Overview

Oracle Database Security Assessment Tool (DBSAT) is a popular command-line tool that helps identify areas where your database configuration, operation, or implementation introduces risks and recommends changes and controls to mitigate those risks. DBSAT helps assess how securely the database is configured, determines who the users and their entitlements are, and identifies where sensitive data resides within the database.

The latest DBSAT 2.2.2 release can now differentiate between on-premises Oracle Databases, Autonomous Databases (Shared and Dedicated) and DBCS. Depending upon the database target type, DBSAT performs different checks and provides target-specific remarks. DBSAT 2.2.2 has also added new checks, improved accuracy of the existing checks, and clarified several remarks.

DBSAT is provided at no additional cost and enables customers to quickly find:

• Security configuration issues, and how to remediate them
• Users and their entitlements
• Location, type, and quantity of sensitive data

The figure below summarizes the security status of a sample database, and categorizes its findings by risk levels.

DBSAT analyzes information on the database and listener configuration to identify configuration settings that may unnecessarily introduce risk. DBSAT goes beyond simple configuration checking, examining user accounts, privilege and role grants, authorization control, separation of duties, fine-grained access control, data encryption and key management, auditing policies, and OS file permissions. DBSAT applies rules to quickly assess the current security status of a database and produce findings in all the areas above. For each finding, DBSAT recommends remediation activities that follow best practices to reduce or mitigate risk.

The Finding below shows which users have the powerful DBA role, and how that role was obtained (directly granted, granted via another role).

DBSAT also scans the database for sensitive data using customizable regular expression patterns, and reports on the amount and type of sensitive data found.  Besides providing the ability to search for sensitive data on English based data dictionaries (column names and comments) it also includes support for additional major European languages such as Dutch, French, Italian, German, Portuguese and Spanish.  This provides organizations with a deeper insight on how much sensitive data they have and where it resides, enabling them to then protect their databases through appropriate access controls, auditing, masking, and encryption.  The figure below shows a summary report from a scan of the database metadata.

Quick, Easy and Actionable Reports

DBSAT assists in evaluating the current security posture and helps you find out where sensitive data resides. DBSAT produces reports in multiple formats for different audiences and uses. DBSAT is easy to use and provides actionable reports with summary, detailed information, and prioritized recommendations.

Regulatory Compliance

Security configuration scanning and knowing where sensitive data resides is an essential part of regulatory compliance and key to EU General Data Protection Regulation (EU GDPR), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), HIPAA/HITECH, and numerous data privacy laws. DBSAT recommendations help minimize risk, enhance the overall security posture and accelerate the path to compliance (PDF).

• Discover Sensitive and Personal data in Oracle Databases
• Map Findings to GDPR Articles/Recitals, Oracle Database STIG Rules, and CIS Benchmark recommendations
• Accelerate Data Protection Impact Assessments by assessing exposure to risk
• Recommend security controls such as encryption, segregation of duties, pseudonymization, audit, among others that might help compliance

On-Premises and in the Cloud