DBSAT How Secure Is Your Database? Linda Seley, Arisant


Post on 22-May-2020


Page 1: DBSAT How Secure Is Your Database? - Amazon S3… · How Secure Is Your Database? Linda Seley, Arisant. Agenda • Introduction ... •Data Masking and Subsetting •Data ... Manager

DBSAT

How Secure Is Your Database?

Linda Seley, Arisant


Agenda

• Introduction

• Security Overview

• DBSAT Collect

• DBSAT Report

• DBSAT Discover

• Q&A


Founded in 2006 by, Arisant focuses on understanding business requirements to ensure the most effective implementation of the right solution

Our strategy is aimed at providing an honest and expert brand of consulting services for both the Private & Public Sectors

• HQ’d in Englewood, CO
• Flexibility to Deliver across the World
• Oracle Technology Focused


Managed Services
➢ Database Administration
➢ O/S System Administration
➢ Middleware Administration
➢ Storage Administration
➢ Engineered System administration

Consulting Services
➢ Architecture
➢ Analysis
➢ Design
➢ Implementation
➢ Project Management

Staffing/Support

Managed Cloud Services

Managed Hosting Services

Identity & Access Management

Business Intelligence

Managed Services


Oracle

MSP Partner

Identity & Access Management

Business Intelligence

Managed Services


Oracle’s Security Tools – Require Licenses

• Database Vault
• Database Firewall and Audit Vault
• Label Security
• Transparent Data Encryption
• Data Masking and Subsetting
• Data Redaction
• Key Manager


Oracle’s Security Tools – Require Licenses

• Oracle Secure Backup
– RMAN Backup Encryption (restricted use)
• Oracle Cloud
– DBCS
• Transparent Data Encryption
– DBCS/Database Backup/OCSCA
• RMAN Backup Encryption (restricted use)


Oracle’s Security Tools - Free

• Network Encryption

– Native Network Encryption and SSL/TLS

• Kerberos, PKI, and RADIUS Authentication

• Password Wallets

• Auditing


Oracle’s Security Tools - Free

• Database Security Assessment Tool (DBSAT)


Database Security Assessment Tool

• Solaris x64 and Solaris SPARC64
• Linux x86-64
• Windows x64
• HP-UX IA (64-bit)
• IBM AIX (64-bit) & Linux on zSeries (64-bit)

Supported on Oracle Database 10.2.0.5 and later


Database Security Assessment Tool

• http://www.oracle.com/technetwork/database/security/dbsat/downloads/index.html

• Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)


Database Security Assessment Tool

drwxr-x--- 4 oracle oinstall 4096 Jan 12 02:08 ./

drwxr-x--- 8 oracle oinstall 4096 Jan 12 02:08 ../

-r-xr-xr-x 1 oracle oinstall 12433 Jan 11 11:21 dbsat*

-r-xr-xr-x 1 oracle oinstall 12579 Jan 11 11:21 dbsat.bat*

-rwxr-x--- 1 oracle oinstall 2150961 Jan 12 02:08 dbsat.zip*

drwxr-x--- 5 oracle oinstall 4096 Jan 12 02:08 Discover/

-r-xr-xr-x 1 oracle oinstall 28216 Dec 20 16:35 sat_analysis.py*

-r-xr-xr-x 1 oracle oinstall 43181 Jan 8 13:43 sat_collector.sql*

-r-xr-xr-x 1 oracle oinstall 247465 Jan 16 17:47 sat_reporter.py*

drwxr-x--- 2 oracle oinstall 4096 Jan 12 02:08 xlsxwriter/


Database Security Assessment Tool

• Collect

• Report

• Discover


Database Security Assessment Tool - Collect

– CREATE SESSION

– SELECT on SYS.REGISTRY$HISTORY

– Role SELECT_CATALOG_ROLE

– Role DV_SECANALYST (if Database Vault is enabled)

– Role AUDIT_VIEWER (12c and later)

– Role CAPTURE_ADMIN (12c and later)

– SELECT on SYS.DBA_USERS_WITH_DEFPWD (11g and later)

– SELECT on AUDSYS.AUD$UNIFIED (12c and later)


Database Security Assessment Tool - Collect

• $TNS_ADMIN

• User password

• Zip file password

$ ./dbsat collect arisant output/orcl


Database Security Assessment Tool - Collect

• Creates a zip file that contains a json file:

$ ls

total 512

drwxr-x--- 2 oracle oinstall 4096 Feb 12 02:31 ./

drwxr-x--- 5 oracle oinstall 4096 Feb 12 02:30 ../

-rw------- 1 oracle oinstall 449503 Feb 12 02:30 orcl.json

-rw------- 1 oracle oinstall 62025 Feb 12 02:30 orcl.zip


"date_and_release": {"version": 1,

"columns": ["collection_date", "release"],

"data": [["12-02-2018 11:55","12.1.0.2.0"]

]},

"db_identity": {"version": 1,

"columns": ["name", "log_mode", "platform", "dg_role", "dg_broker", "flashback", "controlfile", "switchover_status", "created"],

"data": [["ORCL","ARCHIVELOG","Linux x86 64-bit","PRIMARY","ENABLED","YES","CURRENT","TO STANDBY","17-02-2016 17:07"]

]},

"db_pdbs": {"version": 1,

"columns": ["con_id", "name"],

"data": [ ]},

"db_version": {"version": 1,

"columns": ["banner"],

"data": [["Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production"]

,["PL/SQL Release 12.1.0.2.0 - Production"]

,["CORE\u000912.1.0.2.0\u0009Production"]

,["TNS for Linux: Version 12.1.0.2.0 - Production"]

,["NLSRTL Version 12.1.0.2.0 - Production"]

]},


Database Security Assessment Tool - Report

• Collect zip file password

• Report zip file password

$ ./dbsat report -a output/orcl


Database Security Assessment Tool - Report

• Creates a zip file that contains html, json, txt, and xlsx files:

$ ls

total 840

drwxr-x--- 2 oracle oinstall 4096 Feb 12 02:35 ./

drwxr-x--- 5 oracle oinstall 4096 Feb 12 02:33 ../

-rw------- 1 oracle oinstall 244023 Feb 12 02:33 orcl_report.html

-rw------- 1 oracle oinstall 208936 Feb 12 02:33 orcl_report.json

-rw------- 1 oracle oinstall 187015 Feb 12 02:33 orcl_report.txt

-rw------- 1 oracle oinstall 21899 Feb 12 02:33 orcl_report.xlsx

-rw------- 1 oracle oinstall 113022 Feb 12 02:35 orcl_report.zip


Database Security Assessment Tool - Discover

– CREATE SESSION

– Role SELECT_CATALOG_ROLE

– Role DV_SECANALYST (if Database Vault is enabled)


Database Security Assessment Tool - Discover

• Copy Discover/conf/sample_dbsat.config to Discover/conf/dbsat.config

– Modify dbsat.config for your database

• DB_HOSTNAME = localhost

• DB_PORT = 1533

• DB_SERVICE_NAME = orcl


[Discovery Parameters]
SENSITIVE_PATTERN_FILES = sensitive_en.ini
SCHEMAS_SCOPE = ALL
MINROWS = 1
EXCLUSION_LIST_FILE =

[Sensitive Categories]
PII = High Risk
PII - Address = High Risk
PII - IDs = High Risk
PII - IT Data = High Risk
PII-Linked = Medium Risk
PII-Linked - Birth Details = Medium Risk
Job Data = Medium Risk
Financial Data - PCI = High Risk
Financial Data - Banking = Medium Risk
Health Data = Medium Risk


sensitive_en.ini

[FULL_NAME]
COL_NAME_PATTERN = ^(PERSON|FULL).*NAME$
COL_COMMENT_PATTERN = (Full|Person).*Name
SENSITIVE_CATEGORY = PII

[FIRST_NAME]
COL_NAME_PATTERN = (^FNAME$)|((FIRST|GIVEN).*NAME$)
COL_COMMENT_PATTERN = (First|Given|Cust).*Name
SENSITIVE_CATEGORY = PII

[LAST_NAME]
COL_NAME_PATTERN = (^LNAME$)|((LAST|FAMILY|SUR|PATERNAL).*NAME$)
COL_COMMENT_PATTERN = (Last|Family|Sur|Paternal).*Name
SENSITIVE_CATEGORY = PII
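
Added example, not part of the slides or of DBSAT's own code: Python that loads the three pattern sections above and applies them to column names and comments, to show which columns such rules flag and which they miss. It assumes unanchored regex search against upper-cased column names and uses Python's re module in place of DBSAT's matcher; the column list is constructed.

```python
import configparser
import re
# Constructed input: the three sections shown on the sensitive_en.ini slide.
PATTERN_INI = r"""
[FULL_NAME]
COL_NAME_PATTERN = ^(PERSON|FULL).*NAME$
COL_COMMENT_PATTERN = (Full|Person).*Name
SENSITIVE_CATEGORY = PII
[FIRST_NAME]
COL_NAME_PATTERN = (^FNAME$)|((FIRST|GIVEN).*NAME$)
COL_COMMENT_PATTERN = (First|Given|Cust).*Name
SENSITIVE_CATEGORY = PII
[LAST_NAME]
COL_NAME_PATTERN = (^LNAME$)|((LAST|FAMILY|SUR|PATERNAL).*NAME$)
COL_COMMENT_PATTERN = (Last|Family|Sur|Paternal).*Name
SENSITIVE_CATEGORY = PII
"""
CATEGORY_RISK = {"PII": "High Risk"}  # from [Sensitive Categories] in dbsat.config
# Constructed (column name, column comment) pairs, not taken from a real schema.
SAMPLE_COLUMNS = [
    ("CUST_FIRST_NAME", ""),
    ("SURNAME", ""),
    ("PERSON_FULL_NAME", ""),
    ("NAME1", "Family Name of the account holder"),
    ("ACCT_NAME", "Customer account Name"),  # not a first name, still matches
    ("FIRSTNM", ""),                         # a first name, but no pattern fits
    ("FILENAME", ""),
]

def load_rules(ini_text):
    """Parse a pattern file into (type, name_regex, comment_regex, category)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return [(s, re.compile(cp[s]["COL_NAME_PATTERN"]),
             re.compile(cp[s]["COL_COMMENT_PATTERN"]),
             cp[s]["SENSITIVE_CATEGORY"]) for s in cp.sections()]

def classify(columns, rules):
    """Return (column, type, risk, matched_on); assumes search() on upper-cased names."""
    hits = []
    for col, comment in columns:
        for stype, name_re, comment_re, category in rules:
            if name_re.search(col.upper()):
                hits.append((col, stype, CATEGORY_RISK[category], "name"))
            elif comment and comment_re.search(comment):
                hits.append((col, stype, CATEGORY_RISK[category], "comment"))
    return hits

print(*classify(SAMPLE_COLUMNS, load_rules(PATTERN_INI)), sep="\n")
```

ACCT_NAME is flagged only because its comment begins with "Cust", while FIRSTNM goes unreported, so the findings need review and the pattern file usually needs entries for local naming conventions.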


Database Security Assessment Tool - Discover

• $JAVA_HOME

– export JAVA_HOME=$ORACLE_HOME/jdk

• Username

• Password

• Discover zip file password


Database Security Assessment Tool - Discover

$ ./dbsat discover -c \

Discover/conf/dbsat.config \

output/orcl_discover


Database Security Assessment Tool - Discover

• Creates a zip file that contains csv and html files:

$ ls

total 60

drwxr-x--- 3 oracle oinstall 4096 Feb 12 12:39 ./

drwxr-x--- 10 oracle oinstall 4096 Feb 12 12:39 ../

-rw------- 1 oracle oinstall 48519 Feb 12 12:39 orcl_discover_report.zip

drwxr-x--- 2 oracle oinstall 4096 Feb 12 12:39 output/

$ ls output/

total 544

drwxr-x--- 2 oracle oinstall 4096 Feb 12 12:39 ./

drwxr-x--- 3 oracle oinstall 4096 Feb 12 12:39 ../

-rw------- 1 oracle oinstall 180656 Feb 12 12:39 orcl_discover_discover.csv

-rw------- 1 oracle oinstall 362334 Feb 12 12:39 orcl_discover_discover.html


Database Security Assessment Tool - Discover

$ ./dbsat discover -c \

Discover/conf/dbsat.config \

output/orcl


Database Security Assessment Tool - Discover

$ ls

total 904

drwxr-x--- 3 oracle oinstall 4096 Feb 12 12:52 ./

drwxr-x--- 11 oracle oinstall 4096 Feb 12 12:52 ../

-rw------- 1 oracle oinstall 249071 Feb 12 12:51 orcl_report.html

-rw------- 1 oracle oinstall 212850 Feb 12 12:51 orcl_report.json

-rw------- 1 oracle oinstall 190343 Feb 12 12:51 orcl_report.txt

-rw------- 1 oracle oinstall 22504 Feb 12 12:51 orcl_report.xlsx

-rw------- 1 oracle oinstall 164390 Feb 12 12:52 orcl_report.zip

drwxr-x--- 2 oracle oinstall 4096 Feb 12 12:52 output/

$ ls output

total 544

drwxr-x--- 2 oracle oinstall 4096 Feb 12 12:52 ./

drwxr-x--- 3 oracle oinstall 4096 Feb 12 12:52 ../

-rw------- 1 oracle oinstall 180656 Feb 12 12:52 orcl_discover.csv

-rw------- 1 oracle oinstall 362331 Feb 12 12:52 orcl_discover.html


References:

Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)

Oracle Database Security Assessment Tool Documentation: https://docs.oracle.com/cd/E93129_01/

Oracle Database 12c Security and Compliance: https://www.oracle.com/webfolder/s/delivery_production/images/FY16H2/image23/security-compliance-wp-12c.pdf

Security Checklist: 10 Basic Steps to Make Your Database Secure from Attacks (Doc ID 1545816.1)


Database Security Assessment Tool

Q&A


http://arisant.com

303-330-4065