Oracle DB discovery Issue with Access on target DB


Description

You may see errors when the commands below are executed, even after the Unix admin has confirmed that sudo access has been added for the credentials used when exploring Oracle DB details and setting up the connection to the target DB server.

The following commands show errors in the Horizontal Discovery log:

- ps -eo user,pid,ppid,comm,args | grep -i '<PID>' | grep -v grep
- ls -l /proc/<PID>/exe
- ls -l /proc/<PID>/cwd
- cat /proc/<PID>/environ

The pattern used for the process is "Oracle DB on Unix". This pattern has two parts: one section is used for identification, while the extension section is used by the pattern to collect more details.

The issue is noticed when the pattern runs step 1 of the extension "Get Oracle Instance Size Info".

Error in Agent log:

<PID> is to be replaced by the pattern variable or the PID of the Oracle processes.


2021-10-19 12:49:37: Executing SSH command as superuser: ls -l /proc/27400/exe
2021-10-19 12:49:37: Command result: Sorry, user *** is not allowed to execute '/usr/bin/ls -l /proc/<PIOD>/exe' as root on cdcld283n.adr.alcoa.com.
2021-10-19 12:49:37: Executing SSH command as superuser: ls -l /proc/27400/cwd
2021-10-19 12:49:37: Command result: Sorry, user sndisc is not allowed to execute '/usr/bin/ls -l /proc/<PID>/cwd' as root on cdcld283n.adr.alcoa.com.
2021-10-19 12:49:37: Executing SSH command as superuser: cat /proc/27400/environ | tr "\000" "\n"
2021-10-19 12:49:37: Command result: Sorry, user sndisc is not allowed to execute '/usr/bin/cat: /proc/31015/environ as root on cdcld283n.adr.alcoa.com.

Release or Environment

All

Cause

The specific /proc folders that these commands read are accessible only to the root user. Discovery therefore works when the user is allowed root permission, but not when the same user is only added to a group or to another users' group on the target server.

 

Resolution

The user has to be allowed to access the /proc folder as root, or permissions have to be configured so that the user can access the details within the /proc folder.

As reported, the permission does not work if the user is not given permission as root.

It needs root access. This can be granted via sudo without granting full root access to the user. The server admin team needs to add the documented commands to sudo, dzdo or pbrun, whichever tool they use for managing root access, and this has to be addressed by the server infrastructure team. A fix that gives read-only access to these target folders will therefore be required on the server infrastructure side.
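The agent log already records the full binary path and arguments that sudo rejected, which is what the server admin team needs when writing the sudo, dzdo or pbrun rule. The following Python script is an added example, not ServiceNow code: it extracts the distinct denied commands from a log in the format shown above. The function name `denied_commands` and the host name in the constructed sample log are assumptions.

```python
import re

# Constructed sample in the agent-log format shown on this page
# (host name and second PID are made up; '***' is a masked user name).
SAMPLE_LOG = r"""
2021-10-19 12:49:37: Executing SSH command as superuser: ls -l /proc/27400/exe
2021-10-19 12:49:37: Command result: Sorry, user *** is not allowed to execute '/usr/bin/ls -l /proc/27400/exe' as root on db01.example.com.
2021-10-19 12:49:37: Executing SSH command as superuser: ls -l /proc/27400/cwd
2021-10-19 12:49:37: Command result: Sorry, user sndisc is not allowed to execute '/usr/bin/ls -l /proc/27400/cwd' as root on db01.example.com.
2021-10-19 12:49:38: Executing SSH command as superuser: cat /proc/27400/environ | tr "\000" "\n"
2021-10-19 12:49:38: Command result: Sorry, user sndisc is not allowed to execute '/usr/bin/cat /proc/27400/environ as root on db01.example.com.
2021-10-19 12:49:39: Executing SSH command as superuser: ls -l /proc/31015/exe
2021-10-19 12:49:39: Command result: Sorry, user sndisc is not allowed to execute '/usr/bin/ls -l /proc/31015/exe' as root on db01.example.com.
"""

# The closing quote is optional because some log lines arrive without it.
DENIAL = re.compile(
    r"Command result: Sorry, user (?P<user>\S+) is not allowed to execute "
    r"'(?P<cmd>.+?)'? as (?P<run_as>\S+) on (?P<host>\S+?)\.?$"
)
PROC_PID = re.compile(r"/proc/\d+/")


def denied_commands(log_text):
    """Group sudo denials by (host, run-as user); PIDs are collapsed to <PID>."""
    report = {}
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        entry = report.setdefault((m["host"], m["run_as"]),
                                  {"users": set(), "commands": set()})
        if set(m["user"]) != {"*"}:  # skip masked account names
            entry["users"].add(m["user"])
        # One rule has to cover every Oracle process, so drop the concrete PID.
        entry["commands"].add(PROC_PID.sub("/proc/<PID>/", m["cmd"]))
    return report


if __name__ == "__main__":
    for (host, run_as), entry in denied_commands(SAMPLE_LOG).items():
        print(f"{host}: {sorted(entry['users'])} needs, as {run_as}:")
        for cmd in sorted(entry["commands"]):
            print(f"  {cmd}")
```

The output lists each host with the commands to permit for the discovery account, so the request to the server team can name exactly those commands instead of asking for a root or admin group membership.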

Additional Information

The following steps can be used to allow the permission.

 

1. Follow the Oracle Discovery documentation and validate that the Oracle user account is allowed on the Unix server with the required elevated access:
https://docs.servicenow.com/bundle/rome-it-operations-management/page/product/discovery/concept/c_OracleDatabaseDiscovery.html

2. If elevated access is missing, move the user to a group with elevated access to get the details, and test whether the user's access to the target folder works after moving them to root or another admin group:
https://docs.servicenow.com/bundle/paris-it-operations-management/page/product/service-mapping/reference/r_CommandsnCredentials.html

3. Here is the link to the documentation for Get a process:
https://docs.servicenow.com/bundle/quebec-it-operations-management/page/product/service-mapping/task/t_GetProcessPatDef.html
In the Oracle pattern, we get the information regarding the process using PID.