More IBM QRadar users are creating non-privileged Linux® accounts for use in their QRadar environments. Such a user must then use sudo or su to become root before performing administrative tasks.
When using sudo, you need to use the "-i" parameter: log in as your non-privileged user, and then run "sudo -i", NOT "sudo -s". "sudo -i" gives your root user the root environment, including the PATH necessary to run the QRadar admin commands. For instance, if you become root with "sudo -s", you are able to install an RPM, but you do not have the PATH and permissions to update the QRadar database. The RPM is installed, but it is not usable by the QRadar software.
Signs that you are not using su or sudo properly include file permission errors when you install an RPM, or a DSM or Protocol that you installed but that is not available in QRadar. The DSM or Protocol is missing because the QRadar database was not updated, as your root user did not have the proper PATH in its environment.
Similarly, if you use "su", you cannot simply run "su root"; again, your root user does not get the proper environment. You need to use "su -"; note the space and the dash after the su command. The full command is "su - root".
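A preflight check for the situation described above, added here as an example (it is not IBM code or a QRadar tool): it reports whether the root shell you are working in was started as a login shell before you install an RPM. The function names are this example's own, and it assumes that a login shell can be recognized by an argv[0] that starts with "-" (as with "sudo -i" and "su -").

```sh
#!/bin/sh
# Added example (constructed, not an IBM tool): confirm that the root shell
# you are about to install an RPM from was started as a login shell.

# classify_root_env EUID PARENT_ARGV0 HOME ROOT_HOME
# Prints not-root | non-login | wrong-home | login-root; returns 0 only for
# login-root. Pure function so it can be exercised with constructed values.
classify_root_env() {
    cre_euid=$1 cre_argv0=$2 cre_home=$3 cre_root_home=$4
    if [ "$cre_euid" -ne 0 ]; then
        echo "not-root"; return 1
    fi
    # Login shells ("sudo -i", "su -") are started with argv[0] beginning
    # with "-", e.g. "-bash"; "sudo -s" and "su root" start a plain "bash".
    case $cre_argv0 in
        -*) ;;
        *)  echo "non-login"; return 1 ;;
    esac
    # A login shell for root should also have root's HOME from /etc/passwd.
    if [ "$cre_home" != "$cre_root_home" ]; then
        echo "wrong-home"; return 1
    fi
    echo "login-root"
}

# Collect the live values for the shell that launched this script (the
# parent process) and report the verdict.
check_root_env() {
    parent_argv0=$(ps -o args= -p "$PPID" 2>/dev/null | awk '{print $1}')
    root_home=$(awk -F: '$1 == "root" {print $6}' /etc/passwd 2>/dev/null)
    if verdict=$(classify_root_env "$(id -u)" "$parent_argv0" "$HOME" \
                                   "${root_home:-/root}"); then
        echo "OK ($verdict): PATH=$PATH"
    else
        echo "STOP ($verdict): exit, then use 'sudo -i' or 'su - root'" >&2
        return 1
    fi
}

# Informational when executed directly; use the return code to gate installs.
check_root_env || true
```

Run it as a script from the interactive root shell, so that its parent process is the shell being checked; launching it through sudo directly makes sudo the parent and reports "non-login".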
Reminder: Creating users from the command line on QRadar appliances is not supported. If you have security requirements related to adding new users and granting those accounts sudo access, you should review STIG compliance or contact IBM Security Expert Labs.
14 September 2021