How to schedule uploading audit results via FTP on macOS

Introduced in 8.6

Alloy Discovery offers the ability to deliver audit snapshots from remote sites over FTP, FTPS, or SFTP. However, the feature is supported only for Windows computers. This article describes how to set up the audit of macOS computers so that it regularly runs and delivers audit snapshots via FTP.

Here are the steps you should take:

  1. Prepare an audit package

  2. Create a bash script

  3. Schedule the audit

  4. Receive the audit results

Prepare an audit package

First, launch Alloy Discovery, set up an audit source and prepare a deployable audit package for macOS audit.

  1. If you already have an FTP Audit Source in Alloy Discovery, you can use your existing source that already receives audit snapshots from remote Windows computers or sites. That source can also receive audit results from macOS computers.

    If you don't have such a source or you want different settings for receiving macOS snapshots, create a new audit source as follows:

    1. Open the properties of a site and click New > FTP under Audit Sources.

    2. On the General tab, type in a source name.

      TIP: Leave the Audit Profile setting at its default value, because macOS audit does not apply any audit profile settings anyway.

    3. Switch to the FTP tab and specify FTP settings under Incoming Server for audit snapshots. Provide the credentials for an account that has read access to the specified FTP resource, and test your connection.

      TIP: In theory, you don't need to fill out the Outgoing Server for the Audit Agent section, because you will tell the audit agent which outgoing FTP server to use later, in a bash script. But since the Outgoing Server for the Audit Agent settings are mandatory, you must still specify them, and they will automatically appear under Incoming Server for audit snapshots as long as the Use same settings as my Outgoing Server check box is selected.

    4. To enable the Inventory Server to check the FTP server for new snapshots automatically, keep the Check for new snapshots every check box selected and specify the frequency for checking the FTP server. That frequency is also called the upload interval.

    5. Click OK to close the dialog box. Your audit source is ready.

      INFO: For detailed instructions on creating FTP audit sources, see Adding FTP Audit Sources.

  2. In Alloy Discovery, create a deployable audit package.

    The Remote Audit with the FTP delivery method is not intended to audit macOS computers. That is why the package that could be created from the FTP audit source would not contain the audit agent for macOS, whose code name is ina_mac. To create an audit package for macOS, create an additional audit source.

    1. In your site's window, click New > Portable under Audit Sources.

    2. Type in any source name and click Apply to apply your changes.

    3. Click Create Package and create an audit package in any folder on your local computer.

      INFO: For detailed instructions on creating portable audit sources, see Adding Portable Audit Sources.

  3. Go to your destination folder and locate these two items:

    • AuditData - the folder in which audit snapshots are stored before loading or sending them to the database,
    • ina_mac - the audit agent for macOS (also called the Mac Inventory Analyzer).

  4. Copy the AuditData folder and the ina_mac file to one of your macOS machines. For example, here: /usr/local/bin/.

  5. On the macOS machine, in the Terminal window, run chmod +x ina_mac. This will make ina_mac executable.

Create a bash script

Second, create a bash script that launches the Alloy audit agent and uploads the audit results via FTP. Modifying the script in any way may require some programming skills.

  1. Create a new file named run-ina-mac.

  2. Open the run-ina-mac file you created in a text editor and copy and paste the following code.

    run-ina-mac
    #!/bin/bash
    # Run the Alloy audit agent from the audit package folder
    cd /usr/local/bin || exit 1
    ./ina_mac

    # Get the snapshot: the first .adt file found under AuditData
    dir="/usr/local/bin/AuditData"
    filename=$(find "$dir" -type f -name '*.adt' | head -n 1)
    #echo "$filename"

    # Stop if no snapshot was found
    [ -n "$filename" ] || exit 1

    # Send the snapshot to FTP (the trailing slash makes curl keep the local file name)
    curl --upload-file "$filename" "ftp://{user}:{password}@{ip-address}/"

    where:

    • /usr/local/bin/ - the path to the audit package,
    • {user} and {password} - the credentials of a user having Write access to your FTP server,
    • {ip-address} - the IP address or name of your FTP server.

    IMPORTANT: {user}, {password} and {ip-address} are placeholders for the FTP credentials and the FTP server address. You must replace those values with your actual ones.

  3. Save the file and then make it executable by running chmod +x run-ina-mac in the Terminal window.
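
The script above passes the FTP password on curl's command line, where any local user can read it from the process list, and sends it over unencrypted FTP. The variant below is an added example, not Alloy's script: it keeps the credentials in a netrc file readable only by the job's user, requires TLS (FTPS) for the upload, and picks the newest .adt file. FTP_HOST, the NETRC path and the upload argument are assumptions, and the FTP server is assumed to accept explicit FTPS.

```bash
#!/bin/bash
# Added example: hardened variant of run-ina-mac (not Alloy's own script).
# FTP_HOST and NETRC are assumed placeholder values, not from the article.
AUDIT_HOME="${AUDIT_HOME:-/usr/local/bin}"
FTP_HOST="${FTP_HOST:-ftp.example.com}"
NETRC="${NETRC:-/usr/local/etc/ina-ftp.netrc}"
# NETRC holds one line: machine ftp.example.com login USER password PASSWORD

# Print the most recently modified .adt file under $1; fail if there is none.
newest_snapshot() {
    local newest="" f
    while IFS= read -r f; do
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest="$f"; fi
    done <<EOF
$(find "$1" -type f -name '*.adt')
EOF
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Succeed only if $1 is a regular file, mode 600, owned by the current user
# (root when launchd runs the job with UserName root).
netrc_is_private() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm 600 -user "$(id -u)" 2>/dev/null)" ]
}

# Upload $1 over explicit FTPS; credentials come from NETRC, so they never
# appear in the process list. curl exits non-zero if TLS cannot be negotiated.
upload_snapshot() {
    curl --silent --show-error --ssl-reqd --netrc-file "$NETRC" \
         --upload-file "$1" "ftp://$FTP_HOST/"
}

main() {
    local snapshot
    netrc_is_private "$NETRC" || { echo "$NETRC must be mode 600" >&2; return 1; }
    cd "$AUDIT_HOME" || return 1
    ./ina_mac
    snapshot=$(newest_snapshot "$AUDIT_HOME/AuditData") ||
        { echo "no .adt snapshot found" >&2; return 1; }
    upload_snapshot "$snapshot"
}

# Runs the audit only when invoked as "run-ina-mac upload".
if [ "${1:-}" = "upload" ]; then main; fi
```

When this variant is scheduled with launchd, upload must be passed as a second string in ProgramArguments. Keep the script itself owned by root and not writable by other users, since the job runs it as root.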

Schedule the audit

Finally, schedule the audit using the launchd daemon, an advanced system process manager.

INFO: For additional information about using launchd, see Creating MacOS startup jobs with launchd.

You can use the plist file below as a template.

plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>Label</key>
		<string>ina_mac daily</string>
		<key>ProgramArguments</key>
		<array>
			<string>/usr/local/bin/run-ina-mac</string>
		</array>
		<key>LowPriorityIO</key>
		<true/>
		<key>Nice</key>
		<integer>1</integer>
		<key>UserName</key>
		<string>root</string>
		<key>StartCalendarInterval</key>
		<dict>
			<key>Hour</key>
			<integer>11</integer>
			<key>Minute</key>
			<integer>30</integer>
		</dict>
	</dict>
</plist>

where:

  • /usr/local/bin/ - the path to the run-ina-mac file,
  • <key>Hour</key>, <integer>11</integer>, <key>Minute</key>, <integer>30</integer> - the schedule to start the audit every day at 11:30 AM.

NOTE: You may need to replace the sample values with your actual ones.

Receive the audit results

Once you have set up the FTP audit source and automated the audit of macOS machines using the launchd daemon, the Inventory Server instance associated with the site will automatically check the FTP Server for new snapshots and upload audit snapshots to Alloy Discovery.

If you have disabled auto-upload in the audit source, or if you do not want to wait until the current upload interval ends, you can check the audit source manually and immediately receive all pending audit data as follows.

  1. In Alloy Discovery, select Audit > Receive Snapshots from the main menu. The Receive Snapshots dialog box opens.

  2. Select the source to check and click OK. As soon as the Inventory Server instance finishes the new "Check" task, new snapshots (if any were available at the moment) will appear in Alloy Discovery.

INFO: For details on receiving snapshots, see Administration Guide: Checking Audit Sources for New Snapshots.