[Original] A Brief Introduction to Oracle DBSAT
What is DBSAT
The Oracle Database Security Assessment Tool (DBSAT) is a command line tool focused on detecting areas of potential security vulnerabilities or misconfigurations and providing recommendations on how to mitigate those potential vulnerabilities. The DBSAT focuses on the database but also examines surrounding database related system components including OS and network (listener). The tool provides a view into the current status, users, roles and policies in place, with the goal of promoting successful approaches to mitigate potential security risks.
The DBSAT has two components: the Collector and the Reporter. The Collector is responsible for collecting raw data from the target database by executing SQL queries and OS commands. The Reporter reads the collected data, analyzes it, and produces reports with the findings. The Reporter outputs three reports, in Text, HTML, and XLS formats.
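How to use it and what version restrictions apply
See below.
Demonstration
The test commands run as follows (a password is entered during the process; it is the decryption password for the zip file):
#### Generate the JSON file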
[oracle@databasevm dbsat]$ ./dbsat collect system/oracle outputfile01
This tool is intended to assist in you in identifying potential
vulnerabilities in your system, but you are solely responsible for
your system and the effect and results of the execution of this tool
(including, without limitation, any damage or data loss). Further,
the output generated by this tool may include potentially sensitive
system configuration data and information that could be used by a
skilled attacker to penetrate your system. You are solely responsible
for ensuring that the output of this tool, including any generated
reports, is handled in accordance with your company's policies.
Connecting to the target Oracle database...
SQL*Plus: Release 12.2.0.1.0 Production on Thu Oct 12 12:32:00 2017
Copyright (c) 1982, 2016, Oracle. All rights reserved.
Last Successful login time: Mon Jul 17 2017 23:10:08 +08:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
Database Security Assessment Tool version 1.0.2 (October 2016)
Setup complete.
SQL queries complete.
OS commands complete.
Disconnected from Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
DBSAT Collector completed successfully.
Calling /opt/oracle/product/12.2.0.1/db_1/bin/zip to encrypt outputfile01.json...
Enter password:
Verify password:
adding: outputfile01.json (deflated 87%)
zip completed successfully.
[oracle@databasevm dbsat]$
#### Generate the report files
[oracle@databasevm dbsat]$ ./dbsat report outputfile01
This tool is intended to assist in you in identifying potential
vulnerabilities in your system, but you are solely responsible for
your system and the effect and results of the execution of this tool
(including, without limitation, any damage or data loss). Further,
the output generated by this tool may include potentially sensitive
system configuration data and information that could be used by a
skilled attacker to penetrate your system. You are solely responsible
for ensuring that the output of this tool, including any generated
reports, is handled in accordance with your company's policies.
Archive: outputfile01.zip
[outputfile01.zip] outputfile01.json password:
inflating: outputfile01.json
Database Security Assessment Tool version 1.0.2 (October 2016)
DBSAT Reporter ran successfully.
Calling /usr/bin/zip to encrypt the generated reports...
Enter password:
Verify password:
adding: outputfile01.txt (deflated 78%)
adding: outputfile01.html (deflated 83%)
adding: outputfile01.xlsx (deflated 3%)
zip completed successfully.
[oracle@databasevm dbsat]$ ls -ltr
total 452
-rwxrwxr-x. 1 oracle oracle 9039 Oct 12 12:30 dbsat
-rwxrwxr-x. 1 oracle oracle 9198 Oct 12 12:30 dbsat.bat
-rwxrwxr-x. 1 oracle oracle 24757 Oct 12 12:30 sat_analysis.py
-rwxrwxr-x. 1 oracle oracle 42135 Oct 12 12:30 sat_collector.sql
-rwxrwxr-x. 1 oracle oracle 229245 Oct 12 12:30 sat_reporter.py
-rwxr-xr-x. 1 oracle oracle 36563 Oct 12 12:33 outputfile01.zip
-rw-------. 1 oracle oracle 21273 Oct 12 12:38 sat_analysis.pyc
drwxrwxr-x. 2 oracle oracle 4096 Oct 12 12:38 xlsxwriter
-rw-------. 1 oracle oracle 66899 Oct 12 12:38 outputfile01_report.zip
[oracle@databasevm dbsat]$
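In the listing above, `outputfile01.zip` is left as `-rwxr-xr-x` while `outputfile01_report.zip` is `-rw-------`, and the tool's banner states that its output may contain sensitive configuration data. The following is an added example, not part of DBSAT or of the original post: it audits the files for one output name and restricts the archives to the owner. The function names are hypothetical, and GNU `find` on a Linux host is assumed.

```shell
#!/usr/bin/env bash
# Added example (not part of DBSAT): audit and lock down DBSAT output files.
# Assumes GNU find, as on the Linux host in the session above.

# Print one finding per line for the given directory and output name:
#   LOOSE_MODE <path>  archive has a group/other permission bit set
#   PLAINTEXT  <path>  unencrypted collector/reporter file still on disk
dbsat_audit_outputs() {
    local dir=$1 name=$2 f
    # Encrypted archives written by "dbsat collect" and "dbsat report".
    for f in "$dir/$name.zip" "$dir/${name}_report.zip"; do
        [ -f "$f" ] || continue
        # -perm /077 matches when any group or other bit is set.
        if [ -n "$(find "$f" -maxdepth 0 -perm /077)" ]; then
            echo "LOOSE_MODE $f"
        fi
    done
    # Files that exist only before zipping; they should be gone afterwards.
    for f in "$dir/$name.json" "$dir/$name.txt" \
             "$dir/$name.html" "$dir/$name.xlsx"; do
        [ -f "$f" ] && echo "PLAINTEXT $f"
    done
    return 0
}

# Restrict both archives to read/write for the owner only.
dbsat_lock_outputs() {
    local dir=$1 name=$2 f
    for f in "$dir/$name.zip" "$dir/${name}_report.zip"; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Stand-alone use: script.sh <directory> <output name>
if [ "$#" -eq 2 ]; then
    dbsat_audit_outputs "$1" "$2"
fi
```
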
Reference documentation
Oracle Database Security Assessment Tool Documentation Release 1.0
~~~ LinHong 2017/10/10 ~~~~