IBM Support

QRadar: How to sudo or su to root in QRadar

How To


Summary

More IBM QRadar users are creating Linux® non-privileged accounts to use in their QRadar environments. The user then needs to sudo or su to root in order to perform administrative tasks.

Objective

These tasks could include patching, installing RPMs, or other administrative work. The "QRadar" root user needs certain environment variables, including its PATH, set to access QRadar root configuration directories. If you log in directly to the Console as root, you automatically get those directories and permissions for your root user. However, if you use the su or sudo commands, you need to use them in a particular way.

Steps

When using sudo, you need to use the "-i" parameter: log in as your non-privileged user, and then run "sudo -i", NOT "sudo -s". Running "sudo -i" gives your root user the root environment, including the PATH necessary to run the QRadar Admin commands. For instance, if you log in with "sudo -s", you are able to install an RPM, but you do not have the PATH and permissions to update the QRadar database. The RPM is installed, but is not usable by the QRadar software.

Signs that you are not using su or sudo properly include file permission errors when you install an RPM, or a DSM or Protocol that you installed not being available in QRadar. That is because the QRadar database was not updated, as your root user did not have the proper PATH in its environment.

Similarly, if you use "su", you cannot simply run "su root". Again, your root user does not get the proper environment. You need to use "su -"; note the space and the dash after the su command. So the command would be "su - root".
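A pre-flight check for the situation described above, as an added example that is not IBM's code: sourced into the root shell, it reports whether the session is a login shell (as started by "sudo -i" or "su - root") and whether the directories you expect are in PATH. The function names and the directory arguments are assumptions; this page does not list the QRadar directories, so pass the ones your deployment requires.

```shell
# Added example (not from IBM). Source it into the interactive shell so that
# $0 refers to that shell:   . ./root_env_check.sh
# Then run:                  root_env_preflight /path/to/required/dir ...
# The directory arguments are placeholders; supply your own.

# path_has_dir PATH_VALUE DIR -> 0 if DIR is an exact entry in PATH_VALUE
path_has_dir() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_root_env UID SHELL_ARG0 PATH_VALUE [REQUIRED_DIR...]
# Prints one line per problem and returns the number of problems found.
check_root_env() {
    cre_uid=$1
    cre_arg0=$2
    cre_path=$3
    shift 3
    cre_problems=0
    if [ "$cre_uid" != "0" ]; then
        echo "not root (uid=$cre_uid): use 'sudo -i' or 'su - root'"
        cre_problems=$((cre_problems + 1))
    fi
    # A login shell is started with a leading dash in its name, e.g. "-bash".
    case "$cre_arg0" in
        -*) ;;
        *)  echo "not a login shell ($cre_arg0): was it started with 'sudo -s' or 'su root'?"
            cre_problems=$((cre_problems + 1)) ;;
    esac
    for cre_dir in "$@"; do
        if ! path_has_dir "$cre_path" "$cre_dir"; then
            echo "PATH is missing $cre_dir"
            cre_problems=$((cre_problems + 1))
        fi
    done
    return "$cre_problems"
}

# Check the live session: effective uid, the shell's own name, current PATH.
root_env_preflight() {
    check_root_env "$(id -u)" "$0" "$PATH" "$@"
}
```

The check must be sourced rather than executed as a script, because a script runs in its own non-login shell and would always report a problem.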

Reminder: Creating users from the command line on QRadar appliances is not supported. If you have security requirements related to adding new users and providing those accounts with sudo access, you should review STIG compliance or contact IBM Security Expert Labs.

Document Location

Worldwide


Document Information

Modified date:
14 September 2021

UID

ibm16487187