How to run DBSAT on RAC Instances

Posted in: DBA Lounge, Oracle, Technical Track

The scope of this article is to give a brief summary of how to run the Oracle Database Security Assessment Tool (DBSAT) on an Oracle Real Application Clusters database, using the Reporter parameters that exclude sections so that the reports from the various nodes do not duplicate information. This is a sample based on a real-life execution. The DBSAT version used was 2.0.2, run against a two-node Oracle RAC on version 12.1.0.

1) Install DBSAT:
If you don’t have binaries already, then get DBSAT from the Oracle support website (license-free for all Oracle clients). The following is the Document ID:

Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)

User Guide Document:
https://docs.oracle.com/cd/E93129_01/SATUG/toc.htm#SATUG-GUID-EF4C8FC3-1EF2-45AC-BE07-26CCFA059E53

Then ensure the server where you installed the Oracle Client has the appropriate Python version (and, if you are planning to run the Discoverer option, check the Java version as well). This version of DBSAT (2.0.2) requires Python 2.6 or later, and because the Discoverer is a Java program it needs the Java Runtime Environment (JRE) 1.8 (jdk8-u172) or later. (Note: the Discoverer is only required when you want to find sensitive / private data in your database.) Sample check:


$ python -V
Python 2.6.6
$ java -fullversion
openjdk full version "1.8.0_191-b12"
$

Installation is pretty simple: just unzip the binaries on each node. Since Oracle keeps releasing newer versions of DBSAT, I suggest you create a folder that includes the version in its name, e.g. /DBSAT_202. In the future, if you want to run a newer version, you can create a folder named for the next version, and so on.

You can run DBSAT as the SYS user, or create a dedicated user for its execution and grant it the required privileges.

Check the documentation and ensure that you have granted the required privileges to the DBSAT database user according to the Oracle version:

https://docs.oracle.com/cd/E93129_01/SATUG/toc.htm#SATUG-GUID-EF4C8FC3-1EF2-45AC-BE07-26CCFA059E53

The following is a summary of the required privileges and roles:


CREATE SESSION*
READ or SELECT on SYS.REGISTRY$HISTORY
Role AUDIT_VIEWER (12c and later)
Role CAPTURE_ADMIN (12c and later)
READ or SELECT on SYS.DBA_USERS_WITH_DEFPWD (11g and later)
READ or SELECT on AUDSYS.AUD$UNIFIED (12c and later)
Role SELECT_CATALOG_ROLE (only if you need to run the Discoverer component)
Role DV_SECANALYST (if Database Vault is enabled and you need to run the Discoverer component)


2) Run The Collector:
If you get errors related to the zip program, edit the dbsat.sh script and update the path as required. Note: the commented-out lines are the original settings in the script; since DBSAT was run on all nodes, you may need to set the zip and unzip variables on each node and run the Collector in the same way:


vi dbsat
# Default location of zip and unzip. May be modified if necessary.
#ZIP=/usr/bin/zip
#UNZIP=/usr/bin/unzip
ZIP=/u01/app/oracle/product/12.1.0/db/bin/zip
UNZIP=/u01/app/oracle/product/12.1.0/db/bin/unzip
DBZIP=${ORACLE_HOME}/bin/zip

The first argument is the component (Collector, Reporter or Discoverer, invoked as collect, report or discover), the second is the connection string and the third is the output file name:

[Node1]$ ./dbsat collect dbsatuser@Instance1 Instance1_DBSAT_Node1

[Node2]$ ./dbsat collect dbsatuser@Instance2 Instance2_DBSAT_Node2

Another way is to use SYS, for example, with Oracle’s Easy Connect Naming Method EZCONNECT:

$ ./dbsat collect 'sys/PASSWORD@//hostname/Service_Name as sysdba' ServiceName_DBSAT_HostName


3) Run The Reporter:
The Reporter can be executed from any server or machine. There is no need for connectivity to the instance; just ensure you have copied the JSON output file from the Collector. This is where the RAC-specific difference comes in. Since there is no need to report the same database recommendations from each node (they will be identical), it is better to report everything from Node1 and then exclude the DB sections from the other nodes:

[Node1]$ ./dbsat report -a /home/oracle/working/DBSAT_202/Instance1_DBSAT_Node1

[Node2]$ ./dbsat report -x USER,PRIV,AUTH,CRYPT,ACCESS,AUDIT /home/oracle/working/DBSAT_202/Instance2_DBSAT_Node2

On each node, four reports will be created, with the formats HTML, TXT, XLSX and JSON.

In the above sample, the reports from Node1 will show all recommendations: Patching, Database, OS, Network and others.

Reports from Node2 will skip the DB recommendations, since they would be the same as from Node1, but will still show recommendations on Patching, OS, Network and others.
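A wrapper for steps 2 and 3 above, added here as an example and not code from the original post or from Oracle's DBSAT kit: it builds the Collector command for each node and gives only the first node the full report, with the other nodes excluding the database sections via -x. The ssh user, the host names node1 and node2, the DBSAT_HOME path and the dbsatuser account are assumptions; DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the original post or from Oracle's DBSAT kit):
# drive the Collector and Reporter across a RAC so that only the first
# node reports the database sections and the other nodes skip them.
# Assumptions: DBSAT 2.0.2 is unzipped in DBSAT_HOME on every node, nodes
# are reachable over ssh as "oracle", and the Collector connects as the
# dedicated DBSAT user (sqlplus prompts for the password, so it never
# appears on the command line or in shell history).
DBSAT_HOME=${DBSAT_HOME:-/home/oracle/working/DBSAT_202}
# Database-level sections: identical on every node, so report them once.
DB_SECTIONS="USER,PRIV,AUTH,CRYPT,ACCESS,AUDIT"

# Collector command for one node: component, connect string, output name.
collect_cmd() { # $1 = DBSAT db user, $2 = instance, $3 = node name
  printf '%s/dbsat collect %s@%s %s_DBSAT_%s\n' \
    "$DBSAT_HOME" "$1" "$2" "$2" "$3"
}

# Reporter command: node 1 gets -a (everything), later nodes get -x.
report_cmd() { # $1 = node index starting at 1, $2 = Collector output name
  if [ "$1" -eq 1 ]; then
    printf '%s/dbsat report -a %s/%s\n' "$DBSAT_HOME" "$DBSAT_HOME" "$2"
  else
    printf '%s/dbsat report -x %s %s/%s\n' \
      "$DBSAT_HOME" "$DB_SECTIONS" "$DBSAT_HOME" "$2"
  fi
}

# Prerequisite from the text: the Collector needs Python 2.6 or later.
python_ok() { # $1 = output of `python -V`, e.g. "Python 2.6.6"
  ver=${1#Python }; major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
  [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 6 ]; }
}

# Run both steps on every node; arguments after the user are node:instance
# pairs. With DRY_RUN=1 the commands are only printed instead of executed.
run_all() { # $1 = DBSAT db user, $2... = node:instance
  user=$1; shift; i=1
  for pair in "$@"; do
    node=${pair%%:*}; inst=${pair#*:}; out="${inst}_DBSAT_${node}"
    for cmd in "$(collect_cmd "$user" "$inst" "$node")" "$(report_cmd "$i" "$out")"; do
      if [ "${DRY_RUN:-0}" = 1 ]; then echo "$node: $cmd"
      else ssh -t "oracle@$node" "cd $DBSAT_HOME && $cmd"; fi
    done
    i=$((i + 1))
  done
}

DRY_RUN=1 run_all dbsatuser node1:Instance1 node2:Instance2
```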


4) Run the Discoverer:
This component looks for sensitive data in tables and columns, so it needs to run on only one of the nodes. You will first need to set JAVA_HOME; below is a sample of the execution syntax:

[Node1]$ ./dbsat discover -c /home/oracle/working/DBSAT_202/Discover/conf/RAC_dbsat.config Instance1_DBSAT_Node1_Discoverer

The file “sample_dbsat.config” needs to be updated in order to connect to the database. In the above sample, I took a copy as “RAC_dbsat.config” and edited it. You will also find the search patterns for sensitive data in the file sensitive_en.ini. I have a separate blog post dedicated to how to run the Discoverer component: https://blog.pythian.com/oracle-dbsat-discoverer-feature/

I also recommend checking the following blog post, where I summarize the new features of the latest DBSAT version, 2.1.0: https://blog.pythian.com/running-new-oracle-dbsat-version-2-1-0-against-autonomous-database/


References:
https://blogs.oracle.com/cloudsecurity/database-security-assessment-tool-dbsat-21-is-now-available
https://www.oracle.com/a/tech/docs/dbsec/dbsat/dbsat-public-faq-mar2019.pdf
https://www.oracle.com/database/autonomous-database.html
https://blog.pythian.com/oracles-database-security-assessment-tool-dbsat-version-2-2-0-1/
https://blog.pythian.com/oracle-dbsat-discoverer-feature/
https://blog.pythian.com/running-new-oracle-dbsat-version-2-1-0-against-autonomous-database/
https://blog.pythian.com/how-to-run-dbsat-against-oracle-rds-database/
