STIG responsibilities and exceptions

As part of the STIG hardening, some requirements are customer-specific, site-specific, or both, and cannot be implemented ahead of time. The following sections outline the STIG items that the customer is responsible for implementing according to their own requirements and environment.

SELinux considerations

For operational and performance reasons, full-disk encryption, SELinux (Security-Enhanced Linux), and patch maintenance are intentionally excluded from the hardening procedures; meeting those STIG requirements, where your site requires them, remains your responsibility. If you enable SELinux in enforcing mode, the performance of QRadar is significantly degraded, and no alternative SELinux policy or template for QRadar hosts is available.

You must protect your privileged user passwords so that access to the operating system is restricted.

Software maintenance

IBM regularly provides software fixes and updates for product defects and known vulnerabilities in QRadar and in Red Hat Enterprise Linux (RHEL), regardless of whether RHEL was installed separately.

You must disable Red Hat Enterprise Linux subscription feeds. All RPM software fixes and updates must be provided only by IBM.

Supported appliances

The following appliances are supported:
  • Fully supported: 31xx (Consoles)
  • Managed Hosts (MH), with the following note:
    • An MH that is already attached to the deployment can be hardened without issue. If you want to harden an MH before adding it to a deployment, then after hardening you must edit /etc/ssh/sshd_config and set PermitRootLogin to yes; the MH can then be added to the deployment. Without this change, the MH is not added. After the MH is attached, revert PermitRootLogin to its original value.
For more information about supported and unsupported appliances, see What systems can you run STIG scripts on?.
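The PermitRootLogin toggle described above, written out as a small POSIX shell helper. This is an added example, not IBM's code or part of the STIG scripts. It takes the sshd_config path as a parameter so you can try it on a copy; the backup suffix (.stig-orig) and the reload_sshd function are this example's own conventions. Note that sshd uses the first matching directive, so the helper inserts the new value at the top of the file and comments out only the global (non-Match) PermitRootLogin lines, leaving any directives inside Match blocks untouched.

```shell
#!/bin/sh
# Added example (not IBM's code): temporarily set PermitRootLogin so a
# hardened managed host can be attached, then restore the original file.
# $1 is the sshd_config path; on a real host use /etc/ssh/sshd_config.

# Print the global (first, outside any Match block) PermitRootLogin value,
# or "unset" if the file does not set it.
get_permit_root_login() {
    awk 'tolower($1) == "match" { in_match = 1 }
         tolower($1) == "permitrootlogin" && !in_match && !done { print $2; done = 1 }
         END { if (!done) print "unset" }' "$1"
}

# Set PermitRootLogin to $2 in $1, keeping one pristine backup at $1.stig-orig.
set_permit_root_login() {
    file=$1 value=$2
    case $value in
        yes|no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "invalid PermitRootLogin value: $value" >&2; return 1 ;;
    esac
    # Never overwrite an existing backup: the first one is the original.
    [ -e "$file.stig-orig" ] || cp -p "$file" "$file.stig-orig"
    cp -p "$file" "$file.tmp"   # new file inherits the original mode/owner
    # sshd takes the first directive it sees, so the new value goes first.
    # Global PermitRootLogin lines are commented out; Match blocks are left
    # alone because a value there only applies to that Match scope.
    awk -v v="$value" '
        BEGIN { print "# added by set_permit_root_login; restore_sshd_config removes it"
                print "PermitRootLogin " v }
        tolower($1) == "match" { in_match = 1 }
        tolower($1) == "permitrootlogin" && !in_match { print "#" $0; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Put the original file back once the MH is attached to the deployment.
restore_sshd_config() {
    if [ -e "$1.stig-orig" ]; then
        mv -f "$1.stig-orig" "$1"
    else
        echo "no backup found for $1" >&2
        return 1
    fi
}

# On a live host only: validate the file before asking sshd to reload it.
reload_sshd() {
    sshd -t -f "$1" && systemctl reload sshd
}
```

Typical use on the host is set_permit_root_login /etc/ssh/sshd_config yes, reload_sshd /etc/ssh/sshd_config, add the MH, then restore_sshd_config /etc/ssh/sshd_config and reload again; get_permit_root_login shows what the global value is at each step.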

Root logins

After you apply STIG hardening on an All-in-One appliance, you can't use SSH to log in remotely to the QRadar Console as root.

SSH access control

IP-based access controls for SSH connections are applied to managed hosts but not to Consoles.
Note: Use iptables rather than the SSH configuration to restrict SSH access.
See the IBM QRadar Administration Guide for information about creating iptables rules.

Routing and Bridging

Docker containers that run on QRadar hosts use bridged interfaces to connect and route to the host. You can't disable IP forwarding (routing) on a QRadar host, because doing so might block communication with the containers. To limit the risk that forwarding introduces, filter forwarded traffic with iptables instead.
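The two iptables recommendations above (restrict SSH by source address instead of through sshd_config, and filter forwarded traffic instead of disabling forwarding) as one added shell example. It is not IBM's code and does not come from the Administration Guide. Assumptions: the management networks and the container bridge interface name (docker0 is the stock Docker default; check the QRadar host with ip link) are inputs; the functions only print iptables commands, and apply_rules pipes them to a shell so they are applied on a host. Where QRadar expects custom rules to live so that its own iptables rebuild does not discard them, and how these rules must be ordered relative to the rules QRadar already installs, is documented in the Administration Guide and is not encoded here.

```shell
#!/bin/sh
# Added example (not IBM's code): generate iptables rules that
#  1. accept new SSH connections only from listed management networks, and
#  2. keep ip_forward on but limit FORWARD to the container bridge, so the
#     host does not act as a router between its other interfaces.

# Accept only a.b.c.d or a.b.c.d/n with octets 0-255 and prefix 0-32, so a
# typo cannot silently turn into an overly broad accept rule.
valid_cidr() {
    printf '%s' "$1" | awk -F'[./]' '
        { if (NF < 4 || NF > 5) exit 1
          for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1 }'
}

# $1: space-separated list of management networks allowed to open SSH.
build_ssh_rules() {
    for net in $1; do
        valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    # Sessions that are already open survive a later change of the list.
    echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    for net in $1; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $net -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else that targets sshd is dropped, not rejected.
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# $1: container bridge interface (docker0 assumed; verify on the host).
# Forwarding stays enabled, but only traffic entering or leaving through the
# bridge is forwarded; a DROP policy covers every other path.
build_forward_rules() {
    br=$1
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $br -j ACCEPT"
    echo "iptables -A FORWARD -o $br -j ACCEPT"
}

# On a host, as root: apply_rules "10.0.0.0/24 192.168.1.5" docker0
apply_rules() {
    { build_ssh_rules "$1" && build_forward_rules "$2"; } | sh
}
```

Before applying, run build_ssh_rules and build_forward_rules on their own and read the output; afterwards, iptables -S INPUT and iptables -S FORWARD show the live chains, and sysctl net.ipv4.ip_forward should still report 1.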

FTP

An FTP server package (vsftpd) is installed on all QRadar hosts but is disabled on all of them except QRadar Incident Forensics hosts.

When the FTP server is enabled, it uses TLS to protect authentication and a chroot to restrict access. The FTP daemon runs only while QRadar Incident Forensics is being used. On hosts where it is not needed, confirm that the vsftpd service is disabled and that nothing is listening on the FTP port.

Important: You can remove the FTP package, but doing so might cause future product upgrades to fail.

Third-party software on QRadar appliances

QRadar does not require traditional anti-virus or anti-malware agents, and IBM does not support installing them or any other third-party packages or programs. Some STIG requirements might nevertheless require you to install third-party packages or programs. Such changes are the customer's responsibility and are not supported by IBM.