Enabling Custom Scripts

Overview

Custom scripts let you customize the way SecureChange reacts to the progress of tickets in a workflow. You can use various triggers that start external tasks based on the workflow progress or send information to external systems about ticket progress. For example, your custom script can collect ticket information and send it in an email message or save it to a file (see Using Scripts).

In TOS Aurora, the SecureChange service runs in a Kubernetes pod. Since Kubernetes pods do not retain changes upon restart, the ways that you interact with the TOS Aurora SecureChange pod are more limited than the flexibility required for custom scripts. Tufin has created the mediator script to use HTTP/HTTPS communication from the SecureChange pod to another location - either the TOS Aurora host or an external server. This removes the limitations of running custom scripts within a pod while maintaining the ability to use standalone executable scripts. The script will be executed by an external process at the operating system level, passing data to STDIN. This solution allows running the scripts on TOS Aurora similar to how they ran on TOS Classic.

To use this solution, you must:

  • Install the Tufin mediator script on the SecureChange pod.

  • Install the web service and the custom scripts (and their dependencies) in the same location, which could be on the TOS Aurora server or on an external server.

Who Should Use This Topic?

It is recommended that the Tufin system administrator, or a user with a similar skill-set, use this topic. The ideal user is someone who is comfortable with command-line Linux and scripting, and knows how services are created.

How Does It Work?

Tufin provides a template that you can use to write the mediator script. The mediator script gets custom script identifiers from SecureChange as well as ticket information attributes. The mediator script passes this information to a web service that runs required customized scripts, and then passes the results back to the mediator script, which then passes the results to SecureChange.

For your reference, this link, https://gitlab.com/tufinps/tos2/trigger-example, contains example files including the mediator script and sample custom scripts.

If you have any questions about custom scripts and the migration process from TOS Classic to TOS Aurora, you can send a question in the Tufin Developer community in the Aurora Migration category.

Trigger Types

There are several types of scripts triggers in SecureChange. This list includes some of the trigger types that the mediator script supports:

Important Notes

  • The mediator and web service scripts are working examples that are provided by Tufin as a courtesy. By downloading and using these scripts, you agree to take responsibility for implementation and maintenance

  • The host where the web service is installed must have an Internet connection when the web service is installed and the first time that the process is run.

  • The sample web service is designed to run on a node in the cluster, and will only respond to requests from the SecureChange pod using the Kubernetes library. These examples assume that the scripts are installed on the same host where TOS cluster runs.

    If you prefer that the web service and customized scripts reside on different hosts, you should implement security measures such as encryption and authentication according to your organization's regulations.

  • Customized scripts will not be able to access the TOS database directly.

  • These scripts are intended to allow TOS-specific addons only. Scripts should be designed to utilize the TOS APIs or web service to interact with the software.

  • Customized scripts should not impede the performance or functionality of TOS. If Tufin Support provides assistance with troubleshooting or performance issues, you may be asked to disable custom scripts as part of the troubleshooting process.

  • On high availability (HA) deployments, the web service should be installed on a data node.

  • You can install this solution on a node in the cluster or a separate external server; this topic includes both options.

Enable Custom Scripts

Run this procedure on the server on which you will run the custom scripts (TOS Aurora or external).

  1. Get root privileges.

    Either use your own password,

    [<ADMIN> ~]$ sudo su -
    sudo su -

    or use the root password (RHEL/Rocky Linux only),

    [<ADMIN> ~]$ su -
    su -
  2. Navigate to your main working directory. The examples in this topic use /opt as the main working directory. You can select any directory, which you should use instead of /opt when following these procedures.
    [<ADMIN> ~]# cd /opt
    cd /opt
  3. Clone the sample mediator script and related files:

    [<ADMIN> ~]# mkdir -p trigger-service && curl "https://gitlab.com/api/v4/projects/tufinps%2Ftos2%2Ftrigger-example/repository/archive.tar.gz" | tar -zx -C trigger-service --strip-components 1
    mkdir -p trigger-service && curl "https://gitlab.com/api/v4/projects/tufinps%2Ftos2%2Ftrigger-example/repository/archive.tar.gz" | tar -zx -C trigger-service --strip-components 1
  4. Run the following to set up Python and Poetry in the required directory.

    [<ADMIN> ~]# cd trigger-service && \
    python3 -m venv venv && \
    source venv/bin/activate && \
    pip3 install --upgrade pip &&\
    pip3 install poetry && \
    poetry install && \
    deactivate
    cd trigger-service && \ python3 -m venv venv && \ source venv/bin/activate && \ pip3 install --upgrade pip &&\ pip3 install poetry && \ poetry install && \ deactivate
  5. At this point, you can continue custom script configuration on either a TOS Aurora server or on an external server.

Configure the SecureChange Engine to Run Custom Scripts

To run custom scripts in SecureChange with the mediator script, you need to define the path to the mediator script and create a list of scripts that should be run with it. When SecureChange runs a script, it checks the following:

  • Is the Mediator Script defined?

  • Is the customized script to be run listed in the Mediator Script Allow list (whitelist in the API)?

If both of these criteria are met, SecureChange runs the mediator script path and passes the script-to-be-run identifier as an argument. The mediator script, in turn, issues a web call to a server that implements the logic of the script.

If either of these criteria are not met, SecureChange runs the script on its path in the same way that the script would have run in TOS Classic.

  1. To define where the mediator is installed on the pod:

    [<ADMIN> ~]# curl -k -X PUT -u <user name>:<password> "https://<IP Address>/securechangeworkflow/api/securechange/internal/configuration/set?insert=true&key=webHookMediatorScriptFullPath&value=/opt/tufin/data/securechange/scripts/mediator.sh"
    curl -k -X PUT -u <user name>:<password> "https://<IP Address>/securechangeworkflow/api/securechange/internal/configuration/set?insert=true&key=webHookMediatorScriptFullPath&value=/opt/tufin/data/securechange/scripts/mediator.sh"

    where:

    • <user name> and <password>: SecureChange credentials for a user with Admin privileges

    • <IP Address>: TOS VIP Address

    Here is an example of the expected output:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <configuration_change>
        <key>webHookMediatorScriptFullPath</key>
        <new_value>/opt/tufin/data/securechange/scripts/mediator.sh</new_value>
    </configuration_change>
  2. Register the scripts:

    [<ADMIN> ~]# curl -k -X PUT -u <user name>:<password> "https://<IP Address>/securechangeworkflow/api/securechange/internal/configuration/set?insert=true&key=webHookMediatorScriptWhitelist&value=/opt/trigger-service/MyScript1.sh;/opt/trigger-service/MyScript2.sh" 
    curl -k -X PUT -u <user name>:<password> "https://<IP Address>/securechangeworkflow/api/securechange/internal/configuration/set?insert=true&key=webHookMediatorScriptWhitelist&value=/opt/trigger-service/MyScript1.sh;/opt/trigger-service/MyScript2.sh"

    where:

    • <user name> and <password> - SecureChange credentials for a user with Admin Privileges

    • <IP Address> – TOS VIP Address

    • /opt/trigger-service/MyScript1.sh;/opt/trigger-service/MyScript2.sh - Script identifiers, multiple values are separated by a semicolon (;). The value must correspond with the value in the Full Path field of the script in SecureChange or in the external server.

    Here is an example of the expected output:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <configuration_change>
        <key>webHookMediatorScriptWhitelist</key>
        <new_value>/opt/trigger-service/MyScript1.sh;/opt/trigger-service/MyScript2.sh</new_value>
    </configuration_change>

    If the parameter is missing or has no value, SecureChange will use the Path field for the triggered script, and will not use the mediator script. SecureChange can work in hybrid mode, some scripts can be run locally, while some scripts are run externally by the mediator script.

    If you want to retrieve the current settings and modify them, use this command:

    [<ADMIN> ~]# curl -k -X GET -u <user name>:<password> "https://<IP Address>/securechangeworkflow/api/securechange/internal/configuration/load?key=webHookMediatorScriptWhitelist"
    curl -k -X GET -u <user name>:<password> "https://<IP Address>/securechangeworkflow/api/securechange/internal/configuration/load?key=webHookMediatorScriptWhitelist"
  3. Configure the script in SecureChange. For example, if the script is for a Workflow event, configure as follows:

    1. In SecureChange, select Settings > SecureChange API.

    2. In the Full Path field enter the full path where the script resides on the host outside the TOS cluster.

      The full path for the script is the full path where the script is located. The web service should be installed in the same common path.

  4. In SecureChange, click Test to confirm that SecureChange is able to run the script.

Specify Script in SecureChange and Test

Now that the service is running, you can modify SecureChange to point to the full-path location of your custom script. In the following example, the full path is /opt/trigger-service/SecureChangeTestScript.sh.

After testing, you should also see a hit in the systemctl status trigger command: