Oracle 数据库安全评估（DBSAT）简明过程

下载DBSAT

从这里下载。

实际是从MOS中下载，即：Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)。

最新版本为3.1.0 (July 2024)，名为dbsat.zip，近45MB。

$ ls -lh dbsat.zip
-rw-rw-r-- 1 oracle oinstall 45M Mar 21 03:40 dbsat.zip

DBSAT支持的操作系统包括LInux，Windows，IBM AIX，HP-UX和Solaris。
支持的数据库为11.2.0.4或以上。

安装DBSAT

文档参见这里。

以oracle用户登入。

mkdir ~/dbsat
unzip dbsat.zip -d ~/dbsat

解压目录概况：

$ cd ~
[oracle@xy23ai ~]$ du -h dbsat
796K    dbsat/xlsxwriter
232K    dbsat/Discover/conf
4.5M    dbsat/Discover/lib
60K     dbsat/Discover/bin
4.8M    dbsat/Discover
50M     dbsat

可执行程序都在dbsat里，因此可加入到PATH路径。

export PATH=$PATH:/home/oracle/dbsat

使用 DBSAT

DBSAT 可生成2类报告：

Oracle 数据库安全评估报告
Oracle 数据库敏感数据评估报告

收集器（Collector）和报告器（Reporter）用于生成“Oracle 数据库安全评估报告”。收集器收集数据，报告器分析收集器收集的数据。其架构如下：

在这里插入图片描述

发现器生成“Oracle 数据库敏感数据评估报告”。其架构如下：

在这里插入图片描述

运行DBSAT，OS用户通常用oracle，数据库用户通常用system（也可以用一特定用户，但需要赋权）。

DBSAT语法概览：

$ ./dbsat --helpDatabase Security Assessment Tool version 3.1 (July 2024)Usage: dbsat collect [ -n ] <database_connect_string> <output_file>dbsat report [ -a ] [ -n ] [ -g ] [ -x <section> ] [ -u <user> ] <input_file>dbsat discover [ -n ] -c <config_file> <output_file>Options:-a  Report with all user accounts, including locked and schema-only,Oracle-supplied users-n  No encryption for output-g  Show all grants including Common Grants in a Pluggable Database-x  Specify sections to exclude from report (may be repeated formultiple sections)-u  Specify users to exclude from report-c  Configuration file for discoverer

运行收集器

收集器必须在包含数据库的服务器上运行，因为它会执行一些操作系统命令来收集无法从数据库中获取的进程和文件系统信息。此外，必须以对 ORACLE_HOME 下的文件和目录具有读取权限。

收集器大部分的数据都来自数据库的系统视图。

运行示例：

$ ./dbsat collect system@orclpdb output_orclpdb1Database Security Assessment Tool version 3.1 (July 2024)This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.Connecting to the target Oracle database...SQL*Plus: Release 19.0.0.0.0 - Production on Fri Mar 21 05:28:21 2025
Version 19.16.0.0.0Copyright (c) 1982, 2022, Oracle.  All rights reserved.Enter password:Last Successful login time: Fri Mar 21 2025 04:11:55 +00:00Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.16.0.0.0Setup complete.
SQL queries complete.
Warning: Exit status 256 from OS rule: dbcs_status
/bin/cat: /u01/app/oracle/product/19c/dbhome_1/network/admin/cman.ora: No such file or directory
Warning: Exit status 256 from OS rule: cman.ora
/bin/cat: /u01/app/oracle/product/19c/dbhome_1/ldap/admin/fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips1.ora
/bin/cat: /fips.ora: No such file or directory
Warning: Exit status 256 from OS rule: fips2.ora
/bin/ls: cannot access '/u01/app/oracle/product/19c/dbhome_1/rdbms/log/diag': No such file or directory
Warning: Exit status 512 from OS rule: diag_dest_home
OS commands complete.
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.16.0.0.0
DBSAT Collector completed successfully.Calling /u01/app/oracle/product/19c/dbhome_1/bin/zip to encrypt output_orclpdb1.json...Enter password:加密输出zip包的口令
Verify password: 加密输出zip包的口令adding: output_orclpdb1.json (deflated 79%)
zip completed successfully.

这一步生成了一个zip包output_orclpdb1.zip，此zip包只包含一个json文件：

$ unzip -l output_orclpdb1.zip
Archive:  output_orclpdb1.zipLength      Date    Time    Name
---------  ---------- -----   ----443823  03-21-2025 05:28   output_orclpdb1.json
---------                     -------443823                     1 file

运行报告器

收集完后，就可以根据收集的信息生成报告了。报告器的输入可以是JSON文件或经压缩的收集器输出文件。

报告器是一Java程序，因此必须先设置JAVA_HOME，示例如下：

$ java -version
java version "1.8.0_341"
Java(TM) SE Runtime Environment (build 1.8.0_341-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.341-b10, mixed mode)$ export JAVA_HOME=/usr/java/jdk1.8.0_341-amd64

运行示例：

$ ./dbsat report output_orclpdb1Database Security Assessment Tool version 3.1 (July 2024)This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.Archive:  output_orclpdb1.zip
[output_orclpdb1.zip] output_orclpdb1.json password: 解压收集器输出包的密码inflating: output_orclpdb1.json
DBSAT Reporter ran successfully.Calling /usr/bin/zip to encrypt the generated reports...Enter password: 压缩报告器输出包的密码
Verify password: 压缩报告器输出包的密码zip warning: output_orclpdb1_report.zip not found or emptyadding: output_orclpdb1_report.txt (deflated 74%)adding: output_orclpdb1_report.html (deflated 83%)adding: output_orclpdb1_report.xlsx (deflated 2%)adding: output_orclpdb1_report.json (deflated 80%)
zip completed successfully.

此命令生成压缩包output_orclpdb1_report.zip。其内容如下：

$ unzip -l output_orclpdb1_report.zip
Archive:  output_orclpdb1_report.zipLength      Date    Time    Name
---------  ---------- -----   ----152422  03-21-2025 05:35   output_orclpdb1_report.txt262187  03-21-2025 05:35   output_orclpdb1_report.html40085  03-21-2025 05:35   output_orclpdb1_report.xlsx192868  03-21-2025 05:35   output_orclpdb1_report.json
---------                     -------647562                     4 files

其中输出了4种格式的报告，内容相同，格式不同。建议使用HTML格式的报告。

运行发现器

发现器用来分析数据库敏感数据。发现器的全称应是敏感数据发现器。

和收集器和报告器不同，连接数据库的信息需写在Discover/conf目录下的配置文件中。

由于只需连接数据库，因此发现器运行的位置可以和数据库主机不同。

例如，你可以拷贝实例配置文件并修改：

cd Discover/conf
cp sample_dbsat.config custom_dbsat.config

需要修改的部分如下，其他参数使用默认：

TNS_ADMIN = /u01/app/oracle/product/19c/dbhome_1/network/admin
NET_SERVICE_NAME = orclpdb

运行示例：

$ ./dbsat discover -c Discover/conf/custom_dbsat.config orclpdb1Database Security Assessment Tool version 3.1 (July 2024)This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.Enter username: system
Enter password:
DBSAT Discover ran successfully.
Calling /usr/bin/zip to encrypt the generated reports...Enter password: 压缩输出文件的口令
Verify password: 压缩输出文件的口令zip warning: orclpdb1_report.zip not found or emptyadding: orclpdb1_discover.html (deflated 72%)adding: orclpdb1_discover.csv (deflated 30%)
Zip completed successfully.

输出中包含2个文件：

$ unzip -l orclpdb1_report.zip
Archive:  orclpdb1_report.zipLength      Date    Time    Name
---------  ---------- -----   ----11312  03-21-2025 06:12   orclpdb1_discover.html137  03-21-2025 06:12   orclpdb1_discover.csv
---------                     -------11449                     2 files

以下为基于Oracle 19c Sample schema生成的报告：
在这里插入图片描述