Changes in This Release for Oracle Database Security Assessment Tool

Oracle Database Security Assessment Tool 3.1.0 (January 2024) focuses on addressing the Center for Internet Security (CIS) Benchmark v1.2 for Oracle Database 19c recommendations. DBSAT 3.1 adds 10 findings based on CIS recommendations, with updated references, as necessary. There is also a new finding for pre-authenticated URL request details in Autonomous Database Serverless, along with other minor improvements.

  • New findings:
    • USER.DEFAULTPROFILE

      Lists the DEFAULT user profile limits.

    • PRIV.NETPACKAGEPUBLIC

      Checks for EXECUTE grant on DBMS_LDAP, UTL_HTTP, UTL_INADDR, UTL_SMTP, and UTL_TCP packages to PUBLIC. It also checks, when applicable, for users who are authorized to execute these packages via ACLs.

    • PRIV.FILESYSTEMPACKAGEPUBLIC

      Checks for EXECUTE grant on DBMS_LOB, UTL_FILE, and DBMS_ADVISOR packages to PUBLIC. It also checks for system privilege grants of CREATE ANY DIRECTORY and DROP ANY DIRECTORY to users.

    • PRIV.ENCRYPTPACKAGEPUBLIC

      Checks for EXECUTE grant on DBMS_CRYPTO, DBMS_OBFUSCATION_TOOLKIT, and DBMS_RANDOM to PUBLIC.

    • PRIV.JAVAPACKAGEPUBLIC

      Checks for EXECUTE grant on DBMS_JAVA and DBMS_JAVA_TEST packages to PUBLIC. Also, it checks for grants of JAVA_ADMIN role to users.

    • PRIV.JOBSCHPACKAGEPUBLIC

      Checks for DBMS_SCHEDULER and DBMS_JOB EXECUTE grants to PUBLIC and Scheduler/Job system privileges (CREATE JOB, MANAGE SCHEDULER, CREATE EXTERNAL JOB, CREATE ANY JOB) grants to PUBLIC.

    • PRIV.QUERYPACKAGEPUBLIC

      Checks for EXECUTE grant on DBMS_XMLQUERY, DBMS_XMLSAVE, DBMS_XMLSTORE, DBMS_REDACT, DBMS_XMLGEN, and DBMS_SQL packages to PUBLIC.

    • PRIV.CREDPACKAGEPUBLIC

      Checks for EXECUTE grant on DBMS_CREDENTIAL package to PUBLIC. It also checks for privilege grants of CREATE CREDENTIAL and CREATE ANY CREDENTIAL to users.

    • AUDIT.SYNONYMS

      Checks whether CREATE, ALTER, and DROP SYNONYM statements are audited.

    • CONF.DEFAULTPDBOSUSER

      Checks for the operating system user defined in PDB_OS_CREDENTIAL.

    • CONF.PREAUTHREQUESTURL

      Displays pre-authenticated URL information for Autonomous Database Serverless databases including who can manage them via the DBMS_DATA_ACCESS package.

  • Improved findings:
    • USER.NOEXPIRE

      Improved logic and summary.

    • USER.APPOWNER

      Optimizations to improve performance and reduce the level of detail.

    • ENCRYPT.TDE

      Updated remarks to clarify the usage of the TABLESPACE_ENCRYPTION parameter, and added recommendations for upgrading to Oracle Database 23c when a de-supported algorithm is in use.
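
The PUBLIC-grant findings above all reduce to the same kind of dictionary query. The following SQL is an added example, not DBSAT's own code, that reproduces the checks behind PRIV.NETPACKAGEPUBLIC and PRIV.FILESYSTEMPACKAGEPUBLIC (package lists taken from the finding descriptions); it assumes a session with SELECT access to the DBA_* views on Oracle Database 12c or later.

```sql
-- Added example, not a DBSAT query: manual equivalent of the
-- PRIV.NETPACKAGEPUBLIC and PRIV.FILESYSTEMPACKAGEPUBLIC checks.
-- Run as a user that can read the DBA_* views (e.g. a DBA role).

-- 1. EXECUTE on the listed SYS packages granted directly to PUBLIC.
SELECT owner, table_name AS package_name, grantee, grantor, grantable
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND owner     = 'SYS'
   AND table_name IN ('DBMS_LDAP', 'UTL_HTTP', 'UTL_INADDR',   -- network packages
                      'UTL_SMTP', 'UTL_TCP',
                      'DBMS_LOB', 'UTL_FILE', 'DBMS_ADVISOR')  -- file system packages
 ORDER BY table_name;

-- 2. Directory system privileges held by user-created (non Oracle-maintained)
--    accounts; ORACLE_MAINTAINED = 'N' filters out the built-in schemas.
SELECT sp.grantee, sp.privilege, sp.admin_option
  FROM dba_sys_privs sp
  JOIN dba_users u ON u.username = sp.grantee
 WHERE sp.privilege IN ('CREATE ANY DIRECTORY', 'DROP ANY DIRECTORY')
   AND u.oracle_maintained = 'N'
 ORDER BY sp.grantee, sp.privilege;

-- 3. Principals granted network access through ACLs, which is the
--    "when applicable" part of PRIV.NETPACKAGEPUBLIC. Access control
--    entries are listed per host and port range in DBA_HOST_ACES.
SELECT principal, privilege, host, lower_port, upper_port
  FROM dba_host_aces
 WHERE grant_type = 'GRANT'
   AND LOWER(privilege) IN ('connect', 'resolve', 'http', 'smtp')
 ORDER BY principal, host;
```

Query 1 reports only direct grants to PUBLIC; grants reaching PUBLIC through a role would need a join against DBA_ROLE_PRIVS.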

Known Issues

MS Excel Font Size Display

Some versions of Microsoft Excel may display text on the screen using a font that is too large to fit in the spreadsheet cells, even though it is sized correctly in printed output. If this happens, you can resize columns to be slightly wider in order to make the text visible.
