Changes in This Release for Oracle Database Security Assessment Tool
Oracle Database Security Assessment Tool 3.1.0 (January 2024) focuses on addressing the recommendations of the Center for Internet Security (CIS) Benchmark v1.2 for Oracle Database 19c. DBSAT 3.1 adds 10 findings based on CIS recommendations, with updated references where necessary. There is also a new finding for pre-authenticated URL request details in Autonomous Database Serverless, along with other minor improvements.
- New findings:
USER.DEFAULTPROFILE
Lists the DEFAULT user profile limits.
PRIV.NETPACKAGEPUBLIC
Checks for EXECUTE grant on DBMS_LDAP, UTL_HTTP, UTL_INADDR, UTL_SMTP, and UTL_TCP packages to PUBLIC. It also checks, when applicable, for users who are authorized to execute these packages via ACLs.
PRIV.FILESYSTEMPACKAGEPUBLIC
Checks for EXECUTE grant on DBMS_LOB, UTL_FILE, and DBMS_ADVISOR packages to PUBLIC. It also checks for system privilege grants of CREATE ANY DIRECTORY and DROP ANY DIRECTORY to users.
PRIV.ENCRYPTPACKAGEPUBLIC
Checks for EXECUTE grant on DBMS_CRYPTO, DBMS_OBFUSCATION_TOOLKIT, and DBMS_RANDOM to PUBLIC.
PRIV.JAVAPACKAGEPUBLIC
Checks for EXECUTE grant on DBMS_JAVA and DBMS_JAVA_TEST packages to PUBLIC. Also, it checks for grants of JAVA_ADMIN role to users.
PRIV.JOBSCHPACKAGEPUBLIC
Checks for DBMS_SCHEDULER and DBMS_JOB EXECUTE grants to PUBLIC and Scheduler/Job system privileges (CREATE JOB, MANAGE SCHEDULER, CREATE EXTERNAL JOB, CREATE ANY JOB) grants to PUBLIC.
PRIV.QUERYPACKAGEPUBLIC
Checks for EXECUTE grant on DBMS_XMLQUERY, DBMS_XMLSAVE, DBMS_XMLSTORE, DBMS_REDACT, DBMS_XMLGEN, and DBMS_SQL packages to PUBLIC.
PRIV.CREDPACKAGEPUBLIC
Checks for EXECUTE grant on DBMS_CREDENTIAL package to PUBLIC. It also checks for privilege grants of CREATE CREDENTIAL and CREATE ANY CREDENTIAL to users.
AUDIT.SYNONYMS
Checks if create/alter/drop SYNONYM is audited.
CONF.DEFAULTPDBOSUSER
Checks for the operating system user defined in PDB_OS_CREDENTIAL.
CONF.PREAUTHREQUESTURL
Displays pre-authenticated URL information for Autonomous Database Serverless databases, including who can manage them via the DBMS_DATA_ACCESS package.
- Improved findings:
USER.NOEXPIRE
Improved logic and summary.
USER.APPOWNER
Optimizations to improve performance and reduce the level of detail.
ENCRYPT.TDE
Updated remarks to clarify the usage of the TABLESPACE_ENCRYPTION parameter and the recommendations for upgrading to Oracle Database 23c when you are using a de-supported algorithm.
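The grants that the new PRIV.*PACKAGEPUBLIC findings describe can also be listed by hand from the data dictionary. The query below is an added example, not DBSAT's own code: the package and privilege names are taken from the finding descriptions above, the column aliases are this example's own, and the ACL part of PRIV.NETPACKAGEPUBLIC is not covered.

```sql
-- Added example, not DBSAT's query. Needs read access to DBA_TAB_PRIVS,
-- DBA_SYS_PRIVS and DBA_ROLE_PRIVS. Grantees returned from DBA_SYS_PRIVS and
-- DBA_ROLE_PRIVS can be roles as well as users; review both.
SELECT finding, grantee, granted, source_view
FROM (
  -- EXECUTE on the packages named in the findings, granted to PUBLIC
  SELECT CASE
           WHEN table_name IN ('DBMS_LDAP','UTL_HTTP','UTL_INADDR','UTL_SMTP','UTL_TCP')
             THEN 'PRIV.NETPACKAGEPUBLIC'
           WHEN table_name IN ('DBMS_LOB','UTL_FILE','DBMS_ADVISOR')
             THEN 'PRIV.FILESYSTEMPACKAGEPUBLIC'
           WHEN table_name IN ('DBMS_CRYPTO','DBMS_OBFUSCATION_TOOLKIT','DBMS_RANDOM')
             THEN 'PRIV.ENCRYPTPACKAGEPUBLIC'
           WHEN table_name IN ('DBMS_JAVA','DBMS_JAVA_TEST')
             THEN 'PRIV.JAVAPACKAGEPUBLIC'
           WHEN table_name IN ('DBMS_SCHEDULER','DBMS_JOB')
             THEN 'PRIV.JOBSCHPACKAGEPUBLIC'
           WHEN table_name IN ('DBMS_XMLQUERY','DBMS_XMLSAVE','DBMS_XMLSTORE',
                               'DBMS_REDACT','DBMS_XMLGEN','DBMS_SQL')
             THEN 'PRIV.QUERYPACKAGEPUBLIC'
           WHEN table_name = 'DBMS_CREDENTIAL'
             THEN 'PRIV.CREDPACKAGEPUBLIC'
         END AS finding,
         grantee,
         'EXECUTE ON ' || owner || '.' || table_name AS granted,
         'DBA_TAB_PRIVS' AS source_view
  FROM dba_tab_privs
  WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE'
  UNION ALL
  -- System privileges named in the same findings
  SELECT CASE
           WHEN privilege LIKE '%ANY DIRECTORY' THEN 'PRIV.FILESYSTEMPACKAGEPUBLIC'
           WHEN privilege LIKE '%CREDENTIAL'    THEN 'PRIV.CREDPACKAGEPUBLIC'
           ELSE 'PRIV.JOBSCHPACKAGEPUBLIC'
         END, grantee, privilege, 'DBA_SYS_PRIVS'
  FROM dba_sys_privs
  WHERE privilege IN ('CREATE ANY DIRECTORY','DROP ANY DIRECTORY',
                      'CREATE CREDENTIAL','CREATE ANY CREDENTIAL')
     OR (grantee = 'PUBLIC' AND privilege IN ('CREATE JOB','MANAGE SCHEDULER',
                                              'CREATE EXTERNAL JOB','CREATE ANY JOB'))
  UNION ALL
  -- JAVA_ADMIN role grants (PRIV.JAVAPACKAGEPUBLIC)
  SELECT 'PRIV.JAVAPACKAGEPUBLIC', grantee, 'ROLE ' || granted_role, 'DBA_ROLE_PRIVS'
  FROM dba_role_privs
  WHERE granted_role = 'JAVA_ADMIN'
)
WHERE finding IS NOT NULL
ORDER BY finding, grantee, granted;
```

An empty result means none of the listed grants exist; each returned row is a grant to review against the matching finding in the DBSAT report.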
Downloading and Installing Oracle Database Security Assessment Tool
- To download the Oracle Database Security Assessment Tool, go to Oracle Technology Network, and click the Download Oracle Database Security Assessment Tool link.
- See Oracle Database Security Assessment Tool User Guide for information about completing the installation of Database Security Assessment Tool.
MS Excel Font Size Display
Some versions of Microsoft Excel may display text on the screen using a font that is too large to fit in the spreadsheet cells, even though it is sized correctly in printed output. If this happens, you can resize columns to be slightly wider in order to make the text visible.
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Oracle Database Security Assessment Tool Release Notes, Release 3.1.0
F22336-10
January 2024
Copyright © 2015, 2024, Oracle and/or its affiliates.
Primary Author: Dominique Jeunot
Contributors: Anant Bhasu, Abhinav Singh, Gopal Mulagund, Pedro Lopes, Shyamsundar KG, Vivek PV