Exceptions to STIG compliance
For operational and performance reasons, full-disk encryption, SELinux (Security-Enhanced Linux), and patch maintenance are intentionally excluded from the hardening procedures for full STIG compliance.
The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) states that you must enable LUKS (Linux Unified Key Setup-on-disk-format), which provides full-disk encryption, to satisfy SV-50460r2_rule. However, the performance degradation that full-disk encryption causes in a QRadar® deployment prohibits its use.
The suggested solution is to maintain all QRadar hosts in a physically-secure environment.
If you enable SELinux in enforcing mode, the performance of QRadar is significantly impacted. An alternative template for QRadar hosts is not available. You must protect your privileged user passwords so that access to the operating system is restricted.
IBM® regularly provides software fixes and updates for product defects and known vulnerabilities within QRadar and Red Hat Enterprise Linux, whether RHEL is installed separately or not.
You must disable Red Hat Enterprise Linux subscription feeds. All RPM software fixes and updates must be provided only by IBM.
SSH access control
When you run STIG on an All-in-One appliance, you can't use the SSH root account to log in remotely to the QRadar Console.
Routing and Bridging
Docker containers that run on QRadar hosts use bridged interfaces for connecting and routing to the host. You can't disable forwarding (routing) on a QRadar host because doing so might block communication with the containers. To limit the risk that comes with leaving forwarding enabled, use iptables firewall filtering instead.
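The following script is an added example, not part of the QRadar documentation or product, of how iptables can confine forwarding to the container bridge while net.ipv4.ip_forward stays enabled. The bridge name docker0, the external interface eth0, and the chain name are assumptions that you must confirm on the real host; set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Assumed names (constructed for this example; verify with `ip link`
# and `iptables -S` on the actual host before use).
BRIDGE="${BRIDGE:-docker0}"   # bridge the containers are attached to
EXT_IF="${EXT_IF:-eth0}"      # interface that carries external traffic
CHAIN="${CHAIN:-FORWARD}"     # see usage note about DOCKER-USER
DRY_RUN="${DRY_RUN:-0}"       # 1 = print commands instead of running them

# run: execute a command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# forward_rules: restrict forwarding to container <-> host/external paths.
# Anything else that would be routed through the host (for example
# traffic arriving on one external interface and leaving on another)
# is logged and dropped.
forward_rules() {
  run iptables -F "$CHAIN"
  # Replies to connections that the containers opened
  run iptables -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Containers may reach the outside through the host
  run iptables -A "$CHAIN" -i "$BRIDGE" -o "$EXT_IF" -j ACCEPT
  # Container-to-container traffic on the same bridge
  run iptables -A "$CHAIN" -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
  # Log, then drop, every other forwarded packet
  run iptables -A "$CHAIN" -j LOG --log-prefix "FORWARD-DROP: "
  run iptables -A "$CHAIN" -j DROP
}

# check_forwarding: succeed (return 0) only if IP forwarding is still on,
# which the containers require. An alternate sysctl path may be passed
# as $1 for testing.
check_forwarding() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}
```

Docker adds its own rules to FORWARD, so on hosts whose Docker version provides the DOCKER-USER chain, set CHAIN=DOCKER-USER so that Docker's rules stay intact and these rules are evaluated first. Confirm with check_forwarding that forwarding itself remains enabled after the rules are applied.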
An FTP server package (vsftpd) is installed on QRadar hosts but is not enabled on any QRadar host except QRadar Incident Forensics hosts.
When the FTP server package is enabled, it uses TLS authentication and chroot to restrict access. The FTP daemon runs only while QRadar Incident Forensics is in use.