Oracle Database Discovery

Tripl-i automatically discovers Oracle Database instances, pluggable databases (PDBs), tablespaces, and active connections on Linux servers during SSH scans.

Overview

When Oracle Database is detected on a scanned Linux server, the scanner automatically gathers instance configuration, database inventory (PDBs for multitenant architecture), tablespace information, active connections, and Data Guard status. This data creates DatabaseInstance and Database CIs with full dependency mapping.

Key Benefits

  • Complete Oracle Inventory - Discover all Oracle instances across your infrastructure, including multitenant CDB/PDB architecture
  • Dependency Mapping - Identify which applications and servers connect to your databases
  • Data Guard Visibility - Detect primary/standby roles and protection modes
  • Tablespace Tracking - Monitor tablespace sizes, autoextend status, and capacity
  • Vulnerability Management - CPE generation enables CVE tracking for Oracle versions
  • Multi-Instance Support - Discover all instances from /etc/oratab and running PMON processes

How It Works

Discovery Flow

| Step | Action |
|------|--------|
| 1 | Linux server is scanned via SSH |
| 2 | Oracle detected via ora_pmon_* processes, /etc/oratab, or sqlplus binary |
| 3 | All instances discovered from /etc/oratab and running PMON processes |
| 4 | For each instance: configuration, PDBs/databases, tablespaces, connections, and Data Guard status collected |
| 5 | DatabaseInstance and Database CIs created |
| 6 | Relationships mapped between instances, databases, and connected servers/workloads |

Automatic Triggering

Database discovery is automatically triggered when:

  • A Linux server is scanned via SSH
  • Running ora_pmon_* processes are detected, or /etc/oratab exists, or sqlplus binary is found
  • No additional configuration is required for servers where the SSH account has sudo access to the oracle OS user

Authentication

Default: OS Authentication (No Extra Credentials)

The scanner uses OS authentication via the oracle OS user:

sudo su - oracle -c "sqlplus -S / as sysdba"

This works on most Oracle installations where:

  • The SSH scanning account has sudo access
  • The oracle OS user exists and is configured for SYSDBA authentication
  • $ORACLE_HOME and $ORACLE_SID are set in the oracle user's environment

No separate database credentials are required in this case.

Optional: Password Authentication

If sudo access is not available, you can configure Oracle credentials in the Scanner GUI:

  1. Go to Credentials tab
  2. Select protocol: Oracle
  3. Enter Username and Password
  4. Set Port (default: 1521)
  5. Enter SID / Service Name (e.g., ORCL, PRODDB)
  6. Set IP Range to target the database server(s)

Authentication Priority

| Priority | Method | When Used |
|----------|--------|-----------|
| 1 | Provided credentials (sqlplus user/pass@SID) | When Oracle credentials are configured |
| 2 | sudo su - oracle + sqlplus / as sysdba | When SSH user has sudo access |
| 3 | sqlplus / as sysdba (current user) | If running as oracle user |

Required Oracle Permissions

For full discovery with SYSDBA (default OS auth):

  • All required views are accessible automatically

For non-SYSDBA users:

| Permission | Purpose |
|------------|---------|
| SELECT on v$instance | Instance information |
| SELECT on v$database | Database configuration |
| SELECT on v$session | Active connections |
| SELECT on v$pdbs | Pluggable database inventory (12c+) |
| SELECT on dba_tablespaces | Tablespace information |
| SELECT on dba_data_files | Data file sizes |
| SELECT on v$version | Version banner |
| SELECT on nls_database_parameters | Character set information |

Data Collected

Instance Information

| Data Point | Description |
|------------|-------------|
| Version | Oracle version (e.g., 19.0.0.0.0) |
| SID | System Identifier |
| Service Name | Database service name |
| DB Unique Name | Unique database name (for Data Guard) |
| Open Mode | READ WRITE, READ ONLY, MOUNTED |
| Log Mode | ARCHIVELOG or NOARCHIVELOG |
| Instance Role | PRIMARY_INSTANCE or SECONDARY_INSTANCE |
| Platform | Operating system platform |
| Character Set | NLS character set |
| Edition | Enterprise, Standard, Express |
| Is CDB | Whether this is a Container Database (multitenant) |
| Data Guard Role | PRIMARY, PHYSICAL STANDBY, LOGICAL STANDBY |
| Protection Mode | MAXIMUM PERFORMANCE, AVAILABILITY, PROTECTION |
| CPE | Common Platform Enumeration for vulnerability matching |

Database/PDB Information

For multitenant (CDB) instances, each Pluggable Database is discovered:

| Data Point | Description |
|------------|-------------|
| PDB Name | Pluggable database name |
| Open Mode | READ WRITE, READ ONLY, MOUNTED |
| Container ID | PDB container ID |
| Size | Total PDB size in MB |

For non-CDB instances, the database itself is tracked as a single entry.

Tablespace Information

| Data Point | Description |
|------------|-------------|
| Tablespace Name | Name of the tablespace |
| Status | ONLINE, OFFLINE, READ ONLY |
| Size | Current allocated size in MB |
| Max Size | Maximum autoextend size in MB |
| Contents | PERMANENT, TEMPORARY, UNDO |

Connection Information

| Data Point | Description |
|------------|-------------|
| Machine | Client machine name |
| Program | Connecting application (e.g., JDBC Thin Client, sqlplus) |
| Username | Oracle database user |
| Connection Count | Number of sessions from this client |

CI Types Created

DatabaseInstance

Represents an Oracle Database instance (SID) running on a server.

  • Naming Convention: ServerName/SID (e.g., oradb-01/PRODDB)
  • Database Engine: oracle

Database

For CDB instances, each PDB becomes a Database CI. For non-CDB, the database itself is a single CI.

  • Naming Convention: ServerName/SID/PDBName (e.g., oradb-01/PRODDB/HRPDB)

Relationships Created

| Relationship | Source | Target | Description |
|--------------|--------|--------|-------------|
| Runs On | DatabaseInstance | Server | Instance runs on server |
| Part Of | Database (PDB) | DatabaseInstance | PDB belongs to CDB |
| Uses Database | Server/Workload | DatabaseInstance | Client connects to database |
| Linked To | DatabaseInstance | DatabaseInstance | Data Guard partner |

Cross-Boundary Dependencies

Connections from Kubernetes workloads to Oracle databases are automatically resolved:

K8s Workload (epys/api-service) ──Uses Database──> DatabaseInstance (oradb-01/PRODDB)
program: "JDBC Thin Client"
username: "EPYS_APP"

Multi-Instance Support

The scanner discovers all Oracle instances on a server:

  1. Parses /etc/oratab for configured instances and their ORACLE_HOME paths
  2. Scans running ora_pmon_* processes for active instances not in oratab
  3. Scans each instance independently with the correct ORACLE_HOME and ORACLE_SID

Excluded: ASM instances (+ASM, +APX) are skipped as they are storage infrastructure, not application databases.
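
The three steps above, as an added example (not Tripl-i's own code): it merges /etc/oratab entries with running ora_pmon_* processes, skips ASM/APX, and drops any SID or ORACLE_HOME that fails an allow-list before the value could be placed in a command run as the oracle user. The allow-list patterns, function names and sample data are assumptions of this example.

```python
import re

# Allow-lists assumed for this example (not Oracle's formal naming rules).
SID_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,29}")
HOME_RE = re.compile(r"/[A-Za-z0-9_./-]+")
PMON_RE = re.compile(r"ora_pmon_(\S+)")
# Constructed sample inputs, not captured from a real host.
SAMPLE_ORATAB = """\
# SID:ORACLE_HOME:autostart flag
+ASM:/u01/app/19.0.0/grid:N
PRODDB:/u01/app/oracle/product/19.0.0/dbhome_1:Y
TESTDB:/u01/app/oracle/product/21.0.0/dbhome_1:N
bad;sid:/tmp/x:N
"""
SAMPLE_PS = """\
oracle    2211     1  0 09:01 ?        00:00:02 ora_pmon_PRODDB
oracle    2390     1  0 09:02 ?        00:00:01 ora_pmon_DEVDB
grid      1805     1  0 09:00 ?        00:00:01 asm_pmon_+ASM
scanner   9001  8990  0 10:15 pts/0    00:00:00 grep pmon
"""

def parse_oratab(text):
    """Map SID -> ORACLE_HOME, skipping comments, ASM/APX and unsafe values."""
    homes = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].strip().split(":")
        if len(fields) < 2:
            continue
        sid, home = fields[0], fields[1]
        if sid.startswith("+"):  # +ASM, +APX: storage infrastructure
            continue
        if SID_RE.fullmatch(sid) and HOME_RE.fullmatch(home):
            homes[sid] = home
    return homes

def parse_pmon(ps_text):
    """Return SIDs of running instances from `ps -ef` output (CMD is column 8)."""
    sids = set()
    for line in ps_text.splitlines():
        cols = line.split(None, 7)
        m = PMON_RE.fullmatch(cols[7].strip()) if len(cols) == 8 else None
        if m and SID_RE.fullmatch(m.group(1)):
            sids.add(m.group(1))
    return sids

def discover_instances(oratab_text, ps_text):
    """Union of configured and running instances; PMON-only ones have no home."""
    homes, running = parse_oratab(oratab_text), parse_pmon(ps_text)
    return [{"sid": s, "oracle_home": homes.get(s), "running": s in running}
            for s in sorted(set(homes) | running)]
```

On the sample data, DEVDB is reported as running with no ORACLE_HOME because it appears only as a PMON process; how the home is then resolved for such an instance is not described on this page.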

Vulnerability Management

CPE Generation

Format: cpe:2.3:a:oracle:database_server:{version}:*:*:*:{edition}:*:*:*

Examples:

  • Oracle 19c Enterprise: cpe:2.3:a:oracle:database_server:19.0.0.0.0:*:*:*:enterprise:*:*:*
  • Oracle 21c Standard: cpe:2.3:a:oracle:database_server:21.0.0.0.0:*:*:*:standard:*:*:*

Best Practices

Security

  • Use OS authentication (SYSDBA) when possible (no password storage needed)
  • Monitor instances with NOARCHIVELOG mode (no point-in-time recovery possible)
  • Review Data Guard protection mode for critical databases
  • Check for non-CDB instances on 12c+ (may indicate legacy configurations)

Monitoring Indicators

  • NOARCHIVELOG mode - No point-in-time recovery, data loss risk
  • Data Guard MAXIMUM PERFORMANCE - May have data loss window during failover
  • Tablespace autoextend OFF - Risk of space exhaustion
  • PDBs in MOUNTED state - Not accessible to applications
  • High session counts from single machine - Connection pool issues

Troubleshooting

| Issue | Cause | Solution |
|-------|-------|----------|
| Oracle not discovered | No PMON process and no /etc/oratab | Verify Oracle is running: ps -ef \| grep pmon |
| Cannot connect to instance | ORACLE_HOME not set correctly | Check /etc/oratab has correct paths |
| Permission denied | SSH user cannot sudo to oracle | Configure Oracle credentials in Scanner GUI |
| No PDB data | Instance is non-CDB or Oracle < 12c | Expected behavior; database appears as single entry |
| No tablespace data | Missing DBA privileges | Connect as SYSDBA or grant SELECT on dba_tablespaces |
| Missing connections | v$session access denied | Grant SELECT on v$session |