Infrastructure wires

SaaS tenant. The MFI Suite is delivered as a fully managed service — there is nothing to install or configure at the OS level. Self-hosted one-time licence buyers receive a dedicated installation runbook with the licence delivery; this page describes the user-facing workflow only.

Two of the nine controls depend on infrastructure scripts that the Suite cannot run itself: A1.2-BACKUP needs the pgBackRest post-job hook, and CC7.1-VULN needs the OpenVAS scan-summary hook. Both ship in the repo under /infra_runbooks/scripts/; install them once and the daily/weekly cycles fill themselves.

Evidence wires
Automated evidence collection wires.

pgBackRest hook (A1.2-BACKUP)

  1. Copy soc2_backup_evidence.sh to /opt/staging/scripts/ on the DB host
  2. chmod 755 /opt/staging/scripts/soc2_backup_evidence.sh
  3. Edit pgBackRest config /etc/pgbackrest/pgbackrest.conf
  4. Add cmd-post = /opt/staging/scripts/soc2_backup_evidence.sh to the global stanza
  5. Verify next backup: (managed by the platform team — raise a support case if needed) while pgBackRest runs
  6. The script writes mfi_soc2.last_backup_at to ICP; the check function reads it

Watching this on a SaaS tenant: open the run/job's own log tab inside the suite. For deeper inspection, raise a support case from iBANK → Get help.

OpenVAS hook (CC7.1-VULN)

  1. Copy soc2_vuln_evidence.sh to /opt/staging/scripts/ on the GVM host
  2. Schedule weekly (recommended Saturday 03:00):
  3. 0 3 * * 6 /opt/staging/scripts/soc2_vuln_evidence.sh
  4. Script invokes gvm-cli, fetches latest scan summary, posts to BridgeERP ICPs
  5. Three keys set: mfi_soc2.last_vuln_critical, last_vuln_high, last_vuln_medium + last_vuln_scan_at
  6. Check function reads all four; passes when scan ≤ 7 days old AND criticals = 0

Worked scenarios

Scenario — Samuel wires the backup hook on a new tenant

Setting: First-time setup of SOC 2 evidence on a new prod tenant.

CharacterRole
Samuel KibetIT lead doing the install

Timeline

  1. Day 1 morning: Pulls the script from the repo, copies to /opt/staging/scripts, chmod 755.
  2. Day 1, 10:00: Edits pgBackRest config, adds cmd-post line, sudo systemctl reload pgbackrest.
  3. Day 1, 13:00: Manually triggers a backup to test the hook.
  4. Day 1, 13:05: Backup completes; tails BridgeERP log → sees 'soc2.last_backup_at written'. (ICP mfi_soc2.last_backup_at = 2026-06-13T13:05:00Z)
  5. Day 1, 14:00: Opens MFI → SOC 2 → Evidence; clicks Run now on A1.2-BACKUP. Returns PASS. (Evidence record created with summary 'Last backup 2026-06-13T13:05:00Z (< 24h)')
  6. Day 2, 02:30: Cron runs again from a scheduled backup; evidence auto-collected. (Daily cadence in steady state)

Outcome — Backup-evidence wired in 4 hours; control flips from RED to GREEN; never need to touch it again.

Reference

ICP keys written by the wires

KeyWritten byRead by control
mfi_soc2.last_backup_atsoc2_backup_evidence.shA1.2-BACKUP
mfi_soc2.last_vuln_criticalsoc2_vuln_evidence.shCC7.1-VULN
mfi_soc2.last_vuln_highsoc2_vuln_evidence.shCC7.1-VULN
mfi_soc2.last_vuln_mediumsoc2_vuln_evidence.shCC7.1-VULN
mfi_soc2.last_vuln_scan_atsoc2_vuln_evidence.shCC7.1-VULN
mfi_soc2.last_backup_verified_atmanual via wizard(future) A1.3-RECOVERY

Troubleshooting

SymptomLikely causeFix
pgBackRest hook runs but ICP not writtenXML-RPC auth fails — admin_passwd changedUpdate (managed by the platform team — raise a support case if needed) with the new password; or use BridgeERP Bot's OAuth token.
Control flips RED on a Sunday despite Saturday scanScan-at threshold is 7 days — Sunday is day 8 if scan was last SaturdayTighten the cron to Friday 03:00; or move threshold to 8 days (Settings → Controls → CC7.1).
Hook writes ICP but check function returns FAILPass threshold mismatch — criticals > 0 from the latest scanPatch the criticals; rerun the scan; control flips on next cadence.

See also

Was this page helpful?