05 March, 2024

Installing and Running DBSAT on 21c

 DBSAT is Oracle's "Database Security Assessment Tool" that you can get from Oracle Support Document "Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)" .

This is the User Guide for the current release (3.1)

It does checks against "proven Oracle Database Security best practices, CIS benchmark recommendations and STIG rules". 

See Oracle Support Document "Does DBSAT Scan for all of the STIG And CIS Benchmark Controls? (Doc ID 2651827.1)" for a disclaimer.

Here I demonstrate quick installation :



[oracle@node2 ~]$ cd /u01/app/oracle
[oracle@node2 oracle]$ cd DB*
[oracle@node2 DBSAT_Installer]$ pwd
/u01/app/oracle/DBSAT_Installer
[oracle@node2 DBSAT_Installer]$ ls -l
total 45180
-rwxr-x---. 1 oracle dba 46264143 Mar  5 22:15 DBSAT.zip
[oracle@node2 DBSAT_Installer]$ which unzip
/bin/unzip
[oracle@node2 DBSAT_Installer]$
[oracle@node2 DBSAT_Installer]$ unzip DBSAT.zip
Archive:  DBSAT.zip
  inflating: dbsat
  inflating: dbsat.bat
  inflating: sat_collector.sql
  inflating: sa.jar
  inflating: jython-standalone-2.7.3.jar
  inflating: xlsxwriter/app.py
  inflating: xlsxwriter/chart_area.py
  inflating: xlsxwriter/chart_bar.py
  inflating: xlsxwriter/chart_column.py
....
....
deleted a few lines of output of the unzip command
  inflating: Discover/conf/sensitive_en.ini
  inflating: Discover/conf/sensitive_es.ini
  inflating: Discover/conf/sensitive_de.ini
  inflating: Discover/conf/sensitive_pt.ini
  inflating: Discover/conf/sensitive_it.ini
  inflating: Discover/conf/sensitive_fr.ini
  inflating: Discover/conf/sensitive_nl.ini
  inflating: Discover/conf/sensitive_el.ini
[oracle@node2 DBSAT_Installer]$

--- create the default script from the User Guide
[oracle@node2 DBSAT_Installer]$ cat > DBSAT_User.sql
create user dbsat_user identified by dbsat_user;
--If Database Vault is enabled, connect as DV_ACCTMGR to run this command
grant create session to dbsat_user;
grant select_catalog_role to dbsat_user;
grant select on sys.registry$history to dbsat_user;
grant read on sys.dba_audit_mgmt_config_params to dbsat_user;
grant select on sys.dba_users_with_defpwd to dbsat_user;
grant read on sys.dba_credentials to dbsat_user;
grant execute on sys.dbms_sql to dbsat_user;
grant audit_viewer to dbsat_user; // 12c and later
grant capture_admin to dbsat_user;// 12c and later covers sys.dba_priv_captures, sys.priv_capture$, sys.capture_run_log$
[oracle@node2 DBSAT_Installer]$

--- verify the script
[oracle@node2 DBSAT_Installer]$ cat DBSAT_User.sql
create user dbsat_user identified by dbsat_user;
--If Database Vault is enabled, connect as DV_ACCTMGR to run this command
grant create session to dbsat_user;
grant select_catalog_role to dbsat_user;
grant select on sys.registry$history to dbsat_user;
grant read on sys.dba_audit_mgmt_config_params to dbsat_user;
grant select on sys.dba_users_with_defpwd to dbsat_user;
grant read on sys.dba_credentials to dbsat_user;
grant execute on sys.dbms_sql to dbsat_user;
grant audit_viewer to dbsat_user; // 12c and later
grant capture_admin to dbsat_user;// 12c and later covers sys.dba_priv_captures, sys.priv_capture$, sys.capture_run_log$
[oracle@node2 DBSAT_Installer]$

-- I then create this user in my custom PDB

[oracle@node2 DBSAT_Installer]$ sqlplus / as sysdba

SQL*Plus: Release 21.0.0.0.0 - Production on Tue Mar 5 22:30:29 2024
Version 21.3.0.0.0

Copyright (c) 1982, 2021, Oracle.  All rights reserved.


Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0

SQL> alter session set container=HEMANTPDB;

Session altered.

SQL> @DBSAT_User.sql

User created.


Grant succeeded.


Grant succeeded.


Grant succeeded.


Grant succeeded.


Grant succeeded.


Grant succeeded.


Grant succeeded.

SQL>


I am now ready to run the Collector.



[oracle@node2 DBSAT_Installer]$ ./dbsat collect dbsat_user/dbsat_user@hemantpdb

Database Security Assessment Tool version 3.1 (Jan 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.


    Usage: dbsat collect [ -n ] -lt database_connect_string > -lt output_file >
           dbsat report [ -a ] [ -n ] [ -g ] [ -x -lt section > ] [ -u -lt user > ] -lt input_file >
           dbsat discover [ -n ] -c -lt config_file > -lt output_file >

    Options:
       -a  Report with all user accounts, including locked and schema-only,
           Oracle-supplied users
       -n  No encryption for output
       -g  Show all grants including Common Grants in a Pluggable Database
       -x  Specify sections to exclude from report (may be repeated for
           multiple sections)
       -u  Specify users to exclude from report
       -c  Configuration file for discoverer



[oracle@node2 DBSAT_Installer]$  ./dbsat collect dbsat_user/dbsat_user@hemantpdb hemantpdb_DBSAT_Report

Database Security Assessment Tool version 3.1 (Jan 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

Connecting to the target Oracle database...


SQL*Plus: Release 21.0.0.0.0 - Production on Tue Mar 5 22:34:39 2024
Version 21.3.0.0.0

Copyright (c) 1982, 2021, Oracle.  All rights reserved.


Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0

Setup complete.
SQL queries complete.
/bin/cat: /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/sqlnet.ora: No such file or directory
Warning: Exit status 256 from OS rule: sqlnet.ora
/bin/ls: cannot access /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/sqlnet.ora: No such file or directory
Warning: Exit status 512 from OS rule: ls_sqlnet.ora
/bin/cat: /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/listener.ora: No such file or directory
Warning: Exit status 256 from OS rule: listener.ora
/bin/ls: cannot access /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/listener.ora: No such file or directory
Warning: Exit status 512 from OS rule: ls_listener.ora
Warning: Exit status 256 from OS rule: dbcs_status
/bin/cat: /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/cman.ora: No such file or directory
Warning: Exit status 256 from OS rule: cman.ora
/bin/cat: /u01/app/oracle/product/21.3.0.0/dbhome_1/ldap/admin/fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips1.ora
/bin/cat: /fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips2.ora
/bin/ls: cannot access /diag: No such file or directory
Warning: Exit status 512 from OS rule: diag_dest_base
/bin/ls: cannot access /u01/app/oracle/product/21.3.0.0/dbhome_1/rdbms/log/diag: No such file or directory
Warning: Exit status 512 from OS rule: diag_dest_home
OS commands complete.
Disconnected from Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
DBSAT Collector completed successfully.

Calling /u01/app/oracle/product/21.3.0.0/dbhome_1/bin/zip to encrypt hemantpdb_DBSAT_Report.json...

Enter password:
Verify password:	
  adding: hemantpdb_DBSAT_Report.json (deflated 86%)
zip completed successfully.
[oracle@node2 DBSAT_Installer]$


So, apparently it assumes the old convention of the network folders being under ORACLE_HOME. 
Since this is a RAC install, the listener.ora is from the Grid Home and tnsnames.ora (in 19c) is not under $ORACLE_HOME.

I'll just re-run with ORACLE_BASE set for the diag_dest_base



[oracle@node2 DBSAT_Installer]$ rm hemantpdb_DBSAT_Report.json
[oracle@node2 DBSAT_Installer]$ ORACLE_BASE=/u01/app/oracle;export ORACLE_BASE
[oracle@node2 DBSAT_Installer]$ ./dbsat collect dbsat_user/dbsat_user@hemantpdb hemantpdb_DBSAT_Report

Database Security Assessment Tool version 3.1 (Jan 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

Connecting to the target Oracle database...


SQL*Plus: Release 21.0.0.0.0 - Production on Tue Mar 5 23:00:54 2024
Version 21.3.0.0.0

Copyright (c) 1982, 2021, Oracle.  All rights reserved.

Last Successful login time: Tue Mar 05 2024 23:00:00 +08:00

Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0

Setup complete.
SQL queries complete.
/bin/cat: /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/sqlnet.ora: No such file or directory
Warning: Exit status 256 from OS rule: sqlnet.ora
/bin/ls: cannot access /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/sqlnet.ora: No such file or directory
Warning: Exit status 512 from OS rule: ls_sqlnet.ora
/bin/cat: /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/listener.ora: No such file or directory
Warning: Exit status 256 from OS rule: listener.ora
/bin/ls: cannot access /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/listener.ora: No such file or directory
Warning: Exit status 512 from OS rule: ls_listener.ora
Warning: Exit status 256 from OS rule: dbcs_status
/bin/cat: /u01/app/oracle/product/21.3.0.0/dbhome_1/network/admin/cman.ora: No such file or directory
Warning: Exit status 256 from OS rule: cman.ora
/bin/cat: /u01/app/oracle/product/21.3.0.0/dbhome_1/ldap/admin/fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips1.ora
/bin/cat: /fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips2.ora
/bin/ls: cannot access /u01/app/oracle/product/21.3.0.0/dbhome_1/rdbms/log/diag: No such file or directory
Warning: Exit status 512 from OS rule: diag_dest_home
OS commands complete.
Disconnected from Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
DBSAT Collector completed successfully.

Calling /u01/app/oracle/product/21.3.0.0/dbhome_1/bin/zip to encrypt hemantpdb_DBSAT_Report.json...

Enter password:
Verify password:
  adding: hemantpdb_DBSAT_Report.json (deflated 86%)
zip completed successfully.
[oracle@node2 DBSAT_Installer]$


I can afford to ignore the network/admin lookups under $ORACLE_HOME as they are not valid.  I might go back and check the "diag_dest_home" check (e.g. review "sat_collector.sql")


I need to add Java to my path. I know that I have it in the Grid installation so I can use that to generate the report.



[oracle@node2 DBSAT_Installer]$ PATH=/u01/app/21.3.0.0/grid/jdk/bin:$PATH;export PATH
[oracle@node2 DBSAT_Installer]$ java -version
java version "1.8.0_291"
Java(TM) SE Runtime Environment (build 1.8.0_291-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.291-b09, mixed mode)
[oracle@node2 DBSAT_Installer]$
[oracle@node2 DBSAT_Installer]$ JAVA_HOME=/u01/app/21.3.0.0/grid/jdk;export JAVA_HOME
[oracle@node2 DBSAT_Installer]$ ./dbsat report hemantpdb_DBSAT_Report

Database Security Assessment Tool version 3.1 (Jan 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

DBSAT Reporter ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password:
Verify password:
        zip warning: hemantpdb_DBSAT_Report_report.zip not found or empty
  adding: hemantpdb_DBSAT_Report_report.txt (deflated 76%)
  adding: hemantpdb_DBSAT_Report_report.html (deflated 83%)
  adding: hemantpdb_DBSAT_Report_report.xlsx (deflated 2%)
  adding: hemantpdb_DBSAT_Report_report.json (deflated 81%)
zip completed successfully.
[oracle@node2 DBSAT_Installer]$
[oracle@node2 DBSAT_Installer]$ unzip -l hemantpdb_DBSAT_Report_report.zip
Archive:  hemantpdb_DBSAT_Report_report.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   161417  03-05-2024 23:09   hemantpdb_DBSAT_Report_report.txt
   261378  03-05-2024 23:09   hemantpdb_DBSAT_Report_report.html
    36732  03-05-2024 23:09   hemantpdb_DBSAT_Report_report.xlsx
   197620  03-05-2024 23:09   hemantpdb_DBSAT_Report_report.json
---------                     -------
   657147                     4 files
[oracle@node2 DBSAT_Installer]$
[oracle@node2 DBSAT_Installer]$ unzip hemantpdb_DBSAT_Report_report.zip hemantpdb_DBSAT_Report_report.txt
Archive:  hemantpdb_DBSAT_Report_report.zip
[hemantpdb_DBSAT_Report_report.zip] hemantpdb_DBSAT_Report_report.txt password:
  inflating: hemantpdb_DBSAT_Report_report.txt
[oracle@node2 DBSAT_Installer]$
[oracle@node2 DBSAT_Installer]$ more hemantpdb_DBSAT_Report_report.txt
### Oracle Database Security Assessment - Highly Sensitive ###

* Assessment Date & Time *
Date of Data Collection            Date of Report                     Reporter Version
---------------------------------- ---------------------------------- ---------------------
Tue Mar 05 2024 23:00:54 UTC+08:00 Tue Mar 05 2024 23:09:51 UTC+08:00 3.1 (Jan 2024) - b73a

* Database Identity *
Name     Container (Type:ID) Platform         Database Role Log Mode     Created
-------- ------------------- ---------------- ------------- ------------ ----------------------------------
DB21CRAC HEMANTPDB (PDB:3)   Linux x86 64-bit PRIMARY       NOARCHIVELOG Fri Jan 19 2024 15:12:46 UTC+08:00

### Summary ###

Section                     Pass Evaluate Advisory Low Risk Medium Risk High Risk Total Findings
--------------------------- ---- -------- -------- -------- ----------- --------- --------------
Basic Information              0        0        0        0           0         1              1
User Accounts                  7        8        1        3           2         1             22
Privileges and Roles           6       23        1        0           0         0             30
Authorization Control          0        3        1        0           0         0              4
Fine-Grained Access Control    0        0        5        0           0         0              5
Auditing                       0        2        9        3           0         0             14
Encryption                     0        3        1        0           0         0              4
Database Configuration         7        9        0        2           2         0             20
Network Configuration          0        0        0        0           0         1              1
Operating System               4        3        0        1           1         0              9
Total                         24       51       18        9           5         3            110

### Basic Information ###

* Database Version *
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production Version 21.3.0.0.0




The TXT format of the report is 161,417 bytes and the HTML format is 261,378 bytes.

The 3 "High Risk" entries (with corresponding CIS and STIG references) are :


* Patch Check *  -  The Oracle Database should be patched
Status: High Risk
Summary:
    Oracle Database version is supported but latest patch is missing.
    Latest comprehensive patch has not been applied.
Details:
    Latest patch not applied for a supported database version.
Remarks:
    Unsupported commercial and database systems should not be used because
    fixes to newly identified bugs will not be implemented by the vendor.
    The lack of support can result in potential vulnerabilities. Systems at
    unsupported servicing levels or releases will not receive security
    updates for new vulnerabilities, which leaves them subject to
    exploitation. When maintenance updates and patches are no longer
    available, the database software is no longer considered supported and
    should be upgraded or decommissioned.

    It is vital to keep the database software up-to-date with security
    fixes as they are released. Oracle issues comprehensive patches in the
    form of Release Updates on a regular quarterly schedule. These updates
    should be applied as soon as they are available.
References:
    Oracle Best Practice
    CIS Benchmark: Recommendation 1.1
    DISA STIG: V-237697, V-237748, V-251802



* Users with Default Passwords *  -  User accounts should not have default passwords
Status: High Risk
Summary:
    Found 1 unlocked user account with default password.
Details:
    Users with default password: HR
Remarks:
    Default passwords for predefined Oracle accounts are well known and
    provide a trivial means of entry for attackers. Database or account
    administrators should also change well-known passwords for locked
    accounts. Having default passwords can lead to unauthorized data
    manipulation and theft of confidential information.

    Note that if a script creates the database and the SYS or SYSTEM user
    password remains unchanged, these users are considered to possess a
    default password. Your database may be at risk due to the password
    presence within the script. Change the password to improve security.
References:
    Oracle Best Practice
    CIS Benchmark: Recommendation 4.1
    DISA STIG: V-237698



* Network Encryption *  -  Check configurations used for Native Network Encryption
Status: High Risk
Summary:
    Found unencrypted connections. Clients can connect to the database
        using unencrypted communication channels.
Details:
    Found 3 connections established over unencrypted channel.
Remarks:
    Network encryption is crucial for protecting the confidentiality and
    integrity of communication between a database server and its clients.
    Connections to a database instance must be established using the
    encrypted channels.
References:
    Oracle Best Practice
    CIS Benchmark: Recommendation 2.3.1, 2.3.2
    DISA STIG: V-219841, V-220263, V-220291, V-237699, V-237700, V-237723



Of course, the Report goes on to detail the 110 "findings".


And, of course, I DROP the user after I generate the report.


[oracle@node2 DBSAT_Installer]$ sqlplus / as sysdba

SQL*Plus: Release 21.0.0.0.0 - Production on Tue Mar 5 23:18:49 2024
Version 21.3.0.0.0

Copyright (c) 1982, 2021, Oracle.  All rights reserved.


Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0

SQL> alter session set container=HEMANTPDB;

Session altered.

SQL> drop user dbsat_user;

User dropped.

SQL> quit
Disconnected from Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
[oracle@node2 DBSAT_Installer]$


So, DBSAT does reference CIS and STIG in its report.








2 comments:

Carlos J said...

Nice post

Anonymous said...

Thank you..this is helpful