Custom scripts allow you to run commands beyond those provided by a default node scan. The configuration output from a custom script is displayed alongside default node scan data, allowing you to extend a node scan in any way you choose (or can script!). Custom scripts can be provided as a scan option or placed directly on the target node. For comparable Windows-based functionality, refer to our PowerShell Queries article.

Using Scan Options

Recursive File Integrity Check

    /usr/bin/find /bin \! -type d -a \! -type s | sort | xargs md5sum

Recursive File Permissions

    /usr/bin/find /bin \! -type d -a \! -type s | sort | xargs stat -c '%n - %a'

Placing Scripts in scan.d

Nodes running an agent or the SSH connection manager can have user-created scripts executed and “appended” to the default node scan. Using this method to ingest configuration allows you to display configuration in the UpGuard UI in a couple of different ways. How you choose to organize your configuration is up to you.

  1. On the target node, create the scan.d folder. The ci-category1 folder is used to label the CI (Configuration Item) category. Configuration items will appear under this label in the UpGuard UI. You can name it anything you like.

    mkdir -p /etc/scriptrock/scan.d/ci-category1
    
  2. Place your script in the ci-category1 folder:

    ubuntu@hostname:/etc/scriptrock/scan.d/ci-category1$ ls -lh
    -rw-r--r-- 1 root root  141 Apr  6 22:44 script.py
    
  3. Give the script execute permissions so that the guardrail user can run the script:

    chmod +x script.py
    

Scripts can be created in any language. Ensure that you include the relevant shebang line at the top of the script. If you are referencing any library files (or gems), ensure that the guardrail user has the required access, as node scans are performed as this user.

Script Name Labeling

To have configuration be listed under the name of your script, use the following script.py as a template.

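    #!/usr/bin/python

    import json

    # Flat JSON object: the attributes are listed under the name of this script.
    # print() with parentheses runs on both Python 2 and Python 3.
    print(json.dumps({"ci-attribute-name1": "ci-attribute-value1", "ci-attribute-name2": "ci-attribute-value2"}))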

Key/Value Labeling

To have configuration listed as separate configuration items, use the following script.py as a template.

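    #!/usr/bin/python

    import json

    # Nested JSON object: each top-level key is listed separately, with its own attributes.
    # print() with parentheses runs on both Python 2 and Python 3.
    print(json.dumps({"ci-category-name1": {"ci-attribute-name1": "ci-attribute-value1"}, "ci-category-name2": {"ci-attribute-name2": "ci-attribute-value2"}}))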
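As an added example (not UpGuard's own code), the script below uses the nested key/value shape to report a few sshd settings from a scan.d folder. The file path, the watched keywords, the "sshd-config" label, the "not set" value and the sample text are assumptions made for this illustration.

```python
#!/usr/bin/python3
"""Report selected sshd settings as configuration items (illustrative scan.d script)."""
import json
import re

# Hypothetical choices for this example: the file to read and the keywords to report.
SSHD_CONFIG = "/etc/ssh/sshd_config"
WATCHED = ["PermitRootLogin", "PasswordAuthentication", "PermitEmptyPasswords", "X11Forwarding"]

# Constructed sample input, used only when SSHD_CONFIG cannot be read.
SAMPLE = """\
# constructed sample, not from a real host
Port 22
PermitRootLogin no
passwordauthentication=yes
PermitRootLogin yes
Match User backup
    X11Forwarding yes
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or by a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything after a Match line is conditional, not global
        # sshd uses the first value it sees for a keyword, so keep the first.
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings


def build_items(settings):
    """Shape the result as {category: {attribute: value}}, with string values."""
    return {"sshd-config": {name: settings.get(name.lower(), "not set") for name in WATCHED}}


if __name__ == "__main__":
    try:
        with open(SSHD_CONFIG) as handle:
            text = handle.read()
    except OSError:
        text = SAMPLE  # keeps the example runnable anywhere; a deployed script should report the read error
    print(json.dumps(build_items(parse_sshd_config(text)), sort_keys=True))
```

The parser does not follow `Include` directives, so settings supplied from included files are reported as "not set".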