Online Help

Segment audit credentials

This article describes how to set up credentials for accessing computers and devices within the segment. Credentials can be configured for the following platforms:

All credentials you enter here are encrypted and never leave your local network. AlloyScan never stores passwords or secrets in the cloud.

TIP: On the Usage tab, you can see the list of audit services that use a particular set of credentials.

Windows credentials

These credentials are used for auditing Windows computers. The audit account you define must be a member of the local Administrators group on each Windows client computer, either directly or through membership in a Windows domain group.

Consider using a domain administrator's account. Note that Windows computers must belong to the same domain as the computer running the audit service.

TIP: Avoid using real user accounts. Instead, we recommend that you create a special domain user solely for the purpose of auditing your domain (the "audit account").

ClosedLearn about controls and options

  • Title : The name (title) for the credential record. It will appear in the list of available Windows audit credentials.

  • Login : The login name for the audit account. To specify a domain account, we recommend using this format:
    DomainName\LoginName

  • Password: The password for the specified audit account.

Linux and macOS credentials

These credentials are used to audit Linux and macOS computers in your segment. Credentials must allow logging on to these computers and executing the commands necessary for data collection.

AlloyScan uses certain commands that require the use of sudo (for example, to collect hardware or system information). For complete data collection, provide credentials for a user authorized to execute sudo and enable the Use sudo option for these credentials in AlloyScan.

ClosedLearn about controls and options

  • Title : The name (title) for the credential record. It will appear in the list of available Linux and macOS credentials.

  • Port: By default, AlloyScan accesses client Linux and macOS computers over the standard TCP port 22. If you want to specify a non-standard TCP port that the SSH server running on client computers listens on, enter its number.

  • Login : The login name.

  • Authentication type: Select an authentication type.

    • Password:

      • Password: The account password.

      • Confirm password Re-enter the account password to confirm.

      • Use sudo: Select this option to allow the account to run commands with administrative privileges using sudo.

    • Private key:

      • Private key: Browse to select the key file.

      • Passphrase: Enter the passphrase for the key if the key is encrypted.

      • Use sudo: Select this option to allow the account to run commands with administrative privileges using sudo.

      • Sudo password: Enter the password required by sudo, if applicable.

        IMPORTANT: To reliably identify Linux machines, AlloyScan collects the computer UUID. Even if the Use sudo checkbox is not selected, AlloyScan may still invoke sudo exclusively for this operation. Ensure that the account is included in the sudoers list for UUID collection. The Sudo password may be required for this operation. This sudo invocation applies only to UUID collection on Linux machines.

Hypervisor credentials

These credentials are used to audit ESXi/vSphere and Citrix hypervisors. Credentials must allow logging on to these hypervisors. Consider using an account with administrative privilege and, for Citrix hypervisors, SSH access to the host system.

ClosedLearn more about controls and options

  • Title : The name (title) for the credential record. It will appear in the list of available Hypervisor credentials.

  • Port: By default, AlloyScan accesses client hypervisors over the standard TCP port 22. If you want to specify a non-standard TCP port that the SSH server running on client computers listens on, enter its number.

  • Login : The login name.

  • Password: The account password.

  • Private Key: This field is read-only. It displays information about the uploaded private key file.

  • Browse: Click this button to choose your private key file.

  • Clear: Clears the Private Key field.

  • Use sudo: Select this option if the account requires sudo to run commands with administrative privileges.

  • Sudo password: Enter the password required by sudo, if applicable.

SNMP credentials

These credentials are used to collect inventory data about networked printers, scanners, hubs, routers, and other devices. AlloyScan detects and identifies those network devices via SNMP.

ClosedLearn more about controls and options

  • Title : The name (title) for the credential record. It will appear in the list of available SNMP credentials.

  • Under Version v1/v2c, specify the following information for community-based SNMPv1 or SNMPv2c:

    • Community: The SNMP community.

      NOTE: Most SNMP v1 and v2c devices are shipped with the community string set to "public". It is standard practice for system administrators to change the community strings so that unauthorized users cannot access information about the internal network.

  • Under Version v3, specify the following information for user-based SNMPv3:

    • User Name: The SNMP user name.

    • Security Level: The SNMP security level:

      • No Authentication, No Privacy: Uses a user name for authentication and transmits credentials in clear text.

      • Authentication, No Privacy: Provides packet authentication and message integrity, but no encryption. Select the authentication algorithm (MD5 or SHA) in the Protocol list and type in the pass phrase.

      • Authentication, Privacy: Provides the maximal security by combining authentication, message integrity, and encryption. Under Authentication, select the authentication algorithm (MD5 or SHA) and type in the pass phrase. Under Privacy, select the encryption algorithm (DES or AES) and type in the pass phrase.

AWS credentials

AWS credentials allow the specified audit service to access and audit the specified AWS resources using a dedicated IAM user or role. For the minimal permissions required for the IAM user or role, see AWS minimal permissions.

ClosedLearn about controls and options

  • Title: The name (title) for the credential record. It will appear in the list of available AWS credentials.

  • Access key ID: The access key ID for the IAM user or role.

  • Secret access key: The secret access key for the IAM user or role.

Azure credentials

Azure credentials allow the specified audit service to access and audit the specified Microsoft Azure resources using a dedicated service principal. For the minimal permissions required, see Azure minimal permissions.

ClosedLearn about controls and options

  • Title: The name (title) for the credential record. It will appear in the list of available Azure credentials.

  • Tenant ID: The unique identifier of your organization’s Azure AD tenant (Microsoft Entra ID).

  • Client ID: The application (client) ID of the service principal.

  • Client secret: The client secret associated with the service principal.

Google credentials

Google credentials allow the selected Audit Service to access and audit the specified Google Cloud resources using a dedicated service account. For the minimal permissions required, see Google Cloud minimal permissions.

ClosedLearn about controls and options

  • Title: The name (title) for the credential record. It will appear in the list of available Google credentials when configuring segments.

  • Choose how to provide your service account credentials: by uploading a JSON key file or manually.

    • Upload JSON key file (recommended):

      • Under Upload service account JSON, upload the service account JSON key file generated in Google Cloud (see Create a JSON key).

        The system automatically populates the required fields.

    • If you do not have a JSON key file or prefer not to upload it, enter the service account details manually.

      • Project ID: The unique identifier of your Google Cloud project. This defines which project’s resources AlloyScan will access.

      • Client email: The email address of the service account.

      • Private key: The private key associated with the service account.