feb 12 12:52 ../
-rw------- 1 oracle oinstall 249071 Feb 12 12:51 orcl_report.html
-rw------- 1 oracle oinstall 212850 Feb 12 12:51 orcl_report.json
-rw------- 1 oracle oinstall 190343 Feb 12 12:51 orcl_report.txt
-rw------- 1 oracle oinstall 22504 Feb 12 12:51 orcl_report.xlsx
-rw------- 1 oracle oinstall 164390 Feb 12 12:52 orcl_report.zip
drwxr-x--- 2 oracle oinstall 4096 Feb 12 12:52 output/
$ls output
total 544
drwxr-x--- 2 oracle oinstall 4096 Feb 12 12:52 ./
drwxr-x--- 3 oracle oinstall 4096 Feb 12 12:52 ../
-rw------- 1 oracle oinstall 180656 Feb 12 12:52 orcl_discover.csv
-rw------- 1 oracle oinstall 362331 Feb 12 12:52 orcl_discover.html
References:
Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)
Oracle Database Security Assessment Tool Documentation:https://docs.oracle.com/cd/E93129_01/
Oracle Database 12c Security and Compliancehttps://www.oracle.com/webfolder/s/delivery_production/images/FY16H2/image23/security-compliance-wp-12c.pdf
Security Checklist: 10 Basic Steps to Make Your Database Secure from Attacks (Doc ID 1545816.1)
Database Security Assessment Tool
Q&A