Lin Hong's TECH Blog! A blade rusts if it is not sharpened; a person falls behind if they do not study - Thinking ahead

[Original] A Brief Introduction to Oracle DBSAT

2017-10-10

What is DBSAT

The Oracle Database Security Assessment Tool (DBSAT) is a command line tool focused on detecting areas of potential security vulnerabilities or misconfigurations and providing recommendations on how to mitigate those potential vulnerabilities. The DBSAT focuses on the database but also examines surrounding database related system components including OS and network (listener). The tool provides a view into the current status, users, roles and policies in place, with the goal of promoting successful approaches to mitigate potential security risks.

The DBSAT has two components: the Collector and the Reporter. The Collector is responsible for collecting raw data from the target database by executing SQL queries and OS commands. The Reporter reads the collected data, analyzes it and produces reports with the findings. The Reporter outputs three reports in Text, HTML, and XLS formats.

How to use it and what version restrictions apply

See the following:

DBSAT

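Demonstration

The test commands run as follows (you are prompted for a password along the way; it is the password used to decrypt the zip file):

#### Generate the JSON file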
[oracle@databasevm dbsat]$ ./dbsat collect system/oracle outputfile01

This tool is intended to assist in you in identifying potential 
vulnerabilities in your system, but you are solely responsible for 
your system and the effect and results of the execution of this tool 
(including, without limitation, any damage or data loss). Further, 
the output generated by this tool may include potentially sensitive 
system configuration data and information that could be used by a 
skilled attacker to penetrate your system. You are solely responsible 
for ensuring that the output of this tool, including any generated 
reports, is handled in accordance with your company's policies.

Connecting to the target Oracle database...


SQL*Plus: Release 12.2.0.1.0 Production on Thu Oct 12 12:32:00 2017

Copyright (c) 1982, 2016, Oracle.  All rights reserved.

Last Successful login time: Mon Jul 17 2017 23:10:08 +08:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

Database Security Assessment Tool version 1.0.2 (October 2016)
Setup complete.

SQL queries complete.
OS commands complete.
Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
DBSAT Collector completed successfully.

Calling /opt/oracle/product/12.2.0.1/db_1/bin/zip to encrypt outputfile01.json...

Enter password: 
Verify password: 
  adding: outputfile01.json (deflated 87%)
zip completed successfully.
[oracle@databasevm dbsat]$ 

#### Generate the report files
[oracle@databasevm dbsat]$ ./dbsat report outputfile01                                                                           

This tool is intended to assist in you in identifying potential 
vulnerabilities in your system, but you are solely responsible for 
your system and the effect and results of the execution of this tool 
(including, without limitation, any damage or data loss). Further, 
the output generated by this tool may include potentially sensitive 
system configuration data and information that could be used by a 
skilled attacker to penetrate your system. You are solely responsible 
for ensuring that the output of this tool, including any generated 
reports, is handled in accordance with your company's policies.

Archive:  outputfile01.zip
[outputfile01.zip] outputfile01.json password: 
  inflating: outputfile01.json       
Database Security Assessment Tool version 1.0.2 (October 2016)
DBSAT Reporter ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password: 
Verify password: 
  adding: outputfile01.txt (deflated 78%)
  adding: outputfile01.html (deflated 83%)
  adding: outputfile01.xlsx (deflated 3%)
zip completed successfully.
[oracle@databasevm dbsat]$ ls -ltr
total 452
-rwxrwxr-x. 1 oracle oracle   9039 Oct 12 12:30 dbsat
-rwxrwxr-x. 1 oracle oracle   9198 Oct 12 12:30 dbsat.bat
-rwxrwxr-x. 1 oracle oracle  24757 Oct 12 12:30 sat_analysis.py
-rwxrwxr-x. 1 oracle oracle  42135 Oct 12 12:30 sat_collector.sql
-rwxrwxr-x. 1 oracle oracle 229245 Oct 12 12:30 sat_reporter.py
-rwxr-xr-x. 1 oracle oracle  36563 Oct 12 12:33 outputfile01.zip
-rw-------. 1 oracle oracle  21273 Oct 12 12:38 sat_analysis.pyc
drwxrwxr-x. 2 oracle oracle   4096 Oct 12 12:38 xlsxwriter
-rw-------. 1 oracle oracle  66899 Oct 12 12:38 outputfile01_report.zip
[oracle@databasevm dbsat]$
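
In the listing above, outputfile01.zip is left at mode -rwxr-xr-x while outputfile01_report.zip is -rw-------, and no plaintext .json/.txt/.html/.xlsx files remain next to the archives. The following check is an added example, not part of the original post or of DBSAT: the function names are hypothetical, the sample directory is constructed, and it assumes the file naming shown in this run.

```shell
#!/bin/sh
# Added example (not DBSAT code): audit a DBSAT working directory after
# `dbsat collect` / `dbsat report` have run with a given output prefix.
# Assumption: file names follow the pattern seen in the listing above.

audit_dbsat_output() {
    local dir="$1" prefix="$2" findings=0 f mode

    # Plaintext collector/reporter output should not stay on disk.
    for f in "$dir/$prefix.json" "$dir/$prefix.txt" \
             "$dir/$prefix.html" "$dir/$prefix.xlsx"; do
        if [ -e "$f" ]; then
            echo "PLAINTEXT $f"
            findings=$((findings + 1))
        fi
    done

    # Encrypted archives should carry no group/other permission bits.
    for f in "$dir/$prefix.zip" "$dir/${prefix}_report.zip"; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c5-10)   # the six group+other mode characters
        if [ "$mode" != "------" ]; then
            echo "LOOSE_PERMS $f ($mode)"
            findings=$((findings + 1))
        fi
    done

    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample: empty files with the modes shown in the `ls -ltr` output.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    : > "$d/outputfile01.zip";        chmod 755 "$d/outputfile01.zip"
    : > "$d/outputfile01_report.zip"; chmod 600 "$d/outputfile01_report.zip"
    echo "$d"
}

# Usage: sh audit.sh /path/to/dbsat outputfile01
if [ $# -eq 2 ]; then
    audit_dbsat_output "$1" "$2"
fi
```

On the sample directory this reports outputfile01.zip as LOOSE_PERMS; `chmod 600` on the archive clears the finding.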

Sample report: HTML

Sample report: TXT

Sample report: EXCEL

Reference documentation

Oracle Database Security Assessment Tool Documentation Release 1.0

~~~ LinHong 2017/10/10 ~~~~

