MySQL/MariaDB Database Discovery
Tripl-i automatically discovers MySQL and MariaDB instances and databases on Linux servers during SSH scans, providing complete visibility into your MySQL infrastructure alongside other discovered assets.
Overview
When MySQL or MariaDB is detected on a scanned Linux server, the scanner automatically gathers instance configuration, database inventory, active connections, and replication status. It also distinguishes between MySQL and MariaDB so that CPE generation and vulnerability tracking are accurate.
Key Benefits
- Complete Database Inventory - Discover all MySQL/MariaDB instances and databases across your infrastructure
- Dependency Mapping - Identify which applications and servers connect to your databases
- Replication Visibility - Detect primary/replica configurations and replication lag
- MySQL vs MariaDB Detection - Automatic engine identification for accurate vulnerability matching
- Vulnerability Management - CPE generation enables CVE tracking for both MySQL and MariaDB
- Capacity Planning - Track database sizes, table counts, and storage engine distribution
How It Works
Discovery Flow
| Step | Action |
|---|---|
| 1 | Linux server is scanned via SSH |
| 2 | MySQL/MariaDB detected via running processes (mysqld/mariadbd), listening port (3306), or installed binary (mysql) |
| 3 | Scanner authenticates to MySQL (socket auth or provided credentials) |
| 4 | Instance configuration, database inventory, connections, and replication status collected |
| 5 | DatabaseInstance and Database CIs created |
| 6 | Relationships mapped between instances, databases, and connected servers/workloads |
Automatic Triggering
Database discovery is automatically triggered when:
- A Linux server is scanned via SSH
- A running `mysqld` or `mariadbd` process is detected, or port 3306 is listening, or the `mysql` binary is found
- No additional configuration is required for servers where the SSH account has sudo access
Authentication
Default: Socket Authentication (No Extra Credentials)
The scanner uses unix socket authentication via sudo:
sudo mysql
This works on most modern MySQL/MariaDB installations where:
- The SSH scanning account has `sudo` access
- MySQL root user is configured for socket authentication (default since MySQL 5.7 and MariaDB 10.4)
No separate database credentials are required in this case.
Optional: Password Authentication
If sudo access is not available, you can configure MySQL credentials in the Scanner GUI:
- Go to Credentials tab
- Select protocol: MySQL
- Enter Username and Password
- Set Port (default: 3306)
- Set IP Range to target the database server(s)
The scanner uses the MYSQL_PWD environment variable for authentication, keeping passwords out of process listings.
Authentication Priority
| Priority | Method | When Used |
|---|---|---|
| 1 | Provided credentials (MYSQL_PWD) | When MySQL credentials are configured |
| 2 | sudo mysql (socket auth) | When SSH user has sudo access |
| 3 | mysql (current user) | Fallback if .my.cnf exists |
Required MySQL Permissions
For full discovery, the database user needs:
| Permission | Purpose |
|---|---|
| SELECT on information_schema | Database and table inventory |
| PROCESS | Active connection listing |
| REPLICATION CLIENT | Replication status (optional) |
The default root user (via socket auth) has all these permissions automatically.
Data Collected
Instance Information
| Data Point | Description |
|---|---|
| Version | Full version string (e.g., 8.0.35, 11.2.2-MariaDB) |
| Engine | mysql or mariadb (auto-detected) |
| Port | Listening port (default 3306) |
| Data Directory | Location of database files |
| Max Connections | Maximum allowed connections |
| InnoDB Buffer Pool Size | InnoDB memory buffer size |
| Character Set | Default server character set |
| Collation | Default server collation |
| Binary Log Format | ROW, STATEMENT, or MIXED |
| GTID Mode | Global Transaction ID status |
| SSL | Whether SSL is enabled |
| Is Replica | Whether this instance is a replication replica |
| CPE | Common Platform Enumeration for vulnerability matching |
Database Information
| Data Point | Description |
|---|---|
| Database Name | Name of the database (schema) |
| Character Set | Default character set |
| Collation | Default collation |
| Size | Total size in MB (data + index) |
| Table Count | Number of tables |
| System Database | mysql, information_schema, performance_schema, sys |
Connection Information
| Data Point | Description |
|---|---|
| Host | Client IP address |
| User | MySQL user account |
| Database | Target database |
| Command | Current operation (Query, Sleep, etc.) |
| Connection Count | Number of connections from this client |
Replication Information
| Data Point | Description |
|---|---|
| Is Replica | Whether this instance replicates from another |
| Source Host | Primary/master server hostname |
CI Types Created
DatabaseInstance
Represents a MySQL/MariaDB instance running on a server.
- Naming Convention: `ServerName:Port` (e.g., `db-server-01:3306`)
- Database Engine: `mysql` or `mariadb`
Database
Represents an individual database (schema) within an instance.
- Naming Convention: `ServerName:Port/DatabaseName` (e.g., `db-server-01:3306/production`)
Relationships Created
| Relationship | Source | Target | Description |
|---|---|---|---|
| Runs On | DatabaseInstance | Server | Instance runs on server |
| Part Of | Database | DatabaseInstance | Database belongs to instance |
| Uses Database | Server/Workload | DatabaseInstance | Client connects to database |
| Linked To | DatabaseInstance | DatabaseInstance | Replication partner |
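As an added illustration (not Tripl-i's own code), the sketch below shows how processlist rows can be reduced to the per-client Connection Count described above, giving the client/instance pairs a Uses Database relationship is based on. The function names, the query in the comment, and the sample rows are assumptions constructed for this example.

```python
from collections import Counter

# Constructed sample: tab-separated rows as printed by
#   mysql -B -N -e "SELECT host, user, db, command FROM information_schema.processlist"
SAMPLE_PROCESSLIST = (
    "10.0.4.21:51844\tapp_rw\tproduction\tSleep\n"
    "10.0.4.21:51846\tapp_rw\tproduction\tQuery\n"
    "10.0.4.37:40112\treporting\tproduction\tSleep\n"
    "localhost\troot\tNULL\tQuery\n"
    "\tsystem user\tNULL\tConnect\n"
)

# Sessions that originate on the database server itself
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def client_of(host_field):
    """Drop the ephemeral source port from a 'host:port' processlist value."""
    host, sep, port = host_field.rpartition(":")
    return host if sep and port.isdigit() else host_field


def summarize_clients(processlist_text):
    """Count remote connections per (client, user, database)."""
    counts = Counter()
    for line in processlist_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed rows rather than guessing
        host, user, db, _command = fields
        client = client_of(host)
        if client in LOCAL_HOSTS:
            continue  # local sessions (e.g. a socket-authenticated scan) are not dependencies
        counts[(client, user, None if db == "NULL" else db)] += 1
    return counts


if __name__ == "__main__":
    for (client, user, db), n in sorted(summarize_clients(SAMPLE_PROCESSLIST).items()):
        print(f"{client} -> {db} as {user}: {n} connection(s)")
```

Without the PROCESS privilege the query returns only the scanning user's own sessions, which is why the summary would come back empty in that case.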
Vulnerability Management
CPE Generation
The scanner auto-detects MySQL vs MariaDB and generates the appropriate CPE:
MySQL: cpe:2.3:a:oracle:mysql:{version}:*:*:*:*:*:*:*
MariaDB: cpe:2.3:a:mariadb:mariadb:{version}:*:*:*:*:*:*:*
Examples:
- MySQL 8.0.35: `cpe:2.3:a:oracle:mysql:8.0.35:*:*:*:*:*:*:*`
- MariaDB 11.2.2: `cpe:2.3:a:mariadb:mariadb:11.2.2:*:*:*:*:*:*:*`
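The following added example (not the scanner's actual implementation) shows one way to derive these CPE strings from raw server version strings, including distro build suffixes and the `5.5.5-` compatibility prefix that some MariaDB handshake banners carry. The function names and the sample version strings are assumptions constructed for illustration.

```python
import re

# vendor:product pairs exactly as listed in the CPE templates on this page
CPE_PREFIX = {"mysql": "oracle:mysql", "mariadb": "mariadb:mariadb"}
_NUMERIC = re.compile(r"\d+\.\d+\.\d+")


def detect_engine(version, version_comment=""):
    """Return 'mariadb' if either server string names MariaDB, else 'mysql'."""
    combined = f"{version} {version_comment}".lower()
    return "mariadb" if "mariadb" in combined else "mysql"


def normalize_version(version, engine):
    """Reduce a raw version string to major.minor.patch."""
    text = version.strip()
    if engine == "mariadb":
        # Some MariaDB handshake banners prepend "5.5.5-" for old clients
        text = re.sub(r"^5\.5\.5-(?=\d)", "", text)
    match = _NUMERIC.match(text)
    if match is None:
        # Refuse to emit a CPE that would be matched against the wrong CVEs
        raise ValueError(f"unrecognized version string: {version!r}")
    return match.group(0)


def build_cpe(version, version_comment=""):
    """Build the CPE 2.3 string for one discovered instance."""
    engine = detect_engine(version, version_comment)
    number = normalize_version(version, engine)
    return f"cpe:2.3:a:{CPE_PREFIX[engine]}:{number}:*:*:*:*:*:*:*"


if __name__ == "__main__":
    # Constructed version strings, not output from a real scan
    for raw in ("8.0.35", "8.0.35-0ubuntu0.22.04.1",
                "11.2.2-MariaDB", "5.5.5-10.4.12-MariaDB-log"):
        print(f"{raw:28} -> {build_cpe(raw)}")
```

Raising on an unparseable version, rather than falling back to a default, keeps a misidentified instance from being matched against another product's CVEs.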
Best Practices
Security
- Use socket authentication when possible (no password storage needed)
- Monitor instances with `have_ssl = DISABLED` for unencrypted connections
- Review users with wildcard host access (`%`)
- Check for databases using the `MyISAM` engine (no transaction support, no crash recovery)
Monitoring Indicators
- Binary logging disabled - No point-in-time recovery possible
- GTID mode OFF - Complicates replication failover
- High connection count - May indicate connection pool issues
- Large databases without recent backups - Recovery risk
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| MySQL not discovered | Process not running or different port | Check systemctl status mysql on the target |
| Cannot connect | Socket auth not configured | Configure MySQL credentials in Scanner GUI |
| Missing databases | Insufficient permissions | Grant SELECT on information_schema |
| No connection data | Missing PROCESS privilege | Grant PROCESS to the scanning user |
| No replication status | Missing REPLICATION CLIENT | Grant REPLICATION CLIENT privilege |