AWS transform documentation change
Summary
Updated documentation for discovery tool security: 1) Clarified SQL Server collection requires local admin access while OS metrics don't; 2) Added new Oracle credentials section with security best practices; 3) Updated credential assignment mechanisms and retry behaviors; 4) Modified CSV import columns to separate OS and Oracle credentials.
Security assessment
The changes enhance security documentation by adding Oracle-specific best practices (least privilege, read-only access, password rotation) and clarifying permission requirements. However, there's no evidence of addressing a specific vulnerability. The updates promote secure configurations but don't reference any CVE, incident, or vulnerability fix.
Diff
diff --git a/transform/latest/userguide/discover-tool-security.md b/transform/latest/userguide/discover-tool-security.md index 2a02b620e..7f37627a7 100644 --- a//transform/latest/userguide/discover-tool-security.md +++ b//transform/latest/userguide/discover-tool-security.md @@ -75 +75 @@ The discovery tool VM comes with a default login password "password" for user "d - * Avoid using domain administrator or local administrator accounts when Database (SQL Server) collection is not needed. Database collection recommends Local Administrator because it queries multiple WMI namespaces and uses elevated commands. For OS metrics without database discovery, a non-administrator account with Remote Management Users, Performance Monitor Users, and WMI read access to `root\cimv2` is sufficient. See [Required permissions for the discovery tool](./discovery-tool-permissions.html) for per-module details. + * Avoid using domain administrator or local administrator accounts unless you need SQL Server collection. SQL Server collection requires Local Administrator access because it queries multiple WMI namespaces and uses elevated commands. For OS metrics without SQL Server discovery, a non-administrator account with Remote Management Users, Performance Monitor Users, and WMI read access to `root\cimv2` is sufficient. See [Required permissions for the discovery tool](./discovery-tool-permissions.html) for per-module details. @@ -92,0 +93,13 @@ The discovery tool VM comes with a default login password "password" for user "d +**Oracle credentials** + + * Use a dedicated read-only service account with only SELECT_CATALOG_ROLE. Do not use DBA, SYSDBA, or SYSOPER privileges. + + * The discovery tool performs only read operations and never writes to the Oracle database. + + * The discovery tool does not access Diagnostics Pack or Tuning Pack views, so no additional Oracle license is required. + + * Rotate the Oracle service account password regularly and update the credential in the discovery tool. + + + + @@ -99 +112 @@ The discovery tool encrypts stored credentials at rest using a database encrypti -The discovery tool uses two mechanisms to assign credentials to servers during _OS-level collection_ : auto-connect and manual. OS-level collection includes the Network, Database, and OS metrics modules. These modules connect to individual servers from all sources, including VMware VMs, Hyper-V VMs, and imported servers. +The discovery tool uses two mechanisms to assign credentials to servers during _OS-level collection_ : auto-connect and manual. OS-level collection includes the Network, SQL Server, Oracle Database, and OS metrics modules. These modules connect to individual servers from all sources, including VMware VMs, Hyper-V VMs, and imported servers. @@ -101 +114 @@ The discovery tool uses two mechanisms to assign credentials to servers during _ -**Manual** : a server can be manually associated with a specific credential. In this case, the discovery tool will use that credential only, failure or success. The user has to manually monitor collection status for that server and make adjustment. +**Manual** : a server can be manually associated with a specific credential. In this case, the discovery tool uses that credential only, regardless of success or failure. You must manually monitor collection status for that server and make adjustments. @@ -103 +116 @@ The discovery tool uses two mechanisms to assign credentials to servers during _ -**Auto-connect** : if no credential is manually associated with the server, the discovery tool will use auto-connect mechanism for that server. That means: +**Auto-connect** : if no credential is manually associated with the server, the discovery tool uses the auto-connect mechanism for that server. That means: @@ -105 +118 @@ The discovery tool uses two mechanisms to assign credentials to servers during _ - * at the start of each collection round, the discovery tool will get a list of credentials available for that server (based on OS types) and also configured to be "auto-connectable". + * At the start of each collection round, the discovery tool gets a list of credentials available for that server (based on OS types) and also configured to be "auto-connectable". @@ -107 +120 @@ The discovery tool uses two mechanisms to assign credentials to servers during _ - * The discovery tool will then test all credentials against the server in a loop. + * The discovery tool then tests all credentials against the server in a loop. @@ -109 +122 @@ The discovery tool uses two mechanisms to assign credentials to servers during _ - * If a working credential is found, the collection round for the server is successful, the discovery tool remembers it and will try it first next time. + * If a working credential is found, the collection round for the server is successful. The discovery tool remembers it and tries it first next time. @@ -111 +124 @@ The discovery tool uses two mechanisms to assign credentials to servers during _ - * If no working credential is found, the collection round for the server has failed + * If no working credential is found, the collection round for the server has failed. @@ -113 +126 @@ The discovery tool uses two mechanisms to assign credentials to servers during _ - * Network module: the server will use a backoff schedule, starting next collection round in 3 min, 30 min, 2 hours, and 6 hours following each failure (similar to exponential backoff). + * Network module: the server uses a backoff schedule, starting next collection round in 3 min, 30 min, 2 hours, and 6 hours following each failure (similar to exponential backoff). @@ -115 +128 @@ The discovery tool uses two mechanisms to assign credentials to servers during _ - * Database collection: there is no retry. The discovery tool will make 1 attempt for each server every day. + * SQL Server collection: The discovery tool does not retry. It makes one attempt per server each day. @@ -147 +160 @@ When you import servers by using a CSV file, consider the following security imp - * The `credential_name` column references preconfigured or to be configured credentials by friendly name. The CSV does not contain secrets. + * The `os_credential_name` and `oracle_credential_name` columns reference preconfigured credentials by friendly name. The CSV does not contain secrets. @@ -151 +164 @@ When you import servers by using a CSV file, consider the following security imp - * Imported servers are immediately visible in the inventory and eligible for collection. Ensure that OS credentials are correctly scoped before you import. + * Imported servers are immediately visible in the inventory and eligible for collection. Ensure that OS and Oracle credentials are correctly scoped before you import.