
Forum Discussion

David_G__33241 (Nimbostratus)
Aug 25, 2015

Run Bash script from iRule

I have built a process on the Big-IP to create CSRs for mobile devices in order to request and obtain certificates signed by our internal CA. I start with registration where the employee connects to a particular URI on the Big-IP with his/her mobile device and then proceeds to authenticate. Using a combination of two factor authentication, AD authentication, AD lookups and device checks I gather all of the information necessary to create a CSR specific to this user and device combination. I then have the Big-IP email me the formatted openssl command to create the CSR. All of this is done directly in the VPE.

 

The next step is a manual process where I have to copy/paste the openssl commands from the email into bash in order to create the CSR which I can email to be signed.

 

All of this works just fine except that I would now like to automate the last step in the process. I know that bash commands can be called from an iRule but I haven't been able to figure out the mechanics. I have seen examples using Virtuals and Sideband connections (which I have done in the past to query external servers), however I can't seem to figure out how to simply call a bash script and pass it some parameters.

 

The script itself would run a couple openssl commands using passed variables and then email the resulting CSR to our CA admin. I think I can figure out the script piece but I can’t figure out how to call it from the VPE (probably a dream) or from an iRule (using an iRule event I presume).

 

Can someone point me in the right direction?

 

Thanks

 

APM 11.5.1

 

2 Replies

  • You can run a bash script from a monitor, not an iRule. You can use a sideband connection to run something from a different device but not the F5. iRules are performance-oriented and dealing with the bash shell in the Linux system is slow.

     

  • You can technically call into Bash from an iRule in a number of ways actually, but as Mr. Davies expresses, you're calling a management plane function from the data plane. You could potentially overwhelm the management plane if you attempt to send too much traffic, or present a security risk to the system if you don't properly validate what you're sending. That said, there are at least three ways to send information to the management plane for the purposes of launching a Bash script:

     

    1. Syslog - you can simply configure syslog-ng to listen for a specific message or log facility and launch some Linux process.

       

    2. iCall - similar to the syslog approach but much more flexible.

       

      https://devcentral.f5.com/wiki/iCall.HomePage.ashx

       

    3. iControlREST call via iRules sideband call - I should note here that this is the only method that can actually receive a response from the Bash command.

       

      https://devcentral.f5.com/questions/icontrolrest-115-execute-bash-command

       

    I suppose for what you want to do, the third option is probably your best bet, and you can definitely run that from an iRule event agent in the VPE.
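As an added example (not from this thread, and not F5's own code): the management-plane side of the third option, a shell script of the kind the original poster describes. It takes the user, device ID and platform as parameters, whitelists each one before it reaches an openssl command line, writes a key and CSR, and can mail the CSR to the CA admin. It also emits the JSON body one would POST to the iControl REST util/bash endpoint to launch it, which is where the reply's warning about validating what you send matters: validated arguments cannot break out of the JSON string or the bash -c argument. The subject fields, CSR directory, CA admin address, script path and use of mail(1) are placeholders assumed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread or from F5: the bash-side script
# the poster describes, written so that it can be launched from the management
# plane (iCall, a syslog trigger, or an iControl REST util/bash call) with the
# user and device passed as parameters. Everything that arrives from the data
# plane is treated as untrusted and whitelisted before it reaches openssl.
# Assumptions: openssl is on PATH; the subject fields, CSR directory, CA admin
# address, script path and use of mail(1) are placeholders for this example.
set -eu

CA_ADMIN_EMAIL="${CA_ADMIN_EMAIL:-ca-admin@example.com}"         # assumed placeholder
CSR_DIR="${CSR_DIR:-/var/tmp/mobile-csr}"                        # assumed placeholder
SCRIPT_PATH="${SCRIPT_PATH:-/usr/local/bin/mobile-csr.sh}"       # assumed placeholder

# Whitelist validation. A username is limited to sAMAccountName-style
# characters, a device ID to alphanumerics and dashes, the OU to a fixed set.
# Anything else (quotes, spaces, slashes, shell metacharacters) is rejected.
validate_user()   { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]{1,64}$'; }
validate_device() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]{4,64}$'; }
validate_ou() {
    case "$1" in
        iOS|Android) return 0 ;;
        *) return 1 ;;
    esac
}

# Builds the X.509 subject from validated parts; fails on any bad input so no
# raw value is ever interpolated into an openssl command line.
build_subject() {
    _user="$1"; _device="$2"; _ou="$3"
    validate_user "$_user" && validate_device "$_device" && validate_ou "$_ou" || return 1
    printf '/C=US/O=Example Corp/OU=%s/CN=%s-%s' "$_ou" "$_user" "$_device"
}

# Generates a fresh 2048-bit key and CSR; prints the CSR path on success.
make_csr() {
    _subject="$(build_subject "$1" "$2" "$3")" || { echo "rejected input" >&2; return 1; }
    mkdir -p "$CSR_DIR" && chmod 700 "$CSR_DIR"
    _base="$CSR_DIR/$1-$2"
    # -subj receives the validated string as a single argument; the umask keeps
    # the private key unreadable to other users on the box.
    ( umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$_base.key" -out "$_base.csr" -subj "$_subject" >/dev/null 2>&1 )
    echo "$_base.csr"
}

# JSON body for the iControl REST call the reply points at (POST to
# https://<bigip>/mgmt/tm/util/bash). Because the arguments were validated,
# the embedded command line cannot contain quotes or backslashes that would
# break out of the JSON string or the bash -c argument.
rest_payload() {
    build_subject "$1" "$2" "$3" >/dev/null || return 1
    printf '{"command":"run","utilCmdArgs":"-c \\"%s %s %s %s\\""}' "$SCRIPT_PATH" "$1" "$2" "$3"
}

# Mails the CSR to the CA admin; assumes a working local mail(1).
send_csr() {
    mail -s "CSR $(basename "$1")" "$CA_ADMIN_EMAIL" < "$1"
}

# Usage: mobile-csr.sh <user> <device-id> <iOS|Android>
if [ "$#" -gt 0 ]; then
    [ "$#" -eq 3 ] || { echo "usage: $0 user device-id ou" >&2; exit 2; }
    csr="$(make_csr "$1" "$2" "$3")"
    send_csr "$csr"
fi
```

The whitelist is deliberately narrow: the CN is built only from characters that cannot terminate a quoted argument, so the same values are safe to place in the REST payload, in the bash -c string and in -subj. Whatever transport is used to reach the management plane (syslog trigger, iCall or REST), the validation belongs in the script that actually spawns openssl, since that is the boundary between untrusted data-plane input and a root-level shell.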