Key Features in Release 3.1.0

With the major release of version 3.0.0, Oracle had already made significant improvements to DBSat. This included support for Oracle 23c and over 30 new STIG findings, to name just a few enhancements. Now, with the most recent update, Oracle has introduced several improvements and added new findings, especially for the 23c version.

The latest version focuses on the following improvements:

• Alignment with CIS Benchmark v1.2: Included 10 new findings based on CIS recommendations for Oracle Database 19c, with updated references.
• New Finding for Autonomous Database Serverless: Introduction of a finding related to pre-authenticated URL requests.
• Comprehensive Security Checks: New checks for user profile limits, EXECUTE permissions on various packages to PUBLIC, and database security and administration-related permissions.
• Auditing and Operating System User Configurations: Addition of checks for auditing actions on synonyms and operating system user configurations in pluggable databases.
• Enhanced Existing Findings: Improved logic in user expiry checks, optimizations in application owner assessments, and updated TDE recommendations for Oracle Database 23c.

New Findings

Seven of the new findings focus on EXECUTE privilege grants to Public, assessing whether critical packages have been inappropriately granted to Public. The selection of packages for these checks is guided by recommendations from the CIS and encompasses a range of areas including network, file system, encryption, Java, job scheduling, helper functions, and credentials packages.

The following example demonstrates how the finding PRIV.NETPACKAGEPUBLIC identifies network packages that have been granted EXECUTE privileges to PUBLIC.

Additional findings are detailed in the report’s ‘Privileges and Roles’ chapter. Beyond the network packages mentioned earlier, the report also examines other critical packages, such as DBMS_JAVA, DBMS_JAVA_TEST, JAVA_ADMIN, DBMS_LOB, UTL_FILE, and DBMS_ADVISOR, among others. Furthermore, it assesses other crucial permissions that may have been granted to Public, like CREATE ANY DIRECTORY and DROP ANY DIRECTORY, where relevant.

The additional new checks introduced in DBSAT cover several key aspects:

• USER.DEFAULTPROFILE: This check details the limitations defined in the DEFAULT user profile.
• AUDIT.SYNONYMS: It determines if actions such as creating, altering, or dropping SYNONYMs are audited.
• CONF.DEFAULTPDBOSUSER: This evaluates the operating system user designated in the PDB_OS_CREDENTIAL.
• CONF.PREAUTHREQUESTURL: It provides insights into pre-authenticated URLs for Autonomous Database Serverless, including which users are authorized to manage these URLs via the DBMS_DATA_ACCESS package.

• USER.DEFAULTPROFILE: Enumerates the limits set in the DEFAULT user profile.
• AUDIT.SYNONYMS: Verifies whether actions like create, alter, or drop SYNONYM are being audited.
• CONF.DEFAULTPDBOSUSER: Evaluates the operating system user specified in the PDB_OS_CREDENTIAL. Particularly important if DB users are allowed to use DBMS_SCHEDULER in a multitenant environment.
• CONF.PREAUTHREQUESTURL: Shows details of pre-authenticated URLs for Autonomous Database Serverless, including identification of users who can manage them through the DBMS_DATA_ACCESS package.

Below are more examples of these new findings and their representation in the DBSAT report.

In addition to the new findings, existing checks have also been revised and updated. These include the following three:

• USER.APPOWNER: Optimizations have been made to enhance performance and streamline the level of detail.
• USER.NOEXPIRE: The logic and summary of this check have been improved for better clarity.
• ENCRYPT.TDE: The remarks have been updated to clarify the use of the TABLESPACE_ENCRYPTION parameter, providing specific recommendations for those upgrading to Oracle Database 23c and transitioning away from deprecated algorithms.

Missing Stuff

The major release 3.0.0 and its latest update 3.1.0 of DBSAT largely fulfill all expectations. DBSAT covers the latest standards and best practices and is also ready for Oracle 23c. However, there are minor issues that one might encounter during initial use. For instance, when gathering information with dbsat collect, warnings may appear if FIPS configuration files are not found. Generally, these can be safely ignored.

Additionally, DBSAT requires Java for the Report or Discover Mode. If a JAVA_HOME variable is not set, DBSAT will terminate with an error. It would be beneficial if DBSAT could default to using the JVM in ORACLE_HOME, at least on the Oracle database server. You can find more on this in my blog post What You Need to Know About Oracle DB SAT Release 3.0.

Conclusion

DBSAT 3.0.0 and its update 3.1.0 represent a significant development and improve both functionality and usability. One of the most important improvements is the independence from Python, which allows for easier deployment. The tool is now ready for Oracle Database 23c with updated security checks, STIG-V2R6 compliance and Oracle Best Practice tagging for result interpretation. The revised report format with clear explanations and guidance simplifies the identification and resolution of security issues. DBSAT also enables customized assessments by excluding specific users or areas. In addition, integration with Oracle Data Safe, Oracle Audit Vault and Database Firewall extends the standalone capabilities and strengthens the security framework of these Oracle products.

If you haven’t reviewed your database security configuration yet, now is the perfect time to begin with DBSAT 3.1.0.

Additional Resources

Some links and references related to this topic.

• DBSAT on oracle.com
• Database Security Assessment Tool User Guide
• Download DBSAT MOS Note 2138254.1 Oracle Database Security Assessment Tool (DBSAT)
• Security Assessment Tool Release Notes
• DBSAT Data Sheet
• DBSAT on FAQ
• DBSAT workshop on Oracle LiveLabs
• DBSAT Overview Presentation by Oracle PM
• Oracle Database Security a technical primer comprehensive overview of Oracle Security products and measures provided by the Oracle PM’s for Database Security.