How-to

How to deliver audit snapshots over FTP

Introduced in Alloy Audit Tools 7.0

Updated in Alloy Audit Tools 2022.2

Overview

Starting with Alloy Audit Tools version 7.0, the Windows audit agent is able to transfer audit snapshots over FTP, FTPS, or SFTP. With this method, you can regularly audit offsite computers and remote networks that have no direct connection to the local network. Linux and macOS audit agents support FTP delivery starting with Alloy Audit Tools version 2022.

Although the FTP delivery method requires Alloy Discovery Enterprise or Alloy Navigator Enterprise or Express, you can use it in Alloy Discovery Express 8 as well. This article explains how to do it.

FTP server

First, you need an FTP server installed and configured. Traffic from the client must be able to reach the FTP server, so make sure that outgoing data and other communications from the client to the FTP server are allowed. You can use the protocol of your choice: FTP, FTPS, or SFTP.

Configuring Alloy Discovery Express

First, you will need to configure your inventory analyzers to transfer audit results via email, and then edit their configuration files, replacing email configuration settings with FTP settings. This approach will help you easily encrypt your FTP password for the FTP server authentication so that only the audit agent can read it.

After you have created the Inventory Analyzer package, you will need to perform the next two steps: deploying the package to the target network and automating the audit for producing snapshots on a regular basis.

Once the audit is set up, you will need to feed audit results to Alloy Discovery Express. Set up mirroring of audit snapshots from the FTP site to a network folder that Alloy Discovery Express can access, and configure Alloy Discovery Express to check that network folder for audit data.

Follow the steps below for detailed instructions.

To configure Alloy Discovery Express to transfer audit snapshots over FTP:

  1. In Alloy Discovery Express, make sure you have completed the audit settings as needed (select Audit > Audit Settings from the main menu and complete the Audit Configuration tab). The Inventory Analyzer will use those settings to run the audit.

  2. In Alloy Discovery Express, build the Inventory Analyzer package as follows:

    1. Create a new audit group using the Automated audit via e-mail method.

      This approach helps you encrypt your FTP password for the FTP server authentication so that only the Inventory Analyzer can read it.

    2. On the Outgoing Mail Server page, select the Server Requires Authentication check box.

    3. Enter the username and password that you use for the FTP server authentication.

      IMPORTANT: The encrypted password will be stored in the SmtpPassword field within the configuration file. You will need this value for specifying the FtpPassword in Step 3.

    4. Enter other settings required to create the group.

    5. Make sure to keep the Build Inventory Analyzer package(s) when finished check box selected and click Finish. The Portable Audit wizard starts.

    6. Complete the Portable Audit Wizard to create the Inventory Analyzer package for Windows audit.

      TIP: You will not need that audit group anymore, so you can delete it now.

  3. Go to the output folder you have specified for the Inventory Analyzer package and locate the configuration file for the Windows Inventory Analyzer. The file name is ina32.cfg.

    Open the ina32.cfg file with a text editor (for example, Microsoft Notepad), add the [FTP] section and configure the following FTP parameters:

    FtpType=[ServerType]

    The type for the server: SFTP or FTP.

    FtpServer=[ServerName]

    The FTP server name.

    FtpPort=[PortNumber]

    The port number.

    If this option is not specified, the default port number is used. For a secure connection via SFTP, the default port number is 22. For a secure connection via FTP, the default port number is 990. For a non-secure connection via FTP, the default port number is 21.

    ABOUT FTP PORT 21: The FTP service actually uses two ports, a "data port" and a "command port" (also called the "control port"). For a non-secure connection, these are port 20 for the data port and port 21 for the command port. You may also need to open other ports, depending on your security settings. For details, see https://slacksite.com/other/ftp.html. To be sure, contact your FTP server administrator and ask for directions.

    ABOUT FTPS PORTS: Depending on your FTPS Server configuration, you will need to open ports 990 and 989 (implicit FTPS) or 21 (explicit FTPS). However, to be sure, please contact your FTPS Server administrator and ask for directions.

    FtpDirectory=[Path]

    The path to the folder where audit snapshots are stored.

    FtpUser=[UserName]

    The user ID for authorization on the FTP server.

    IMPORTANT: Use the name from the SmtpUser field of the [EMail] section.

    FtpPassword=[Password]

    The password for authorization on the FTP server.

    IMPORTANT: Use the encrypted password from the SmtpPassword field of the [EMail] section.

    UseSSL=[NO|SSL]

    Enables FTP over SSL support.

    Valid values:

    • NO - This establishes an insecure (plain text) connection.
    • SSL - The server will attempt to establish a secure connection. If the FTP server does not support SSL, a connection is not established.

    PassiveMode=1

    Enables passive mode.

    For example:

    	[FTP]
    	FtpType=FTP
    	FtpServer=SERVER1
    	FtpPort=21
    	FtpDirectory=/home/user/AUDITDATA
    	FtpUser=user1
    	FtpPassword=enc300D5CC82524DBEAD1C1BED3D4FE10F426G
    	PassiveMode=1
    	UseSSL=NO

    IMPORTANT: After specifying FTP parameters, make sure to delete the [EMail] section from the ina32.cfg file.

  4. Deploy the Inventory Analyzer package to the remote network:

    1. On the remote site, create a network folder on the dedicated file server.

      This network folder will serve as an intermediary repository, and it must have both the Modify permission and the Change Permissions special permission assigned for your account. Share this folder and grant the Full Control share permission to the Everyone group for this network share.

    2. Set the minimally necessary permissions for the network folder. These minimally necessary permissions are used for the audit method to create the most secure environment for the network share and audit snapshot files stored there.

      INFO: For details, see Alloy Discovery Enterprise Administration Guide: Minimally Necessary Permissions.

    3. Deploy the Inventory Analyzer Package to the remote network, and automate the audit using domain logon scripts or scheduled tasks.

      INFO: For details, see Alloy Discovery Enterprise Administration Guide: Automating the Network Folder Audit.

  5. Set up mirroring of audit snapshots from the FTP site to a network folder that Alloy Discovery Express can access. Audit data must be copied to the AuditData subfolder under that network folder.

  6. In Alloy Discovery Express, create a Scriptable Audit Group and configure it to check that network folder for audit snapshots.
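
A lint for the edited ina32.cfg from step 3, added here as an example and not part of Alloy's tooling: it reports a leftover [EMail] section, a plain-text FTP setup and missing keys, and resolves the effective port from the defaults listed in step 3. The function name, the sample values and the treatment of an absent UseSSL as NO are assumptions.

```python
import configparser

# Default ports the article gives for an omitted FtpPort.
DEFAULT_PORTS = {"SFTP": 22, "FTPS": 990, "FTP": 21}

def review_ina_cfg(text):
    """Return (effective_port, findings) for the [FTP] section of an ina32.cfg."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cfg.read_string(text)
    sections = {name.lower(): name for name in cfg.sections()}
    findings = []
    if "email" in sections:
        findings.append("[EMail] section still present; step 3 says to delete it")
    if "ftp" not in sections:
        return None, findings + ["[FTP] section missing"]
    ftp = cfg[sections["ftp"]]
    def value(key):
        return (ftp.get(key) or "").strip()
    ftp_type = value("FtpType").upper()
    if ftp_type not in ("FTP", "SFTP"):
        return None, findings + [f"FtpType must be FTP or SFTP, got {ftp_type!r}"]
    # Assumption: an absent UseSSL behaves like UseSSL=NO.
    use_ssl = value("UseSSL").upper() == "SSL"
    mode = "SFTP" if ftp_type == "SFTP" else ("FTPS" if use_ssl else "FTP")
    raw_port = value("FtpPort")
    port = int(raw_port) if raw_port.isdigit() else DEFAULT_PORTS[mode]
    if raw_port and not raw_port.isdigit():
        findings.append("FtpPort is not a number; default port assumed")
    if mode == "FTP":
        findings.append("plain FTP: login and snapshots cross the network unencrypted")
    required = ("FtpServer", "FtpDirectory", "FtpUser", "FtpPassword")
    findings += [f"{key} is empty or missing" for key in required if not value(key)]
    return port, findings

# Constructed sample: the article's example values plus a leftover [EMail] section.
AS_EDITED = """[EMail]
SmtpPassword=<encrypted-value-placeholder>
[FTP]
FtpType=FTP
FtpServer=SERVER1
FtpPort=21
FtpDirectory=/home/user/AUDITDATA
FtpUser=user1
FtpPassword=<encrypted-value-placeholder>
PassiveMode=1
UseSSL=NO
"""
if __name__ == "__main__":
    print(review_ina_cfg(AS_EDITED))
```

Run against the sample, the check returns port 21 with two findings; switching to UseSSL=SSL or FtpType=SFTP and deleting the [EMail] section clears both.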