Forum Discussion

amyG123
Jan 26, 2023

Logging into big-ip using Chef Inspec script

I've been having a look on GitHub at the f5devcentral/big-ip-atc-ready repository. I'm trying to develop some Inspec scripts that will test a big-ip to make sure the correct CIS F5 Networks Benchmarks security standards are configured. 

I've hit my first hurdle, how do I connect to the device and successfully login so I can run API calls to view sensitive info?

  • Hi amyG123 ,

    The biggest difference between the controls evaluated in big-ip-atc-ready and the controls found in an implementation of the CIS F5 Networks Benchmarks is where they are executed. big-ip-atc-ready treats the BIG-IP as a black box, evaluating the configuration by the responses provided by the BIG-IP's REST API. This is why the backend parameter is set to local in the example kitchen-terraform-inspec configuration below.

    suites:
      - name: bigip
        excludes:
          - aws-tunnel
        verifier:
          systems:
          - name: local
            backend: local
            profile_locations:
              - https://github.com/f5devcentral/big-ip-atc-ready.git
              - test/integration/bigip
            controls:
              - bigip-postbuildconfig-do-self
              - bigip-postbuildconfig-do-dns
              - bigip-postbuildconfig-do-vlan
              - bigip-postbuildconfig-do-provision
              - bigip-connectivity
              - bigip-declarative-onboarding
              - bigip-declarative-onboarding-version
              - bigip-application-services
              - bigip-application-services-version
              - bigip-telemetry-streaming
              - bigip-telemetry-streaming-version
              - bigip-licensed

    For controls that are evaluated from a shell on the BIG-IP, the backend parameter must be set to ssh. The following is an example.

        verifier:
          systems:
          - name: remote
            backend: ssh
            profile_locations:
              - test/integration/gre
            controls:
              - bigip-gre-tunnel
            hosts_output: bigip_mgmt_public_ips
            user: admin
            key_files:
              - test/fixtures/aws_tunnel/kitchen-terraform-kitchen-terraform-bigip-tunnel-aws-tunnel.pem

    For inspec to successfully connect to the BIG-IP, the user account used by inspec must have its default shell set to bash. You can use F5 Declarative Onboarding to make that configuration adjustment.

    The yaml examples above are from an automated test harness that uses Kitchen and Terraform to instantiate a BIG-IP and run some tests using the big-ip-atc-ready inspec profile. 

    You can also use inspec directly from the command line:

    inspec exec /path/to/your/cisprofile --target=ssh://bigipuser:bigippassword@bigiphost:22

    The inspec documentation provides more detail about options for the exec command. 

    I hope this is of use. 

    If I misunderstood your question, please let me know and I'll see if I have a more appropriate answer.

3 Replies

    • amyG123

      Thank you Mark_Menger! Your advice makes sense, I'll go away and try this solution out. Appreciate it 😊