The Oracle Database Security Assessment Tool, commonly know as DBSAT tool is used to scan the complete database and provide report security configuration and vulnerability list.

The DBSAT has two components:

The collector – Its job is to collect information by running different SQL and os command against database

The Reporter – It will analyze the database and provide its findings in the report.

1. Download the DBSAT tool:

You can get this tool in oracle support website – Click  Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)

2. Copy that tool and unzip it.

 unzip dbsat.zip
Archive:  dbsat.zip
  inflating: dbsat
  inflating: dbsat.bat
  inflating: sat_reporter.py
  inflating: sat_analysis.py
  inflating: sat_collector.sql
  inflating: xlsxwriter/app.py
  inflating: xlsxwriter/chart_area.py
  inflating: xlsxwriter/chart_bar.py
  inflating: xlsxwriter/chart_column.py
  inflating: xlsxwriter/chart_doughnut.py
  inflating: xlsxwriter/chart_line.py
  inflating: xlsxwriter/chart_pie.py
  inflating: xlsxwriter/chart.py
  inflating: xlsxwriter/chart_radar.py
  inflating: xlsxwriter/chart_scatter.py
  inflating: xlsxwriter/chartsheet.py
  inflating: xlsxwriter/chart_stock.py
  inflating: xlsxwriter/comments.py
  inflating: xlsxwriter/compat_collections.py
  inflating: xlsxwriter/compatibility.py
  inflating: xlsxwriter/contenttypes.py
  inflating: xlsxwriter/core.py
  inflating: xlsxwriter/drawing.py
  inflating: xlsxwriter/format.py
  inflating: xlsxwriter/__init__.py
  inflating: xlsxwriter/packager.py
  inflating: xlsxwriter/relationships.py
  inflating: xlsxwriter/shape.py
  inflating: xlsxwriter/sharedstrings.py
  inflating: xlsxwriter/styles.py
  inflating: xlsxwriter/table.py
  inflating: xlsxwriter/theme.py
  inflating: xlsxwriter/utility.py
  inflating: xlsxwriter/vml.py
  inflating: xlsxwriter/workbook.py
  inflating: xlsxwriter/worksheet.py
  inflating: xlsxwriter/xmlwriter.py
  inflating: xlsxwriter/LICENSE.txt

3. Now use collect command:

Make sure to set proper ORACLE_HOME , ORACLE_SID and PATH before running this command.

./dbsat collect {username/password} {DESTINATION_PATH}

./dbsat collect system/oracle /export/home/oracle/dbaclass

This tool is intended to assist in you in identifying potential
vulnerabilities in your system, but you are solely responsible for
your system and the effect and results of the execution of this tool
(including, without limitation, any damage or data loss). Further,
the output generated by this tool may include potentially sensitive
system configuration data and information that could be used by a
skilled attacker to penetrate your system. You are solely responsible
for ensuring that the output of this tool, including any generated
reports, is handled in accordance with your company's policies.

Connecting to the target Oracle database...


SQL*Plus: Release 12.1.0.2.0 Production on Wed May 17 15:30:03 2017

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Last Successful login time: Mon Apr 10 2017 13:16:12 +03:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

Database Security Assessment Tool version 1.0.2 (October 2016)
Setup complete.
SQL queries complete.
/oracle/app/oracle/product/12.1.0/dbhome_1/bin/osdbagrp -r
Usage: /oracle/app/oracle/product/12.1.0/dbhome_1/bin/osdbagrp -a | -d | -o | -b | -g | -k
Warning: Exit status 256 from OS rule: sysrac_group
OS commands complete.
Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
DBSAT Collector completed successfully.

Calling /oracle/app/oracle/product/12.1.0/dbhome_1/bin/zip to encrypt dbaclass.json...

Enter password:
Verify password:
  adding: dbaclass.json (deflated 86%)
zip completed successfully.

This will generate a file called dbaclass.zip

4. Now generate the report:

./dbsat report {DESTINATION_FILE}

./dbsat  report /export/home/oracle/audit_sec

This tool is intended to assist in you in identifying potential
vulnerabilities in your system, but you are solely responsible for
your system and the effect and results of the execution of this tool
(including, without limitation, any damage or data loss). Further,
the output generated by this tool may include potentially sensitive
system configuration data and information that could be used by a
skilled attacker to penetrate your system. You are solely responsible
for ensuring that the output of this tool, including any generated
reports, is handled in accordance with your company's policies.

Archive:  bsstdba.zip
[bsstdba.zip] bsstdba.json password:
  inflating: bsstdba.json
Database Security Assessment Tool version 1.0.2 (October 2016)
DBSAT Reporter ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password:
Verify password:
  adding: dbaclass.txt (deflated 78%)
  adding: dbaclass.html (deflated 84%)
  adding: dbaclass.xlsx (deflated 3%)
zip completed successfully.

audit_sec_report.zip file will be generated

5. How the report looks like:

While unzipping the file, it will ask for the password, (pass the same which we used while generating the report)

/export/home/oracle# unzip audit_sec_report.zip
Archive:  bsstdba_report.zip
[bsstdba_report.zip] dbaclass.txt password:
  inflating: dbaclass.txt
  inflating: dbaclass.html
  inflating: dbaclass.xlsx

 

The html will look as below: