How do you find sensitive data in the Oracle database? The Database Security Assessment Tool (DBSAT), version 2.0.1, provides an answer. The presentation gives an introduction to DBSAT and shows how it is used. At the end an alternative is presented - Data Masking and Subsetting in Oracle Database Enterprise Manager.
1. Sensitive data in the Oracle database
DBSAT and more
DOAG Regio München 2018
Ulrike Schwinn
E-mail: ulrike.schwinn@oracle.com
Oracle Deutschland B.V. & Co KG
Personas: DPO, DBA, Auditor
Quickly evaluate risks to your Oracle databases
Promptly identify security misconfigurations
Reduce the attack surface and exposure to risk
Safeguard your sensitive data by following recommendations
Raise security posture for your Oracle Databases
Downloadable free tool from MOS
Put it in boxes (related)
Highlight Findings related to:
Oracle Best Practices
CIS Oracle Database Benchmark
EU GDPR
Basic Information: Instance name, CDB/PDB, Patches
User Accounts: User accounts, users with expired passwords, sample schemas, default passwords, password verifiers
Privileges and Roles: Users and Roles with Administrative and System Privileges, Users with DBA roles, etc.
Security Feature Usage section includes rules about each of our features: Audit, DV, TDE, Redaction, RAS, etc.
Database Configuration: Security-related initialization parameters, triggers, disabled constraints, Java permissions, network ACLs
Network Configuration: Network Encryption, Listener log and status, client nodes (invited/excluded), etc.
OS level checks: OS authentication, pmon processes, agent processes, listener processes and OS permissions in ORACLE_HOME
Both the DBSAT Collector and the Reporter run on Windows platforms.
On Windows the Collector's OS-specific checks do not run, so the Reporter rules that depend on them are skipped.
The skipped rules are appended to the end of the text and HTML report.
The Collector by default generates a password-protected zip file containing the collected data in JSON format.
The Reporter takes that file (either JSON or zip) as input, analyzes it and produces the output reports.
Collector and Reporter do not need to be run on the same server.
The Collector should be executed on the database server; the data can then be transferred to the customer's laptop (or another server) for analysis.
Oracle Databases or non-oracle
on-prem, cloud
Add commands + steps 1, 2, 3
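The Collector/Reporter split described above as a three-step shell workflow. This is an added example, not DBSAT's own scripts; DBSAT_HOME, the connect string and the file names are placeholders, and the check that the Collector output really is the zip form (not the unencrypted JSON that `dbsat collect -n` writes) is an assumption about how a practitioner would gate the transfer.

```shell
# Added example (not part of DBSAT): collect on the database server,
# move the password-protected zip to an analysis host, report there.
set -eu

DBSAT_HOME="${DBSAT_HOME:-/opt/dbsat}"   # placeholder: where dbsat was unzipped

# The Collector's default output is a password-protected zip holding the
# collected JSON; "dbsat collect -n" writes the JSON unencrypted instead.
# Refuse to ship anything that is not the zip form (zip files start "PK").
dbsat_check_archive() {
  local f="$1" magic
  [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  magic=$(head -c 2 "$f")
  if [ "$magic" != "PK" ]; then
    echo "$f is not the Collector's zip (plain JSON from -n?)" >&2
    return 1
  fi
}

# Step 1, on the database server: run the Collector. It prompts for the
# database password and for the zip password, then writes <out>.zip.
dbsat_collect() {
  local conn="$1" out="$2"
  "$DBSAT_HOME/dbsat" collect "$conn" "$out"
  chmod 600 "${out}.zip"   # the archive describes users, grants, parameters, patches
  dbsat_check_archive "${out}.zip"
}

# Step 2, operator: copy <out>.zip to the analysis host (scp or similar);
# the zip password is passed out of band, never next to the archive.

# Step 3, on the analysis host: run the Reporter on the zip. It asks for the
# zip password and writes the text and HTML reports (with any skipped
# OS-level rules listed at the end when the Collector ran on Windows).
dbsat_report() {
  local input="$1"
  dbsat_check_archive "$input"
  "$DBSAT_HOME/dbsat" report "$input"
}
```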
Show a severe risk and significant risk example
This is not just a vulnerability tool – entitlements as a differentiator
Describe what the reports consist of:
Summary table;
Informational tables;
the Findings [next slide]
A Finding is the result of the analysis by the DBSAT Reporter. Findings give recommendations to improve the security posture of the database or provide information for further analysis.
Each finding consists of the following:
Status – This indicates the level of risk associated with the finding (Pass, Some, Significant, Severe) or indicates that the finding is an Opportunity for improvement, such as information about an optional security feature that is not currently in use. In cases where it’s not possible to automate the finding and further analysis is needed, the status is shown as Evaluate.
Summary – Presents one-line summary of the finding.
Details – Presents the details of the results, followed by any recommendations for changes.
Remarks – Explains the reason for the rule and recommended actions for remediation if a risk is reported.