Introduction
DBSAT is an Oracle-provided command-line tool that evaluates how securely your database is configured. DBSAT considers such things as user roles and entitlements, security policies, and security controls. DBSAT is an easy first step to help the DBA mitigate potential security risks on sensitive databases. DBSAT reports identify short-term risks so that the DBA and cyber-security team can implement a comprehensive security strategy.
In this article, we discuss:
• DBSAT & its components
• Implementation
• Report output
• How to interpret the results
DBSAT in action
DBSAT has three components: Collector, Reporter, and Discoverer. Collector and Reporter work together to discover risk areas and produce a report on those risk areas, the "Database Security Assessment Report." The Discoverer is a stand-alone module used to locate and report on sensitive data. Its output is called the "Database Sensitive Data Assessment Report."
Implementation
First, create a database user who has all the privileges DBSAT requires to collect data. Keep in mind that the Collector needs to execute on the server where the database resides.
User Setup
grant create session to dbsat identified by oracle;
grant select on sys.registry$history to dbsat;
grant select_catalog_role to dbsat;
grant audit_viewer to dbsat;
grant capture_admin to dbsat;
grant select on sys.dba_users_with_defpwd to dbsat;
grant select on audsys.aud$unified to dbsat;
Installation
First, go to http://www.oracle.com/technetwork/database/security/dbsat.html and download the dbsat zip file. Copy it to the destination directory on your database server and simply extract the file dbsat.zip.
To install the Database Security Assessment Tool:
Log in to the database server as the Oracle home owner:
mkdir -p /home/dbsat/102
mv dbsat.zip /home/dbsat/102/
cd /home/dbsat/102
unzip dbsat.zip
Execute the DBSAT collector:
./dbsat collect dbsat/oracle@test_database oracle_db
The time it takes to complete depends on the hardware and the data that needs to be collected. A database that has thousands of users and roles might take hours to run. It might take between 2 and 5 minutes. At the end of the process, you’ll be asked to provide a password twice; please do not forget it, as you’ll need it when running dbsat report.
A file named oracle_db.zip is created in the directory (/home/dbsat/102).
There is no need to unzip the file. The DBSAT reporter will take either the json file (if -n was used) or the zip file.
Analyze Results
The DBSAT reporter takes as input the file generated by the collector (json or zip file) and produces one zip file containing three reports in different formats: HTML, spreadsheet, and text. Execute dbsat to collect data from the database.
./dbsat report -a oracle_db
DBSAT will prompt the user for one password – the password used when running the collector so it can unzip the file – followed by another password prompt that will be used to protect the reports zip file, plus the password confirmation.
You end up with the results of the analysis inside a password-protected zip file named orcl_hol_report.zip.
Unzip the file to assess the reports:
unzip orcl_hol_report.zip
Analyze the generated report. The reporter provides its analysis in the form of “findings”. For each finding, the report gives the following information:
» Unique ID for the Rule: The ID has two parts: the prefix identifies the report section, and the suffix identifies the specific rule.
» Status: You can use the status values as guidelines for implementing DBSAT recommendations. They can be used to prioritize and schedule changes based on the level of risk, and what it might mean to your organization. Severe risk might require immediate remedial action, whereas other risks might be fixed during a scheduled downtime, or bundled together with other maintenance activities.
• Pass: no error found
• Evaluate: needs manual analysis
• Some Risk: low
• Significant Risk: medium
• Severe Risk: high
• Opportunity (Opportunity for Improvement): improve security posture by enabling additional security features and technology.
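The status values above can be turned into a remediation worklist. The following is an added example, not part of DBSAT or of the original article: it assumes the findings were exported as CSV with rule_id, status and title columns and that the two parts of the ID are separated by a dot. The sample rows, IDs and titles are constructed.

```python
import csv
import io
from collections import defaultdict

# Status values from the article, most urgent first. The numeric ranks are
# an assumption of this example, not something DBSAT emits.
STATUS_RANK = {"Severe Risk": 0, "Significant Risk": 1, "Some Risk": 2,
               "Evaluate": 3, "Opportunity": 4, "Pass": 5}

# Constructed sample export (assumed layout); IDs and titles are made up.
SAMPLE_CSV = """rule_id,status,title
SECA.R1,Pass,Constructed finding one
SECB.R2,Severe Risk,Constructed finding two
SECA.R3,Evaluate,Constructed finding three
SECC.R4,Some Risk,Constructed finding four
SECB.R5,Significant Risk,Constructed finding five
SECC.R6,Opportunity,Constructed finding six
SECD-R7,Severe Risk,Constructed row with a malformed id
SECA.R8,Critical,Constructed row with an unknown status
"""


def triage(csv_text):
    """Return (worklist, by_section, rejected) for a findings export."""
    ranked, rejected = [], []
    by_section = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        rule_id, status = row["rule_id"].strip(), row["status"].strip()
        section, sep, rule = rule_id.partition(".")  # prefix = report section
        # Fail closed: a row that cannot be classified is reported, not guessed.
        if not (section and sep and rule) or status not in STATUS_RANK:
            rejected.append(rule_id)
            continue
        if status == "Pass":
            continue  # no action needed
        ranked.append((STATUS_RANK[status], rule_id, status, row["title"]))
        by_section[section].append(rule_id)
    ranked.sort()  # most urgent first, ties broken by rule id
    return [r[1:] for r in ranked], dict(by_section), rejected


if __name__ == "__main__":
    work, sections, bad = triage(SAMPLE_CSV)
    for rule_id, status, title in work:
        print(f"{status:17} {rule_id:8} {title}")
    print("open findings by section:", sections)
    print("rows needing manual review:", bad)
```

Rows with an unrecognized status or an ID that does not split into section and rule are returned separately so they are reviewed by hand rather than silently dropped or ranked.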
The top 10 findings from running Database Security Assessments:
1. No Database Security Policies / Strategy in place
2. No patching/patch management policy in place
3. No encryption of sensitive/regulated data
4. No monitoring/auditing in place
5. Over-privileged accounts; No personalized accounts; No SoD
6. Weak/nonexistent password policies; Weak password management
7. Data sent in clear to third parties
8. No OS hardening
9. No sensitive data anonymization in production to DEV/TEST/Training/etc.
10. Still some sample schemas in production environments out there
Challenge
A database that is not configured properly provides easy access to hackers. How will you identify the loopholes before hackers find them and exploit them to access your database?
It’s now time to move to the Database Security Assessment Tool and find out how it could help to identify misconfigurations, users, roles, privileges and the overall security status.
Conclusion
It reduces risk exposure through best practices. There is no need to pay any additional cost to Oracle Support; it’s totally free and quick to deploy. This tool supports database versions 10g to 18c. I can say it’s a user-friendly tool which assesses the present security position of the database before it is exposed to hackers, and is clever enough to identify sensitive data to determine risk and appropriate security controls.