F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Aurel's avatar
Aurel
Icon for Cirrus rankCirrus
Dec 11, 2013

Backup user account for pull backup ?

Hi,

 

I'm trying to consider backup of my Bigips, allowing a remote machine to pull ucs archives. I'm trying to setup an account with specific privileges, not to allow full system access but i cannot find anything about it. I'm finding out that only root or admin account are necessary. This means that if the remote backup server is compromised, then the Bigips could be.

 

Did someone experienced creating linux system accounts on the Bigips ?

 

thank you for any thought about it Aurel

 

14 Replies

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Dec 11, 2013
    that might be tricky, why not have the big-ip push the ucs archive somewhere?
  • Aurel's avatar
    Aurel
    Icon for Cirrus rankCirrus
    Dec 11, 2013
    I would prefer the push method in many ways, but it's a design rule as we have a machine who's pulling all configurations to her. Then i have to provide like root access to my machine, and i don't like so much, but i'm afraid that would be the only way.
    • adrock_1854's avatar
      adrock_1854
      Icon for Nimbostratus rankNimbostratus
      Dec 16, 2013
      Does the remote account need the ability to generate the archive itself, or will it simply be pulling archives already created by some other method?
    • Aurel's avatar
      Aurel
      Icon for Cirrus rankCirrus
      Dec 26, 2013
      They choose to generate themself the archive. That means their machine have full access with the root account. Until the machine is not compromised, it should be ok. That's definitely not the way i would choose, but they know about my opinion and will assume any further issue.
    • dirtycache's avatar
      dirtycache
      Icon for Nimbostratus rankNimbostratus
      Dec 16, 2013
      Does the remote account need the ability to generate the archive itself, or will it simply be pulling archives already created by some other method?
    • Aurel's avatar
      Aurel
      Icon for Cirrus rankCirrus
      Dec 26, 2013
      They choose to generate themself the archive. That means their machine have full access with the root account. Until the machine is not compromised, it should be ok. That's definitely not the way i would choose, but they know about my opinion and will assume any further issue.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 27, 2013

    there are request for enhancements regarding custom defined user role but they have not been implemented yet. you may open a support case to see if it can be expedited.

     

    ID273333 - AuthZ: User-definable roles

     

    ID382849 - RFE: Custom Defined User Roles/Permissions on LTMs Similar to EM

     

    • Aurel's avatar
      Aurel
      Icon for Cirrus rankCirrus
      Dec 28, 2013
      Thanks for your reply Nitass. That would be definitely a good thing, but i have to confess that's not a high priority issue.
  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Dec 27, 2013

    there are request for enhancements regarding custom defined user role but they have not been implemented yet. you may open a support case to see if it can be expedited.

     

    ID273333 - AuthZ: User-definable roles

     

    ID382849 - RFE: Custom Defined User Roles/Permissions on LTMs Similar to EM

     

    • Aurel's avatar
      Aurel
      Icon for Cirrus rankCirrus
      Dec 28, 2013
      Thanks for your reply Nitass. That would be definitely a good thing, but i have to confess that's not a high priority issue.