Infrastructure wires
SaaS tenant. The MFI Suite is delivered as a fully managed service — there is nothing to install or configure at the OS level. Self-hosted one-time licence buyers receive a dedicated installation runbook with the licence delivery; this page describes the user-facing workflow only.
Two of the nine controls depend on infrastructure scripts that the Suite cannot run itself: A1.2-BACKUP needs the pgBackRest post-job hook, and CC7.1-VULN needs the OpenVAS scan-summary hook. Both ship in the repo under /infra_runbooks/scripts/; install them once and the daily/weekly cycles fill themselves.

pgBackRest hook (A1.2-BACKUP)
- Copy
soc2_backup_evidence.shto/opt/staging/scripts/on the DB host chmod 755 /opt/staging/scripts/soc2_backup_evidence.sh- Edit pgBackRest config
/etc/pgbackrest/pgbackrest.conf - Add
cmd-post = /opt/staging/scripts/soc2_backup_evidence.shto the global stanza - Verify next backup: (managed by the platform team — raise a support case if needed) while pgBackRest runs
- The script writes
mfi_soc2.last_backup_atto ICP; the check function reads it
Watching this on a SaaS tenant: open the run/job's own log tab inside the suite. For deeper inspection, raise a support case from iBANK → Get help.
OpenVAS hook (CC7.1-VULN)
- Copy
soc2_vuln_evidence.shto/opt/staging/scripts/on the GVM host - Schedule weekly (recommended Saturday 03:00):
0 3 * * 6 /opt/staging/scripts/soc2_vuln_evidence.sh- Script invokes
gvm-cli, fetches latest scan summary, posts to BridgeERP ICPs - Three keys set:
mfi_soc2.last_vuln_critical,last_vuln_high,last_vuln_medium+last_vuln_scan_at - Check function reads all four; passes when scan ≤ 7 days old AND criticals = 0
Worked scenarios
Scenario — Samuel wires the backup hook on a new tenant
| Character | Role |
|---|---|
| Samuel Kibet | IT lead doing the install |
Timeline
- Day 1 morning: Pulls the script from the repo, copies to /opt/staging/scripts, chmod 755.
- Day 1, 10:00: Edits pgBackRest config, adds cmd-post line, sudo systemctl reload pgbackrest.
- Day 1, 13:00: Manually triggers a backup to test the hook.
- Day 1, 13:05: Backup completes; tails BridgeERP log → sees 'soc2.last_backup_at written'. (ICP mfi_soc2.last_backup_at = 2026-06-13T13:05:00Z)
- Day 1, 14:00: Opens MFI → SOC 2 → Evidence; clicks Run now on A1.2-BACKUP. Returns PASS. (Evidence record created with summary 'Last backup 2026-06-13T13:05:00Z (< 24h)')
- Day 2, 02:30: Cron runs again from a scheduled backup; evidence auto-collected. (Daily cadence in steady state)
Outcome — Backup-evidence wired in 4 hours; control flips from RED to GREEN; never need to touch it again.
Reference
ICP keys written by the wires
| Key | Written by | Read by control |
|---|---|---|
| mfi_soc2.last_backup_at | soc2_backup_evidence.sh | A1.2-BACKUP |
| mfi_soc2.last_vuln_critical | soc2_vuln_evidence.sh | CC7.1-VULN |
| mfi_soc2.last_vuln_high | soc2_vuln_evidence.sh | CC7.1-VULN |
| mfi_soc2.last_vuln_medium | soc2_vuln_evidence.sh | CC7.1-VULN |
| mfi_soc2.last_vuln_scan_at | soc2_vuln_evidence.sh | CC7.1-VULN |
| mfi_soc2.last_backup_verified_at | manual via wizard | (future) A1.3-RECOVERY |
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| pgBackRest hook runs but ICP not written | XML-RPC auth fails — admin_passwd changed | Update (managed by the platform team — raise a support case if needed) with the new password; or use BridgeERP Bot's OAuth token. |
| Control flips RED on a Sunday despite Saturday scan | Scan-at threshold is 7 days — Sunday is day 8 if scan was last Saturday | Tighten the cron to Friday 03:00; or move threshold to 8 days (Settings → Controls → CC7.1). |
| Hook writes ICP but check function returns FAIL | Pass threshold mismatch — criticals > 0 from the latest scan | Patch the criticals; rerun the scan; control flips on next cadence. |
See also
Was this page helpful?

