DBSAT (short term for DataBase Security Assessment Tool) is a free utility tool that can assess the security configuration of Oracle Databases, and  deliver following a very simple installation workflow, reports,  that can be used to detect weak security configurations, easing the hardening of the oracle database.

The tool can be downloaded and installed as a separate installation, and used as such, periodically to retrieve the configuration of the associated databases .

Since the Oracle Enterprise Manager version 13.5, this tool is integrated within the Enterprise Manager, in the Compliance Standards Library, and can inspect any databases registered to the Enterprise Manager, generating reports, and detect possible security drifts of the inspected databases.

In this post we will use an Enterprises Manager 13.5RU7, and databases 19.15c, to demonstrate the DBSAT integration with EM.

The server used for this demo, is an Oracle Linux 7 server, running into the Oracle OCI.

The Enterprise Manager has been installed using the binaries of the EM 13.5 version , upgraded to the RU7.

The databases, are patched with the 19.15 patches, and they are collocated with the EM.
 

For this release of the EM, we need to install to the hosts running the databases, which will be inspected by DBSAT, the following rpm :

 

perl-XML-XPath perl-DBI

You can verify that your hosts are updated with these rpm by issuing the command :

$ rpm -qa y  perl-XML-XPath

perl-XML-XPath-1.13-22.el7.noarch

rpm -qa y  perl-DBI

perl-DBI-1.627-4.el7.x86_64

if the output of these commands is different, then install the rpm with the following command:

sudo yum install -y  perl-XML-XPath sudo yum -y install perl-DBI

Once that this step is done, go to the Enterprise Manager interface,click on Enterprise/Compliance/Library

Enterprise/Compliance/Library
 

Then click on Compliance Standards/Search.
Then click on Compliance Standards.

in the Search Field enter the word DBSAT in the Keywords textbox then click on the search button.

Compliance Standards/Search

Then click on the right side of the row “Oracle Database Security Assessment Tool”, to select this entry, then on the header row , click on the “Associate Targets” to associate the databases that have to be inspected by the DBSAT Tool.

In our configuration, a Container/Pluggable database has been already configured  with the DBSAT tool, that’s why the Association Count is already setup up to 1.

 

Container/Pluggable

After clicking on the « Associate” header a new dialog opens, then add the new target – in our case the target is called simple19c – click select,and save the association as below

Associate

Associate2

After this step the configuration of the DBSAT tool in the EM console will look as below: The Association Count is now 2.

Final_targets

 

If you’d like to run DBSAT immediateley to get some results, follow these steps:
Go to Targets => Databases and select a database e.g. in our case simple19c.

 

target1

And execute an immediate refresh of its configuration by clicking on Configuration/Latest/Refresh  

refresh2

 

When the refresh process is done the new screen will look with new entries with the DBSAT tool as :


refresh2

 

Click once to the Run DBSAT link to trigger a DBSAT inspection of the database

refr3

 

At the end of the execution of this procedure scroll down on the right window tab called Source and copy the last line, this is the directory PATH where the DBSAT Tool has generated the reports.

Log into the host server of the target database, and go to the DBSAT directory

 

dbsat-from-agent

Download the html associated file to your desktop and open it with your browser:

dbsat_reposrt1

dbsate_report_2

 

These reports can also be retrieved from the EM interface after 24 hours.

To get these reports you have to go to Enterprise/Compliance/Dashboards entry.

Then on the bottom of this screen you will see an entry about DBSAT. 

Click on the link Report on the bottom right side of the screen

 

comp_reports

compre_report2

You will get the list of the associated databases and the DBSAT generated reports.


As we have run the DBSAT right now, for the simple19c database , we have to wait 24 hours to get the updated results and the report.


For the cbd19c we have done the association the previous day, and the results with the associated report are ready for inspection.

Clicking on the DBSAT Report link of the cdb19c line, the browser will open a new window with the generated DBSAT report. There is no need to go to the host and get the report.

 

cdb19c

 

Conclusion:
With the latest version of EM 13.5, the users can now execute from a single interface the DBSAT tool, and get immediately the security configuration, and possible suggestions to improve the hardening of the Oracle Databases, monitored by the EM.