Changes in This Release for Oracle Database Security Assessment Tool

The Oracle Database Security Assessment Tool 4.0 (July 2025) release has been enhanced to address the Defense Information Systems Agency (DISA) Oracle Database 19c Security Technical Implementation Guide (STIG) V1R1 requirements.

  • Highlights
    • Expanded Compliance: Enhanced support for DISA STIG for Oracle Database 19c and new checks for Oracle Database 23ai features, CDB$ROOT, and Database Vault.

    • Direct Documentation Links: Each DBSAT finding now includes direct links to Oracle Database 19c and 23ai documentation, allowing in-context investigation and quicker remediation.

    • Enhanced Security Coverage: Adds 13 new security checks and improves existing ones, further strengthening Oracle Database security posture.

  • New checks:
    • USER.LOCALAUTH (STIG)

      Identifies users authenticated locally and managed by the database.

    • USER.NEW (STIG)

      Identifies users who have not logged in.

    • USER.TOEXPIRE

      Checks for users with passwords about to expire (30 days)

    • PRIV.CONTAINERACCESS

      Lists users with the SET CONTAINER privilege

    • PRIV.SCHEMA

      Helps with moving ANY system privileges to schema-level privileges.

    • AUTHZ.DATABASEVAULTSOD

      Database Vault roles segregation of duties

    • CONF.ASSESSMENT (STIG)

      Ensures all DBSAT findings are reviewed, as referenced by the STIG.

    • CONF.DATABASEVAULT

      Checks Database Vault configuration integrity, including invalid objects and dangling rules/rulesets.

    • CONF.DIRECTORYSEPARATION (STIG)

      Checks the location of data files, audit files, and redo files.

    • CONF.LOCKDOWNPROFILES

      PDB lockdown profile settings

    • CONF.RESOURCEMANAGER

      Lists resource manager plans and users that can manage them

    • CONF.SGA

      Checks for OSDBA group access to the SGA

    • OS.LISTENERPORTS (STIG)

      Checks for known Listener ports

  • Updated sections/checks:
    • Database Identity table: Database startup time and time zone.

    • INFO.PATCH: Enhanced with CVE detection for comprehensive vulnerability assessment.

    • User Accounts table: New column highlights read-only users.

    • USER.SHARED: Improved representation of Proxy Users

    • USER.TABLESPACE: Includes a check for indexes, partitions, clusters, and other objects in the SYSAUX and SYSTEM tablespaces

    • PRIV.DBA: Now includes proxy users

    • PRIV: All findings updated to better represent the privileges granted via the DBA role

    • AUDIT: All findings now highlight Traditional Audit desupport notice

    • ACCESS.REDACT: Now includes a check on the ADMINISTER REDACTION POLICY privilege

    • ENCRYPT.TDE: Lists tablespaces in XTS Encryption Mode (23ai only)

    • ACCESS.LABELSECURITY: Highlight risk with LBACSYS owned DML triggers

    • CONF.DATABASELINKS: Moved container IDs to container names

    • Status ratings: Improved for findings such as AUTHZ.PASSWORDSCRIPTS

    • All findings: Documentation links added for Oracle Database 19c and 23ai targets.

  • New command line options:
    • DBSAT extract: New utility for compression and encryption, replacing zip/unzip dependencies.

    • -f <file_format>: Generates the report in only the one specified format (JSON, HTML, TXT, XLSX).

    • -d: Display additional diagnostics and generate a log file.

    • -r: Limit the maximum number of rows collected per collector query (minimum value: 1).

  • Discoverer Updates
    • Improved Sensitivity Patterns: Updated English patterns to reduce false positives.

    • Enhanced Report Details: Report now includes view columns in both summary and detailed tables.

    • New output format: Reports can now be generated in JSON.

  • General:
    • JRE Requirement: Java Runtime Environment (JRE) 17 (jdk17) is now the minimum prerequisite.

    • Best Practices Terminology: "Oracle Best Practices (OBP)" findings are now labeled "Oracle Recommended Practices (ORP)".

Downloading and Installing Oracle Database Security Assessment Tool

  • To download the Oracle Database Security Assessment Tool, visit oracle.com, and click the Download DBSAT link. Alternatively, go to My Oracle Support and browse Doc ID 2138254.1.

Known Issues

MS Excel Font Size Display

Some versions of Microsoft Excel may display text on the screen in a font too large to fit in spreadsheet cells, even though it prints at the correct size. If this happens, resize the columns slightly to make the text visible.
