Download DBSAT
Download it from here.
It is actually downloaded from MOS (My Oracle Support): Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1).
The latest version is 3.1.0 (July 2024); the file is named dbsat.zip and is close to 45MB.
$ ls -lh dbsat.zip
-rw-rw-r-- 1 oracle oinstall 45M Mar 21 03:40 dbsat.zip
DBSAT supports Linux, Windows, IBM AIX, HP-UX and Solaris.
The supported database versions are 11.2.0.4 or later.
Installing DBSAT
See the documentation here.
Log in as the oracle user.
mkdir ~/dbsat
unzip dbsat.zip -d ~/dbsat
Overview of the unzipped directory:
$ cd ~
[oracle@xy23ai ~]$ du -h dbsat
796K dbsat/xlsxwriter
232K dbsat/Discover/conf
4.5M dbsat/Discover/lib
60K dbsat/Discover/bin
4.8M dbsat/Discover
50M dbsat
The executables are all in the dbsat directory itself, so it can be added to PATH:
export PATH=$PATH:/home/oracle/dbsat
Using DBSAT
DBSAT can produce 2 kinds of report:
- Oracle Database Security Assessment Report
- Oracle Database Sensitive Data Assessment Report
The Collector and the Reporter are used to produce the "Oracle Database Security Assessment Report": the Collector gathers the data and the Reporter analyses what the Collector gathered. The architecture is as follows:
The Discoverer produces the "Oracle Database Sensitive Data Assessment Report". Its architecture is as follows:
When running DBSAT, the OS user is usually oracle and the database user is usually system (a dedicated user can also be used, but it must be granted the required privileges).
DBSAT syntax overview:
$ ./dbsat --help

Database Security Assessment Tool version 3.1 (July 2024)

Usage: dbsat collect [ -n ] <database_connect_string> <output_file>
       dbsat report [ -a ] [ -n ] [ -g ] [ -x <section> ] [ -u <user> ] <input_file>
       dbsat discover [ -n ] -c <config_file> <output_file>

Options: -a Report with all user accounts, including locked and schema-only,
            Oracle-supplied users
         -n No encryption for output
         -g Show all grants including Common Grants in a Pluggable Database
         -x Specify sections to exclude from report (may be repeated for
            multiple sections)
         -u Specify users to exclude from report
         -c Configuration file for discoverer
Running the Collector
The Collector must run on the server that hosts the database, because it executes some operating-system commands to gather process and file-system information that cannot be obtained from the database. It must also run as a user with read permission on the files and directories under ORACLE_HOME.
Most of the Collector's data comes from the database's system views.
Example run:
$ ./dbsat collect system@orclpdb output_orclpdb1

Database Security Assessment Tool version 3.1 (July 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

Connecting to the target Oracle database...

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Mar 21 05:28:21 2025
Version 19.16.0.0.0

Copyright (c) 1982, 2022, Oracle. All rights reserved.

Enter password:
Last Successful login time: Fri Mar 21 2025 04:11:55 +00:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.16.0.0.0

Setup complete.
SQL queries complete.
Warning: Exit status 256 from OS rule: dbcs_status
/bin/cat: /u01/app/oracle/product/19c/dbhome_1/network/admin/cman.ora: No such file or directory
Warning: Exit status 256 from OS rule: cman.ora
/bin/cat: /u01/app/oracle/product/19c/dbhome_1/ldap/admin/fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips1.ora
/bin/cat: /fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips2.ora
/bin/ls: cannot access '/u01/app/oracle/product/19c/dbhome_1/rdbms/log/diag': No such file or directory
Warning: Exit status 512 from OS rule: diag_dest_home
OS commands complete.
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.16.0.0.0
DBSAT Collector completed successfully.

Calling /u01/app/oracle/product/19c/dbhome_1/bin/zip to encrypt output_orclpdb1.json...

Enter password:          (password used to encrypt the output zip)
Verify password:         (password used to encrypt the output zip)
  adding: output_orclpdb1.json (deflated 79%)
zip completed successfully.
The "OS rule" warnings above come from host-side checks whose target file does not exist on this machine (no cman.ora, no fips.ora, no rdbms/log/diag directory); the Collector reports them and still completes successfully.
This step produces a zip archive, output_orclpdb1.zip, which contains a single JSON file:
$ unzip -l output_orclpdb1.zip
Archive:  output_orclpdb1.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   443823  03-21-2025 05:28   output_orclpdb1.json
---------                     -------
   443823                     1 file
Running the Reporter
Once collection is done, the report can be generated from the collected information. The Reporter's input can be either the JSON file or the compressed Collector output archive.
The Reporter is a Java program, so JAVA_HOME must be set first, for example:
$ java -version
java version "1.8.0_341"
Java(TM) SE Runtime Environment (build 1.8.0_341-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.341-b10, mixed mode)
$ export JAVA_HOME=/usr/java/jdk1.8.0_341-amd64
Example run:
$ ./dbsat report output_orclpdb1

Database Security Assessment Tool version 3.1 (July 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

Archive:  output_orclpdb1.zip
[output_orclpdb1.zip] output_orclpdb1.json password:      (password of the Collector output archive)
  inflating: output_orclpdb1.json
DBSAT Reporter ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password:          (password used to encrypt the Reporter output archive)
Verify password:         (password used to encrypt the Reporter output archive)
        zip warning: output_orclpdb1_report.zip not found or empty
  adding: output_orclpdb1_report.txt (deflated 74%)
  adding: output_orclpdb1_report.html (deflated 83%)
  adding: output_orclpdb1_report.xlsx (deflated 2%)
  adding: output_orclpdb1_report.json (deflated 80%)
zip completed successfully.
This command produces the archive output_orclpdb1_report.zip, with the following contents:
$ unzip -l output_orclpdb1_report.zip
Archive:  output_orclpdb1_report.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   152422  03-21-2025 05:35   output_orclpdb1_report.txt
   262187  03-21-2025 05:35   output_orclpdb1_report.html
    40085  03-21-2025 05:35   output_orclpdb1_report.xlsx
   192868  03-21-2025 05:35   output_orclpdb1_report.json
---------                     -------
   647562                     4 files
The report is produced in 4 formats with identical content; the HTML report is the recommended one to read.
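The Collector and Reporter steps above are run by hand, one after the other. As an added example (not DBSAT's own code and not part of the original post), the following POSIX shell script wraps that collect-then-report sequence: it checks JAVA_HOME before the Java-based Reporter is needed, keeps the Collector's console output in a log, and pulls the "Exit status N from OS rule: X" warnings out of that log so the operator can see which host-side checks produced no data. It assumes dbsat is on PATH as set up in the installation section; the connect string and output name are the post's own values and the function names are invented here.

```shell
#!/bin/sh
# Added example, not DBSAT code: wrap "dbsat collect" + "dbsat report"
# with the prerequisite checks described in the post.
# Assumed: the dbsat directory is on PATH (export PATH=$PATH:/home/oracle/dbsat).

# Return 0 if JAVA_HOME points at a directory with an executable bin/java.
check_java_home() {
    [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ]
}

# Print the major version from a "java -version" banner line:
#   java version "1.8.0_341"   -> 8
#   openjdk version "17.0.2"   -> 17
java_major_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([0-9.]*\).*/\1/p' |
        awk -F. '{ if ($1 == 1) print $2; else print $1 }'
}

# Read a Collector log on stdin and print "rule<TAB>status" for each
# "Warning: Exit status N from OS rule: X" line (status is field 4,
# rule name is the last field).
failed_os_rules() {
    awk '/^Warning: Exit status [0-9]+ from OS rule:/ { print $NF "\t" $4 }'
}

# Run the Collector on the database host, then the Reporter.
# Arguments: connect string (e.g. system@orclpdb) and output name
# (e.g. output_orclpdb1). The zip password prompts stay interactive.
run_assessment() {
    connect="$1"
    out="$2"
    log="${out}_collect.log"

    check_java_home || { echo "JAVA_HOME does not point at a JDK/JRE" >&2; return 1; }

    # Collector warnings go to the console; keep a copy in the log.
    dbsat collect "$connect" "$out" 2>&1 | tee "$log"
    grep -q 'DBSAT Collector completed successfully' "$log" || return 1

    echo "OS rules that could not be evaluated on this host:"
    failed_os_rules < "$log"

    dbsat report "$out"
}
```

For unattended runs the help text's -n option turns off the zip encryption of both outputs; the tool's own banner warns that the JSON and reports can contain sensitive configuration detail, so an unencrypted output then needs to be protected by other means before it leaves the host.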
Running the Discoverer
The Discoverer is used to analyse sensitive data in the database; its full name should really be the Sensitive Data Discoverer.
Unlike the Collector and the Reporter, the database connection details must be written in a configuration file under the Discover/conf directory.
Since it only needs a connection to the database, the Discoverer can run on a host other than the database host.
For example, copy the sample configuration file and modify it:
cd Discover/conf
cp sample_dbsat.config custom_dbsat.config
The parts that need changing are the following; the other parameters keep their defaults:
TNS_ADMIN = /u01/app/oracle/product/19c/dbhome_1/network/admin
NET_SERVICE_NAME = orclpdb
Example run:
$ ./dbsat discover -c Discover/conf/custom_dbsat.config orclpdb1

Database Security Assessment Tool version 3.1 (July 2024)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

Enter username: system
Enter password:
DBSAT Discover ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password:          (password used to encrypt the output archive)
Verify password:         (password used to encrypt the output archive)
        zip warning: orclpdb1_report.zip not found or empty
  adding: orclpdb1_discover.html (deflated 72%)
  adding: orclpdb1_discover.csv (deflated 30%)
Zip completed successfully.
The output contains 2 files:
$ unzip -l orclpdb1_report.zip
Archive:  orclpdb1_report.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    11312  03-21-2025 06:12   orclpdb1_discover.html
      137  03-21-2025 06:12   orclpdb1_discover.csv
---------                     -------
    11449                     2 files
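The configuration step above is a manual copy-and-edit of sample_dbsat.config. As an added example (not DBSAT's own code and not part of the original post), the following POSIX shell script does the same thing repeatably: it copies the sample file and rewrites only the TNS_ADMIN and NET_SERVICE_NAME lines, refusing to touch a key that is not already in the file so that a typo cannot silently introduce a new setting, and then runs the Discoverer against the result. Only those two keys and their "KEY = value" layout are known from the post; the rest of the sample file's content is assumed, and the function names are invented here.

```shell
#!/bin/sh
# Added example, not DBSAT code: build a Discoverer config from the sample
# by changing only TNS_ADMIN and NET_SERVICE_NAME, then run the Discoverer.
# Assumed: the sample uses one "KEY = value" setting per line.

# set_config_value FILE KEY VALUE
# Rewrite the existing "KEY = ..." line in FILE. Fails if KEY is absent.
# VALUE must not contain '|' or '&' (sed delimiter / replacement specials).
set_config_value() {
    file="$1"; key="$2"; value="$3"
    grep -q "^${key}[[:space:]]*=" "$file" || {
        echo "key $key not found in $file" >&2
        return 1
    }
    tmp="${file}.tmp"
    sed "s|^\(${key}[[:space:]]*=\).*|\1 ${value}|" "$file" > "$tmp" &&
        mv "$tmp" "$file"
}

# get_config_value FILE KEY
# Print the current value of KEY (empty if the key has no value).
get_config_value() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# make_discover_config SAMPLE OUT TNS_ADMIN NET_SERVICE_NAME
# Copy SAMPLE to OUT and set the two connection keys; other lines are kept.
make_discover_config() {
    cp "$1" "$2" || return 1
    set_config_value "$2" TNS_ADMIN "$3" &&
        set_config_value "$2" NET_SERVICE_NAME "$4"
}

# run_discover CONFIG OUTPUT_NAME
# The Discoverer only needs a SQL*Net path to the database (via TNS_ADMIN),
# so this may run on a host other than the database server.
run_discover() {
    dbsat discover -c "$1" "$2"
}

# Typical use, with the post's values (dbsat assumed to be on PATH):
#   make_discover_config Discover/conf/sample_dbsat.config \
#       Discover/conf/custom_dbsat.config \
#       /u01/app/oracle/product/19c/dbhome_1/network/admin orclpdb
#   run_discover Discover/conf/custom_dbsat.config orclpdb1
```

Keeping the connection details in a generated file rather than in a hand-edited copy also makes it easy to review what the Discoverer will connect to before the username and password are typed at its prompts.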
Below is the report generated from the Oracle 19c Sample Schema: