Oracle or SQL Database Audit – Have we found them all?

Whether it’s an Oracle Audit, ULA certification, Microsoft True-up or simply updating your CMDB you will need to complete an inventory of all the database instances you have deployed. Whatever tool or method you use to collect the information your Software Asset Management (SAM) team are going to have to be able to answer a very important question from the vendor or auditor:

How do you know you have found all the databases?

In a large complex networks this is not always easy but here are some techniques to help you verify your results.

Past Inventory

Cross check with the results from last time. This is especially valuable where the previous results were used in a true-up or audit situation as it’s the starting point a vendor will use also.

Other Asset Management System

Most organizations have multiple systems tracking their assets so use the results from one to cross check the other. The most common one is to compare the CMDB updated by Change Management or Service Desk with the SAM system. You will certainly need this information to assign status (production or non-production) for license measurement later.

Backup Schedule

Where there’s a database there’s a backup. This method is particularly useful in finding standby databases or databases not accessible by other methods or tools. The records are also usually easily gotten for comparison.

IT Security Scans

Your IT security will typically have records of all activity on the network, in particular port scans. All databases listen on particular ports so it’s a matter of getting a list of ports from the DBAs and these servers listening on these port from the IT security team. Although not perfect, it will narrow the search considerably

Ask the DBAs

Sometimes forgotten, ask the teams who maintain the databases for lists of systems they manage. Especially ask them for details on cold (off-line), clustered or cloned systems. It’s also worth asking them for details of any databases they plan to bring online or take off-line in the future.

Configuration and Change Management

Aside from their CMDB, Configuration and Change Management will also have records of changes planned to the network. This will be needed to identify databases that are in transition (development to pre-production) or who’s production status is about to change.

Other sources

Other sources that can help with a cross check are Project Office, Procurement & M&A

Takeaway

By having multiple inventory sources to cross check results for Oracle databases, you will be confident in your rebuttal to any vendor auditor who might question the completeness of your software inventory. Did you find this useful, if so please tweet

« | »

Piaras MacDonnell