oracledba.help

Database Security Assessment Tool (DBSAT)

Overview

The Oracle Database Security Assessment Tool (DBSAT) is a command line tool that evaluates your environment and provides recommendations on how to mitigate risks. DBSAT runs from your Oracle database server itself. If Oracle security is important to your environment, this is the tool to start with.

The examples here use oradb for the database name. If using RAC, use the instance name. Change this to match your environment.

Prerequisites

  • Ensure Python version 2.6 or later is installed: python -V
  • Ensure the environment variables ORACLE_BASE, ORACLE_HOME and ORACLE_SID are set.
  • From MOS (My Oracle Support), go to Doc ID 2138254.1, download dbsat.zip and copy it to the /tmp directory on your database server.

Preupgrade

Perform this step if DBSAT is already installed and you are upgrading to the latest version.

 su -
 mv /u01/app/dbsat /u01/app/dbsat_$(date "+%Y%m%d%H%M")
 ls -l /u01/app

The above backup directory can be deleted after a successful upgrade.

Installation

 su -
 mkdir /u01/app/dbsat
 chown oracle:oinstall /u01/app/dbsat
 chmod 765 /u01/app/dbsat
 chown oracle:oinstall /tmp/dbsat.zip

 su - oracle
 cp /tmp/dbsat.zip /u01/app/dbsat/
 cd /u01/app/dbsat/
 unzip dbsat.zip
 chmod 765 /u01/app/dbsat/dbsat

Do not delete dbsat.zip after unzipping!

Python Changes

Confirm Python Version

Linux 8 comes with Python 3.6 or later.

 cd /usr/bin
 ls -l python*
  python3.6 -> /usr/.../platform-python3.6

 ./python3.6  -V
 Python 3.6.8

Note the path: /usr/bin/python3.6

Edit dbsat Script

Change the two python entries to match the Python path and version.

 vi /u01/app/dbsat/dbsat

 -- Old
 PY_VERSION_CHECK=`python -c 'import sys; print (sys.version_info >= (2, 6))'`
 -- New
 PY_VERSION_CHECK=`/usr/bin/python3.6 -c 'import sys; print (sys.version_info >= (2, 6))'`

 -- Old
 python "$CMDDIR/sat_reporter.py" $REPORTER_OPTS "$INPUT_NAME"
 -- New
 /usr/bin/python3.6 "$CMDDIR/sat_reporter.py" $REPORTER_OPTS "$INPUT_NAME"

Usage

Init the Collector

Format: dbsat collect <connect_string> <destination>

 su - oracle
 mkdir /u01/app/dbsat/oradb
 cd /u01/app/dbsat
 ./dbsat collect -n "/ as sysdba" /u01/app/dbsat/oradb
 Creates\updates: oradb.json

If using RAC, use the instance name (ex: oradb1).

Create Report Files

Format: dbsat report [-a] [-n] [-x <section>] <pathname>

 su - oracle
 cd /u01/app/dbsat
 ./dbsat report -n /u01/app/dbsat/oradb
  • Ensure ORACLE_SID is set before running.
  • If using RAC, use the instance name (ex: oradb1).

Output Files

Report files are created in the following formats:

  • .html
  • .json
  • .txt
  • .xlsx

Example: oradb_report.html

For more examples and a listing of all the parameters go here.
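
With -n, DBSAT writes the collector and report files unencrypted, so file permissions are the only thing protecting the findings. The check below is an added example, not part of DBSAT or of the original page; it assumes GNU find, takes the output path prefix used above (for example /u01/app/dbsat/oradb), and its function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of DBSAT. Assumes GNU find (as shipped with Linux).
# Function names are hypothetical.

# Print DBSAT output files for a path prefix (e.g. /u01/app/dbsat/oradb)
# that carry any group or other permission bit.
dbsat_exposed_outputs() {
    find "$(dirname "$1")" -maxdepth 1 -type f \
        \( -name "$(basename "$1").json" \
           -o -name "$(basename "$1")_report.*" \) \
        -perm /077 | sort
}

# Restrict each exposed file to owner read/write and print how many changed.
dbsat_lock_outputs() {
    n=$(dbsat_exposed_outputs "$1" | wc -l)
    dbsat_exposed_outputs "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
    echo "$((n))"
}

# When run with a prefix argument, report and fix in one pass.
if [ -n "${1:-}" ]; then
    dbsat_exposed_outputs "$1"
    echo "tightened: $(dbsat_lock_outputs "$1") file(s)"
fi
```

Run it as the oracle user after each report run; files that are already owner-only are left untouched.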


Appendix: Using Encryption Session Example

Set Collector

 mkdir /u01/app/dbsat/oradb
 cd /u01/app/dbsat
 oracle> ./dbsat collect system/mypassword@ORADB /u01/app/dbsat/oradb

 Enter password:
 Verify password:
   adding: oradb.json (deflated 89%)
 zip completed successfully.

Without the -n option, the security files are encrypted. The password prompted for is required to decrypt them.
