Key Features in Release 3.0

An overview of the improvements and new functions:

1. STIG V2R8 compliance: This update includes 30 new STIG findings and revised STIG group IDs to ensure compliance with the latest Security Technical Implementation Guide standards.
2. Enhanced Auditing and Security: DBSAT 3.0 introduces new auditing results, with five specific additions, and updates all existing ones. Of particular note is the focus on Sensitive Data and Transparent Sensitive Data Protection (TSDP) and the integration of the Oracle Database 23c SQL Firewall.
3. Sensitive Data Discovery: The tool is now able to identify Indian PAN and Aadhaar numbers, expanding its scope when searching for sensitive information.
4. Improved Clarity and Quality: Each check now comes with a one-line summary outlining the objective of the check. Results are labeled according to Oracle best practices, and there is a specific note on unsupported features in Oracle Database 23c.
5. Operational Enhancements: DBSAT 3.0 provides a new option (-u) to exclude certain users from reports, removes dependency on Python, and provides performance optimizations for faster data collection. It is also compatible with Linux 64-bit Arm and supports Oracle Database 23c.

DBSAT 3.0 in Action

Let’s go through a simple example of using DBSAT 3.0 to evaluate a database with Oracle 19c. As a test, I’ll use my database container on my MacBook Pro with Oracle Database 19c for ARM Linux, which is now also supported by DBSat.

Download and Install DBSAT 3.0

The easiest way to find DB Sat is to access the product page Oracle Database Security Assessment Tool DBSat. From there you are directed to a corresponding Oracle support document 2138254.1 for download. However, you need a corresponding Oracle account for the download.

As mentioned above, Python is no longer required for execution. You only need an Oracle Database, corresponding credentials and a JDK. The JDK in the Oracle home directory is all you need.

Let’s unzip the package to the $ORACLE_BASE/product directory

unzip dbsat.zip -d $ORACLE_BASE/product/dbsat_3.0.0

If not yet set define the JAVA_HOME environment variable

export JAVA_HOME=$ORACLE_HOME/jdk
export PATH=$JAVA_HOME/bin:$PATH

Verify if we can run dbsat and display its new usage.

$ORACLE_BASE/product/dbsat_3.0.0/dbsat -h

If successfully you should see something linke this.

oracle@cdbua190:~/ [CDBUA190] $ORACLE_BASE/product/dbsat_3.0.0/dbsat -h

Database Security Assessment Tool version 3.0 (Nov 2023)

    Usage: dbsat collect [ -n ] <database_connect_string> <output_file>
           dbsat report [ -a ] [ -n ] [ -g ] [ -x <section> ] [ -u <user> ] <input_file>
	   dbsat discover [ -n ] -c <config_file> <output_file>

    Options:
       -a  Report with all user accounts, including locked and schema-only,
           Oracle-supplied users
       -n  No encryption for output
       -g  Show all grants including Common Grants in a Pluggable Database
       -x  Specify sections to exclude from report (may be repeated for
           multiple sections)
       -u  Specify users to exclude from report
       -c  Configuration file for discoverer

Run the Assessment

As before, dbsat can be run in three execution modes. I.e. collect, report and discover:

1. dbsat collect: Gathers data from the specified database.
2. dbsat report: Generates a security assessment report.
3. dbsat discover: Identifies sensitive data within the database.

Let’s gather data from the container database CDBUA190 as user system

$ORACLE_BASE/product/dbsat_3.0.0/dbsat collect -n system@CDBUA190 $HOME/CDBUA190_v1.1

Here is an excerpt from the output of the DBsat call without the license and version information:

Setup complete.
SQL queries complete.
Warning: Exit status 256 from OS rule: dbcs_status
/bin/cat: /u00/app/oracle/product/19.0.0.0/ldap/admin/fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips1.ora
/bin/cat: /fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips2.ora
/bin/ls: cannot access '/u00/app/oracle/product/19.0.0.0/rdbms/log/diag': No such file or directory
Warning: Exit status 512 from OS rule: diag_dest_home
OS commands complete.
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.19.0.0.0
DBSAT Collector completed successfully.

As you can see, there are a few warnings for certain OS checks, particularly regarding the FIPS configuration and a Diag directory located below $ORACLE_HOME. These warnings can typically be ignored, especially if FIPS is not being utilized in your environment.

If desired, you have the option to process the JSON document that was generated. However, creating a report from this data tends to be more straightforward. DBSAT offers the flexibility to create reports in various formats, including JSON, text, HTML, or Excel. It’s crucial to be in the DBSat directory when generating the report to ensure the tool can locate the xlsxwriter. Following the previous dbsat collect command, you can create the report as shown below.

cp $HOME/CDBUA190_v1.1.json  $ORACLE_BASE/product/dbsat_3.0.0/
cd $ORACLE_BASE/product/dbsat_3.0.0/
./dbsat report -n -a -g CDBUA190_v1.1

More variations on how to use DBSat can be found in the online documentation User Guide.

Analyze the Report

When viewing the HTML report, you can immediately see the additional information for the individual findings. Below an example for the rule checking for the latest security patch.

Overall, DBSat has expanded its scope to more than 120 deliverables, which include not only STIG and CIS recommendations, but also Oracle Best Practice (OBP) topics. This inclusion is particularly beneficial considering that Oracle’s feature and release cycle does not always coincide with updates to existing standards and frameworks. Of particular importance is the fact that Oracle introduces new features with each release, which require appropriate configuration and can significantly impact the security of the database.

For those who manage databases with an extensive history that includes multiple migrations, DBSAT offers a notable advantage. It provides relevant desupport information related to the latest Oracle database version, 23c. This feature is particularly valuable in ensuring that even the most complex, historically grown databases remain compatible and secure with the latest Oracle technologies.

Conclusion

DBSAT 3.0 represents a significant leap forward and offers numerous enhancements that improve not only functionality but also usability. A standout feature is the newfound independence from Python, which simplifies deployment directly on the DB server or remotely from a DBA workstation.

The security checks have been carefully enhanced and prepare the tool for the upcoming Oracle Database 23c. Updates such as STIG-V2R6 compliance and Oracle Best Practice tagging help to interpret and prioritize results. The revised format of the report, which now includes clear explanations, risk levels and best practice guidance for each finding, greatly aids understanding and remediation of security issues.

In addition, DBSAT 3.0 provides flexibility in handling large-scale findings. Users can streamline assessments and reports by excluding specific users or areas and focusing on critical areas.

Additionally, DBSAT’s integration with Oracle Data Safe, Oracle Audit Vault and Database Firewall underscores its importance. The enhancements in DBSAT 3.0 not only increase the standalone capabilities, but also enrich the security capabilities of these integrated Oracle products.

Additional Resources

Some links and references related to this topic.

• Oracle Database Security a technical primer
• Oracle Database Security Assessment Tool DBSat
• Oracle Database Security Assessment Tool 3.0.0 Books
• LiveLabs – Database Security Assessment Tool (DBSAT)
• Oracle Support Document 2138254.1 Oracle Database Security Assessment Tool (DBSAT)
• Oracle Support Document 2484219.1 Common Questions and Issues For Oracle Database Security Assessment Tool (DBSAT)
• Oracle Support Document 2651827.1 Does DBSAT Scan for all of the STIG And CIS Benchmark Controls?