Oracle has provided a new tool to assess the security configuration and advise on it. It is a lightweight utility and the most important thing is that it is FREE ( surprise!). As long as , we have the active support from Oracle , we should be able to download the utility .
For the first release , it is very promising , albeit the findings for Windows Operating Systems is limited. For Windows , it does not look the OS configurations.
a) First , a user needs to be created with minimalist privileges . The documentation has the sample script that could be provisioned .
create user dbsat_user identified by xxxxx;
// If Database Vault is enabled, connect as DV_ACCTMGR to run this command
grant create session to dbsat_user;
grant select_catalog_role to dbsat_user;
grant select on sys.registry$history to dbsat_user;
grant select on sys.dba_users_with_defpwd to dbsat_user; // 11g and 12c
grant select on audsys.aud$unified to dbsat_user; // 12c only
grant audit_viewer to dbsat_user; // 12c
grant capture_admin to dbsat_user;// 12c covers sys.dba_priv_captures, sys.priv_capture$, sys.capture_run_log$
// if Database Vault is enabled, connect as DV_OWNER to run this command
grant DV_SECANALYST to dbsat_user;
b) We need to "collect" the configuration by running the commands below. As usual , this will run " as the administrator". At the event of the process , it will ask for the password . Make sure that it is secured as the file has very important information.
D:\dbsat_output>set path=%path%;d:\dbsat
D:\dbsat_output>dbsat collect dbsat_user/xxxxxxxxxx dbsat_output20171024
This tool is intended to assist in you in identifying potential
vulnerabilities in your system, but you are solely responsible for
your system and the effect and results of the execution of this tool
(including, without limitation, any damage or data loss). Further,
the output generated by this tool may include potentially sensitive
system configuration data and information that could be used by a
skilled attacker to penetrate your system. You are solely responsible
for ensuring that the output of this tool, including any generated
reports, is handled in accordance with your company's policies.
Connecting to the target Oracle database...
SQL*Plus: Release 12.1.0.2.0 Production on Tue Oct 24 13:01:05 2017
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
Database Security Assessment Tool version 1.0.2 (October 2016)
Setup complete.
SQL queries complete.
OS Commands Skipped.
BEGIN
*
ERROR at line 1:
ORA-20002: Complete without OS Commands.
ORA-06512: at line 4
Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
and Real Application Testing options
DBSAT Collector completed successfully.
Calling D:\app\oracle\product\12.1.0\dbhome_1\bin\zip.exe to encryptdbsat_output20171024.json...
Enter password:
Verify password:
adding: dbsat_output20171024.json (164 bytes security) (deflated 88%)
zip completed successfully.
D:\dbsat_output>dir
Volume in drive D is New Volume
Volume Serial Number is 32D6-96CB
Directory of D:\dbsat_output
10/24/2017 01:01 PM .
10/24/2017 01:01 PM ..
10/24/2017 01:01 PM 29,227 dbsat_output20171024.zip
1 File(s) 29,227 bytes
2 Dir(s) 223,632,429,056 bytes free
c) We need to generate a report based on the file , generated from the last step. At the completion of this step , we will have three files ( text file , excel , html ) , that lists the recommendations. Be sure to safeguard this file , as the exposure to the outside world would cause security risks that our database has now.
D:\dbsat_output>dbsat report -a -n dbsat_output20171024
This tool is intended to assist in you in identifying potential
vulnerabilities in your system, but you are solely responsible for
your system and the effect and results of the execution of this tool
(including, without limitation, any damage or data loss). Further,
the output generated by this tool may include potentially sensitive
system configuration data and information that could be used by a
skilled attacker to penetrate your system. You are solely responsible
for ensuring that the output of this tool, including any generated
reports, is handled in accordance with your company's policies.
Archive: dbsat_output20171024.zip
[dbsat_output20171024.zip] dbsat_output20171024.json password:
password incorrect--reenter:
password incorrect--reenter:
inflating: dbsat_output20171024.json
Database Security Assessment Tool version 1.0.2 (October 2016)
DBSAT Reporter ran successfully.
Also , to generate the report , you would need python installed in your machine.
My preference is to use the html as it has links to the individual sections .
It lists the vulnerability , opportunity ( to use RAS , OLS , ... )
This is one of the "Hands on Lab" sessions that I attended at OpenWorld 2017. It is worth looking into it , as it is a light weight and does the job in few minutes.
For additional information , please visit https://docs.oracle.com/cd/E76178_01/SATUG/toc.htm#SATUG-GUID-C7E917BB-EDAC-4123-900A-D4F2E561BFE9
Comments welcome.
Hi Zahir,
ReplyDeleteThanks for attending the DBSAT HOL during OOW.
Just thought to pass by and let you know that DBSAT 2.0.1 was released today.
http://www.oracle.com/technetwork/database/security/dbsat/overview/index.html
regards,
Pedro Lopes
Oracle Database Security
DBSAT PM
Thanks Pedro for your update and for your HOL session.
ReplyDelete