ZAHIR MOHIDEEN: DBSAT in 12c .

Oracle has provided a new tool to assess the security configuration and advise on it. It is a lightweight utility and the most important thing is that it is FREE ( surprise!). As long as , we have the active support from Oracle , we should be able to download the utility .

For the first release , it is very promising , albeit the findings for Windows Operating Systems is limited. For Windows , it does not look the OS configurations.

a) First , a user needs to be created with minimalist privileges . The documentation has the sample script that could be provisioned .

create user dbsat_user identified by xxxxx;

// If Database Vault is enabled, connect as DV_ACCTMGR to run this command

grant create session to dbsat_user;

grant select_catalog_role to dbsat_user;

grant select on sys.registry$history to dbsat_user;

grant select on sys.dba_users_with_defpwd to dbsat_user; // 11g and 12c

grant select on audsys.aud$unified to dbsat_user; // 12c only

grant audit_viewer to dbsat_user; // 12c

grant capture_admin to dbsat_user;// 12c covers sys.dba_priv_captures, sys.priv_capture$, sys.capture_run_log$

// if Database Vault is enabled, connect as DV_OWNER to run this command

grant DV_SECANALYST to dbsat_user;

b) We need to "collect" the configuration by running the commands below. As usual , this will run " as the administrator". At the event of the process , it will ask for the password . Make sure that it is secured as the file has very important information.

D:\dbsat_output>set path=%path%;d:\dbsat

D:\dbsat_output>dbsat collect dbsat_user/xxxxxxxxxx dbsat_output20171024

This tool is intended to assist in you in identifying potential

vulnerabilities in your system, but you are solely responsible for

your system and the effect and results of the execution of this tool

(including, without limitation, any damage or data loss). Further,

the output generated by this tool may include potentially sensitive

system configuration data and information that could be used by a

skilled attacker to penetrate your system. You are solely responsible

for ensuring that the output of this tool, including any generated

reports, is handled in accordance with your company's policies.

Connecting to the target Oracle database...

SQL*Plus: Release 12.1.0.2.0 Production on Tue Oct 24 13:01:05 2017

Connected to:

Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics

and Real Application Testing options

Database Security Assessment Tool version 1.0.2 (October 2016)

Setup complete.

SQL queries complete.

OS Commands Skipped.

BEGIN

ERROR at line 1:

ORA-20002: Complete without OS Commands.

ORA-06512: at line 4

Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production

With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics

and Real Application Testing options

DBSAT Collector completed successfully.

Calling D:\app\oracle\product\12.1.0\dbhome_1\bin\zip.exe to encryptdbsat_output20171024.json...

Enter password:

Verify password:

adding: dbsat_output20171024.json (164 bytes security) (deflated 88%)

zip completed successfully.

D:\dbsat_output>dir

Volume in drive D is New Volume

Volume Serial Number is 32D6-96CB

Directory of D:\dbsat_output

10/24/2017 01:01 PM .

10/24/2017 01:01 PM ..

10/24/2017 01:01 PM 29,227 dbsat_output20171024.zip

1 File(s) 29,227 bytes

2 Dir(s) 223,632,429,056 bytes free

c) We need to generate a report based on the file , generated from the last step. At the completion of this step , we will have three files ( text file , excel , html ) , that lists the recommendations. Be sure to safeguard this file , as the exposure to the outside world would cause security risks that our database has now.

D:\dbsat_output>dbsat report -a -n dbsat_output20171024