Creating a non-root user in a STIG-compliant environment

Create a non-root user before running the STIG hardening script.

On each host in the QRadar deployment, create a non-root user who has sudo access and choose a non-root user name such as stiguser.

Important: Administration and maintenance actions typically require elevated permissions and should be run as root, not a non-root account. After logging in as a non-root account (stiguser), elevate to root prior to running the administrative or maintenance command(s).

Elevate to root from a non-root account: sudo su -

Procedure

  1. To create the non-root user, type the following commands:
    useradd -c 'Admin User' -d /home/stiguser -m -s /bin/bash stiguser
    
    passwd stiguser
    The password must follow these guidelines:
    • Consist of 15 or more characters.
    • Not repeat the same character consecutively more than two times.
    • Not repeat the same character type consecutively more than two times.
    • Have at least one uppercase character.
    • Have at least one numerical character.
    • Have at least one special character.
    Tip: These new password requirements are enforced when the STIG script is run. If your root password doesn't meet these requirements, you can change it now.
  2. Edit the /etc/sudoers file.
    1. At the end of the file, type the following line:

      stiguser ALL=(ALL) ALL

      Note: It is conventional to use tabs for white space but it's not a requirement; for example:

      stiguser ALL=(ALL) ALL

    2. Use the # symbol to comment out any lines that contain NOPASSWD.
      Tip: If you use the Vim text editor, type :/NOPASSWD in command mode to search for any instances of NOPASSWD.
  3. Verify that the new user can log in from a remote host and use the sudo command to become a root user.
    For example, use an SSH client such as PuTTY to log in to IBM QRadar as stiguser, and then run a command by using sudo.
    sudo cat /etc/shadow
  4. For only Managed Hosts (MH), create SSH keys to allow stiguser to use SSH from the console to the Managed Host.
    1. Use SSH to connect to the console as stiguser.
      ssh stiguser@<console_IP>
    2. Generate an SSH key.
      ssh-keygen -b 4096 -t rsa
    3. Copy the stiguser key to the MH.
      ssh-copy-id stiguser@<MH_IP> -o StrictHostKeyChecking=no
    4. Verify that SSH key authentication works for stiguser.

      From the console, use SSH to connect to the MH using stiguser.

      ssh stiguser@<MH_IP>

What to do next

Run the hardening script on the QRadar console.