AWS transform medium security documentation change
Summary
Added section on credential storage encryption, updated terminology from 'bare metal' to 'imported servers', and refined security guidance
Security assessment
The change explicitly documents a security vulnerability: stored credentials can be decrypted by attackers with root access to the discovery host. It warns users to restrict access and treat the host as privileged, indicating concrete security risks.
Diff
diff --git a/transform/latest/userguide/discover-tool-security.md b/transform/latest/userguide/discover-tool-security.md index 3786c8e08..2a02b620e 100644 --- a//transform/latest/userguide/discover-tool-security.md +++ b//transform/latest/userguide/discover-tool-security.md @@ -7 +7 @@ -Securing the discovery tool VMSecuring CredentialsUsing Auto-Connect Feature With CautionBare Metal CSV Import SecurityRevoking Access Considerations +Securing the discovery tool VMSecuring CredentialsCredential storageUsing Auto-Connect Feature With CautionCSV Import SecurityRevoking Access Considerations @@ -92,0 +93,4 @@ The discovery tool VM comes with a default login password "password" for user "d +## Credential storage + +The discovery tool encrypts stored credentials at rest using a database encryption key. On systems with systemd 250 or later, this key is encrypted using systemd-creds. On older systems, the key is stored as a permission-protected file. In both cases, an attacker with root access to the discovery tool host could access the encryption key and decrypt stored credentials. Restrict access to the discovery tool host and treat it as a privileged system in your environment. + @@ -95 +99 @@ The discovery tool VM comes with a default login password "password" for user "d -The discovery tool uses two mechanisms to assign credentials to servers during _OS-level collection_ : auto-connect and manual. OS-level collection includes the Network, Database, and OS metrics modules. These modules connect to individual servers from all sources, including VMware VMs, Hyper-V VMs, and bare metal servers. +The discovery tool uses two mechanisms to assign credentials to servers during _OS-level collection_ : auto-connect and manual. OS-level collection includes the Network, Database, and OS metrics modules. These modules connect to individual servers from all sources, including VMware VMs, Hyper-V VMs, and imported servers. @@ -137 +141 @@ Follow these guidelines: -## Bare Metal CSV Import Security +## CSV Import Security @@ -139 +143 @@ Follow these guidelines: -When you import bare metal servers by using a CSV file, consider the following security implications: +When you import servers by using a CSV file, consider the following security implications: @@ -156 +160 @@ When you revoke access, deletion is scoped to the specific source: - * Revoking vCenter access deletes only vCenter data. It does not affect Hyper-V or bare metal data. + * Revoking vCenter access deletes only vCenter data. It does not affect Hyper-V or imported server data. @@ -158 +162 @@ When you revoke access, deletion is scoped to the specific source: - * Revoking Hyper-V access deletes only Hyper-V data. It does not affect VMware or bare metal data. + * Revoking Hyper-V access deletes only Hyper-V data. It does not affect VMware or imported server data. @@ -160 +164 @@ When you revoke access, deletion is scoped to the specific source: - * Deleting bare metal servers removes them from inventory, but downstream collection data (network, database, OS metrics) is retained. + * Deleting imported servers removes them from inventory, but downstream collection data (network, database, OS metrics) is retained.