420 likes | 459 Views
DBSAT – Oracle Database Security Assessment Tool Hariprasath Rajaram. About me. Hariprasath.R More than 7 years of Oracle Database experience in IT Industry Oracle12c Database Administrator Certified Professional Oracle11g Database Administrator Certified Professional
E N D
DBSAT – Oracle Database Security Assessment Tool Hariprasath Rajaram
About me • Hariprasath.R • More than 7 years of Oracle Database experience in IT Industry • Oracle12c Database Administrator Certified Professional • Oracle11g Database Administrator Certified Professional • Oracle10g Database Administrator Certified Professional • Oracle10g Database RAC Certified Expert • Oracle9i Database Administrator Certified Professional
Agenda Database Security Assessment DBSAT Overview and Flow Advantages How to download, configure and execute Gather data and preparing reports Interpreting the report Summary
Database Security Assessment As the primary repository for the enterprise’s most valuable information, the database is perhaps the most sensitive segment of the IT landscape. Many organizations are learning that database assets are vulnerable to both external attackers via Web applications and internal employees who take advantage of more direct privileges. Customer records, financial reports, and patient data are all at risk. In addition, compliance with regulatory requirements such as HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Sarbanes-Oxley (SOX),requires that all publicly held companies must establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud. Payment Card Industry Data Security Standard (PCI DSS) The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment, and others require organizations to perform database security assessments.
DBSAT Overview DBSAT is a command line tool focused on detecting areas of potential security vulnerabilities or miss configurations, and providing recommendations on how to mitigate those potential vulnerabilities. The DBSAT focuses on the database but also examines surrounding database related system components including OS and network (listener). The tool provides a view into the current status, users, roles and policies in place, with the goal of promoting successful approaches to mitigate potential security risks . DBSAT has two components: Collectorand Reporter The Collector is responsible to collect raw data from the target database by executing SQL queries and OS commands. The Reporter will read the collected data, analyze it and produce reports with the findings. The Reporter outputs three reports in Text, HTML, and Excel formats.
DBSAT Overview The objective of DBSAT is to analyze the database existing security configuration, examine the potential security attackers or misconfiguration and provide the recommendation on best security practices and advice on how to mitigate those potential security issues. Pre DBSAT tool, the same can be achieved n through running multiple database scripts against the dictionary views, however, This tool has done for you without the need of running multiple scripts and also provides you the recommendations in a report of three formats. According to Oracle, the security rules are defined as shown in the image:
What does DBSAT Check? User Accounts, Privileges and Roles Authorization Control Data Encryption Fine-grained Access Control Auditing Policies Database security Configuration Listener Configuration OS File permissions (except Windows)
Agenda DBSAT Overview and Flow Advantages How to download, configure and execute Gather data and preparing reports Interpreting the report Summary
Advantages of DBSAT Advice on security best practices Quickly identify security configuration errors in your databases Recommendations to improvise the security posture of your databases Minimize learning curve to provide decent security reporting to management. Improve the security posture of your Oracle Databases Reduce the attack surface and exposure to risk
DBSAT Requirements Database: Run with DBA role or the following privileges/roles 1. CREATE SESSION 2. SELECT on SYS.REGISTRY$HISTORY 3. SELECT on AUDSYS.AUD$UNIFIED (12c only) 4. SELECT on SYS.DBA_USERS_WITH_DEFPWD (11g and 12c) 5. Role SELECT_CATALOG_ROLE 6. Role DV_SECANALYST (if Database Vault is enabled) 7. Roles AUDIT_VIEWER (12c only) and CAPTURE_ADMIN (12c only) Operating System 1. DBSAT Collector: run with OS user who can read the ORACLE_HOME directory and files 2. DBSAT Reporter: Python 2.6 or later (can run on other machines also)
DBSAT Requirements Operating System 1. DBSAT Collector: run with OS user who can read the ORACLE_HOME directory and files Environment Variables For Windows SET ZIP_CMD=%ORACLE_HOME%\bin\zip.exe SET UNZIP_CMD=%ORACLE_HOME%\bin\unzip.exe On UnixZIP=/usr/bin/zip UNZIP=/usr/bin/unzip DBZIP=${ORACLE_HOME}/bin/zip
DBSAT Requirements Operating System 2. DBSAT Reporter: Python 2.5 or later (can run on other machines also)
DBSAT Functionality and Flow DBSAT Collector and DBSAT Reporter are the two components of DBSAT tool. The functionality of those components is outlined in the below segments. The role of the DBSAT Collector is to gather the raw data by executing SQL queries against the database dictionary views plus some OS commands, and the information is written to a JSON output file. The output file by default is password encrypted for obvious security purpose. The DBSAT Collector should be ran on the server where the database is running. The core functionality of the Reporter is to read the data, analyze the data and report its findings and recommendations to a readable file. The file is available in formats: HTML, Text and Excel sheet. On the contrary,theDBSAT Reporter can run on the DB server or on any other machine. It is a platform-independent program, requires Python 2.6 or higher on the system to run. You can use the findings to fix some immediate short-term risks or develop/improve a comprehensive security strategy.
Agenda DBSAT Overview and Flow Advantages How to download, configure and execute Gather data and preparing reports Interpreting the report Summary
DBSAT Download At the moment, the only available option to download the DBSAT tool is to login to support.oracle.com website (with the predefined user credentials), and download it from My Oracle Support ID 21382541.1, titled ‘Oracle Database Security Assessment Tool (DBSAT). At the end of the DOWNLOAD section click on the I AGREE link and the dbsat.zip file will be downloaded on your system. It is highly recommended to look at the note from time to time to get the latest version of the tool, so that you stay up-to-date with the all security validations. Currently, the DBSAT tool is available and supported on the following Platforms: Solaris Linux x86-64 Windows x64 HP-UX IA (64-bit) IBM AIX
DBSAT Requirements Operating System 2. DBSAT Reporter: Python 2.5 or later (can run on other machines also)
Agenda DBSAT Overview and Flow Advantages How to download, configure and execute Gather data and preparing reports Interpreting the report Summary
DBSAT Configuration Steps-Demo Usage ./dbsat report dbsat report [ -a ] [ -n ] [ -x] <input_file> Options: -a Report about all user accounts, including locked, Oracle-supplied users -n No encryption for output -x Specify sections to exclude from the report (may be repeated for multiple sections) Syntax ./dbsat report -a db04
DBSAT Configuration Steps-Demo • With –x argument, you can exclude some part of the security validations from the reports: • USER — user authentication • PRIV — Privileges and Roles • AUTH — Authentication Controls • CRYPT — Data Encryption • AUDIT — Auditing • OS — Operating System • NET — Network Configuration • CONF — Database Configuration • ACCESS — Fine-Grained Access Control • Examples: • ./dbsat report –x OS,PRIV db04 — OS & Privileges/Roles excluded from the report
Agenda DBSAT Overview and Flow Advantages How to download, configure and execute Gather data and preparing reports Interpreting the report Summary
DBSAT Sample reports HTML Report TEXT Report EXCEL report
DBSAT Interpreting the report Each Finding consists of the following components: Title and Unique ID for the Rule The ID has two parts: the prefix identifies the report section, and the suffix identifies the specific rule. Status You can use the status values as guidelines to implementing DBSAT recommendations. They can be used to prioritize and schedule changes based on the level of risk, and what it might mean to your organization. Severe risk might require immediate remedial action, whereas other risks might be fixed during a scheduled downtime, or bundled together with other maintenance activities.
DBSAT Interpreting the report Pass: no error found Evaluate: needs manual analysis Some Risk: low Significant Risk: medium Severe Risk: high Opportunity: improve security attitudeby enabling additional security features and technology NOTE: While working with 12c multitenant container databases, data can be gathered at the root container or at the PDB level separately. If the collector script is running on the root container, only root container database is gathered, no PDBs data will be collected. You will have to run the script at the PDB level to gather data for the PDB separately.
DBSAT Interpreting the report Details This provides detailed information to explain the finding summary, typically results from the assessed database, followed by any recommendations for changes. Remarks This explains the standard used to assess the results found. It may also explain the recommended actions for remediation if a risk is reported.
DBSAT References REFERENCES Below is the list of references for documentation, download and some articles: Documentation: http://docs.oracle.com/cd/E76178_01/SATUG/toc.htm#SATUG-GUID-C7E917BB-EDAC-4123-900A-D4F2E561BFE9 Software download: Through My Oracle Support, DOC ID : Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1) Blogs: http://oracle-based.com/oracle-database-security-assessment-tool-dbsat/
Agenda DBSAT Overview and Flow Advantages How to download, configure and execute Gather data and preparing reports Interpreting the report Summary
DBSAT Conclusion Conclusion DBSAT is a lightweight security assessment tool which analyzes the database potential security Sensitive, misconfiguration, identifies the security risks and provides the recommendations to mitigate those security vulnerability issues. Furthermore, this tool does not require high level skills to produce fast and clear reports. However, it is important to look for a latest version from time to time to have latest security validations.