23 Oracle Database Security Assessment Tool Compliance Standard
The Oracle Database Security Assessment Tool (DBSAT) is a popular command-line tool that identifies areas where your database configuration, operation, or implementation introduces risk. DBSAT recommends changes and controls to mitigate risks. DBSAT helps assess how securely the database is configured, determines who the users and their entitlements are, and identifies where sensitive data resides within the database.
With Oracle Enterprise Manager 24.1ai Release 1 (24.1), DBSAT 3.1 is integrated as a Compliance Standard. This allows you to associate your database targets, run the security assessment through the existing Compliance functionality, and view its results directly in Enterprise Manager through the Security Assessment Report.
The Sensitive Data Assessment report is also available for EM 24.1ai, further enhancing DBSAT offerings in Enterprise Manager. There are no additional DBSAT association actions to be performed to generate this second report.
With EM 24.1ai, DBSAT can also be used with Pluggable databases (PDB) and Real Application Cluster (RAC) databases.
Note:
DBSAT rules will show as user-defined rules, but will work as system-defined rules. For these rules to function properly you need to deploy configuration extensions into the agent. For more information on configuration extensions see: Working with Configuration Extensions. For more information on DBSAT see: Oracle Database Security Assessment Tool.
Oracle DBSAT Compliance Standard Prerequisites
The following is a list of prerequisites required for Oracle DBSAT to be deployed as a Compliance Standard.
- Oracle DBSAT Compliance Standard in Enterprise Manager is supported only on host platforms running Oracle Linux 7 or later.
- The DBSAT Standard must be associated to the database target that is being monitored by the EM agent running on the same host OS.
- Oracle DBSAT Compliance Standard requires a minimum version of Oracle Enterprise Manager 13 Release 5 Update 5 (13.5.0.5) for single instance and CDBs. Oracle Enterprise Manager 13 Release 5 Update 22 (13.5.0.22) is required for PDBs and RAC databases.
- Oracle Enterprise Manager 13 Release 5 Update 11 (13.5.0.11) is required to use the Sensitive Data Assessment Report.
- Oracle DBSAT Compliance Standard requires PERL installed on the database target being monitored by the EM agent.
  - Verify PERL is installed:
    perl -v
    Note: If PERL is already installed in the database target being monitored by EM, there is no further action to be taken.
  - To install the PERL modules use the following commands:
    sudo yum -y install perl-DBI
    sudo yum install -y perl-XML-XPath
    If the installation is correct, the following messages will be displayed:
    Loaded plugins: langpacks, ulninfo
    Package perl-DBI-1.627-4.el7.x86_64 already installed and latest version
    Loaded plugins: langpacks, ulninfo
    Package perl-XML-XPath-1.13-22.el7.noarch
- In order for the integrated report to work with the Enterprise Manager integrated DBSAT, Python needs to be installed.
  - Unzip Python onto the server:
    yum install -y zip unzip python
  - Check the Python version installed, it must be 2.7.5 or higher:
    python -V
    It will return the installed version:
    Python 2.7.5
- If you are planning on using Discoverer with DBSAT, a Java 8 JDK environment is required. The JAVA_HOME environment variable needs to be set with the following command:
  JAVA_HOME=/u01/jdk1.8.0_181
For further information on prerequisites for the DBSAT tool see: Oracle Database Security Assessment Tool Prerequisites.
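A pre-flight script that checks the prerequisites listed above on a database host, as an added example (not Oracle's code). The function names and the `--run` switch are this example's own; it assumes Oracle Linux reports `ID="ol"` in `/etc/os-release` and that a Java 8 runtime reports its version as 1.8.x.

```shell
#!/bin/sh
# Added example: pre-flight check for the DBSAT Compliance Standard prerequisites.

ver_ge() {  # ver_ge A B: succeed when dotted numeric version A >= B
  _a=$1 _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*} _y=${_b%%.*}
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
  done
  return 0
}

os_ok() {  # os_ok FILE: succeed when FILE (os-release format) says Oracle Linux 7+
  _id=$(sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1")
  _ver=$(sed -n 's/^VERSION_ID="\{0,1\}\([0-9.]*\)"\{0,1\}$/\1/p' "$1")
  [ "$_id" = ol ] && [ -n "$_ver" ] && ver_ge "$_ver" 7
}

python_ok() {  # python_ok "$(python -V 2>&1)": succeed when version >= 2.7.5
  _v=$(printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9.]*\).*/\1/p')
  [ -n "$_v" ] && ver_ge "$_v" 2.7.5
}

# java8_ok "$(java -version 2>&1)": succeed for a 1.8.x Java
java8_ok() { case $1 in *'version "1.8.'*) return 0 ;; *) return 1 ;; esac; }

check() {  # check LABEL CMD...: run CMD quietly, print PASS/FAIL, count failures
  _label=$1; shift
  if "$@" >/dev/null 2>&1; then echo "PASS  $_label"
  else echo "FAIL  $_label"; fails=$((fails + 1)); fi
}

dbsat_preflight() {  # run all checks on this host; exit status = failure count
  fails=0
  check "Oracle Linux 7 or later" os_ok /etc/os-release
  check "perl installed"          perl -v
  check "perl DBI module"         perl -MDBI -e 1
  check "perl XML::XPath module"  perl -MXML::XPath -e 1
  # Python 2 prints its version on stderr, so capture both streams.
  check "python 2.7.5 or higher"  python_ok "$(python -V 2>&1)"
  if [ -n "${JAVA_HOME:-}" ]; then  # Java 8 is needed only for Discoverer
    check "JAVA_HOME is Java 8"   java8_ok "$("$JAVA_HOME/bin/java" -version 2>&1)"
  fi
  return "$fails"
}
if [ "${1:-}" = "--run" ]; then dbsat_preflight; fi
```

Run it with `--run` as the OS user that owns the EM agent, so the PATH and JAVA_HOME it sees match what the agent will see. The version comparison is numeric per field, so 2.7.18 is correctly treated as newer than 2.7.5.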
Oracle DBSAT Compliance Standard Results
DBSAT Compliance Standard Overview
Figure 23-1 DBSAT Compliance Standard Overview

DBSAT Compliance Standard Reports
- Navigate to Enterprise, highlight Compliance and click on Dashboard.
- In the Compliance Dashboard scroll down to the Compliance Summary and select either the Standards or Targets tab.
- Click on the number below Compliant Targets or Non-Compliant Targets.
- In the pop up select DBSAT Report for the raw HTML DBSAT report.
- In the DBSAT Report pop up there are two report options: Security Assessment Report and Sensitive Data Assessment Report. Click on the report of your choosing.
Figure 23-2 HTML Report Options

Figure 23-3 Oracle Database Security Assessment Report

Figure 23-4 Oracle Database Sensitive Data Assessment

To set up the Oracle DBSAT Compliance Standard see: About Compliance Standards in Oracle Enterprise Manager Database Lifecycle Management Administrator's Guide.
Oracle DBSAT Compliance Standard Known Issues
The following is a list of known issues and their most common solutions for Oracle DBSAT Compliance Standard.
- In some instances the Compliance score initially states 100% for all targets. There are several ways to verify that your Oracle DBSAT Compliance Standards are configured correctly:
  - Verify Run DBSAT settings:
    - From the Targets menu, select Databases. On the Databases page, select Database Name.
    - On the selected Database page, go to the Oracle Database drop down menu, select Configuration, then select Latest.
    - On the Database page with Identity Latest Configuration, click on Database, select Oracle Database Security Assessment Tool (2.2.2) Configuration then select 2_Run_DBSAT. This shows the current run execution of DBSAT; any errors will be listed here.
    Figure 23-5 Run DBSAT Settings
  - Verify DBSAT Result settings:
    - From the Targets menu, select Databases. On the Databases page, select Database Name.
    - On the selected database page, go to the Oracle Database drop down menu, select Configuration, then select Latest.
    - On the Database page with Identity Latest Configuration components, click on Database, select Oracle Database Security Assessment Tool (2.2.2) Configuration then select 3_Result_DBSAT. If the Source field is blank, DBSAT execution failed to generate valid results. Check the errors displayed in Run DBSAT for possible remediation.
    Figure 23-6 DBSAT Results Settings
- Required Data Available shows No even though a report was successfully generated. There are situations where the DBSAT script runs and creates the expected data and report, but the script also reports a non-zero exit status, which causes the Enterprise Manager agent to report an error. To verify, go to Enterprise, then select Compliance and click on Results. This opens the Compliance Results page, where every row represents one standard associated to a number of targets. Clicking a standard opens the results for that combination. For DBSAT, even when valid results data is obtained, the column shows No. This is because the DBSAT script reports a false error even though it managed to collect the required data.
Figure 23-7 Required Data Available
There is no remedial action to take. For DBSAT only, do not trust the Required Data Available column. Instead, verify the status of the actual DBSAT command by following the steps previously outlined.
- DBSAT data is sent by the DBSAT target every 24 hours. This data is collected in a central store by the management server as it arrives from each target. The Compliance Evaluation is performed every 4 hours by referring to the latest DBSAT data available in the central store at that time. To verify that the jobs are running properly, go to Enterprise, then Job and click on Activity. On the Jobs page, in the Available Criteria components panel, select Name and search by entering the value CCSREEVALDATA. The results show targets with their respective associated standards. If there are none, or some are missing, reassociate targets to their respective standards.
Figure 23-8 DBSAT Job Overview
- DBSAT and the Enterprise Manager integration tool do not work if there is a space character in the database monitoring user's password. Common database password guidelines discourage usage of a space character in passwords. To remedy this, change the password of the Oracle Database monitoring user (typically DBSNMP).