DBSAT脚本快速收集方法

DBSAT是Oracle官方提供的脚本，用于数据库的安全评估检查，用户可以放心下载使用。

下载链接具体参见MOS：

• Oracle Database Security Assessment Tool (DBSAT) (Doc ID 2138254.1)

下面介绍DBSAT脚本快速收集方法：

• 1.上传dbsat脚本并解压到指定目录
• 2.使用dbsat采集必要信息
• 3.生成报告文件(可选)

1.上传dbsat脚本并解压到指定目录

将从官方下载的DBSAT工具上传到数据库服务器主机，并创建相应的目录：

使用Oracle用户登录数据库服务器，创建相应目录

mkdir -p /home/oracle/dbsat

将DBSAT工具包进行解压

unzip dbsat.zip -d /home/oracle/dbsat

2.使用dbsat采集必要信息

DBSAT只对数据库执行查询，不会在数据库中创建对象。
之前文档写的示例是用system用户收集，但需要用户提供system用户密码。
但实际情况，很多客户或实际操作人员并不清楚system用户的密码，或是需要时间去确认，这会严重影响收集效率。
所以，更好的方法是可以使用SYS用户，实现免密码采集。
这里的前提是客户环境支持 `sqlplus / as sysdba` 登陆的情况下（大部分客户默认都适用），否则还是需要提供密码。

$ ./dbsat collect sys output_DEMO

实际执行如下：

[oracle@bogon dbsat]$ ./dbsat collect sys output_DEMO

Database Security Assessment Tool version 2.2.2 (June 2021)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

Connecting to the target Oracle database...

SQL*Plus: Release 19.0.0.0.0 - Production on Thu Mar 30 16:08:50 2023
Version 19.16.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.

Enter password: <--- 这里只需要输入 as sysdba 回车即可。

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.16.0.0.0

Setup complete.
SQL queries complete.
Warning: Exit status 256 from OS rule: dbcs_status
OS commands complete.
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.16.0.0.0
DBSAT Collector completed successfully.

Calling /u01/app/oracle/product/19.3.0/db_1/bin/zip to encrypt output_DEMO.json...

Enter password: <--- 这里需要指定压缩包的密码，随意，我这里就用oracle
Verify password: <--- 这里再次输入密码确认
  adding: output_DEMO.json (deflated 82%)
zip completed successfully.
[oracle@bogon dbsat]$ ls
dbsat  dbsat.bat  Discover  output_DEMO.zip  sat_analysis.py  sat_collector.sql  sat_reporter.py  xlsxwriter

3.生成报告文件(可选)

这一步不需要在服务端执行，只需把上一步生成的文件拿到自己的机器解析，或是直接发给我们即可。
当然要记得把上面设置的压缩密码也告诉我们。

生成报告文件需要Python 2.6以上的环境。

执行报告的生成：

$ ./dbsat report output_DEMO

我这里环境具备，直接执行，实际执行过程如下：

[oracle@bogon dbsat]$ ./dbsat report output_DEMO

Database Security Assessment Tool version 2.2.2 (June 2021)

This tool is intended to assist you in securing your Oracle database
system. You are solely responsible for your system and the effect and
results of the execution of this tool (including, without limitation,
any damage or data loss). Further, the output generated by this tool may
include potentially sensitive system configuration data and information
that could be used by a skilled attacker to penetrate your system. You
are solely responsible for ensuring that the output of this tool,
including any generated reports, is handled in accordance with your
company's policies.

Archive:  output_DEMO.zip
[output_DEMO.zip] output_DEMO.json password: <--- 这里需要输入前面压缩包的密码oracle
  inflating: output_DEMO.json
DBSAT Reporter ran successfully.

Calling /usr/bin/zip to encrypt the generated reports...

Enter password: <--- 这里需要指定压缩包的密码，随意，我这里示例就还用oracle
Verify password: <--- 这里再次输入密码确认
        zip warning: output_DEMO_report.zip not found or empty
  adding: output_DEMO_report.txt (deflated 77%)
  adding: output_DEMO_report.html (deflated 83%)
  adding: output_DEMO_report.xlsx (deflated 3%)
  adding: output_DEMO_report.json (deflated 81%)
zip completed successfully.

最后将这个output_DEMO_report.zip和对应解压密码发给我们即可。