STIG exceptions

Due to technical limitations, application requirements, or both, not all STIG items can be implemented. The following STIG items cannot be made compliant for IBM QRadar.

V-230559

Finding ID: For more information, see V-230559.

Version: RHEL-08-040370

Rule ID: xccdf_org.ssgproject.content_rule_package_gssproxy_removed

Title: Uninstall gssproxy Package

Justification: The nfs-utils package depends on gssproxy package and the nfs-utils package is required for product functionality.

V-230560

Finding ID: For more information, see V-230560.

Version: RHEL-08-040380

Rule ID: xccdf_org.ssgproject.content_rule_package_iprutils_removed

Title: Uninstall iprutils Package

Justification: The iprutils package is a dependency that is needed to manage the RAID controllers.

V-204620

Finding ID: For more information, see V-204620.

Version: RHEL-07-040690

Rule ID: xccdf_org.ssgproject.content_rule_package_vsftpd_removed

Title: The Red Hat® Enterprise Linux® operating system must not have a File Transfer Protocol (FTP) server package that is installed unless needed.

Justification: When the FTP server package is enabled it uses TLS authentication, and Chroot to restrict access. The FTP daemon only runs when QRadar® Incident Forensics is being used.
Important: You can remove the FTP package but it might impact future product upgrades and cause them to fail.

V-204392

Finding ID: For more information, see V-204392.

Version: RHEL-07-010010

Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_ownership

Title: RHEL OS must be configured so that attributes of system files and commands match vendor rules.

Justification: Specific permissions are required for the correct operation of QRadar.

V-204625

Finding ID: For more information, see V-204625.

Version: RHEL-07-040740

Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward

Title: The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.

Justification: Docker containers that run on QRadar hosts use bridged interfaces for connecting and routing to the host. You can't disable forwarding (routing) on a QRadar host because it might block communication with the containers. To limit the risk with forwarding, use iptables firewall filtering instead.

V-214799

Finding ID: For more information, see V-214799.

Version: RHEL-07-010020

Rule ID: xccdf_org.ssgproject.content_rule_rpm_verify_hashes

Title: The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.

Justification: The use of yum to install/reinstall/upgrade is not allowed in QRadar.

V-204444

Finding ID: For more information, see V-204444.

Version: RHEL-07-020020

Rule ID: xccdf_org.ssgproject.content_rule_selinux_user_login_roles

Title: The Red Hat Enterprise Linux operating system must prevent nonprivileged users from running privileged functions to include disabling, circumventing, or altering implemented security safeguards and countermeasures.

Justification: If you enable SELinux in enforcement mode, the QRadar performance is significantly impacted. An alternative template for QRadar hosts is not available. You must protect your privileged user passwords so that access to the operating system is restricted.

V-204453

Finding ID: For more information, see V-204453.

Version: RHEL-07-020210

Rule ID: xccdf_org.ssgproject.content_rule_selinux_state

Title: The Red Hat Enterprise Linux operating system must enable SELinux.

Justification: If you enable SELinux in enforcement mode, the QRadar performance is significantly impacted. An alternative template for QRadar hosts is not available. You must protect your privileged user passwords so that access to the operating system is restricted.

V-204454

Finding ID: For more information, see V-204454.

Version: RHEL-07-020220

Rule ID: xccdf_org.ssgproject.content_rule_selinux_policytype

Title: The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.

Justification: If you enable SELinux in enforcement mode, the QRadar performance is significantly impacted. An alternative template for QRadar hosts is not available. You must protect your privileged user passwords so that access to the operating system is restricted.

V-204479

Finding ID: For more information, see V-204479.

Version: RHEL-07-020900

Rule ID: xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled

Title: The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.

Justification: The use of yum to install/reinstall/upgrade is not allowed in QRadar.

V-204459

Finding ID: For more information, see V-204459.

Version: RHEL-07-020260

Rule ID: xccdf_org.ssgproject.content_rule_security_patches_up_to_date

Title: The Red Hat Enterprise Linux operating system security updates must be installed and up to date.

Justification: IBM® regularly provides software fixes and updates for product defects and known vulnerabilities within QRadar and Red Hat Enterprise Linux. All Rational® Portfolio Manager (RPM) software fixes and updates must be provided only by IBM.

V-250314

Finding ID: For more information, see V-250314.

Version: RHEL-07-020023

Rule ID: xccdf_org.ssgproject.content_rule_selinux_context_elevation_for_sudo

Title: The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.

Justification: If you enable SELinux in enforcement mode, the QRadar performance is significantly impacted. An alternative template for QRadar hosts is not available. You must protect your privileged user passwords so that access to the operating system is restricted.

V-204452

Finding ID: For more information, see V-204452.

Version: RHEL-07-020200

Rule ID: xccdf_org.ssgproject.content_rule_clean_components_post_updating

Title: The Red Hat Enterprise Linux operating system must remove all software components after updated versions are installed.

Justification: IBM makes every possible effort to ensure software components are added and/or removed when appropriate. Enabling this setting might result in issues when you update your software.

V-204426

Finding ID: For more information, see V-204426.

Version: RHEL-07-010310

Rule ID: xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration

Title: The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices), if the password expires.

Justification: Availability of accounts and services is an overriding concern for IBM QRadar.

V-204592

Finding ID: For more information, see V-204592.

Version: RHEL-07-040370

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_root_login

Title: The Red Hat Enterprise Linux operating system must not permit direct logins to the root account using remote access via SSH.

Justification: The root account is required for some QRadar services and deployment communication. A non-root user should be created and used instead.