26-Jan-2023 03:25
I've been having a look on GitHub at the f5devcentral/big-ip-atc-ready repository. I'm trying to develop some Inspec scripts that will test a big-ip to make sure the correct CIS F5 Networks Benchmarks security standards are configured.
I've hit my first hurdle, how do I connect to the device and successfully login so I can run API calls to view sensitive info?
31-Jan-2023 15:51
Hi @amyG123 ,
The biggest difference between the controls evaluated in big-ip-atc-ready and the controls found in an implementation of the CIS F5 Networks Benchmarks is where they are executed. big-ip-atc-ready treats the BIG-IP as a black box evaluating the configuration by the responses provided by the BIG-IPs REST API. This is why the backend parameter is set to local in the example kitchen-terraform-inspec configuration below.
suites:
  - name: bigip
    excludes:
      - aws-tunnel
    verifier:
      systems:
        - name: local
          backend: local
          profile_locations:
            - https://github.com/f5devcentral/big-ip-atc-ready.git
            - test/integration/bigip
          controls:
            - bigip-postbuildconfig-do-self
            - bigip-postbuildconfig-do-dns
            - bigip-postbuildconfig-do-vlan
            - bigip-postbuildconfig-do-provision
            - bigip-connectivity
            - bigip-declarative-onboarding
            - bigip-declarative-onboarding-version
            - bigip-application-services
            - bigip-application-services-version
            - bigip-telemetry-streaming
            - bigip-telemetry-streaming-version
            - bigip-licensed
For controls that are evaluated from a shell on the BIG-IP, the backend parameter must be set to ssh. The following is an example.
    verifier:
      systems:
        - name: remote
          backend: ssh
          profile_locations:
            - test/integration/gre
          controls:
            - bigip-gre-tunnel
          hosts_output: bigip_mgmt_public_ips
          user: admin
          key_files:
            - test/fixtures/aws_tunnel/kitchen-terraform-kitchen-terraform-bigip-tunnel-aws-tunnel.pem
For inspec to successfully connect to the BIG-IP, the user account used by inspec must have its default shell set to bash. You can use F5 Declarative Onboarding to make that configuration adjustment.
The yaml examples above are from an automated test harness that uses Kitchen and Terraform to instantiate a BIG-IP and run some tests using the big-ip-atc-ready inspec profile.
You can also use inspec directly from the command line:
inspec exec /path/to/your/cisprofile --target=ssh://bigipuser:bigippassword@bigiphost:22
The inspec documentation provides more detail about options for the exec command.
I hope this is of use.
If I misunderstood your question, please let me know and I'll see if I have a more appropriate answer.
31-Jan-2023 14:53
Hi @amyG123, I'm reaching out on this...hold tight.
31-Jan-2023 23:56
Thank you @Mark_Menger! Your advice makes sense, I'll go away and try this solution out. Appreciate it 😊