oracledba.help
Security

Database Security Assessment Tool (DBSAT)

Overview

The Oracle Database Security Assessment Tool (DBSAT) is a command line tool that evaluates your environment and provides recommendations on how to mitigate risks. DBSAT runs from your Oracle database server itself. If Oracle security is important to your environment this is the tool to start with.

The examples here use oradb for the database name. If RAC use the instance name. Change this to match your environment.

Prerequisites

  • Requires Java Runtime Environment (JRE) 1.8 (jdk8-u172) or later to run.
  • Versions earlier to 3.0.0 (November 2023) required python.
  • Ensure env vars set: ORACLE_BASE, ORACLE_HOME and ORACLE_SID
  • From MOS go to Doc ID 2138254.1 to download dbsat.zip and copy to your database server /tmp directory.

Preupgrade

Perform if already installed and upgrading to latest version.

 su -
 mv /u01/app/dbsat /u01/app/dbsat_$(date "+%Y%m%d%H%M")
 ls -l /u01/app

The above backup directory can be deleted after successful upgrade.

Installation

 su -
 mkdir /u01/app/dbsat
 chown oracle:oinstall /u01/app/dbsat
 chmod 765 /u01/app/dbsat
 chown oracle:oinstall /tmp/dbsat.zip

 su - oracle
 cp /tmp/dbsat.zip /u01/app/dbsat/
 cd /u01/app/dbsat/
 unzip dbsat.zip
 chmod 765 /u01/app/dbsat/dbsat

Do not delete dbsat.zip after unzipping!

Set JAVA_HOME

ls -l /usr/lib/jvm

 lrwxrwxrwx 1 root root 27 Jul 24 17:50 jre-1.8.0 -> /etc/alternatives/jre_1.8.0
 ...

export JAVA_HOME=/usr/lib/jvm/jre-1.8.0; echo $JAVA_HOME

Usage

Init the Collector

Format: dbsat collect <connect_string> <destination>

 su - oracle
 mkdir /u01/app/dbsat/oradb
 cd /u01/app/dbsat
 ./dbsat collect -n "/ as sysdba" /u01/app/dbsat/oradb
 Creates\updates: oradb.json

 Setup complete.
 Takes about 13 minutes after above message.

 DBSAT Collector completed successfully.

If RAC use the instance name (ex: oradb1).

Create Report Files

Format: dbsat report [-a] [-n] [-x <section>] <pathname>

 su - oracle
 cd /u01/app/dbsat
 ./dbsat report -n /u01/app/dbsat/oradb
  • Ensure ORACLE_SID set before running.
  • If RAC use the instance name (ex: oradb1).

Output Files

Report files are created in the following formats:

  • .html
  • .json
  • .txt
  • .xlsx

Example: oradb_report.html

For more examples and a listing of all the parameters go here.


Appendix: Using Ecryption Session Example

Versions Earlier than 3.0.0 (November 2023) = Python

Confirm Python Version

Linux 8 comes with Python 3.6 or later.

 cd /usr/bin
 ls -l python*
  python3.6 -> /usr/.../platform-python3.6

 ./python3.6  -V
 Python 3.6.8

Note Path: /usr/bin/python3.6

Edit dbsat Script

Change python entries(2) to match the python path\version.

 vi /u01/app/dbsat/dbsat

 -- Old
 PY_VERSION_CHECK=`python -c 'import sys; print (sys.version_info >= (2, 6))'`
 -- New
 PY_VERSION_CHECK=`/usr/bin/python3.6 -c 'import sys; print (sys.version_info >= (2, 6))'`

 -- Old
 python "$CMDDIR/sat_reporter.py" $REPORTER_OPTS "$INPUT_NAME"
 --New
 /usr/bin/python3.6 "$CMDDIR/sat_reporter.py" $REPORTER_OPTS "$INPUT_NAME"

Set Collector

 mkdir /u01/app/dbsat/oradb
 cd /u01/app/dbsat
 oracle> ./dbsat collect system/mypassword@ORADB /u01/app/dbsat/oradb

 Enter password:
 Verify password:
   adding: oradb.json (deflated 89%)
 zip completed successfully.

The the security files are encrypted. The password prompted for is required to unencrypt it.

<- Security