Forum Discussion

Juergen_Mang
6 hours ago

F5 System Scanner - How I deployed it at scale

Does anyone use the F5 System Scanner regularly?

I was surprised when, a while back, one of my clients told me about this tool. I hadn't read about it anywhere before, and I thought I was pretty well-informed.

What is it?

https://my.f5.com/manage/s/article/K000160515

It is a small tool that calculates hashes from installed files and compares them with hashes provided by F5. Basically, it's a simple host-based intrusion detection system. You can download it from myF5.

Test

I tested it the other day, and it seems to work well, except for 1 or 2 false positives because the latest Hotfix isn't supported. I simply changed the hashes in the dat file and the status was ok.

My deployment scenario

Installing the tool manually on a fleet of F5s and running the scans by hand is not my operating model.

I implemented a Restsh function f5.system-scanner that does the heavy lifting for me in an automatable way. It uploads the f5-system-scanner binary and the dat file with the hashes to the F5, runs the f5-system-scanner in the background, and downloads the report after it finishes. The script exits with an error code if the scanner found a hash mismatch. This is the ideal basis to put it in a pipeline and deploy it at scale.

You can download Restsh for free: https://github.com/AxiansITSecurity/Restsh

The pipeline itself is part of the Axians Automation Framework, an enterprise-ready GitOps framework for F5 BIG-IP.

The Future

I hope F5 maintains this nice small utility further and updates the hashes for future F5 releases. Does anyone have more info about it than I have?

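The hash-compare-and-exit-code pattern described in the post, as an added Python example that is not part of the original post and is neither F5's scanner nor the Restsh function. It assumes a `<sha256>  <relative path>` baseline format (not F5's dat layout), hypothetical function names, and its own exit codes (0 clean, 1 file mismatch or missing, 2 baseline file differs from the pinned digest), so a changed baseline is reported separately from a changed system file.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_baseline(text: str) -> dict:
    """Parse '<sha256>  <relative path>' lines (assumed format, not F5's dat layout)."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, rel = line.split(None, 1)
            entries[rel.strip()] = digest.lower()
    return entries


def scan(root: Path, baseline_text: str, pinned_sha256: str) -> dict:
    """Compare files under root with the baseline; exit 2 if the baseline is not the pinned copy."""
    findings = {"mismatch": [], "missing": [], "exit": 2}
    if sha256_hex(baseline_text.encode()) != pinned_sha256.lower():
        return findings  # baseline differs from the reviewed copy: do not trust its hashes
    for rel, expected in sorted(parse_baseline(baseline_text).items()):
        target = root / rel
        if not target.is_file():
            findings["missing"].append(rel)
        elif sha256_hex(target.read_bytes()) != expected:
            findings["mismatch"].append(rel)
    findings["exit"] = 1 if findings["mismatch"] or findings["missing"] else 0
    return findings


def demo() -> tuple:
    """Constructed sample tree: one intact file, one modified file, one deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"bin/tool": b"v1", "etc/conf": b"a=1", "lib/mod": b"x"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = "".join(f"{sha256_hex(d)}  {r}\n" for r, d in files.items())
        pin = sha256_hex(baseline.encode())      # digest recorded when the baseline was reviewed
        (root / "etc/conf").write_bytes(b"a=2")  # simulate a modified file
        (root / "lib/mod").unlink()              # simulate a removed file
        found = scan(root, baseline, pin)
        edited = baseline.replace(sha256_hex(b"a=1"), sha256_hex(b"a=2"))
        return found, scan(root, edited, pin)["exit"]
```

In a pipeline, the value under `"exit"` would be passed to `sys.exit()` so the job fails on anything other than 0.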