Oracle Database Discovery on Linux hosts and specific command requirements

Tone1
Tera Contributor

Hello,

I want to discover Oracle databases for our CMDB following this document:

https://docs.servicenow.com/bundle/sandiego-it-operations-management/page/product/discovery/concept/c_OracleDatabaseDiscovery.html

I tested the discovery as the root user and it works perfectly. I switched to a discovery user and added all the required sudo commands, but there is also this topic "Additional requirements" with commands like:

/u01/app/12.1.0.2/grid/bin/crsctl stat res -p | grep -v CHECK_R |grep -v error |grep -v failed

which will not work without an Oracle environment and/or sudo.

So how do you set this up correctly on the Linux machine? Are you just adding the discovery user to the oracle user group? If so, I don't think this is a good solution from a security standpoint, because the users in the oracle group are quite powerful.


Thanks in advance.


Eduardo Rosa1
Tera Guru

Hi Tone,

You will need two types of credentials for this Discovery:

  • Applicable Credential (to query the data inside your Oracle database)
  • SSH credential (to run the commands using sqlplus, for example)

I've implemented this using Applicable Credentials for a specific user inside the Oracle databases, and I've requested a few permissions/grants for this applicable user to access some views and tables, like v$pdbs, v$instance, v$parameter, etc. Check the documentation for all the tables/views.
The applicable user only has grants for reading and cannot perform any drop or alter operations.

From the OS perspective, your discovery ID must have r-x (read/execute) on <ORA_HOME>/bin/sqlplus, otherwise it won't be able to execute the commands.
For example, during the discovery the OS ID will try to run the command below using the OS/discovery user and will replace the variables $$username$$ and $$password$$ with the Oracle applicable user that you've created.

"export TNS_ADMIN=" + $str_oracle_home + "/network/admin;export ORACLE_HOME=" + $str_oracle_home + "; echo  \"select CDB from v\$database;\" |" + "\"" + $str_oracle_home + "/bin/sqlplus\" -s " + "$$username$$/'$$password$$'@" + $computer_system.primaryHostname + ":" + $entry_point.port + "/" + $entry_point.service
The way I did it here was using Linux ACLs to allow the discovery user to access the Oracle directories (recursively) with r-x permissions. Talk to your Linux sysadmin and check whether ACLs can be implemented, to avoid adding the discovery user to the Oracle group.
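As an added example (not code from the thread, from ServiceNow, or from Oracle), this is one way to apply the ACL approach described in the reply and to verify afterwards that the discovery account got read/execute and nothing more. It assumes the acl package (setfacl/getfacl) is installed and that the filesystem holding the Oracle home supports POSIX ACLs; the home path and the account name are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not from the original thread: grant a dedicated discovery
# account read/execute on an Oracle home with POSIX ACLs (setfacl/getfacl)
# instead of adding it to the oracle or dba group. Assumptions: the acl
# package is installed, the filesystem holding the Oracle home supports ACLs,
# and the home path and user name passed in are placeholders for your own.
set -eu

# Grant r-x on directories and on files that are already executable (such as
# bin/sqlplus) and r-- on everything else. The capital X gives execute only
# where some user already has it, so plain config files never become
# executable. No write bit is granted anywhere, which is the difference
# from plain group membership.
grant_discovery_acl() {
    oracle_home=$1
    user=$2
    setfacl -R -m "u:${user}:rX" "$oracle_home"
    # Default ACL on every directory so files Oracle creates later
    # (logs, new network/admin entries) inherit the same read-only grant.
    find "$oracle_home" -type d -exec setfacl -d -m "u:${user}:rX" {} +
}

# Remove the grant again, e.g. when the discovery account is retired.
revoke_discovery_acl() {
    oracle_home=$1
    user=$2
    setfacl -R -x "u:${user}" "$oracle_home"
    find "$oracle_home" -type d -exec setfacl -d -x "u:${user}" {} +
}

# Print the user's ACL entry on a path and return 0 only if it is r-x or r--.
# Anything carrying a write bit, or no entry at all, returns 1, so the same
# check works after granting (expect 0) and after revoking (expect 1).
check_acl_entry() {
    path=$1
    user=$2
    entry=$(getfacl --omit-header --absolute-names "$path" 2>/dev/null \
            | grep "^user:${user}:" || true)
    if [ -z "$entry" ]; then
        echo "$path: no ACL entry for $user"
        return 1
    fi
    perms=${entry#user:${user}:}
    case "$perms" in
        r-x|r--) echo "$path: $entry"; return 0 ;;
        *)       echo "$path: unexpected permissions '$perms'"; return 1 ;;
    esac
}

# Usage: sh discovery_acl.sh /path/to/ORACLE_HOME svc_discovery
# (both arguments are placeholders; the script does nothing without them)
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    grant_discovery_acl "$1" "$2"
    check_acl_entry "$1/bin/sqlplus" "$2"
fi
```

Two caveats when using this: the recursive grant gives the discovery account read access to everything under the home, including whatever sits in network/admin, so review that tree and take back anything sensitive with `setfacl -R -x` on that subdirectory before the account goes live; and ACLs only cover what sqlplus needs as an unprivileged user, so commands that genuinely require root, like the crsctl call quoted in the question, still have to go through the sudo rules you already configured.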