Forum Discussion

Eroc_371693
Sep 11, 2018

Skybox wants Admin rights on f5

The company has procured Skybox, and in order to use f5 information, the System is requesting Admin rights. No matter the size of the risk, why take any if there is no need to?

According to the Skybox user guide, they run the following commands on f5 (TMOS version 12 & 13):

› tmsh show /sys version | grep ' Version'\r
› tmsh save /sys config file bigip.conf no-passphrase\r
› netstat -nr
› tmsh modify /cli preference pager disabled
› tmsh show running-config
› tmsh show /net route
› bigpipe

I have three questions:

1) Which commands here above need to be run as Admin to get the correct output?
2) For the commands that need Admin rights, are there other commands that we can suggest to Skybox so that they put us at less risk?
3) Is bigpipe really a V12+ command?

1 Reply

  • Currently, many of the commands you reference can be executed by any role, including a "guest," believe it or not:

    • tmsh show /sys version | grep Version
    • tmsh save /sys config (without the file option though)
    • tmsh modify /cli preference pager disabled
    • tmsh show running-config...
    • tmsh show /net route

    The tmsh save /sys config file bigip.conf command (with the file option) can only be executed by an Administrator or Resource Administrator. Same for the netstat command, as that requires Advanced shell access, which is available only to Administrators and Resource Administrators.

    As you noted, bigpipe is deprecated and replaced with other TMSH commands. Depending on what the customer is currently doing with bigpipe, they may require the Admin or Resource Admin role to do the same thing in tmsh.
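The reply's role breakdown applied to the command list from the question, as an added example that is not part of the original thread and not Skybox or F5 code: it reports which commands force the Administrator or Resource Administrator role and which would run under a guest account. The mapping encodes only what the reply states; the function names and labels are assumptions, and anything the reply does not settle (such as bigpipe) is reported as not stated.

```python
GUEST = "any role (guest included)"
ELEVATED = "Administrator or Resource Administrator"
UNKNOWN = "not stated in the reply"

# Commands the reply lists as executable by any role (tmsh prefix removed).
ANY_ROLE = (
    "show /sys version",
    "save /sys config",
    "modify /cli preference pager disabled",
    "show running-config",
    "show /net route",
)

# Command list quoted in the question, including the guide's literal \r suffix.
SKYBOX_COMMANDS = [
    "tmsh show /sys version | grep ' Version'\\r",
    "tmsh save /sys config file bigip.conf no-passphrase\\r",
    "netstat -nr",
    "tmsh modify /cli preference pager disabled",
    "tmsh show running-config",
    "tmsh show /net route",
    "bigpipe",
]

def clean(line):
    return line.replace("\\r", "").strip()

def classify(line):
    """Map one collector command to the role the reply says it needs."""
    words = clean(line).split("|")[0].split()   # drop the grep filter after the pipe
    if not words:
        return UNKNOWN
    if words[0] == "netstat":                   # needs Advanced shell access
        return ELEVATED
    if words[0] != "tmsh":                      # e.g. bigpipe: deprecated, role not stated
        return UNKNOWN
    if words[1:5] == ["save", "/sys", "config", "file"]:
        return ELEVATED                         # the file option is what needs elevation
    if " ".join(words[1:]).startswith(ANY_ROLE):
        return GUEST
    return UNKNOWN

def audit(lines):
    """Return (role the whole list needs, commands forcing elevation, unresolved commands)."""
    verdicts = [(clean(l), classify(l)) for l in lines]
    elevated = [c for c, v in verdicts if v == ELEVATED]
    unknown = [c for c, v in verdicts if v == UNKNOWN]
    needed = ELEVATED if elevated else (UNKNOWN if unknown else GUEST)
    return needed, elevated, unknown
```

Calling `audit(SKYBOX_COMMANDS)` names the two commands that stand between the collector and a guest-role account, which is the specific list to take back to the vendor.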