As Security and IT professionals at a company delivering endpoint solutions, we’re keen on experimentation. Automox is a fantastic platform for this and has a robust API to support our internal experiments. One area in particular that we’ve been working on is “DevOps on the Endpoint”, where we take many of the hard lessons learned in the DevOps revolution and apply them to how we manage endpoints. To this end, we created “Worklet Warden”, a simple Python script that mimics some of the utility you will find in infrastructure-as-code tools. This allows us to experiment with DevOps workflows using the Automox API.
What is an Automox Worklet Automation Script?
Automox Worklet automation scripts empower SecOps and ITOps to create, automate, and enforce any custom task on endpoints. Based on PowerShell and Bash scripting, Worklets are reusable units of work that can be applied across Windows, Linux, and macOS devices irrespective of location or domain membership.
Worklet automation scripts consist of two code blocks that have an if-then relationship. The first block is called “evaluation,” and the second is designated “remediation.” If the evaluation code block fails (returns non-zero), then the remediation block is run. The evaluation code executes every time an endpoint in an applicable group runs a scan. The remediation code runs according to the Worklet policy schedule after the evaluation code has flagged the device as needing remediation.
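The if-then relationship described above can be exercised locally before a Worklet is pushed to endpoints. The following is an added example, not Automox or Worklet Warden code: a small dry-run harness in which `WorkletDryRun`, the `BANNER` variable and both scripts are constructed for illustration, and scripts are run with `sh`.

```python
import os
import subprocess
import tempfile


def run_script(code, env):
    """Run one Worklet code block with sh and return its exit status."""
    return subprocess.run(["sh", "-c", code], env=env, timeout=30).returncode


class WorkletDryRun:
    """Local model of the evaluation/remediation relationship (hypothetical helper)."""

    def __init__(self, evaluation, remediation, env=None):
        self.evaluation, self.remediation = evaluation, remediation
        self.env = {**os.environ, **(env or {})}
        self.needs_remediation = False

    def scan(self):
        """Every scan runs the evaluation; a non-zero exit flags the device."""
        self.needs_remediation = run_script(self.evaluation, self.env) != 0
        return self.needs_remediation

    def scheduled_run(self):
        """On the policy schedule, remediation runs only for a flagged device."""
        if not self.needs_remediation:
            return None
        return run_script(self.remediation, self.env)


# Constructed Worklet: make sure a login banner file holds the expected line.
EVALUATION = 'grep -qx "Authorized use only" "$BANNER" 2>/dev/null'
REMEDIATION = 'echo "Authorized use only" > "$BANNER"'


def demo():
    """Scan, remediate, scan again; the second schedule tick has nothing to do."""
    with tempfile.TemporaryDirectory() as d:
        w = WorkletDryRun(EVALUATION, REMEDIATION, {"BANNER": os.path.join(d, "issue")})
        return w.scan(), w.scheduled_run(), w.scan(), w.scheduled_run()


if __name__ == "__main__":
    print(demo())
```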
Worklet Warden
Worklet Warden is a simple Python script that uses the Automox Python SDK to gather, store, and manage Worklets. It has a few operating modes: diff, sync, and update. The code and some examples of what we’ve done can be found here.
Sync Mode
When running in Sync mode, the script creates a local copy of all the Worklets in your Automox account. Each Worklet is stored in a folder with the name of the Worklet. The Bash or PowerShell script stored within the Worklet is also split out into a separate file for easier editing.
Diff Mode
When running in Diff mode, the script will show you the difference between what is stored locally and what is stored remotely. It tracks the JSON payloads in the “state” folder. This hacky code solution works similarly to many other infrastructure-as-code providers.
Remember we are experimenting!
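An added illustration of the diff idea, not Worklet Warden's own code: it splits the scripts out of a Worklet's JSON payload and produces a unified diff of the local copy against the remote one, so a reviewer sees exactly what an update would change. The payload field names (`configuration`, `evaluation_code`, `remediation_code`), the view names and the sample payloads are assumptions made for the example.

```python
import difflib
import json

# Assumed payload layout: scripts live under configuration.<field>.
SCRIPT_FIELDS = ("evaluation_code", "remediation_code")


def split_worklet(payload):
    """Separate the embedded scripts from the rest of the JSON payload."""
    meta = json.loads(json.dumps(payload))  # deep copy, leaves the input untouched
    config = meta.get("configuration", {})
    scripts = {field: config.pop(field, "") for field in SCRIPT_FIELDS}
    return meta, scripts


def diff_worklet(local, remote):
    """Return unified-diff lines describing what pushing `local` would change."""
    local_meta, local_scripts = split_worklet(local)
    remote_meta, remote_scripts = split_worklet(remote)
    # Sorted keys keep JSON key order from showing up as a change.
    views = [("metadata.json",
              json.dumps(remote_meta, indent=2, sort_keys=True),
              json.dumps(local_meta, indent=2, sort_keys=True))]
    views += [(f, remote_scripts[f], local_scripts[f]) for f in SCRIPT_FIELDS]
    lines = []
    for name, before, after in views:
        lines += difflib.unified_diff(
            before.splitlines(), after.splitlines(),
            fromfile=f"remote/{name}", tofile=f"local/{name}", lineterm="")
    return lines


# Constructed sample payloads, not real Automox API output.
REMOTE = {"id": 101, "name": "Disable Guest Account",
          "configuration": {"evaluation_code": "#!/bin/bash\nexit 1\n",
                            "remediation_code": "#!/bin/bash\necho fix\n"}}
LOCAL = {"name": "Disable Guest Account", "id": 101,
         "configuration": {"evaluation_code": "#!/bin/bash\nexit 1\n",
                           "remediation_code": "#!/bin/bash\necho fix\nexit 0\n"}}

if __name__ == "__main__":
    print("\n".join(diff_worklet(LOCAL, REMOTE)))
```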
Update Mode
When running in Update mode, local changes will be applied to your remote Automox environment.
Worklet Backups
One area we were keen on developing was a simple backup solution for our Worklets. We have in the past accidentally deleted Worklets, or made changes that didn’t go as expected. This was accomplished via GitHub Actions. The flow works like this:
1. Create GitHub Backup Repo
Since these are scripts, we thought GitHub would be the best location to store them for backup.
Be careful with secrets in Worklet code!
They are best moved to our Secrets Storage Service.
Create one environment variable and one environment secret
2. Set up a CronJob in GitHub Actions
This CronJob will run every 15 mins.
4. On execution, the job will check for changes done remotely and sync them to local
This is done using a simple GitHub action.
5. Below is the YAML for our GitHub action.
name: Automox Backup Flow
on:
  schedule:
    - cron: '*/15 * * * *' # Run every 15 minutes
jobs:
  backup:
    runs-on: ubuntu-latest
    container:
      image: python:3.9
    environment: Backup
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.9'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
      - name: Run Worklet Warden Script
        # Pass the org and API key through env instead of expanding them into the script text
        env:
          AUTOMOX_ORG: ${{ vars.AUTOMOX_ORG }}
          AUTOMOX_API_KEY: ${{ secrets.AUTOMOX_API_KEY }}
        run: |
          python3 worklet_warden.py sync --mode full --debug
      - name: Check for modifications and new files
        id: git-check
        run: |
          # Update the below line with the correct safe directory in GitHub Actions
          git config --system --add safe.directory /__w/axit-worklets/axit-worklets
          # Check for modified files
          modified=$(git diff --name-only)
          # Check for new (untracked) files
          untracked=$(git ls-files --others --exclude-standard)
          # Combine checks; write the result to GITHUB_OUTPUT (the set-output command is deprecated)
          if [[ -n "$modified" ]] || [[ -n "$untracked" ]]; then
            echo "Changes or new files detected."
            echo "changes=true" >> "$GITHUB_OUTPUT"
          else
            echo "No changes detected."
            echo "changes=false" >> "$GITHUB_OUTPUT"
          fi
        shell: bash
      - name: Commit and Push if Changes
        if: steps.git-check.outputs.changes == 'true'
        run: |
          # Update the below line with the correct safe directory in GitHub Actions
          git config --system --add safe.directory /__w/axit-worklets/axit-worklets
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git add .
          git commit -m "Automated update by GitHub Actions"
          git push
        shell: bash
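Because the backup job commits every synced Worklet to a repository, the warning in step 1 about secrets in Worklet code can be enforced with a check that runs before the commit step. The script below is an added example, not part of Worklet Warden; the rule set, the scanned file suffixes and the directory layout are assumptions, and the heuristics will need tuning.

```python
import re
import sys
from pathlib import Path

# Heuristic rules (assumed, tune for your environment). Values starting with
# "$" are shell / PowerShell variable references, not literals, and are skipped.
RULES = {
    "assigned-credential": re.compile(
        r"(?i)\b[\w-]*(password|passwd|secret|token|api[_-]?key)[\w-]*[\"']?"
        r"\s*[:=]\s*[\"']?(?!\$)[^\s\"']{8,}"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
SCANNED_SUFFIXES = {".sh", ".ps1", ".json"}  # assumed file types in the sync output


def scan_text(text):
    """Yield (line_number, rule_name) for each line that matches a rule."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                yield lineno, rule


def scan_tree(root):
    """Scan every Worklet file under root; the matched value is never echoed."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += [(str(path.relative_to(root)), lineno, rule)
                         for lineno, rule in scan_text(text)]
    return findings


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, lineno, rule in found:
        print(f"{rel}:{lineno}: possible secret ({rule})")
    sys.exit(1 if found else 0)  # non-zero fails the step before anything is committed
```

Run as a workflow step between the sync and the commit, a finding stops the push so the secret never reaches the repository history.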
Worklet Restoration
Restoring a previous version of a Worklet becomes simple once you've established the backup solution outlined above.
You just need to check out the repository at the state before the unintended changes were introduced, review the code to ensure everything is in order, and then apply the differential changes.
python3 worklet_warden.py update
Areas of Further Experimentation
Support multiple accounts
It’s likely that eventually, we will work on doing a full release process for our Worklets. This can be done using “Dev” accounts in Automox with Global Zone Management. Worklet Warden will need to be extended to support multiple accounts.
Support more than 500 Worklets
Worklet Warden needs some additional work to support more than 500 Worklets.