Updated for the Oracle Database 19c CIS Benchmark v1.2
Oracle Database customers rely on DBSAT as their go-to tool for evaluating the security status of their Oracle databases and to help guide their risk mitigation efforts. By assessing the database configuration, user entitlements, and sensitive data, DBSAT empowers you to identify potential security risks.
With the previous release of DBSAT 3.0 in November 2023, we updated DBSAT’s evaluation of the US Department of Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Oracle Database to enhance its capabilities further. You can read more about it here.
In this newest release, DBSAT 3.1, we focused on updating DBSAT to close the gap towards Center for Internet Security (CIS) Benchmark v1.2 for Oracle Database 19c. This update expands DBSAT's security assessment capabilities, allowing it to report on 132 checks along with remarks that help you mitigate identified risks.
Added support for the Oracle Database 19c CIS Benchmark v1.2
The CIS Benchmark for the Oracle Database is a prescriptive configuration recommendation that helps you protect your databases against threats. The CIS Benchmark represents a consensus-based effort of 3rd party cybersecurity experts globally.
DBSAT now brings valuable checks and recommendations that come from the Oracle Best Practices, STIG (V2R8), and the latest CIS Benchmark. Also, DBSAT highlights the database features and other Oracle Database security products you can leverage to address EU GDPR articles and recitals.
With DBSAT, you get security assessments targeted to the specific Oracle Database version and type. When evaluating a database, DBSAT will consider the database version, use the relevant data dictionary views (and columns), and provide targeted recommendations so you can act on the findings, considering the applicable best practices. For example, with DBSAT, you get the proper advice for your Autonomous Database and on-premises targets.
In this release, we added 10 findings based on CIS recommendations, updated all CIS-related findings to reflect changes to CIS finding numbers, and removed mappings for obsolete/deleted CIS recommendations. There is also a new finding for pre-authenticated URL requests in cloud databases.
Revoke EXECUTE grants to PUBLIC?
Not so fast. Revoking grants from PUBLIC is not something you should do lightly as it may impact your application’s availability and Oracle's ability to support your database. You might inadvertently break something, which is one of the reasons it’s better to do due diligence and check with the application vendor and Oracle Support before revoking these default grants. In most cases, the risk of grants to PUBLIC may be mitigated by other means.
DBSAT 3.1 checks EXECUTE grants to PUBLIC on a CIS-developed list of packages. DBSAT also checks the existence of system and object privilege grants relevant to those packages to provide a complete picture – not just the grants, but the additional privileges required to use those packages.
As an example, merely granting EXECUTE privileges to a database user isn't sufficient for them to utilize UTL_FILE to read or tamper files in the file system. A user will need to be able to have READ/WRITE access on a DIRECTORY object, and that can come from having an explicit object grant on a DIRECTORY or due to having ADVISOR, CREATE ANY DIRECTORY, or READ ANY DIRECTORY system privileges. DBSAT checks these additional conditions in addition to checking for an EXECUTE privilege grant. Another example is the grant of the UTL_HTTP package to PUBLIC. To exfiltrate data using UTL_HTTP, a database user not only requires EXECUTE privileges on the package (directly, indirectly, or through PUBLIC) but also needs explicit authorization via a network ACL. Network ACLs can limit UTL_HTTP usage to a specific user and IP address.
Figure 1: Network Packages Granted to Public
DBSAT leverages multiple standards as a foundation. When CIS Benchmark recommendations tailored for 19c databases are pertinent to older or newer versions, DBSAT accurately verifies them by relying on the existing data dictionary views and columns. If these recommendations aren't relevant, DBSAT intelligently bypasses the check.
DBSAT’s popularity, reflected in over 90,000 downloads, shows that DBSAT is widely used, relevant, and adds significant value by bringing actionable recommendations. DBSAT’s popularity and high-value results have resulted in several other Oracle products adopting DBSAT.
DBSAT currently powers Audit Vault and Database Firewall database security posture management, Oracle Data Safe Security Assessment, DBSAT compliance standards in Enterprise Manager, and the security assessment part of the Autonomous Health Framework.
DBSAT is a simple standalone tool that helps assess the security configuration of a single Oracle Database. What if you want to automate assessments across your fleet, track deviations from approved baselines, get alerts, keep history, and do comparisons all in one interface? Use Oracle Data Safe or Oracle Audit Vault and Database Firewall to go the extra mile in assessments.
You can use Oracle Data Safe to assess the security of your databases running on the cloud and on-premises. Data Safe is a database security cloud service that provides a comprehensive suite of security capabilities, including user and security assessments. Data Safe's tightly integrated assessment capabilities allow you to run assessments on multiple databases simultaneously, schedule assessments, establish a security baseline, and get a comparison report highlighting the drift between that baseline and the current database security assessment. You can also use Data Safe APIs to automate and integrate database security assessments into your CI/CD pipelines. To learn more about Data Safe, please visit https://www.oracle.com/security/database-security/data-safe/.
Oracle Audit Vault and Database Firewall (AVDF) 20.9 introduced Database Security Posture Management. Besides collecting audit records and allowing for the provisioning of audit policies, reports, and alerts, AVDF now provides enterprises with a centralized security assessment solution by integrating DBSAT for Oracle Databases. The full-featured assessment with compliance mappings and recommendations will help organizations understand their security posture for all their Oracle Databases in one central place. To learn more about Audit Vault and Database Firewall, please visit https://www.oracle.com/security/database-security/audit-vault-database-firewall/.
DBSAT is now more critical than ever. It’s at the core of Oracle Database security assessment technologies. Audit Vault and Database Firewall, and Data Safe both leverage the rules defined in DBSAT as part of their assessment framework.
You should run regular security assessments to help safeguard the security and integrity of your data. Running periodic security assessments enables you to understand your database misconfigurations, who are the privileged users, identify and mitigate risks, and, ultimately, help you on your path toward regulatory compliance, potentially saving your organization significant time and money from compliance failures or data loss.
If you’re an Oracle customer, you can start assessing your databases for free today. To download or to get more information on DBSAT, see Oracle Database Security Assessment Tool.
Pedro Lopes is in the Oracle Database Security Product Management group. He covers Europe, Middle East, and Africa (EMEA), and Latin America regions for all Database Security features and products and manages the Security Assessment technologies (DBSAT, Data Safe). He has played numerous roles at Oracle, from consulting to presales, during the last 20 years. Pedro is helping customers protect their data with Oracle Data Safe and Database security features and products.