Exceptions to STIG compliance

For operational and performance reasons, full-disk encryption, SELinux (Security-Enhanced Linux), and patch maintenance are intentionally excluded from the hardening procedures for full STIG compliance.

Full-disk encryption

The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) states that you must enable LUKS (Linux Unified Key Setup-on-disk-format), which is full-disk encryption to satisfy SV-50460r2_rule. However, the performance degradation that is experienced in a QRadar® deployment prohibits this full-disk encryption.

The suggested solution is to maintain all QRadar hosts in a physically-secure environment.

SELinux considerations

If you enable SELinux in enforcement mode, the performance of QRadar is significantly impacted. An alternative template for QRadar hosts is not available.

You must protect your privileged user passwords so that access to the operating system is restricted.

Software maintenance

IBM® regularly provides software fixes and updates for product defects and known vulnerabilities within QRadar and Red Hat Enterprise Linux, whether RHEL is installed separately or not.

You must disable Red Hat Enterprise Linux subscription feeds. All RPM software fixes and updates must be provided only by IBM.

Root logins

When you run STIG on an All-in-One appliance, you can't use the SSH root account to log in remotely to the QRadar Console.

SSH access control

IP (Internet Protocol) based access controls for SSH connections are applied to managed hosts but not to Consoles.
Note: Use iptables rather than SSH configuration to restrict SSH access.
See the IBM QRadar Administration Guide for information about creating iptables rules.

Routing and Bridging

Docker containers that run on QRadar hosts use bridged interfaces for connecting and routing to the host. You can't disable forwarding (routing) on a QRadar host because it might block communication with the containers. To limit the risk with forwarding, use iptables firewall filtering instead.

FTP

An FTP server package (vsftpd) is installed on QRadar hosts but is unavailable on all QRadar hosts except for QRadar Incident Forensics hosts.

When the FTP server package is enabled it uses TLS authentication and chroot to restrict access. The FTP daemon only runs when QRadar Incident Forensics is being used.

Note: You can remove the FTP package but it might impact future product upgrades and cause them to fail.