
Oracle Database Discovery on Linux hosts and specific command requirements

Tone1
Tera Expert

Hello,

I want to discover Oracle databases for our CMDB following this document:

https://docs.servicenow.com/bundle/sandiego-it-operations-management/page/product/discovery/concept/c_OracleDatabaseDiscovery.html

I tested the discovery as root user and it works perfectly. I switched to a discovery user and added all the required sudo commands, but there is also this topic "Additional requirements" with commands like:

/u01/app/12.1.0.2/grid/bin/crsctl stat res -p | grep -v CHECK_R |grep -v error |grep -v failed

which will not work without an Oracle environment and/or sudo.

So how do you guys set this up in a correct way on the Linux machine? Are you just adding the discovery user to the oracle user group? If so, I don't think this is a good solution from a security standpoint because the users in the oracle group are quite powerful.

 

Thanks in advance.

1 REPLY

Eduardo Rosa1
Tera Guru

Hi Tone,

You will need 2 types of credentials for this Discovery:

  • Applicable Credential (to query the data inside your Oracle database)
  • SSH credential (to run the commands using sqlplus, e.g.)

I've implemented using applicable credentials for a specific user inside the Oracle databases. And I've requested a few permissions/grants for this applicable user, to access some views and tables, like v$pdbs, v$instance, v$parameter etc. Check the documentation for all the tables/views.
The applicable user only has grants for reading and cannot perform any drop or alter operations.

From the OS perspective, your discovery ID must have r-x (read/execute) on the <ORA_HOME>/bin/sqlplus, otherwise I won't be able to execute the commands. 
For example, during the discovery the OS id will try to run the below command using the OS/discovery user and will replace the variables $$username$$ and $$password$$ with the Oracle applicable user that you've created.

"export TNS_ADMIN=" + $str_oracle_home + "/network/admin;export ORACLE_HOME=" + $str_oracle_home + "; echo  \"select CDB from v\$database;\" |" + "\"" + $str_oracle_home + "/bin/sqlplus\" -s " + "$$username$$/'$$password$$'@" + $computer_system.primaryHostname + ":" + $entry_point.port + "/" + $entry_point.service
 
The way I did it here was using Linux ACLs to allow the discovery user to access the Oracle directories (recursively) with r-x permissions. Talk to your Linux SysAdmin and check if ACLs can be implemented to avoid adding the discovery user into the Oracle group.
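
The ACL approach described in the reply above, as an added example that is not part of the original post: it prints the `setfacl` commands for review before anything is applied, then checks that the account can run sqlplus without belonging to the owning group. The account name `svc_discovery` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. svc_discovery is a
# hypothetical discovery account; pass your own Oracle home path.

# Print every ancestor of $1, outermost first (e.g. /u01, then /u01/app).
parent_dirs() {
    d=$(dirname "$1"); out=""
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        out="$d
$out"
        d=$(dirname "$d")
    done
    printf '%s' "$out"
}

# Print the setfacl commands for review; nothing is changed on disk.
acl_plan() {
    user=$1; home=$2
    # Traverse-only (--x) on ancestors: the account can reach the home
    # but cannot list those directories.
    parent_dirs "$home" | while IFS= read -r dir; do
        printf "setfacl -m u:%s:--x '%s'\n" "$user" "$dir"
    done
    # rX = read everywhere, execute only on directories and on files that
    # are already executable (such as bin/sqlplus); no write access.
    printf "setfacl -R -m u:%s:rX '%s'\n" "$user" "$home"
}

# Run as root after applying the plan. Succeeds only if the account can
# execute sqlplus AND is not a member of the group that owns the home.
check_access() {
    user=$1; home=$2
    grp=$(stat -c %G "$home")
    if id -nG "$user" | tr ' ' '\n' | grep -qxF "$grp"; then
        echo "FAIL: $user is a member of $grp"; return 1
    fi
    sudo -u "$user" test -x "$home/bin/sqlplus" ||
        { echo "FAIL: $user cannot execute $home/bin/sqlplus"; return 1; }
    echo "OK: ACL access works without $grp membership"
}

# Usage (as root):
#   acl_plan svc_discovery "$ORACLE_HOME"        # review the commands
#   acl_plan svc_discovery "$ORACLE_HOME" | sh   # apply them
#   check_access svc_discovery "$ORACLE_HOME"
```

Files added later by patching do not inherit these entries; re-run the plan afterwards or add a default ACL on the directories with `setfacl -d`.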