Thanks, Paul. This is the right thing to do; we should never use -k in any sort of production environment. You could also include the CA bundle as part of the script configuration to avoid extra CLI accesses.
Original Message:
Sent: Fri April 11, 2025 02:13 PM
From: Paul Goffar
Subject: custom action script that calls ms api
Hey there,
Just following up. Of course we always want to avoid disabling security checks when possible, and after much head scratching, I was able to make a similar idea work by copying the CA bundle into the CHROOT jail environment. I'm not 100% positive that it will persist after patching, but it's definitely working now without bypassing any security controls.
Note that QRadar uses a jail shell (CHROOT) in order to safely execute custom actions away from production services. This means that the scripts being executed have no permission into the underlying RHEL system. Because of this, the CA bundle must be copied into the CHROOT jail and explicitly referenced in scripts.
After copying the bundle, I added a variable into my bash script and called it into CURL. Hope this helps someone else!
caBundlePath="/home/customactionuser/ca-bundle.crt"
curl --cacert "$caBundlePath" -X POST -H "Content-Type: application/json" -d "do stuff" "https://my.api.internet.orwhatever"
Steps to Copy CA Bundle:
This ensures that the script can access the CA bundle and maintain SSL integrity when interacting with external sites.
cp /etc/pki/tls/certs/ca-bundle.crt /opt/qradar/bin/ca_jail/home/customactionuser/ca-bundle.crt
------------------------------
Paul
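The pattern Paul describes above (jail-local CA bundle referenced with --cacert, no -k), written out as an added example that is not from the thread or from QRadar: the script refuses to run when the copied bundle is missing or empty, validates the incident id it receives as a parameter, and lets curl's --fail turn TLS or HTTP errors into a non-zero exit that QRadar records. The bundle path, the API URL and the JSON body shape are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread. Runs inside the QRadar custom-action jail.
# Host-side prerequisite (from the thread):
#   cp /etc/pki/tls/certs/ca-bundle.crt /opt/qradar/bin/ca_jail/home/customactionuser/ca-bundle.crt

# Paths as seen from inside the jail; both are assumptions, override via environment.
CA_BUNDLE="${CA_BUNDLE:-/home/customactionuser/ca-bundle.crt}"
API_URL="${API_URL:-https://my.api.internet.orwhatever}"   # placeholder endpoint

# Verify the bundle is readable and holds at least one PEM certificate.
# Returns 0 when usable, 1 otherwise. On failure the script stops; it never
# substitutes -k, which would silently disable certificate verification.
check_ca_bundle() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "CA bundle not readable: $bundle" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle" \
        || { echo "CA bundle has no PEM certificates: $bundle" >&2; return 1; }
    return 0
}

# Build the JSON body from the incident id QRadar passes as a parameter.
# Only a numeric id is accepted, so nothing else can reach the request body.
build_body() {
    incident_id="$1"
    case "$incident_id" in
        ''|*[!0-9]*) echo "incident id must be numeric, got: '$incident_id'" >&2; return 1 ;;
    esac
    printf '{"incidentId":%s}' "$incident_id"
}

# Perform the call. curl is pinned to the jail-local bundle with --cacert, and
# --fail makes an HTTP error status a non-zero exit, just like a TLS failure.
call_api() {
    check_ca_bundle "$CA_BUNDLE" || return 1
    body="$(build_body "$1")" || return 1
    curl --silent --show-error --fail \
         --cacert "$CA_BUNDLE" \
         -X POST -H "Content-Type: application/json" \
         -d "$body" "$API_URL"
}

# Entry point: QRadar passes the resolved parameters as positional arguments.
if [ "$#" -gt 0 ]; then
    call_api "$1"
fi
```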
Original Message:
Sent: Tue December 05, 2023 09:48 PM
From: QRD
Subject: custom action script that calls ms api
Had to disable SSL checks as per "URL error in custom action script | IBM Security QRadar"; I was able to fix the issue by adding -k to the curl command.
------------------------------
QRD
Original Message:
Sent: Fri December 01, 2023 06:09 AM
From: Paul Ford-Hutchinson
Subject: custom action script that calls ms api
To actually test the script (as opposed to the QRadar invocation of the script) in the chroot() environment - you can start a chroot() shell up with a command like:
# chroot --userspec=customactionuser /opt/qradar/bin/ca_jail
In this chrooted shell the script can be run locally using one of:
- /bin/bash /custom_action_scripts/customaction_1.script parm_1 "parm 2"
- /usr/bin/perl /custom_action_scripts/customaction_2.script parm_1 "parm 2"
- /usr/bin/python /custom_action_scripts/customaction_3.script parm_1 "parm 2"
Paul
------------------------------
Paul Ford-Hutchinson
Original Message:
Sent: Thu November 30, 2023 10:20 PM
From: QRD
Subject: custom action script that calls ms api
Thanks. Don't see any DNS resolve issues in the logs. Could there be anything else preventing the script from calling the API?
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.CustomActionExecutorImpl: [DEBUG] executeAction(): Attempting to execute action [CustomActionDTO [id=351, name=365Action, description=, script=ScriptMetadataDTO [id=351, name=365Action_v2.sh, path=/custom_action_scripts/customaction_351.script], interpreter=CustomActionInterpreterDTO [id=1, name=Bash, path=/bin/bash], parameters=[CustomActionParameterDTO [id=451, name= Inc ID, parameterType=dynamic, value=Def incidentId, encrypted=false], CustomActionParameterDTO [id=501, name=inc id, parameterType=fixed, value=11066, encrypted=false]]]] for client [qradar.admin].
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.CustomActionExecutorImpl: [DEBUG] buildCommandLine(): Attempting to build command line for action [CustomActionDTO [id=351, name=365Action, description=, script=ScriptMetadataDTO [id=351, name=365Action_v2.sh, path=/custom_action_scripts/customaction_351.script], interpreter=CustomActionInterpreterDTO [id=1, name=Bash, path=/bin/bash], parameters=[CustomActionParameterDTO [id=451, name= Inc ID, parameterType=dynamic, value=Def incidentId, encrypted=false], CustomActionParameterDTO [id=501, name=inc id, parameterType=fixed, value=11066, encrypted=false]]]] with values [{inc id={}, Inc ID={}}]
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.CustomActionExecutorImpl: [DEBUG] buildCommandLine(): Chroot is enabled. Generating command line with jail [/opt/qradar/bin/ca_jail] and user [customactionuser]
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.CustomActionExecutorImpl: [DEBUG] buildChrootEnv(): Building chroot env...
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.CustomActionExecutorImpl: [DEBUG] buildChrootEnv(): Returning chroot env command [[/usr/bin/env, RULE_ID=null, RULE_NAME=null]].
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.parameter.ParameterResolverFactory: [DEBUG] getResolver(): Attempting to get resolver for parameter type [dynamic]..
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.parameter.DynamicParameterResolver: [DEBUG] resolveParameter(): Attempting to resolve parameter [CustomActionParameterDTO [id=451, name= Inc ID, parameterType=dynamic, value=Def incidentId, encrypted=false]] with values [{inc id={}, Inc ID={}}]
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.parameter.DynamicParameterResolver: [DEBUG] resolveParameter(): Successfully resolved parameter [ Inc ID] to [null].
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.parameter.ParameterResolverFactory: [DEBUG] getResolver(): Attempting to get resolver for parameter type [fixed]..
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.parameter.FixedParameterResolver: [DEBUG] resolveParameter(): Attempting to resolve parameter [CustomActionParameterDTO [id=501, name=inc id, parameterType=fixed, value=11066, encrypted=false]] with values [{inc id={}, Inc ID={}}]
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.parameter.FixedParameterResolver: [DEBUG] resolveParameter(): Successfully resolved parameter [inc id].
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.CustomActionExecutorImpl: [DEBUG] buildCommandLine(): Successfully built command line.
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.CustomActionExecutorImpl: [DEBUG] executeAction(): Starting execution for action [351].
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [Thread-2070808] com.q1labs.core.shared.cre.custom.executor.CustomActionResultHandler: [DEBUG] onProcessComplete(): Invoked with exit value [0] by process [CustomActionProcessId [trackingId=qradar.admin, customActionId=351]].
Dec 1 15:11:10 ::ffff:127.0.0.1 [hostcontext.hostcontext] [pool-2-thread-4] com.q1labs.core.shared.cre.custom.executor.CustomActionExecutorImpl: [DEBUG] executeAction(): Finished executing action [351].