© Copyright IBM Corporation 2016, 2017. Product information · PDF fileAbout this Common...

IBM QRadar Common Criteria for NIAP Version 7.2.7 Release 1.0 QRadar National Information Assurance Partnership (NIAP) Admin Guide - August 2017 IBM



Note: Before you use this information and the product that it supports, read the information in "Notices" on page 47.

Product information

This document applies to IBM QRadar Security Intelligence Platform V7.2.7 and subsequent releases unless superseded by an updated version of this document.

© Copyright IBM Corporation 2016, 2017. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

About this Common Criteria configuration for QRadar guide . . . v

Chapter 1. Configuration of Common Criteria on a QRadar All-in-one system . . . 1
  QRadar and Common Criteria acronyms . . . 2
  Evaluated capabilities . . . 2
  Cryptographic module identification . . . 3

Chapter 2. Common Criteria mode configuration . . . 5

Chapter 3. Installing QRadar in a STIG environment overview . . . 7
  Preparing to install QRadar and RHEL in a STIG environment . . . 7
  Installing QRadar and RHEL in a STIG environment . . . 7
  Creating a non-root user in a STIG-compliant environment . . . 8
  Running the hardening script . . . 9
  Editing scripts to configure QRadar in STIG environments . . . 9
  Installing software update for QRadar Common Criteria . . . 10

Chapter 4. Secure communication configuration . . . 13
  Configuring SSH to use public key authentication only . . . 13
    Log in remotely . . . 13
  Configuring the SSHD_config file . . . 14
  TLS configuration in QRadar . . . 14
    Configuring QRadar as a TLS client . . . 14
      Configuring data forwarding destinations and adding TLS client authentication keys to the keystore . . . 15
      Configuring routing rules for event forwarding . . . 16
    Configuring QRadar as a TLS server . . . 18
      Creating an SSL certificate request with 2048-bit Diffie-Hellman keys . . . 18
      Replacing the default SSL certificate . . . 19
  QRadar truststore and trusted certificates . . . 20
  Certification Revocation List . . . 20
  Troubleshooting certificate setup . . . 20
  Supported Cipher Suites . . . 21

Chapter 5. QRadar system configuration . . . 23
  Configuring the system time manually . . . 23
  Configuring an NTP server to maintain system time . . . 23
  Creating a QRadar login message . . . 24
  Administrative logins . . . 25
  Password recommendations . . . 25
  Configuring the minimum password length . . . 25
  Accessing QRadar RESTful API . . . 26
  QRadar self-test . . . 26

Chapter 6. Verifying secure updates . . . 29

Chapter 7. Audit logs . . . 31
  Viewing the audit log file . . . 31
  Logged actions . . . 33

Notices . . . 47
  Trademarks . . . 48
  Terms and conditions for product documentation . . . 49
  IBM Online Privacy Statement . . . 49

© Copyright IBM Corp. 2016, 2017 iii


About this Common Criteria configuration for QRadar guide

This documentation includes the requirements and procedures for configuring National Information Assurance Partnership (NIAP) Common Criteria on IBM® Security QRadar®.

Intended audience

The intended audience for this guide is system administrators or developers who are configuring Common Criteria for IBM Security QRadar.

Technical documentation

To find IBM Security QRadar product documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).

Contacting customer support

For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?uid=swg21616144).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Note:

Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar.


Chapter 1. Configuration of Common Criteria on a QRadar All-in-one system

The Common Criteria configuration guide for IBM Security QRadar provides requirements and procedures for configuring Common Criteria by using prescribed NIAP methodology on a QRadar All-in-One system. The QRadar All-in-One system is a network device that detects potential threats through the review of event data and flow data that is collected from network sources.

What product is being evaluated?

The evaluated product is IBM Security QRadar SIEM V7.2.7, which runs on a Dell 3128-C (All-in-One) appliance that uses the x86-64 CPU architecture.

You install the ISO image that includes QRadar and RHEL 6.7 on the Dell 3128-C (All-in-One) appliance.

The QRadar All-in-One is the Target of Evaluation (TOE). The TOE can be administered either locally or remotely.

Communication with network peers for either inbound or outbound audit or event log transmissions is accomplished by using TLS protected communication channels. QRadar can authenticate inbound peers by using X.509v3 certificates, or by providing an X.509v3 certificate to authenticate itself as part of an outbound TLS connection.

About QRadar

The QRadar product consolidates log source event and audit data from multiple devices, endpoints, and applications distributed throughout a network.

QRadar consolidates log source event and audit data from device endpoints and applications that are distributed throughout a network. QRadar performs normalization and correlation activities on this raw data and can forward data to another network server when data forwarding is configured.

NDcPP requirements

The following features are required for QRadar to satisfy NDcPP (Network Device Collaborative Protection Profile) requirements:
• Certificate revocation is required for all certificates that are used by QRadar.
• TLS protection is needed for inbound and outbound audit or event log transmissions.
• QRadar must offer and demand X.509 certificate authentication for TLS protected communications.
• QRadar must be able to configure specific cryptographic cipher suites that are used with all TLS protected communications.
• QRadar must accept TLS connections only by using TLS version 1.1 or higher.
• QRadar must use a strong entropy source such as Jitter or HAVEGED.
• QRadar must have Cryptographic Algorithm Validation Program (CAVP) certificates for all cryptographic algorithms that are claimed in the security target (ST).

QRadar and Common Criteria acronyms

Several acronyms for QRadar and Common Criteria testing are used in this guide.

The following table describes the acronyms that are used in this guide.

Table 1. QRadar and Common Criteria acronyms

Acronym Description

CC Common Criteria

CCEVS Common Criteria Evaluation and Validation Scheme

DSM Device Support Module

EC Event Collector

EP Event Processor

NIAP National Information Assurance Partnership

NDcPP Network Device Collaborative Protection Profile

NTP Network Time Protocol

TOE Target of evaluation

TSF TOE Security Functionality

Evaluated capabilities

The Common Criteria configuration adds support for security capabilities in QRadar.

The Common Criteria configuration on a QRadar system adds support for the following security capabilities:
• Protected transport of event audit data
• Secure communication by using TLS 1.1 or higher

An overview of QRadar Architecture

An All-in-One system incorporates many of the components and functionality that you get in a distributed QRadar deployment, but it operates at a reduced capacity.

IBM Security QRadar architecture supports deployments of varying sizes and topologies, from a single host deployment, where all the software components run on a single system, to multiple hosts where appliances such as Event Collectors, Flow Collectors, Data Nodes, Event Processors, and Flow Processors have specific roles.

The following diagram shows the QRadar components that are used to collect, process, and store event and flow data in a QRadar deployment. An All-in-One appliance includes the data collection, processing, storage, monitoring, searching, reporting, and offense management capabilities.


The Event Collector collects event data from log sources in your network, and then sends the event data to the Event Processor. The Flow Collector collects flow data from network devices such as a switch SPAN port, and then sends the data to the Flow Processor. Both processors process the data from the collectors and provide data to the QRadar Console. The processor appliances can store data, but they can also use the Data Nodes to store data. The QRadar Console appliance is used for monitoring, data searches, reporting, offense management, and administration of your QRadar deployment.

Cryptographic module identification

Crypto modules that are used in the product are identified, along with any specific configuration that is needed to use evaluated modules and algorithms only.

The TOE version of QRadar runs in FIPS mode or, at a minimum, has all the FIPS crypto controls such as QCrypto, FIPS, and OpenSSL in place. FIPS mode enablement is part of the STIG hardening process.

IBM Security QRadar uses the FIPS 140-2 approved cryptographic provider(s) for cryptography. The approved Cryptographic Security Kernel is Q1 Labs, an IBM Company, or IBM Corp.

The certificates are listed on the NIST website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm).

QRadar provides its cryptographic features through a Java implementation, which uses bridge software to invoke OpenSSL cryptographic functions (also known as the Cryptographic Security Kernel). Thus, all cryptographic functions are provided by the OpenSSL library 1.0.1f, unless changed by CSK v1.0.

Figure 1. QRadar event and flow components


Communication with network peers for either inbound or outbound log event data is accomplished by using TLS protected communication channels. QRadar can authenticate inbound peers by using X.509v3 certificates, or by providing an X.509v3 certificate to authenticate itself as part of an outbound TLS connection.


Chapter 2. Common Criteria mode configuration

Follow the specified procedures to configure QRadar into Common Criteria Mode.

Configure into Common Criteria Mode:
1. Install QRadar V7.2.7 and RHEL 6.7.
2. Complete the STIG hardening process.
3. Install the 727_QRadar_patchupdate-7.2.7.20170906173639NIAP.sh.sfs software update (patch) file.
4. Configure SSH.
5. Configure TLS and data forwarding on the QRadar All-in-One system.


Chapter 3. Installing QRadar in a STIG environment overview

The Security Technical Implementation Guide (STIG) is used for guidance on implementing security standards for IBM Security QRadar deployments that meet the requirements set by the Defense Information Systems Agency (DISA). Hardening of the operating system is part of the Common Criteria configuration.

About this task

To configure the TOE (Target of Evaluation) into its Common Criteria evaluated configuration, you must complete the following steps from the Security Technical Implementation Guide (STIG). The STIG scripts are added when you install the QRadar and RHEL software.

Procedure
1. Install the QRadar software and RHEL.
2. Create a non-root user.
3. Run the scripts that automate hardening of the operating system.
4. Edit the STIG scripts.

Preparing to install QRadar and RHEL in a STIG environment

Preparation steps are required before you install QRadar and RHEL on the Dell 3128-C All-in-One appliance.

Procedure
1. Install RHEL and QRadar.
2. Configure the QRadar Console root user timeout in the /etc/profile file by adding the following line:
   [ $UID -eq 0 ] && TMOUT=600

The /tmp directory must be in its own partition.

Installing QRadar and RHEL in a STIG environment

Install IBM Security QRadar on the Dell 3128-C All-in-One appliance.

Before you begin

Ensure that the following requirements are met:
• The required hardware is installed.
• A keyboard and monitor are connected by using the VGA connection.
• The activation key is available.

Procedure
1. Type setup to proceed and log in as root.
2. Accept the Internal Program License Agreement.

Tip: Press the Space bar key to advance through the document.


3. When you are prompted for the activation key, enter the 24-digit, 4-part, alphanumeric string that you received from IBM. The letter I and the number 1 (one) are treated the same. The letter O and the number 0 (zero) are also treated the same.
4. For the type of setup, select normal, Enterprise model, and set up the time.
5. Select the Internet Protocol version: select No to configure an IP address manually for IPv4. IPv6 is not supported.
6. Select the bonded interface setup if required.
7. Select the management interface.
8. In the wizard, enter a fully qualified domain name in the Hostname field.
9. In the IP address field, enter a static IP address, or use the assigned IP address.
10. If you do not have an email server, enter localhost in the Email server name field.
11. In the Root password field, create a password that meets the following criteria:
   • Contains at least 15 characters.
   • Contains no spaces.
   • Contains at least one uppercase and one lowercase character.
   • Contains at least one number.
   • You can include the following special characters in the password: @, #, ^, and *.
   When STIG is implemented, the root password is more secure.
12. Click Finish.
13. Follow the instructions in the installation wizard to complete the installation.

   Note: The installation process might take several minutes.
14. Apply your license key:
   a. Log in to QRadar: https://IP_Address_QRadar
      The default user name is admin. The password is the password of the root user account.
   b. Click Login To QRadar.
   c. Click the Admin tab.
   d. In the navigation pane, click System Configuration.
   e. Click the System and License Management icon.
   f. From the Display list box, select Licenses, and upload your license key.
   g. Select the unallocated license and click Allocate System to License.
   h. From the list of systems, select a system, and click Allocate System to License.

Creating a non-root user in a STIG-compliant environment

You can't log in remotely as the root user in a STIG-compliant environment. You must create a non-root user who has sudo access. You can choose the non-root user name, such as stiguser.


Procedure
1. To create the non-root user, type the following commands:

   useradd -c 'Admin User' -d /home/stiguser -m -s /bin/bash stiguser
   passwd stiguser
   echo "stiguser ALL=(ALL) ALL" >> /etc/sudoers

   Tip: If you copy and paste text that includes single quotation marks, you might need to retype the quotation marks to avoid getting curly quotation marks.
   The password must follow these guidelines:
   • Consist of 15 or more characters.
   • Do not use the same character consecutively more than once.
   • Have at least one uppercase character.
   • Have at least one numerical character.
2. Verify that the new user can log in from a remote host and use the sudo command to become root.

Running the hardening script

To help secure the system, the STIG user must run hardening scripts on the IBM Security QRadar All-in-One appliance.

Procedure
1. Go to the hardening directory by typing the following command:
   cd /opt/qradar/bin/hardening
2. Uncompress the hardening script by typing the following command:
   tar -xzf qradar-hardening.tar.gz
3. Run the STIG hardening script by typing the following command:
   ./stig_harden.sh -h
   Note: You must run the script only one time.
4. Restart the appliance when the script finishes.
5. Verify that the stiguser can log in remotely while you are logged in as a root user.

Editing scripts to configure QRadar in STIG environments

Extra configuration tasks, such as updating iptables and changing the backup log directory location, are required when you configure QRadar in STIG environments.

Procedure
1. Change iptables and set the default INPUT policy to DROP:
   a. Make a backup copy of the /opt/qradar/bin/iptables_update.pl file.
   b. Edit the /opt/qradar/bin/iptables_update.pl file and change INPUT ACCEPT [0:0] to INPUT DROP [0:0].
   c. Run the /opt/qradar/bin/iptables_update.pl script.
2. Change the backup log directory:
   a. Check to see whether the /var/log/backup.log log file exists. A fresh install won't have a backup.log file.
   b. If /var/log/backup.log exists, move the file to /store/LOGS.


   c. Make a backup copy of the /opt/qradar/bin/backup.sh file.
   d. Edit the /opt/qradar/bin/backup.sh file by changing the line
      InitLog /var/log/$(basename ${0} .sh).log || ErrorExit 'Failed to initialize logging'
      to
      InitLog /store/LOGS/$(basename ${0} .sh).log || ErrorExit 'Failed to initialize logging'
3. Create an AIDE baseline and schedule integrity checks: disable prelinking, then create the baseline and schedule updates.
   a. In the /etc/sysconfig/prelink file, change PRELINKING=yes to PRELINKING=no.
   b. Run the /etc/cron.daily/prelink script.
   c. As the root user, initialize the AIDE database by typing:
      aide --init
   d. Create a bash script that contains the following command, and then create a cron job to run that script daily:
      mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
   e. Run aide --update after you run a QRadar deployment action. The content of the monitored files changes when configuration changes are made following a deployment.
4. Reboot the QRadar appliance.
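The following script is an added example of the daily AIDE wrapper that step 3d asks for; it is not a script from the IBM guide. It runs the check, decodes AIDE's exit status into a readable summary for the log, and rotates a freshly built database into place after aide --init or aide --update. The log path /store/LOGS/aide-check.log is an assumption (the guide moves other logs to /store/LOGS).

```shell
#!/bin/bash
# Added example (not from the IBM guide): daily AIDE wrapper for the
# Common Criteria configuration. Run from cron with "check"; run with
# "update" after a QRadar deployment action (guide step 3e).

AIDE_DB_DIR=/var/lib/aide                 # database location used by the guide
AIDE_LOG=/store/LOGS/aide-check.log       # assumption: site log directory

# aide_exit_summary STATUS
# AIDE returns 0 when nothing changed. Otherwise its exit status is a bit
# mask: 1 = new files, 2 = removed files, 4 = changed files (so 5 means
# new + changed). Values of 14 or more are error conditions, not findings.
aide_exit_summary() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "no changes"; return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "error (aide exit status $status)"; return 0
    fi
    out=""
    [ $((status & 1)) -ne 0 ] && out="${out}new files, "
    [ $((status & 2)) -ne 0 ] && out="${out}removed files, "
    [ $((status & 4)) -ne 0 ] && out="${out}changed files, "
    echo "${out%, }"
}

# rotate_aide_db DIR
# Install the newly generated database as the baseline (the guide's
# "mv -f aide.db.new.gz aide.db.gz" step). Returns 1 if nothing new exists,
# so a cron job never silently keeps a stale baseline.
rotate_aide_db() {
    dir="${1:-$AIDE_DB_DIR}"
    if [ ! -f "$dir/aide.db.new.gz" ]; then
        echo "no new database in $dir" >&2
        return 1
    fi
    mv -f "$dir/aide.db.new.gz" "$dir/aide.db.gz"
}

# run_daily_check
# Append AIDE's report and a dated one-line summary to the log, and return
# AIDE's own exit status so cron mail or a log monitor can act on findings.
run_daily_check() {
    if aide --check >> "$AIDE_LOG" 2>&1; then status=0; else status=$?; fi
    echo "$(date '+%Y-%m-%d %H:%M:%S') aide --check: $(aide_exit_summary "$status")" >> "$AIDE_LOG"
    return "$status"
}

# rebuild_baseline
# Refresh the database after an intended configuration change and make it
# the new baseline.
rebuild_baseline() {
    aide --update >> "$AIDE_LOG" 2>&1
    rotate_aide_db "$AIDE_DB_DIR"
}

case "${1:-}" in
    check)  run_daily_check ;;
    update) rebuild_baseline ;;
esac
```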

Installing software update for QRadar Common Criteria

Install the software update (patch) on the IBM Security QRadar All-in-One appliance.

Procedure
1. Download the software update (patch) file for QRadar Common Criteria from IBM Fix Central (http://www.ibm.com/support/fixcentral).
2. Log in to your system as the root user by using SSH.
3. Copy the 727_QRadar_patchupdate-7.2.7.20170906173639NIAP.sh software update (patch) file to the /tmp directory on the QRadar All-in-One appliance.
4. Run the ./727_QRadar_patchupdate-7.2.7.<Patch_number>.sh patch file script, and select y for OK to proceed when the system prompts you.
   The update is not installed if the signature validation fails. The following output is an example of what you might see:

   Extracting and validating update ...
   Checking signature ...
   gpg: Signature made Tue 04 Apr 2017 11:52:46 AM EDT using RSA key ID CEE75643
   gpg: checking the trustdb
   gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
   gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: Good signature from "Secure Patch (Validate QRadar Patch)"
   OK to proceed (y/n)?y
   The signature for ./727_QRadar_patchupdate-7.2.7.20170906173639NIAP.sh.sfs is valid.

   A new file that is called 727_QRadar_patchupdate-7.2.7.20170906173639NIAP.sh.sfs is created in the /tmp directory.
5. Mount the patch file to the /media/updates directory by typing the following command:


   mount -o loop -t squashfs 727_QRadar_patchupdate-7.2.7.20170906173639NIAP.sh.sfs /media/updates
6. To install the patch, type the following command:
   /media/updates/installer
7. Select the All-in-One appliance. If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
8. After the patch is installed and you exit the installer, type the following command:
   umount /media/updates
9. Clear your browser cache before you log in to the All-in-One appliance.


Chapter 4. Secure communication configuration

IBM Security QRadar is Public Key Enabled (PKE) to support Public Key Infrastructures (PKI).

After you've hardened the QRadar system by using the STIG scripts, you must prepare for configuring secure communication by using TLS.
1. Configure SSH to use public key authentication only.
2. Configure the SSHD_config file.
3. Configure QRadar to use a TLS connection to the audit server.

Configuring SSH to use public key authentication only

Configure SSH authentication on the QRadar All-in-One to accept public key authentication and RSA authentication only.

Before you begin

Copy the SSH public key from the remote machine that you use to connect to QRadar into the ~/.ssh/authorized_keys file on the QRadar All-in-One.

Procedure
1. At the command line on the QRadar All-in-One, edit the /etc/ssh/sshd_config file by typing the following command:
   vi /etc/ssh/sshd_config
2. Ensure that both the keyboard-interactive and password authentication types are disabled.
3. Restart SSHD by typing the following command:
   service sshd restart

Log in remotely

You can log in remotely to your QRadar All-in-One by using a browser.

When you access the QRadar system, you are prompted for a user name and a password. Log in remotely by using your user account to access the QRadar All-in-One from your browser by typing https://<IP_Address>.

The following table lists the supported versions of web browsers.

Table 2. Supported web browsers for QRadar products

Web browser                                                                       Supported versions
Mozilla Firefox                                                                   38.0 Extended Support Release
32-bit Microsoft Internet Explorer, with document mode and browser mode enabled   11.0
Google Chrome                                                                     Version 46


Configuring the SSHD_config file

Edit the /etc/ssh/sshd_config file to control the ciphers that are available.

Procedure
1. In the /etc/ssh/sshd_config file, uncomment the HostKey line that references the RSA key. Leave the other HostKey lines commented out.
   Note: The supported TLS cipher suites include the SHA-1 and SHA-256 algorithms.
   The following example shows what the file looks like when you uncomment the HostKey line that references the RSA key:

   # HostKey for protocol version 1
   # HostKey /etc/ssh/ssh_host_key
   # HostKeys for protocol version 2
   HostKey /etc/ssh/ssh_host_rsa_key
   # HostKey /etc/ssh/ssh_host_dsa_key

2. Replace the Ciphers aes128-ctr,aes192-ctr,aes256-ctr line near the bottom of the file with the following two lines:
   Ciphers aes128-cbc,aes256-cbc
   KexAlgorithms diffie-hellman-group14-sha1
3. Stop and restart SSHD by typing the following commands:
   /etc/init.d/sshd stop
   /etc/init.d/sshd start

Note: The SSH session rekey is hardcoded to rekey after one hour or following the exchange of one GB of data, whichever comes first.
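The following check script is an added example, not part of the IBM guide: it reads an sshd_config and confirms that the settings prescribed in this section and in "Configuring SSH to use public key authentication only" are in force (single RSA HostKey, the two Ciphers and KexAlgorithms values, password and keyboard-interactive authentication off). It assumes the OpenSSH shipped with RHEL 6, where ChallengeResponseAuthentication is the directive that governs keyboard-interactive authentication.

```shell
#!/bin/bash
# Added example (not from the IBM guide): verify /etc/ssh/sshd_config
# against the Common Criteria SSH settings described in this chapter.
# Usage: ./check_sshd.sh /etc/ssh/sshd_config

# effective_value FILE KEYWORD
# Print the value of the first uncommented KEYWORD directive (sshd honours
# the first occurrence; keywords are case-insensitive), or nothing if unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# count_active_hostkeys FILE
# Number of uncommented HostKey lines; the guide wants exactly one (RSA).
count_active_hostkeys() {
    awk 'tolower($1) == "hostkey" { n++ } END { print n + 0 }' "$1"
}

# check_sshd_config FILE
# Print one FAIL line per deviation; return 0 only if everything matches.
check_sshd_config() {
    file="$1"; rc=0
    # Expected values, taken from the guide's sshd_config procedure.
    expect_ciphers="aes128-cbc,aes256-cbc"
    expect_kex="diffie-hellman-group14-sha1"
    expect_hostkey="/etc/ssh/ssh_host_rsa_key"

    v=$(effective_value "$file" Ciphers)
    [ "$v" = "$expect_ciphers" ] || { echo "FAIL Ciphers: got '${v:-unset}', want $expect_ciphers"; rc=1; }

    v=$(effective_value "$file" KexAlgorithms)
    [ "$v" = "$expect_kex" ] || { echo "FAIL KexAlgorithms: got '${v:-unset}', want $expect_kex"; rc=1; }

    # Only public key authentication may remain: password and
    # keyboard-interactive (ChallengeResponseAuthentication) must be "no".
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(effective_value "$file" "$kw")
        [ "$v" = "no" ] || { echo "FAIL $kw: got '${v:-unset}', want no"; rc=1; }
    done

    # Exactly one active HostKey line, and it must reference the RSA key.
    n=$(count_active_hostkeys "$file")
    hk=$(effective_value "$file" HostKey)
    [ "$n" -eq 1 ] && [ "$hk" = "$expect_hostkey" ] \
        || { echo "FAIL HostKey: $n active line(s), first='${hk:-unset}', want only $expect_hostkey"; rc=1; }

    [ "$rc" -eq 0 ] && echo "PASS $file"
    return "$rc"
}

if [ -n "${1:-}" ]; then
    check_sshd_config "$1"
fi
```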

TLS configuration in QRadar

In QRadar, TLS connections can be used to perform full-chain validation, including revocation checks and certificate usage checks.

The TLS event forwarding connections in QRadar are capable of using X.509validation.

During the STIG hardening, the TOE is configured to use TLS protocol versions 1.1 and 1.2 and to use the supported cipher suites.

Configure TLS and full X.509 validation by completing the following tasks:
1. Place valid CA certificates in the trusted_certificates folder and ensure that they have read permission.
2. Add the private and public key pairs for client authentication and then create a forwarding destination.
3. Configure routing of events to the target device.

Configuring QRadar as a TLS client

Configure TLS using X.509 certificates for QRadar (TOE) as a TLS client with mutual authentication to enable the transmission of audit records from QRadar to a syslog server for secure external storage.


Procedure
1. On QRadar, copy your CA certificates to the /opt/qradar/conf/trusted_certificates folder, change the folder ownership, and then restart Tomcat and hostcontext by typing the following commands:
   chown -R nobody:nobody /opt/qradar/conf/trusted_certificates
   service hostcontext restart
   service tomcat restart
2. Create the /opt/qradar/conf/TLSClientAuthKeystores folder and assign ownership by typing the following commands:
   mkdir /opt/qradar/conf/TLSClientAuthKeystores
   chown -R nobody:nobody /opt/qradar/conf/TLSClientAuthKeystores
3. Use a Python script to import the public and private key pairs for TLS client authentication into the keystore when you add the forwarding destination for the syslog server. The Python script that adds public and private key pairs to the TLS client authentication keystore is available in the Forwarding Destination window. The script takes the path of the .key file, the path of the .crt file, and the alias of this entry as input, and then imports them into the keystore.

What to do next
1. Add the private and public key pairs for client authentication and then create a forwarding destination.
2. Create a routing rule by using the forwarding destination.

Configuring data forwarding destinations and adding TLS client authentication keys to the keystore

Before you can configure data forwarding to the syslog server, you must add the syslog server destination, and add the TLS client authentication keys to the keystore. The target system must listen on a port through the TLS connection.

Procedure

1. Click the Admin tab.
2. In the navigation pane, click System Configuration, and then click the Forwarding Destinations icon.
3. On the toolbar, click Add.
4. To import new key pairs into the keystore so that the key set is available for selection from the Private and public key pair alias menu, click the help icon on the Forwarding Destinations Properties dialog box to access the public and private keys Python import script. The script imports the public and private key pairs for TLS client authentication into the following keystore:

/opt/qradar/conf/TLSClientAuthKeystores/event_forwarding_client_auth.p12

Run the newTLSClientAuthentication.py script from the /opt/qradar/bin directory. To get more information, run the following command:

python /opt/qradar/bin/newTLSClientAuthentication.py --help

The script takes the path of the .key file, the path of the .crt file, and the alias for this entry as input, and then imports them into the keystore. After you import the public and private key pairs, the Client Private and Public key set menu contains the list of aliases of the private and public key pairs, which are stored in /opt/qradar/conf/TLSClientAuthKeystores/event_forwarding_client_auth.p12

You must include both the private key and the public key in a keystore forclient authentication.

5. Enter a name for the forwarding destination.
6. In the Destination field, enter the host name of the vendor system that you want to forward data to. The host name must match the Common Name (CN) or a Subject Alternative Name (SAN) entry in the certificate of the vendor system, and it must be resolvable by the TOE's naming service.

7. Select Payload, which is the default option for the Event Format menu.
8. Enter a destination port.
9. Select TCP over TLS 1.1 or above from the Protocol menu.
10. Select the Enable client authentication check box.
11. From the Private and public key pair alias list, select the key pair that you want to use for the forwarding destination. The list contains the aliases of the entries that store the private and public key pairs that are used for TLS client authentication, which are stored in the following keystore:

/opt/qradar/conf/TLSClientAuthKeystores/event_forwarding_client_keystore.jks

12. Leave the Prefix a syslog header if it is missing or invalid check box selected. If a valid syslog header is not detected on the original syslog message and this check box is selected, the prefixed syslog header carries, in its Hostname field, the originating IP address from the packet that IBM Security QRadar received. If this check box is not selected, the data is sent unmodified.
13. In the Forwarding Destinations window, enter values for the remaining parameters.
14. Click Save.

If a secure connection that uses TLS is broken, reconnect and resend the events.

What to do next

Configure routing rules for the data forwarding.

Configuring routing rules for event forwarding

After you add one or more forwarding destinations, you can create filter-based routing rules to forward event data.

About this task

You can configure routing rules to forward data in either online or offline mode:

- In Online mode, your data remains current because forwarding is performed in real time. If the forwarding destination becomes unreachable, data can potentially be lost.
- In Offline mode, all data is stored in the database and then sent to the forwarding destination. This ensures that no data is lost; however, there might be delays in data forwarding.

The following table describes some of the Routing Rules parameters:


Table 3. Routing Rules window parameters

Forwarding Event Collector
    This option is displayed when you select the Online option. Specifies the Event Collector that you want this routing rule to process data from.

Forwarding Event Processor
    This option is displayed when you select the Offline option. Specifies the Event Processor that you want this routing rule to process data from.
    Restriction: This option is not available if Drop is selected from the Routing Options pane.

Routing Options
    - The Forward option specifies that data is forwarded to the specified forwarding destination. Data is also stored in the database and processed by the Custom Rules Engine (CRE).
    - The Drop option specifies that data is dropped. The data is not stored in the database and is not processed by the CRE. This option is not available if you select the Offline option.
    - The Bypass Correlation option specifies that data bypasses the CRE, but it is stored in the database. This option is not available if you select the Offline option.

    You can combine two options:

    - Forward and Drop: Data is forwarded to the specified forwarding destination. Data is not stored in the database and is not processed by the CRE.
    - Forward and Bypass Correlation: Data is forwarded to the specified forwarding destination. Data is also stored in the database, but it is not processed by the CRE. The CRE at the forwarding destination processes the data.

    If data matches multiple rules, the safest routing option is applied. For example, if data matches a rule that is configured to drop and a rule to bypass CRE processing, the data is not dropped. Instead, the data bypasses the CRE and is stored in the database.

    All events are counted against the EPS license.


Procedure

1. Click the Admin tab.
2. In the navigation pane, click System Configuration.
3. Click the Routing Rules icon.
4. On the toolbar, click Add.
5. In the Routing Rules window, enter values for the parameters:
   a. Type a name and description for your routing rule.
   b. From the Mode field, select Online.
   c. From the Forwarding Event Collector or Forwarding Event Processor list, select the event collector that you want to forward data from.
   d. From the Data Source field in the Event Filters section, select Events.
   e. Select the Match All Incoming Events check box.
   f. To forward log data that matches the current filters, select the Forward check box, and then select the check box for each forwarding destination.

   Restriction: If you select the Forward check box, you can also select either the Drop or the Bypass Correlation check box, but not both of them.

6. To add, edit, or delete a forwarding destination, click the Manage Destinations link, and then click Save.

Configuring QRadar as a TLS server

Configure QRadar as a TLS server by installing a TLS certificate.

Creating an SSL certificate request with 2048-bit Diffie-Hellman parameters

Use OpenSSL to generate the 2048-bit Diffie-Hellman parameters that the web server uses for the DHE cipher suites, and to generate an SSL certificate request from your QRadar All-in-One.

Procedure

1. Use an SSH client to log in to the QRadar All-in-One.
2. To generate 2048-bit Diffie-Hellman parameters and append them to the certificate file, type one of the following sets of commands:
   a. To generate the parameters for the first time, keep a copy of the original certificate file, and then append the parameters to it:

openssl dhparam -out /etc/httpd/conf/certs/dh.tmp 2048
cp -p /etc/httpd/conf/certs/cert.cert /etc/httpd/conf/certs/cert.orig
cat /etc/httpd/conf/certs/cert.orig /etc/httpd/conf/certs/dh.tmp > /etc/httpd/conf/certs/cert.cert

   b. To generate the parameters subsequent times, for example when you want to update them, regenerate them and rebuild the certificate file from the saved original:

openssl dhparam -out /etc/httpd/conf/certs/dh.tmp 2048
cat /etc/httpd/conf/certs/cert.orig /etc/httpd/conf/certs/dh.tmp > /etc/httpd/conf/certs/cert.cert

Note: Do not use the private-key encryption options because of compatibility issues.

3. Restart the web server by typing the following command:

service tomcat restart

4. Generate the certificate signing request (CSR) file by typing the following command, where qradar.key is the private key of the appliance:

openssl req -new -key qradar.key -out qradar.csr

The qradar.csr file is created for submission to a certificate authority such as Verisign or Comodo.


5. Provide the following information when prompted at the command line:
   - Country Name (2 letter code)
   - State or Province Name
   - Locality Name
   - Organization Name
   - Organizational Unit Name
   - Common Name (the host name that clients use to reach the Console)
   - Email Address
6. If the command line prompts for more properties, leave the fields empty. If you enter a password for the Challenge Password property and you forget the entry, you might not be able to use the CSR. The certificate authority might not support a challenge password.
7. To verify the information in the CSR before you send it, type the following command:

openssl req -noout -text -in qradar.csr

8. Use Secure File Transfer Protocol or another program to securely copy the CSR file to your computer.
9. Submit the CSR to the certificate authority in accordance with their instructions. The CSR is identified as a certificate in Apache format.

Replacing the default SSL certificate

Replace the untrusted SSL certificate in IBM Security QRadar with either a self-signed certificate or a certificate that is issued by a trusted third-party certificate authority.

SSL certificates that are issued from some vendors, such as VeriSign, require anintermediate certificate. You must download the intermediate certificate from thevendor and use it during the configuration.

About this task

All trusted certificates for QRadar must meet the following requirements:

- The certificate must be an X.509 certificate and have PEM base64 encoding.
- The certificate must have a .cert, .crt, or .der file extension.
- Keystore files that contain certificates must have the .truststore file extension.
- The certificate file must be stored in the /opt/qradar/conf/trusted_certificates directory.

Procedure

1. Obtain a certificate from a trusted certificate authority.
2. Use SSH to log in to your QRadar Console as the root user.
3. To install the certificate, type the following command:

/opt/qradar/bin/install_ssl_cert.sh -i

4. Type the location of your private key file. Do not encrypt the private key when you install or replace an SSL certificate.
5. If you are using an intermediate certificate, type the location of your public key file and the location of your intermediate certificate.
6. To continue, type Y and press Enter.


QRadar truststore and trusted certificates

Client certificates that are used for authentication must be saved in a truststore.

All clients must have a truststore to store client certificates and keys. Serversrequire the truststore for client authentication. The truststore file contains thecertificates that are provided by a client to a server.

By default, the trust manager creates the truststore and uses the certificates in thatfolder.

Copy the Certificate Authority (CA) certificate (.crt) files to the /opt/qradar/conf/trusted_certificates directory so that QRadar can validate other parties' certificates and its own (the TOE's) certificate.

Note: When you copy files to /opt/qradar/conf/trusted_certificates, you mustchange the folder ownership by typing the following command:

chown -R nobody:nobody /opt/qradar/conf/trusted_certificates

Validation of client certificates is enforced. Only valid client certificates areavailable when you configure data forwarding from QRadar to the audit server.

Certificate Revocation List

The IBM Security QRadar cryptographic system uses a Certificate Revocation List (CRL), which lists digital certificates that are revoked by the issuing certificate authority (CA) before their scheduled expiration date. Any certificates that are listed in the CRL are not trusted.

The cryptographic system determines the certificate revocation status by using oneor more CRL Distribution Points (CRLDP) that are embedded within the certificatethat is checked.

Troubleshooting certificate setup

Use the following troubleshooting steps to help resolve setup issues.

Certificate chaining error

Check the client certificate by looking for the X509v3 Authority Key Identifier extension (keyid:<keyid>), and then check that a CA certificate whose Subject Key Identifier is that keyid is present under /opt/qradar/conf/trusted_certificates.

Complete the same checks on the server side.

Verify that certificates loaded properly

Type the following command to verify that the certificates loaded:

grep X509 /var/log/qradar.log
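The file requirements from "Replacing the default SSL certificate" and the Authority Key Identifier comparison described under "Certificate chaining error" can be scripted. The following Python 3 script is an added example; it is not part of this guide or of QRadar. It checks each file staged in the trusted_certificates folder against the requirements, then reads the openssl x509 -text dump of each certificate and matches the client certificate's AKI keyid against the Subject Key Identifier of every CA file. The folder path defaults to the guide's /opt/qradar/conf/trusted_certificates; the client certificate path is passed on the command line.

```python
"""Check files staged for /opt/qradar/conf/trusted_certificates.

Added example, not IBM's code. It scripts two checks from this guide:
  1. the file requirements for trusted certificates (X.509, PEM base64
     encoding, .cert/.crt/.der extension, readable);
  2. the chaining check: the client certificate's X509v3 Authority Key
     Identifier keyid must equal the Subject Key Identifier of one CA
     certificate in the folder.
Key identifiers are read from `openssl x509 -noout -text` output, which
prints the AKI as "keyid:AB:CD:..." (OpenSSL 1.x) or "AB:CD:..." (3.x).
"""
import base64
import binascii
import os
import re
import subprocess

TRUSTED_DIR = "/opt/qradar/conf/trusted_certificates"
ALLOWED_EXT = (".cert", ".crt", ".der")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
KEY_ID_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){7,}[0-9A-Fa-f]{2}")


def check_cert_file(path):
    """Return the list of requirement violations for one file (empty means ok)."""
    problems = []
    if not path.lower().endswith(ALLOWED_EXT):
        problems.append("extension must be .cert, .crt or .der")
    if not os.access(path, os.R_OK):
        return problems + ["file is not readable"]
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", "replace")
    match = PEM_RE.search(text)
    if match is None:
        return problems + ["no PEM 'BEGIN CERTIFICATE' block found"]
    try:
        der = base64.b64decode(match.group(1))   # whitespace between lines is ignored
    except binascii.Error:
        return problems + ["PEM body is not valid base64"]
    if not der.startswith(b"\x30"):              # an X.509 Certificate is a DER SEQUENCE
        problems.append("decoded body is not a DER SEQUENCE, so not an X.509 certificate")
    return problems


def _key_id(text, header):
    """Pull the hex key id printed on the line after 'X509v3 <header>:'."""
    match = re.search(r"X509v3 %s:[^\n]*\n[ \t]*([^\n]*)" % re.escape(header), text)
    if match is None:
        return None
    ids = KEY_ID_RE.findall(match.group(1))
    return ids[0].upper() if ids else None


def subject_key_id(cert_text):
    return _key_id(cert_text, "Subject Key Identifier")


def authority_key_id(cert_text):
    return _key_id(cert_text, "Authority Key Identifier")


def find_issuer(client_text, ca_texts):
    """Name of the CA whose SKI equals the client's AKI keyid; None is the chaining error."""
    aki = authority_key_id(client_text)
    if aki is None:
        return None
    for name, text in ca_texts.items():
        if subject_key_id(text) == aki:
            return name
    return None


def cert_text(path):
    """Dump a certificate with openssl; the input form is taken from the PEM marker."""
    with open(path, "rb") as fh:
        inform = "PEM" if b"-----BEGIN" in fh.read() else "DER"
    return subprocess.run(
        ["openssl", "x509", "-noout", "-text", "-inform", inform, "-in", path],
        check=True, capture_output=True, text=True).stdout


def check_folder(folder=TRUSTED_DIR, client_cert=None):
    """Check every staged certificate; optionally find which one issued client_cert."""
    report, ca_texts = {}, {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if name.endswith(".truststore") or not os.path.isfile(path):
            continue                         # keystores are allowed here, skip them
        report[name] = check_cert_file(path)
        if not report[name]:
            ca_texts[name] = cert_text(path)
    issuer = find_issuer(cert_text(client_cert), ca_texts) if client_cert else None
    return report, issuer


if __name__ == "__main__":
    import sys
    report, issuer = check_folder(client_cert=sys.argv[1] if len(sys.argv) > 1 else None)
    for name, problems in report.items():
        print(name, "ok" if not problems else "; ".join(problems))
    if len(sys.argv) > 1:
        print("client certificate issuer:", issuer or "NOT FOUND (chaining error)")
```

Run it after staging the CA files, passing the client certificate as the first argument; an issuer of NOT FOUND is the chaining error described above. The parser keys on the text layout of openssl x509 -text, so both the keyid: form printed by OpenSSL 1.x and the bare form printed by 3.x are accepted.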


Supported Cipher Suites

QRadar supports multiple TLS cipher suites.

The following TLS cipher suites are supported:

- TLS_RSA_WITH_AES_128_CBC_SHA (the mandatory cipher suite)
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256


Chapter 5. QRadar system configuration

Follow the guidelines that are provided to configure system settings.

Complete the following tasks:

- Configure time settings.
- Create a login banner.
- Log in by using the different system access methods.
- Configure the minimum password length.
- Create passwords by using the guidelines.

Configuring the system time manually

Set the system time on your IBM Security QRadar Console manually.

About this task

Before you manually adjust the system time, stop the QRadar services, then usethe date command to change the system time and date.

Procedure

1. Use SSH to log in to the QRadar All-in-One as the root user.
2. Stop the QRadar services by typing the following commands:

service hostcontext stop
service tomcat stop
service hostservices stop

3. Type the date command with the time parameters:

date <MMddhhmm><YYYY>

For example, to set the time to December 13, 2018, 5:24 PM, type the following command:

date 121317242018

4. Synchronize the hardware clock to the new system time:

/sbin/hwclock --systohc

5. Restart the QRadar services by typing the following commands:

service hostservices start
service tomcat start
service hostcontext start

Configuring an NTP server to maintain system time

Configure the QRadar All-in-One to use a Network Time Protocol (NTP) server to maintain the time on the All-in-One appliance.

Before you begin

Complete these procedures during scheduled maintenance. QRadar services arerestarted when you update the time server setting, which causes users to be loggedoff, and event and flow collection are interrupted until services resume.


Procedure

1. Use SSH to log in to the QRadar All-in-One as the root user.
2. Edit the ntp.conf file:

vi /etc/ntp.conf

3. In the server section of the ntp.conf file, leave the existing server entries or replace them with your own internal NTP server. Server entries in the ntp.conf file begin with 'server'. You can use public servers from the NTP project (http://www.ntp.org/):

server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst

If you use public NTP servers, check that your firewall allows outbound NTP requests.

4. Save your changes and close the file.
5. Enable the ntpd service to run at run level 3:

chkconfig --level 3 ntpd on

6. Verify that the ntpd service is enabled to run at restart:

chkconfig --list ntpd

Verify that 3:on is visible in the output:

ntpd 0:off 1:off 2:off 3:on 4:off 5:off 6:off

7. To prevent data collection errors when you change the system time, stop the QRadar services:

service hostcontext stop
service tomcat stop
service hostservices stop

8. Synchronize the time with your NTP server:

ntpdate <ntp.server.address>

9. Start the ntpd service:

service ntpd start

10. Restart the QRadar services:

service hostservices start
service tomcat start
service hostcontext start

Creating a QRadar login message

You can add a login message to your QRadar All-in-One.

Before you begin

To create a login message file, you must have root access and experience withediting files in Linux or UNIX.

Procedure

1. Log in to IBM Security QRadar as the root user.
2. Go to the /etc/ directory.
3. In a Linux or UNIX text editor, create a file without special characters in the file name. For example, create a file that is named loginMsg.


4. Type your message in the loginMsg file and save it.
5. Change the permissions of the /etc/loginMsg file by typing the following command:

chmod 0644 /etc/loginMsg

6. To enable your login banner, go to Admin > System Settings.
7. Click Authentication Settings.
8. In the Login Message File field, type the following file path:

/etc/loginMsg

9. Click Save.
10. On the Admin tab menu, click Deploy Changes.
11. Log out of QRadar to see the new login message.

Administrative logins

You can't log in remotely as the root user in a STIG-compliant environment. You must create a non-root user who has sudo access for remote access.

You can define user roles, security profiles, and user accounts to control who has access to IBM Security QRadar, which tasks they can perform, and which data they have access to. Use the User Management feature in the Admin tab in QRadar to configure and manage user accounts. When you initially configure QRadar, you must create user accounts for all users that require access to QRadar.

Related tasks:
"Creating a non-root user in a STIG-compliant environment" on page 8
You can't log in remotely as the root user in a STIG-compliant environment. You must create a non-root user who has sudo access. You can choose the non-root user name, such as stiguser.

Password recommendations

Observe the password recommendations for length, composition, and complexity before you set your password.

Use the following guidelines when you set the password:

- Use a password that is significantly different from previous passwords. Do not append a symbol or character to a previously used password, because this change is not sufficiently different.
- Use a minimum of 15 characters.
- Do not use complete words that are listed in a dictionary.
- Do not repeat characters consecutively more than once.
- Use a mixture of uppercase letters, lowercase letters, digits, and symbols.
- Do not use personal information that is known about you; for example, pets' names, your name, kids' names, or any information that is available in the public domain.
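The guidelines above can be turned into a check that an administrator runs before setting a QRadar password. The following Python 3 script is an added example, not part of this guide or of QRadar. QRadar enforces the minimum length that is configured under Authentication Settings (next section); the other guidelines are left to the person who chooses the password, which is what this check covers. The 80% similarity threshold, the digit and symbol substitutions that are undone before the dictionary lookup, and the small word list are illustrative assumptions, not QRadar settings.

```python
"""Check a candidate password against this guide's recommendations.

Added example, not part of the guide or of QRadar.
Interpretation choices (assumptions):
  - "significantly different from previous passwords": reject a candidate
    that contains an old password (something appended or prepended) or that
    matches an old password at 80% or more by difflib ratio;
  - "do not repeat characters consecutively more than once": no run of three
    or more identical characters;
  - the dictionary is a small constructed list standing in for a real one,
    and a few common digit/symbol substitutions are undone before lookup.
"""
import difflib
import re
import string

MIN_LENGTH = 15
SIMILARITY_LIMIT = 0.8
DICTIONARY = {"password", "qradar", "welcome", "summer", "security"}   # constructed
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def _too_similar(candidate, previous):
    cand, prev = candidate.lower(), previous.lower()
    if prev in cand:               # old password with characters added around it
        return True
    return difflib.SequenceMatcher(None, cand, prev).ratio() >= SIMILARITY_LIMIT


def _contains_dictionary_word(candidate, words):
    low = candidate.lower()
    normalized = low.translate(LEET)   # "p4ssw0rd" is still "password"
    return any(w in low or w in normalized for w in words if len(w) >= 4)


def check_password(candidate, previous=(), personal=(), words=DICTIONARY):
    """Return the list of guideline violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if re.search(r"(.)\1\1", candidate):
        problems.append("a character is repeated consecutively more than once")
    has = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digits": any(c.isdigit() for c in candidate),
        "symbols": any(c in string.punctuation for c in candidate),
    }
    if not all(has.values()):
        problems.append("must mix uppercase, lowercase, digits and symbols (missing: %s)"
                        % ", ".join(k for k, v in has.items() if not v))
    if _contains_dictionary_word(candidate, words):
        problems.append("contains a dictionary word")
    if any(_too_similar(candidate, old) for old in previous):
        problems.append("too similar to a previous password")
    hit = next((item for item in personal
                if len(item) >= 3 and item.lower() in candidate.lower()), None)
    if hit:
        problems.append("contains personal information (%s)" % hit)
    return problems


if __name__ == "__main__":
    import getpass
    for problem in check_password(getpass.getpass("Candidate password: ")) or ["acceptable"]:
        print(problem)
```

Pass the user's earlier passwords in previous and items such as names of pets and children in personal; the function returns every violated guideline rather than stopping at the first, so the user sees what to change in one pass.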

Configuring the minimum password length

The QRadar All-in-One system enforces a minimum password length.


Procedure

1. Click the Admin tab.
2. On the navigation menu, click System Configuration.
3. Click the System Settings icon.
4. In the Authentication Settings section, set the Minimum User Password Length.
5. On the Admin tab menu, select Advanced > Deploy Full Configuration.

Accessing the QRadar RESTful API

Use the representational state transfer (REST) application programming interface (API) to make HTTPS queries and integrate IBM Security QRadar with other solutions. REST API communication is protected by using TLS via the Apache server, where each request is authenticated individually.

Procedure

1. Enter the following URL in your web browser to access the technical documentation interface: https://QRadar_All_in_one_IPaddress/api_doc
2. Click the header for the API that you want to access; for example, /ariel.
3. Click the subhead for the endpoint that you want to access; for example, /databases.
4. Click the Experimental or Provisional sub header.

Note: The API endpoints are annotated as either experimental or stable.

Experimental
    Indicates that the API endpoint might not be fully tested and might change or be removed in the future without any notice.

Stable
    Indicates that the API endpoint is fully tested and supported.

5. Click Try it out to receive properly formatted HTTPS responses.
6. Review and gather the information that you need to implement in your third-party solution.

QRadar self-test

QRadar runs a self-test on startup.

For integrity tests, the Advanced Intrusion Detection Environment tool (AIDE) is run and the logs are updated.

Cryptographic known answer tests are run during startup. You can view the status of the cryptographic known answer tests during system init.

Use the Red Hat utility fipscheck to verify the integrity of the crypto libraries and related files. The following files are checked:

/lib64/libcryptsetup.so.1
/lib64/libcryptsetup.so.1.1.0
/lib64/libfipscheck.so.1
/lib64/libfipscheck.so.1.1.0
/lib64/libgcrypt.so.11
/usr/bin/fipscheck
/usr/bin/ssh
/usr/lib/libcrypto.so.10
/usr/lib/libcrypto.so.1.0.1e
/usr/lib/libssl.so.10
/usr/lib/libssl.so.1.0.1e
/usr/lib64/libcrypto.so.10
/usr/lib/libcrypto.so.1.0.1e
/usr/lib64/libssl.so.10
/usr/lib64/libssl.so.1.0.1e
/usr/sbin/sshd

The fipscheck run is a manual check, but it can be automated by using cron. If any of the crypto files fail the check, the crypto libraries are likely compromised, and a system reinstall might be required.

Test procedure

1. Run the following command after you install QRadar to create the HMAC files that fipscheck verifies against:

fipshmac /lib64/libcryptsetup.so.1 /lib64/libcryptsetup.so.1.1.0 \
    /lib64/libfipscheck.so.1 /lib64/libfipscheck.so.1.1.0 /lib64/libgcrypt.so.11 \
    /usr/bin/fipscheck /usr/bin/ssh /usr/lib/libcrypto.so.10 \
    /usr/lib/libcrypto.so.1.0.1e /usr/lib/libssl.so.10 /usr/lib/libssl.so.1.0.1e \
    /usr/lib64/libcrypto.so.10 /usr/lib/libcrypto.so.1.0.1e \
    /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.1.0.1e /usr/sbin/sshd

2. To run the test, type the following command:

fipscheck /lib64/libcryptsetup.so.1 /lib64/libcryptsetup.so.1.1.0 \
    /lib64/libfipscheck.so.1 /lib64/libfipscheck.so.1.1.0 /lib64/libgcrypt.so.11 \
    /usr/bin/fipscheck /usr/bin/ssh /usr/lib/libcrypto.so.10 \
    /usr/lib/libcrypto.so.1.0.1e /usr/lib/libssl.so.10 /usr/lib/libssl.so.1.0.1e \
    /usr/lib64/libcrypto.so.10 /usr/lib/libcrypto.so.1.0.1e \
    /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.1.0.1e /usr/sbin/sshd; echo $?

3. Check the result. If the result is not 0, the integrity of the crypto libraries is compromised; the administrator must make a system image of the box for later investigation, and then reinstall the box.
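The text above notes that the fipscheck run can be scheduled from cron. The following Python 3 script is an added example, not IBM's or Red Hat's code: it keeps the shape of fipscheck (baseline the listed files once after installation, verify on a schedule, exit non-zero on any change) but computes its own HMAC-SHA256 manifest with a key that you create, so it supplements fipscheck rather than replacing it. The manifest and key locations are assumptions for illustration.

```python
"""Scheduled integrity check over the crypto files listed in this guide.

Added example, not IBM's or Red Hat's code. RHEL's fipscheck compares each
file with a vendor-shipped HMAC-SHA256 stored in a companion .hmac file.
This script keeps that shape (baseline once after installation, verify from
cron, non-zero exit on any change) but uses a manifest and key that you
create, so it supplements fipscheck rather than replacing it. The manifest
and key locations are assumptions; choose root-only paths.
"""
import hashlib
import hmac
import json
import os
import sys

CRYPTO_FILES = [  # the files named in the guide's self-test section
    "/lib64/libcryptsetup.so.1", "/lib64/libcryptsetup.so.1.1.0",
    "/lib64/libfipscheck.so.1", "/lib64/libfipscheck.so.1.1.0",
    "/lib64/libgcrypt.so.11", "/usr/bin/fipscheck", "/usr/bin/ssh",
    "/usr/lib/libcrypto.so.10", "/usr/lib/libcrypto.so.1.0.1e",
    "/usr/lib/libssl.so.10", "/usr/lib/libssl.so.1.0.1e",
    "/usr/lib64/libcrypto.so.10", "/usr/lib64/libssl.so.10",
    "/usr/lib64/libssl.so.1.0.1e", "/usr/sbin/sshd",
]
MANIFEST = "/var/lib/qradar-integrity/manifest.json"   # assumed location
KEY_FILE = "/var/lib/qradar-integrity/hmac.key"        # assumed; mode 0600, owned by root


def file_mac(path, key):
    """HMAC-SHA256 of the file contents, streamed so large libraries are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(paths, key):
    """Baseline: MAC every listed file that exists on this host."""
    return {p: file_mac(p, key) for p in paths if os.path.exists(p)}


def verify_manifest(manifest, key):
    """Return (ok, findings); a missing file or a changed MAC is a finding."""
    findings = []
    for path, expected in manifest.items():
        if not os.path.exists(path):
            findings.append(path + ": missing")
        elif not hmac.compare_digest(file_mac(path, key), expected):
            findings.append(path + ": HMAC mismatch")
    return (not findings, findings)


def main(argv):
    with open(KEY_FILE, "rb") as fh:
        key = fh.read()
    if argv[1:] == ["baseline"]:
        os.makedirs(os.path.dirname(MANIFEST), exist_ok=True)
        with open(MANIFEST, "w") as fh:
            json.dump(build_manifest(CRYPTO_FILES, key), fh, indent=1)
        return 0
    with open(MANIFEST) as fh:
        ok, findings = verify_manifest(json.load(fh), key)
    for line in findings:
        print(line, file=sys.stderr)       # cron mails stderr to root
    return 0 if ok else 1                  # non-zero, like fipscheck: image the box, then reinstall


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Create the key once from /dev/urandom, run the script with the baseline argument right after installation, and schedule a plain run from cron. Keep a copy of the manifest and the key off the appliance: an attacker with root can rewrite both, just as they could regenerate the .hmac files that fipscheck reads, so the on-box check catches corruption and casual tampering, and the off-box copy is what you compare against during an investigation.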


Chapter 6. Verifying secure updates

You must manually update your configuration files to ensure that they contain themost recent network security information.

About this task

When IBM releases software updates, the update files are available for manual download from IBM Fix Central (http://www.ibm.com/support/fixcentral). To maintain the integrity of your current configuration and information, either replace your existing configuration files or integrate the updated files with your existing files.

The audit log contains information about the most recent update that was run onyour system.

Procedure

1. Download the software update from IBM Fix Central (http://www.ibm.com/support/fixcentral) to /store/tmp on the system that hosts your QRadar All-in-One.
2. Run the downloaded update file. Before the software update can be installed, its digital signature is validated; the update is not installed if the signature validation fails. At the start of the update process, the signature in the update script is checked against the signature on the TOE, and the update is installed only if the signatures match.
3. Click Deploy Changes on the Admin tab.


Chapter 7. Audit logs

Changes that are made by QRadar users are recorded in the audit logs.

You can view the audit logs to monitor changes to QRadar and the users whochange settings.

Audit logs are stored in plain text and are archived and compressed when theaudit log file size reaches 200 MB. The current log file is named audit.log. Whenthe file reaches 200 MB, the file is compressed and renamed to audit.log.1.gz.The file number increments each time that a log file is archived. QRadar stores upto 50 archived log files.

The following warning is issued by the TOE (Target of Evaluation) before the local storage space for the audit log is full:

"Audit log rotation event. The audit.log file has reached maximum capacity and will be overwritten."

The log file rotation settings are controlled by server configuration files that are not expos­ed in the QRadar configuration settings, and they do not depend on retention settings. Rotation works by renaming the files in order: audit.log.1.gz is always the newest archived file, each archive is renamed up by one at the next rotation, and when audit.log.50.gz exists it is deleted in the next rotation.

To get a list of log files, go to /var/log/audit and type the following command:

ls -lt audit.log*

Here's an example of the output for the audit files:

-rw------- 1 root root 19156930 May 30 16:22 audit.log

-rw------- 1 root root 4422772 May 30 05:00 audit.log.1.gz

-rw------- 1 root root 4484915 May 28 22:00 audit.log.2.gz

-rw------- 1 root root 4374550 May 27 14:01 audit.log.3.gz

Viewing the audit log file

Use Secure Shell (SSH) to log in to your IBM Security QRadar system and monitor changes to your system.

About this task

You can use the Log Activity tab to view normalized audit log events.

The maximum size of any audit message, excluding date, time, and host name, is1024 characters.

Each entry in the log file uses the following format:

<date_time> <host name> <user>@<IP address> (thread ID) [<category>][<sub-category>] [<action>] <payload>

The following table describes the parts of the log file format.

Table 4. Description of the parts of the log file format

date_time
    The date and time of the activity, in the format: Month Date HH:MM:SS
host name
    The host name of the Console where this activity was logged.
user
    The name of the user who changed the settings.
IP address
    The IP address of the user who changed the settings.
(thread ID)
    The identifier of the Java thread that logged this activity.
category
    The high-level category of this activity.
sub-category
    The low-level category of this activity.
action
    The activity that occurred.
payload
    The complete record, which might include the user record or event rule, that changed.
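The format in Table 4 is regular enough to parse with a single expression. The following Python 3 script is an added example; it is not part of this guide or of QRadar. It parses audit.log entries into the Table 4 fields, flags repeated LoginAttempt failures per source IP, and groups non-authentication entries by user so that you can see who changed what. The sample entries are constructed to match the documented format (users, host names, thread names and IP addresses are made up), and the 1024-character limit that it applies is the maximum audit message size stated above.

```python
"""Parse QRadar audit.log entries (Table 4 format) and flag login failures.

Added example, not part of the guide. Sample entries below are constructed
to match the documented format; users, hosts, threads and IPs are made up.
"""
import re
from collections import Counter, defaultdict

ENTRY_RE = re.compile(
    r"^(?P<date_time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<user>[^@\s]+)@(?P<ip>\S+) "
    r"\((?P<thread>[^)]*)\)\|? *"            # "(Session)|" appears in real entries
    r"\[(?P<category>[^\]]*)\] *\[(?P<subcategory>[^\]]*)\] *\[(?P<action>[^\]]*)\] *"
    r"(?P<payload>.*)$")

MAX_MESSAGE = 1024   # guide: maximum message size excluding date, time and host name

SAMPLE_LOG = """\
Aug  1 09:28:02 qradar-console admin@10.0.0.5 (Session)| [Authentication] [User] [LoginAttempt] Login failed!
Aug  1 09:28:09 qradar-console admin@10.0.0.5 (Session)| [Authentication] [User] [LoginAttempt] Login failed!
Aug  1 09:28:15 qradar-console admin@10.0.0.5 (Session)| [Authentication] [User] [LoginAttempt] Login failed!
Aug  1 09:30:41 qradar-console admin@10.0.0.5 (Session)| [Authentication] [User] [Login] Login succeeded
Aug  1 09:31:02 qradar-console admin@10.0.0.5 (Thread-42)[Configuration][ForwardingDestination] [Create] name=audit-syslog host=syslog.example.com port=6514
Aug  1 09:32:10 qradar-console stiguser@10.0.0.9 (Session)| [Authentication] [User] [LoginAttempt] Login failed for stiguser on host qradar
Aug  1 09:35:00 ::ffff:127.0.0.1 admin@::ffff:127.0.0.1 (Session)| [Authentication] [User] [LoginAttempt] Login failed!
this line is not an audit entry and must be reported, not silently dropped
"""


def parse_entry(line):
    """Return the Table 4 fields as a dict, or None if the line does not match."""
    stripped = line.rstrip("\n")
    match = ENTRY_RE.match(stripped)
    if match is None:
        return None
    entry = match.groupdict()
    # everything after the host name is the message; at the cap it was likely cut off
    entry["maybe_truncated"] = len(stripped) - match.start("user") >= MAX_MESSAGE
    return entry


def failed_logins(lines, threshold=3):
    """Count LoginAttempt failures per source IP; return those at or above threshold.

    Unparseable lines are returned separately instead of being ignored, because
    in an audit trail a line you cannot parse is itself a finding.
    """
    failures, unparsed = Counter(), []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            if line.strip():
                unparsed.append(line)
            continue
        if entry["action"] == "LoginAttempt" and "failed" in entry["payload"].lower():
            failures[entry["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}, unparsed


def changes_by_user(lines):
    """Group every non-authentication entry by user: who changed what."""
    changes = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry and entry["category"] != "Authentication":
            changes[entry["user"]].append(
                (entry["subcategory"], entry["action"], entry["payload"]))
    return dict(changes)


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    hits, unparsed = failed_logins(lines)
    print("repeated login failures:", hits)
    print("unparseable lines:", len(unparsed))
    for user, actions in changes_by_user(lines).items():
        for sub, action, payload in actions:
            print(user, sub, action, payload)
```

Point it at /var/log/audit/audit.log (or at a decompressed archive) to run it over real entries. Lines that do not match the format are counted rather than discarded; in the constructed sample the last line is deliberately malformed to show that.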

The following table describes the other logs and the log formats that are used to record QRadar log messages:

Table 5. Other audit log files

/var/log/secure
    The primary log for SSH-related messages. The message typically includes the date and time, the success or failure reason, the user, and the IP address. This log is enabled by default.
    To log some of the messages that are identified in the "Audit Events in Evaluation" table, you must set LogLevel in the /etc/ssh/sshd_config file to DEBUG.
    Examples:

    Aug 1 09:52:58 vmesx186 sshd[11578]: Failed publickey for root from 9.85.203.59 port 53274 ssh2
    Aug 1 09:35:39 vmesx186 sshd[17432]: Failed password for root from 9.33.203.59 port 52957 ssh2

/var/log/setup-7.2.7.20170717170209/patches.log
    Logs activity that relates to patches (software updates) that are installed in QRadar, including information about the success or failure of a patch update. setup-7.2.7.20170717170209 refers to the patch version. This log is enabled by default.
    Example:

    Aug 23 11:39:40 qradar [email protected] 59736 22 | [Backend][Command] [CommandExecuted] : mount -o loop ./727_QRadar_patchupdate-7.2.7.20170717181218.sh.sfs /mnt

/var/log/qradar.log
    The primary log for QRadar application messages. Typically includes the QRadar error message and its cause. This log is enabled by default.

/var/log/qradar.error.log
    The primary log for QRadar error messages. Records QRadar errors. This log is enabled by default.

Procedure

1. Using SSH, log in to QRadar as the root user.
2. Go to the following logs to view the messages:
   - /var/log/audit/audit.log
   - /var/log/qradar.log
   - /var/log/secure
   - /var/log/qradar.error.log
   - /var/log/<patch_reference>/patches.log

Logged actions

The audit log file contains the logged actions and is stored in the /var/log/audit directory.

The following table describes the audit events that are generated to meet the audit requirements for the Common Criteria evaluation. This list is a subset of the possible audit events that can be generated by the TOE (Target of Evaluation). The format of the audit messages for the Common Criteria evaluation might vary from the typical format for QRadar messages in the audit.log file. Audit messages are also generated in the /var/log/secure, /var/log/qradar.log, /var/log/qradar.error.log, and patches.log files.


Table 6. Audit Events in Evaluation

Each entry gives the audit event, the additional information that applies to it, and the syslog audit messages that are generated.

Audit event: Failure to establish an HTTPS session.
Additional information: Failure reason
Syslog audit messages:
Aug 1 09:28:02 ::ffff:127.0.0.1 [email protected] (Session) | [Authentication] [User] [LoginAttempt] Login failed!

Audit event: Failure to establish an SSH session.

Additional information: Failed SSH login message in /var/log/secure because an invalid password is used.
Syslog audit messages:
Aug 1 09:35:39 vmesx186 sshd[17432]: Failed password for root from 9.33.203.59 port 52957 ssh2
Apr 25 20:20:26 127.0.0.1 [email protected]: (Session) [Authentication] [User] [Loginttempt] Login failed for stiguser on host qradar

Additional information: Failed SSH public key authentication message in /var/log/secure because an invalid public key is used. You must set the LogLevel in the /etc/ssh/ssh_config file to DEBUG.
Syslog audit messages:
Aug 1 09:52:58 vmesx186 sshd[11578]: Failed publickey for root from 9.33.203.59 port 53274 ssh2
May 10 10:41:49 127.0.0.1 [email protected]: (Session) [Authentication] [User] [LoginAttempt] Login failed for stiguser on host qradar

Additional information: Failed to establish an SSH session because an SSH v1 client is used to connect to the QRadar box.
Syslog audit messages:
Aug 1 11:06:56 vmesx186 sshd[8801]: Did not receive identification string from 9.33.203.59
May 10 10:41:49 127.0.0.1 [email protected]: (Session) [Authentication] [User] [LoginAttempt] Login failed for stiguser on host qradar
Jul 6 17:59:37 vmibm9043 audispd: node=vmibm9043.canlab.ibm.com type=USER_AUTH msg=audit(1499378377.743:860351): user pid=32097 uid=0 auid=501 ses=40588 msg='op=PAM:authentication acct="stiguser" exe="/usr/sbin/sshd" hostname=9.85.177.180 addr=9.85.177.180 terminal=ssh res=failed'


Audit event: SSH protocol failures

Additional information: Encryption algorithm that is not supported by the TOE, for example, 3DES. For example, the following command is run:

ssh [email protected] -c 3des

You must set the LogLevel in the /etc/ssh/ssh_config file to DEBUG, and then restart the SSHD service.
Syslog audit messages:
Aug 14 10:57:26 vmesx186 sshd[19800]: Connection from 9.21.118.186 port 40540
Aug 14 10:57:26 vmesx186 sshd[19800]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Aug 14 10:57:26 vmesx186 sshd[19800]: debug1: match: OpenSSH_5.3 pat OpenSSH*
Aug 14 10:57:26 vmesx186 sshd[19800]: debug1: Enabling compatibility mode for protocol 2.0
Aug 14 10:57:26 vmesx186 sshd[19800]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Aug 14 10:57:26 vmesx186 sshd[19801]: debug1: permanently_set_uid: 74/74
Aug 14 10:57:26 vmesx186 sshd[19801]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Aug 14 10:57:26 vmesx186 sshd[19801]: debug1: SSH2_MSG_KEXINIT sent
Aug 14 10:57:26 vmesx186 sshd[19801]: debug1: SSH2_MSG_KEXINIT received
Aug 14 10:57:26 vmesx186 sshd[19801]: fatal: no matching cipher found: client 3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
May 10 10:41:49 127.0.0.1 [email protected]: (Session) [Authentication] [User] [LoginAttempt] Login failed for stiguser on host qradar
Jul 6 17:59:37 vmibm9043 audispd: node=vmibm9043.canlab.ibm.com type=USER_AUTH msg=audit(1499378377.743:860351): user pid=32097 uid=0 auid=501 ses=40588 msg='op=PAM:authentication acct="stiguser" exe="/usr/sbin/sshd" hostname=9.85.177.180 addr=9.85.177.180 terminal=ssh res=failed'

Additional information: Integrity algorithm that is not supported by the TOE, for example, hmac-md5. For example, the following command is run:

ssh [email protected] -m hmac-md5

You must set the LogLevel in the /etc/ssh/ssh_config file to DEBUG, and then restart the SSHD service.
Syslog audit messages:
Aug 14 10:47:38 vmesx186 sshd[11991]: Connection from 9.80.195.66 port 50913
Aug 14 10:47:38 vmesx186 sshd[11991]: debug1: Client protocol version 2.0; client software version OpenSSH_6.9
Aug 14 10:47:38 vmesx186 sshd[11991]: debug1: match: OpenSSH_6.9 pat OpenSSH*
Aug 14 10:47:38 vmesx186 sshd[11991]: debug1: Enabling compatibility mode for protocol 2.0
Aug 14 10:47:38 vmesx186 sshd[11991]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Aug 14 10:47:38 vmesx186 sshd[11992]: debug1: permanently_set_uid: 74/74
Aug 14 10:47:38 vmesx186 sshd[11992]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Aug 14 10:47:38 vmesx186 sshd[11992]: debug1: SSH2_MSG_KEXINIT sent
Aug 14 10:47:38 vmesx186 sshd[11992]: debug1: SSH2_MSG_KEXINIT received
Aug 14 10:47:38 vmesx186 sshd[11992]: fatal: no matching mac found: client hmac-md5 server hmac-sha1,hmac-ripemd160
May 10 10:41:49 127.0.0.1 [email protected]: (Session) [Authentication] [User] [LoginAttempt] Login failed for stiguser on host qradar
Jul 6 17:59:37 vmibm9043 audispd: node=vmibm9043.canlab.ibm.com type=USER_AUTH msg=audit(1499378377.743:860351): user pid=32097 uid=0 auid=501 ses=40588 msg='op=PAM:authentication acct="stiguser" exe="/usr/sbin/sshd" hostname=9.85.177.180 addr=9.85.177.180 terminal=ssh res=failed'


Additional information: Unsupported key exchange is used. The SSH client is only allowed to use the diffie-hellman-group1-sha1 key exchange. For example, the following command is run:

ssh [email protected]=ecdh-sha2-nistp256

You must set the LogLevel in the /etc/ssh/ssh_config file to DEBUG, and then restart the SSHD service.
Syslog audit messages:
Aug 14 10:58:43 vmesx186 sshd[20748]: Connection from 9.80.195.66 port 51006
Aug 14 10:58:43 vmesx186 sshd[20748]: debug1: Client protocol version 2.0; client software version OpenSSH_6.9
Aug 14 10:58:43 vmesx186 sshd[20748]: debug1: match: OpenSSH_6.9 pat OpenSSH*
Aug 14 10:58:43 vmesx186 sshd[20748]: debug1: Enabling compatibility mode for protocol 2.0
Aug 14 10:58:43 vmesx186 sshd[20748]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Aug 14 10:58:43 vmesx186 sshd[20749]: debug1: permanently_set_uid: 74/74
Aug 14 10:58:43 vmesx186 sshd[20749]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Aug 14 10:58:43 vmesx186 sshd[20749]: debug1: SSH2_MSG_KEXINIT sent
Aug 14 10:58:44 vmesx186 sshd[20749]: debug1: SSH2_MSG_KEXINIT received
Aug 14 10:58:44 vmesx186 sshd[20749]: debug1: kex: client->server aes128-ctr hmac-sha1 none
Aug 14 10:58:44 vmesx186 sshd[20749]: debug1: kex: server->client aes128-ctr hmac-sha1 none
Aug 14 10:58:44 vmesx186 sshd[20749]: fatal: Unable to negotiate a key exchange method
May 10 10:41:49 127.0.0.1 [email protected]: (Session) [Authentication] [User] [LoginAttempt] Login failed for stiguser on host qradar


Additional information: Unsupported host key algorithm is used. For example, the following command is run:

ssh [email protected][email protected]

You must set the LogLevel in the /etc/ssh/ssh_config file to DEBUG, and then restart the SSHD service.
Syslog audit messages:
Aug 14 11:31:43 vmesx186 sshd[15644]: Connection from 9.80.195.66 port 51397
Aug 14 11:31:43 vmesx186 sshd[15644]: debug1: Client protocol version 2.0; client software version OpenSSH_6.9
Aug 14 11:31:43 vmesx186 sshd[15644]: debug1: match: OpenSSH_6.9 pat OpenSSH*
Aug 14 11:31:43 vmesx186 sshd[15644]: debug1: Enabling compatibility mode for protocol 2.0
Aug 14 11:31:43 vmesx186 sshd[15644]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Aug 14 11:31:43 vmesx186 sshd[15645]: debug1: permanently_set_uid: 74/74
Aug 14 11:31:43 vmesx186 sshd[15645]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Aug 14 11:31:43 vmesx186 sshd[15645]: debug1: SSH2_MSG_KEXINIT sent
Aug 14 11:31:43 vmesx186 sshd[15645]: debug1: SSH2_MSG_KEXINIT received
Aug 14 11:31:43 vmesx186 sshd[15645]: debug1: kex: client->server aes128-ctr hmac-sha1 none
Aug 14 11:31:43 vmesx186 sshd[15645]: debug1: kex: server->client aes128-ctr hmac-sha1 none
Aug 14 11:31:43 vmesx186 sshd[15645]: fatal: no hostkey alg
May 10 10:41:49 127.0.0.1 [email protected]: (Session) [Authentication] [User] [LoginAttempt] Login failed for stiguser on host qradar
Jul 6 17:59:37 vmibm9043 audispd: node=vmibm9043.canlab.ibm.com type=USER_AUTH msg=audit(1499378377.743:860351): user pid=32097 uid=0 auid=501 ses=40588 msg='op=PAM:authentication acct="stiguser" exe="/usr/sbin/sshd" hostname=9.85.177.180 addr=9.85.177.180 terminal=ssh res=failed'

Additional information: Connection is dropped when the TOE receives a packet that is over 256 Kb. You must set the LogLevel in the /etc/ssh/ssh_config file to DEBUG.
Syslog audit messages:
Aug 14 11:38:36 vmesx186 sshd[22809]: Accepted password for root from 9.80.195.66 port 51486 ssh2
Aug 14 11:38:36 vmesx186 sshd[22809]: debug1: monitor_child_preauth: root has been authenticated by privileged process
Aug 14 11:38:36 vmesx186 sshd[22809]: debug1: SELinux support disabled
Aug 14 11:38:36 vmesx186 sshd[22809]: debug1: PAM: establishing credentials
Aug 14 11:38:36 vmesx186 sshd[22809]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 14 11:38:36 vmesx186 sshd[22809]: debug1: Entering interactive session for SSH2.
Aug 14 11:38:36 vmesx186 sshd[22809]: debug1: server_init_dispatch_20
Aug 14 11:38:37 vmesx186 sshd[22809]: error: buffer_get_ret: trying to get more bytes 1 than in buffer 0
May 10 10:41:49 127.0.0.1 [email protected]: (Session) [Authentication] [User] [LoginAttempt] Login failed for stiguser on host qradar
Jul 6 17:59:37 vmibm9043 audispd: node=vmibm9043.canlab.ibm.com type=USER_AUTH msg=audit(1499378377.743:860351): user pid=32097 uid=0 auid=501 ses=40588 msg='op=PAM:authentication acct="stiguser" exe="/usr/sbin/sshd" hostname=9.85.177.180 addr=9.85.177.180 terminal=ssh res=failed'
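The SSH protocol failure and login failure entries above share a small set of fixed sshd message shapes. The following Python, added here as an example and not part of the IBM guide, tags lines from /var/log/secure with the audit event they evidence and pairs a negotiation failure with the preceding "Connection from" line; the event names and the pairing heuristic are this example's own, and the sample lines are constructed from the messages quoted in the table.

```python
"""Classify sshd messages from /var/log/secure into the audit events of Table 6.

Added example, not part of the IBM guide. Regular expressions cover the message
formats quoted in the table (OpenSSH 5.3 on the TOE, LogLevel DEBUG); each line
is tagged with the event it evidences so the lines can be forwarded or alerted
on by category. The sample lines are constructed from the ones in the table.
"""
import re
from typing import Optional

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (event label chosen for this example, regex over the sshd message text)
RULES = [
    ("ssh_auth_failure", re.compile(
        r"^Failed (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<ip>\S+) port (?P<port>\d+)")),
    ("ssh_v1_or_no_banner", re.compile(
        r"^Did not receive identification string from (?P<ip>\S+)")),
    ("ssh_cipher_mismatch", re.compile(
        r"^fatal: no matching cipher found: client (?P<client>\S+) server (?P<server>\S+)")),
    ("ssh_mac_mismatch", re.compile(
        r"^fatal: no matching mac found: client (?P<client>\S+) server (?P<server>\S+)")),
    ("ssh_kex_mismatch", re.compile(r"^fatal: Unable to negotiate a key exchange method")),
    ("ssh_hostkey_mismatch", re.compile(r"^fatal: no hostkey alg")),
    ("ssh_oversized_packet", re.compile(r"^error: buffer_get_ret: trying to get more bytes")),
    ("ssh_connection", re.compile(r"^Connection from (?P<ip>\S+) port (?P<port>\d+)")),
]

# Events that happen before authentication, so no user name is logged for them.
PROTOCOL_FAILURES = {"ssh_cipher_mismatch", "ssh_mac_mismatch", "ssh_kex_mismatch",
                     "ssh_hostkey_mismatch", "ssh_v1_or_no_banner"}

# Constructed from the messages quoted in Table 6.
SAMPLE_SECURE = [
    "Aug 14 10:57:26 vmesx186 sshd[19800]: Connection from 9.21.118.186 port 40540",
    "Aug 14 10:57:26 vmesx186 sshd[19801]: debug1: SSH2_MSG_KEXINIT received",
    "Aug 14 10:57:26 vmesx186 sshd[19801]: fatal: no matching cipher found: client 3des-cbc "
    "server aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour",
    "Aug 14 10:47:38 vmesx186 sshd[11991]: Connection from 9.80.195.66 port 50913",
    "Aug 14 10:47:38 vmesx186 sshd[11992]: fatal: no matching mac found: client hmac-md5 "
    "server hmac-sha1,hmac-ripemd160",
    "Aug 1 09:35:39 vmesx186 sshd[17432]: Failed password for root from 9.33.203.59 port 52957 ssh2",
    "Aug 1 11:06:56 vmesx186 sshd[8801]: Did not receive identification string from 9.33.203.59",
]


def classify_sshd_line(line: str) -> Optional[dict]:
    """Return {event, ts, host, pid, ...captured fields}, or None for lines with no audit value."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    for event, rule in RULES:
        r = rule.match(m["msg"])
        if r:
            rec = {"event": event, "ts": m["ts"], "host": m["host"], "pid": int(m["pid"])}
            rec.update(r.groupdict())
            return rec
    return None  # debug1 chatter is context only, not an audit event on its own


def negotiation_failures(lines):
    """Protocol-level failures, each paired with the most recent 'Connection from' source.

    The privileged sshd parent logs 'Connection from' under one pid and the
    unprivileged child logs the fatal line under another (19800 vs 19801 in the
    table), so pairing is by recency on the same host, not by pid. On a busy
    server the nearest preceding connection may belong to a different client.
    """
    last_conn = {}  # host -> (ip, port) of the last connection seen on that host
    out = []
    for line in lines:
        rec = classify_sshd_line(line)
        if rec is None:
            continue
        if rec["event"] == "ssh_connection":
            last_conn[rec["host"]] = (rec["ip"], rec["port"])
        elif rec["event"] in PROTOCOL_FAILURES:
            if not rec.get("ip"):  # fatal lines carry no address themselves
                rec["ip"], rec["port"] = last_conn.get(rec["host"], (None, None))
            rec.setdefault("port", None)
            out.append(rec)
    return out


if __name__ == "__main__":
    for f in negotiation_failures(SAMPLE_SECURE):
        print(f["ts"], f["event"], f.get("ip"), f.get("client"), "->", f.get("server"))
```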


Audit event: Successful SSH rekey
Additional information: Non-TOE endpoint IP address of connection. You must set the LogLevel in the /etc/ssh/ssh_config file to DEBUG. The message is saved in /var/log/secure.
Syslog audit messages:
Jul 6 16:11:17 vmibm9043 sshd[17280]: debug1: set_newkeys: rekeying
Jul 6 16:11:17 vmibm9043 sshd[17280]: debug1: SSH2_MSG_NEWKEYS sent
Jul 6 16:11:17 vmibm9043 sshd[17280]: debug1: expecting SSH2_MSG_NEWKEYS
Jul 6 16:11:17 vmibm9043 sshd[17280]: debug1: set_newkeys: rekeying
Jul 6 16:11:17 vmibm9043 sshd[17280]: debug1: SSH2_MSG_NEWKEYS received
Aug 21 23:31:51 qradar audispd: node=qradar.example.com type=CRYPTO_KEY_USER msg=audit(1503372711.839:89491): user pid=128890 uid=0 auid=0 ses=8001 msg='op=destroy kind=server fp=1b:bf:32:b2:de:a1:e6:6c:62:cb:ed:d4:04:aa:bf:67 direction=? spid=128890 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.0.231 terminal=? res=success'
Aug 21 23:31:51 qradar audispd: node=qradar.example.com type=CRED_REFR msg=audit(1503372711.839:89492): user pid=128890 uid=0 auid=0 ses=8001 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.0.231 addr=192.168.0.231 terminal=ssh res=success'
Aug 21 23:32:01 qradar audispd: node=qradar.example.com type=LOGIN msg=audit(1503372721.428:89495): pid=128953 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=

Audit event: Failure to establish a TLS session.
Additional information: Failure reason
Syslog audit messages:
Aug 17 11:47:18 ::ffff:192.168.0.120 [ecs-ec] [SelectiveForwardingCommunictorThread_71] com.q1labs.semsources.forwarding.network.ForwardingTCPoverSSLConnector: [WARN] [NOT:0000004000][192.168.0.120/- -] [-/- -]Unable to connect over SSL
Aug 17 09:28:11 ::ffff:192.168.0.120 [ecs-ec] [SelectiveForwardingCommunictorThread_1531] com.q1labs.semsources.forwarding.network.ForwardingTCPoverSSLConnector: [WARN] [NOT:0000004000][192.168.0.120/- -] [-/- -]Unable to connect to channel[192.168.0.123:6514]


Audit event: All uses of identification and authentication mechanism.

Additional information: Web user interface in audit.log.
Syslog audit messages:
Successful login: Apr 25 20:54:42 [email protected] (Session) | [Authentication] [User] [UserLogin] admin
Failed: Aug 1 09:28:02 ::ffff:127.0.0.1 [email protected] (Session) | [Authentication] [User] [LoginAttempt] Login failed

Additional information: SSH successful: password is valid.
Syslog audit messages:
Apr 25 21:10:22 127.0.0.1 [email protected]: (Session) [Authentication] [User] [UserLgin] stiguser on host qradar

Additional information: SSH failed. Failed SSH login because of an invalid password. The message is saved in /var/log/secure.
Syslog audit messages:
Aug 1 09:35:39 vmesx186 sshd[17432]: Failed password for root from 9.33.203.59 port 52957 ssh2
Apr 25 20:20:26 127.0.0.1 [email protected]: (Session) [Authentication] [User] [Loginttempt] Login failed for stiguser on host qradar

Additional information: Failed SSH public key authentication. The message is located in /var/log/secure. You must set the LogLevel in the /etc/ssh/ssh_config file to DEBUG.
Syslog audit messages:
Aug 1 09:52:58 vmesx186 sshd[11578]: Failed publickey for root from 9.33.203.59 port 53274 ssh2
Apr 25 20:20:26 127.0.0.1 [email protected]: (Session) [Authentication] [User] [Loginttempt] Login failed for stiguser on host qradar

Additional information: Local console. The message is saved in /var/log/secure.
Syslog audit messages:
Success: Aug 1 11:28:31 vmesx186 login: ROOT LOGIN ON tty1
Fail: Aug 1 11:29:10 vmesx186 login: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
May 1 10:43:21 127.0.0.1 [email protected]: (Session) [Authentication] [User] [UserLogin] root on host qradar
May 2 23:42:07 127.0.0.1 [email protected]: (Session) [Authentication] [User] [LoginAttempt] Login failed for root on host qradar

Audit event: Modification of the behavior of the transmission of audit data to an external IT entity.
Additional information: You can use the 'ausearch' utility to make the log message easier to read. For example, the following command is used:

ausearch -f /etc/syslog.conf -i | less

The second message is formatted by using ausearch.
Syslog audit messages:
Aug 3 13:54:19 620210210 audispd: node=620210210.canlab.ibm.com type=PATH msg=audit(1501782859.670:116177): item=1 name="/etc/syslog.conf~" inode=141623 dev=08:07 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
Aug 3 13:54:19 620210210 audispd: node=620210210.canlab.ibm.com type=EOE msg=audit(1501782859.670:116177):
Aug 3 13:54:19 620210210 audispd: node=620210210.canlab.ibm.com type=SYSCALL msg=audit(1501782859.671:116178): arch=c000003e syscall=93 success=yes exit=0 a0=5 a1=0 a2=0 a3=22 items=1 ppid=32587 pid=18057 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10183 comm="vim" exe="/usr/bin/vim" key="perm_mod"


Audit event: Modification of the behavior of the handling of audit data.
Additional information: You can use the 'ausearch' utility to make the log message easier to read, as shown in this example. Note: The ouid=0 in the first message is converted to ouid=root when ausearch is used to make the message easier to read.
Syslog audit messages:
Aug 3 13:59:16 620210210 audispd: node=620210210.canlab.ibm.com type=PATH msg=audit(1501783156.073:116383): item=0 name="/etc/audit/audit.rules~" inode=141623 dev=08:07 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

The ouid in the message represents the user ID. You can use the 'ausearch' utility to make the message easier to read, for example, type the following command:

ausearch -f /etc/audit/audit.rules -i | less

You get the following message output:

type=PATH msg=audit(08/02/2017 16:09:18.689:65006) : item=0 name=/etc/audit/audit.rules inode=133151 dev=08:07 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=NORMAL

Aug 3 13:59:16 620210210 audispd: node=620210210.canlab.ibm.com type=EOE msg=audit(1501783156.073:116383):
Aug 3 13:59:16 620210210 audispd: node=620210210.canlab.ibm.com type=SYSCALL msg=audit(1501783156.078:116384): arch=c000003e syscall=188 success=yes exit=0 a0=1e732d0 a1=38b3805db7 a2=1e77230 a3=1c items=1 ppid=32587 pid=14623 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10183 comm="vim" exe="/usr/bin/vim" key="perm_mod"

Audit event: Modification of the behavior of the audit functions when the local audit storage space is full.
Additional information: You can use the 'ausearch' utility to make the log message easier to read, as shown in the "Modification of the behavior of the handling of audit data" event message. For example, the following command was used:

ausearch -f /etc/audit/audit.rules -i | less

Syslog audit messages:
Aug 3 14:03:14 620210210 audispd: node=620210210.canlab.ibm.com type=PATH msg=audit(1501783394.488:116627): item=1 name="/etc/logrotate.d/qradar~" inode=141623 dev=08:07 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
Aug 3 14:03:14 620210210 audispd: node=620210210.canlab.ibm.com type=EOE msg=audit(1501783394.488:116627):
Aug 3 14:03:14 620210210 audispd: node=620210210.canlab.ibm.com type=SYSCALL msg=audit(1501783394.488:116628): arch=c000003e syscall=93 success=yes exit=0 a0=5 a1=0 a2=0 a3=22 items=1 ppid=32587 pid=1105 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10183 comm="vim" exe="/usr/bin/vim" key="perm_mod"


Audit event: Management activities of TSF (TOE security functions)

Additional information: Configure session inactivity.
Syslog audit messages:
Aug 3 09:35:41 ::ffff:127.0.0.1 [email protected] (5472) /console/JSON-RPC/QRadar.saveChanges QRadar.saveChanges | [Action] [QRadarSystemSettings] [SystemSettingsChange] admin changed 'Inactivity Timeout (in minutes)' from '1' to '10' ( initiating-user="admin" )

Additional information: Configure access banner.
Syslog audit messages:
Aug 3 09:56:27 ::ffff:127.0.0.1 [email protected] (7293) /console/JSON-RPC/QRadar.saveChanges QRadar.saveChanges | [Action] [QRadarSystemSettings] [SystemSettingsChange] admin changed 'Login Terms and Conditions' from 'false' to 'true' ( initiating-user="admin" )
Aug 3 09:56:59 ::ffff:127.0.0.1 [email protected] (7304) /console/JSON-RPC/QRadar.saveChanges QRadar.saveChanges | [Action] [QRadarSystemSettings] [SystemSettingsChange] admin changed 'Login Message File' from '' to '/opt/qradar/conf/logintext.txt' ( initiating-user="admin" )

Additional information: Configure session timeout.
Syslog audit messages:
Aug 3 09:35:41 ::ffff:127.0.0.1 [email protected] (5472) /console/JSON-RPC/QRadar.saveChanges QRadar.saveChanges | [Action] [QRadarSystemSettings] [SystemSettingsChange] admin changed 'Inactivity Timeout (in minutes)' from '1' to '10' ( initiating-user="admin" )

Additional information: Create or modify users, such as adding an account, modifying an account, or deleting an account.
Syslog audit messages:
Aug 3 10:21:24 ::ffff:127.0.0.1 [email protected] (8635) /console/JSON-RPC/QRadar.saveUser QRadar.saveUser | [Configuration] [UserAccount] [AccountAdded] ID: 3 | Username: test | Email: [email protected] | Locale: null | Timezone: null | Description: | Role ID: 3 | Role Name: All | Security Profile ID: 1 | Security Profile Name: Admin | Tenant ID: 0
Aug 3 10:21:42 ::ffff:127.0.0.1 [email protected] (8647) /console/JSON-RPC/QRadar.saveUser QRadar.saveUser | [Configuration] [UserAccount] [AccountModified] User test modified. Previous state: [ ID: 3 | Username: test | Email: [email protected] | Locale: null | Timezone: null | Description: | Role ID: 3 | Role Name: All | Security Profile ID: 1 | Security Profile Name: Admin | Tenant ID: 0 ]. Current state: [ ID: 3 | Username: test | Email: [email protected] | Locale: null | Timezone: null | Description: test | Role ID: 3 | Role Name: All | Security Profile ID: 1 | Security Profile Name: Admin | Tenant ID: 0 ].
Aug 3 10:22:13 ::ffff:127.0.0.1 [email protected] (8660) /console/JSON-RPC/QRadar.deleteUser QRadar.deleteUser | [Configuration] [UserAccount] [AccountDeleted] ID: 3 | Username: test | Email: [email protected] | Locale: null | Timezone: null | Description: test | Role ID: 3 | Role Name: All | Security Profile ID: 1 | Security Profile Name: Admin | Tenant ID: 0


Additional information: Configure password policy.
Syslog audit messages:
Aug 3 10:29:15 ::ffff:127.0.0.1 [email protected] (8923) /console/JSON-RPC/QRadar.saveChanges QRadar.saveChanges | [Action] [QRadarSystemSettings] [SystemSettingsChange] admin changed '' from '5' to '10' ( initiating-user="admin" )

Additional information: Change time.
Syslog audit messages:
Aug 3 10:38:09 vmesx186 127.0.0.1 [email protected] 5273422 | [Backend] [Command] [CommandExecuted] : date -s "Thu Aug 3 10:38:09 EDT 2017"

Additional information: Configure cryptographic functions.
Syslog audit messages:
Aug 3 11:41:42 vmesx186 127.0.0.1 [email protected] 5273422 | [Backend] [Command] [CommandExecuted] : ssh-keygen -t rsa

Additional information: Configure certificates and settings. When you receive a signed certificate from a CA, run /opt/qradar/bin/install_ssl_cert.sh -i and then follow the prompts. A log is created in /var/log/setup-7.2.7.xxxxxxxxxxxxxx/ssl_setup.log. At the end of the file, the following text is displayed:

OK: Successfully applied custom SSL certificate.

Syslog audit messages:
Aug 3 11:15:22 vmesx186 127.0.0.1 [email protected] 5273422 | [Backend] [Command] [CommandExecuted] : openssl genrsa -out qradar.key 2048
Aug 3 11:17:29 vmesx186 127.0.0.1 [email protected] 5273422 | [Backend] [Command] [CommandExecuted] : openssl req -new -key qradar.key -out qradar.csr
Aug 3 11:17:48 vmesx186 127.0.0.1 [email protected] 5273422 | [Backend] [Command] [CommandExecuted] : openssl req -noout -text -in qradar.csr
Aug 3 11:31:43 vmesx186 127.0.0.1 [email protected] 5273422 | [Backend] [Command] [CommandExecuted] : /opt/qradar/bin/install_ssl_cert.sh -i

Additional information: Configure TLS/HTTPS
Syslog audit messages:
Aug 3 12:06:37 vmesx186 127.0.0.1 [email protected] 5273422 | [Backend] [Command] [CommandExecuted] : vim /etc/httpd/conf/httpd.conf

Additional information: Configure SSH
Syslog audit messages:
Aug 3 12:07:52 vmesx186 127.0.0.1 [email protected] 5273422 | [Backend] [Command] [CommandExecuted] : vim /etc/ssh/ssh_config

Additional information: Configure local audit. You can use the 'ausearch' utility to make the log message easier to read, as shown in the "Modification of the behavior of the handling of audit data" event message. For example, the following command was used:

ausearch -f /etc/audit/audit.rules -i | less

The second message is formatted by using the ausearch utility.
Syslog audit messages:
Aug 3 13:59:16 620210210 audispd: node=620210210.canlab.ibm.com type=PATH msg=audit(1501783156.073:116383): item=0 name="/etc/audit/audit.rules~" inode=141623 dev=08:07 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 3 13:59:16 620210210 audispd: node=620210210.canlab.ibm.com type=EOE msg=audit(1501783156.073:116383):
Aug 3 13:59:16 620210210 audispd: node=620210210.canlab.ibm.com type=SYSCALL msg=audit(1501783156.078:116384): arch=c000003e syscall=188 success=yes exit=0 a0=1e732d0 a1=38b3805db7 a2=1e77230 a3=1c items=1 ppid=32587 pid=14623 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10183 comm="vim" exe="/usr/bin/vim" key="perm_mod"

Additional information: Configure Syslog
Syslog audit messages:
Aug 3 12:10:04 vmesx186 127.0.0.1 [email protected] 5273422 | [Backend] [Command] [CommandExecuted] : vim /etc/syslog.conf


Audit event: Changes to system time.
Additional information: The old and new values for the time. Origin of the attempt to change time for success and failure, such as the IP address. The time is in UNIX epoch time. The old time is referred to in epoch format and can be converted to a readable format by using the following command: date -d @1501608510. The new time Aug 1 13:28:30 is referenced at the beginning of the message.
Syslog audit messages:
Aug 1 13:28:30 620210210 audispd: node=620210210.cclab.ibm.com type=SYSCALL msg=audit(1501608510.902:157): arch=c000003e syscall=159 success=yes exit=0 a0=7f6ca52c6740 a1=dd2b38be a2=7f6ca52c6740 a3=0 items=0 ppid=1 pid=2731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="audit_time_rules"
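The audispd records quoted in this table (the time change above and the ausearch rows before it) all carry an audit(epoch:serial) stamp followed by a key=value body. The Python below, added as an example that is not part of the IBM guide, decodes such a record: it converts the epoch the way date -d @1501608510 does, resolves uid fields to names the way ausearch -i does using a constructed passwd map, and labels x86_64 syscall numbers from a small table written for this example; the sample records are constructed from the ones quoted in Table 6.

```python
"""Decode audispd records of the kind quoted in Table 6.

Added example, not part of the IBM guide. It parses the key=value body of an
audit record, converts the audit(epoch:serial) stamp to a readable time (what
'date -d @epoch' does), and resolves numeric ids to names (what 'ausearch -i'
does) using a constructed passwd map as a stand-in for the system's /etc/passwd.
"""
import re
from datetime import datetime, timezone

AUDIT_RE = re.compile(
    r"(?:^.*?\baudispd: )?node=(?P<node>\S+) type=(?P<type>\S+) "
    r"msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value, key="quoted" or key='quoted'; PAM records nest a second list inside msg='...'
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

# x86_64 (arch=c000003e) syscall numbers seen in the table's records; a subset of
# the kernel syscall table, written into this example for illustration only.
SYSCALLS_X86_64 = {93: "fchown", 159: "adjtimex", 188: "setxattr"}

# Constructed passwd map standing in for /etc/passwd (ausearch -i reads the real one).
PASSWD = {0: "root", 501: "stiguser"}
ID_FIELDS = ("uid", "auid", "euid", "suid", "fsuid", "ouid")
UNSET = 4294967295  # -1 as an unsigned 32-bit value: auid/ses never set (daemons)

# Constructed from records quoted in Table 6.
SAMPLE_TIME_CHANGE = (
    "Aug 1 13:28:30 620210210 audispd: node=620210210.cclab.ibm.com type=SYSCALL "
    "msg=audit(1501608510.902:157): arch=c000003e syscall=159 success=yes exit=0 "
    "a0=7f6ca52c6740 a1=dd2b38be a2=7f6ca52c6740 a3=0 items=0 ppid=1 pid=2731 "
    "auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 "
    "tty=(none) ses=4294967295 comm=\"ntpd\" exe=\"/usr/sbin/ntpd\" key=\"audit_time_rules\"")
SAMPLE_PAM_FAILURE = (
    "Jul 6 17:59:37 vmibm9043 audispd: node=vmibm9043.canlab.ibm.com type=USER_AUTH "
    "msg=audit(1499378377.743:860351): user pid=32097 uid=0 auid=501 ses=40588 "
    "msg='op=PAM:authentication acct=\"stiguser\" exe=\"/usr/sbin/sshd\" "
    "hostname=9.85.177.180 addr=9.85.177.180 terminal=ssh res=failed'")
SAMPLE_PATH = (
    "Aug 3 13:59:16 620210210 audispd: node=620210210.canlab.ibm.com type=PATH "
    "msg=audit(1501783156.073:116383): item=0 name=\"/etc/audit/audit.rules~\" "
    "inode=141623 dev=08:07 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL")


def parse_fields(body: str) -> dict:
    """Split a record body into a dict, flattening the nested PAM msg='...' list."""
    fields = {}
    for key, raw in KV_RE.findall(body):
        fields[key] = raw[1:-1] if raw[0] in "'\"" else raw
    if "msg" in fields and "=" in fields["msg"]:
        fields.update(parse_fields(fields["msg"]))
        del fields["msg"]
    return fields


def decode_record(line: str) -> dict:
    """Return node, type, serial, epoch, UTC time and the resolved fields of one record."""
    m = AUDIT_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    epoch = float(m["epoch"])
    rec = {
        "node": m["node"], "type": m["type"], "serial": int(m["serial"]), "epoch": epoch,
        "time_utc": datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }
    fields = parse_fields(m["body"])
    for f in ID_FIELDS:  # ouid=0 becomes ouid=root, as the guide notes for ausearch -i
        if f in fields and fields[f].isdigit():
            n = int(fields[f])
            fields[f] = "unset" if n == UNSET else PASSWD.get(n, str(n))
    if fields.get("arch") == "c000003e" and fields.get("syscall", "").isdigit():
        fields["syscall"] = SYSCALLS_X86_64.get(int(fields["syscall"]), fields["syscall"])
    rec["fields"] = fields
    return rec


def is_time_change(rec: dict) -> bool:
    """True for a successful SYSCALL record matched by the audit_time_rules key."""
    f = rec["fields"]
    return (rec["type"] == "SYSCALL" and f.get("key") == "audit_time_rules"
            and f.get("success") == "yes")


if __name__ == "__main__":
    for sample in (SAMPLE_TIME_CHANGE, SAMPLE_PAM_FAILURE, SAMPLE_PATH):
        r = decode_record(sample)
        print(r["time_utc"], r["type"], "time change" if is_time_change(r) else "", r["fields"])
```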

Audit event: Initiation of update.
Additional information: When the patch is installed successfully, /var/log/setup-7.2.7.20170717170209/patches.log is updated.
Syslog audit messages:
Jul 31 18:37:18 2017: Jul 31 18:37:18 2017: [INFO] (-ni-testmode) Applying 30 test patches.
Aug 23 11:39:40 qradar 127.0.0.1 [email protected] 5973622 | [Backend] [Command] [CommandExecuted] : mount -o loop ./727_QRadar_patchupdate-7.2.7.20170717181218.sh.sfs /mnt

Audit event: Failure of update.
Additional information: When the patch installation fails, /var/log/setup-7.2.7.20170717170209/patches.log is updated.
Syslog audit messages:
Aug 3 14:21:34 2017: [ERROR] (patchmode) Error running 1: /media/updates/scripts/727_patch_150287.install --mode mainpatch
Aug 23 11:39:40 qradar 127.0.0.1 [email protected] 5973622 | [Backend] [Command] [CommandExecuted] : mount -o loop ./727_QRadar_patchupdate-7.2.7.20170717181218.sh.sfs /mnt

Audit event: The termination of a remote session by the session-locking mechanism.

Additional information: GUI session termination. QRadar sends a logout request to tomcat when a session reaches an inactivity timeout.
Syslog audit messages:
Jul 6 17:47:16 ::ffff:[email protected] (1442) /console/JSON-RPC/QRadar.logout QRadar.logout | [Authentication] [Session] [AdminSessionDestroyed] UserName=admin, SessionToken=94549a9a-23b0-4c77-8b02-30e2c16f03e4, AuthorizedService=false
Jul 6 17:47:16 ::ffff:127.0.0.1 [email protected] (Session) | [Authentication] [User] [UserLogout] admin

Additional information: SSH session timeout
Syslog audit messages:
Aug 3 12:24:32 vmesx186 sshd[790]: Timeout, client not responding.
Aug 3 12:24:32 vmesx186 sshd[790]: pam_unix(sshd:session): session closed for user root
May 10 12:24:20 127.0.0.1 [email protected]: (Session) [Authentication] [User] [UserLogout] stiguser on host qradar

Additional information: REST session termination
Syslog audit messages:
Aug 2 11:07:25 ::ffff:127.0.0.1 [email protected] (4216) /console/restapi/api/config/access/users | [Authentication] [Session] [SessionDestroyed] UserName=configservices, SessionToken=3eba7253-8e1e-4dfd-a954-efddc0aab181, AuthorizedService=false

Audit event: Attempts at unlocking an interactive session.

Additional information: GUI login
Syslog audit messages:
Apr 25 20:54:42 127.0.0.1 [email protected] (Session) | [Authentication] [User] [UserLogin] admin

Additional information: REST API authentication
Syslog audit messages:
Aug 2 11:07:25 ::ffff:127.0.0.1 [email protected] (Session) | [Authentication] [Session] [SessionCreated] UserName=configservices

Additional information: SSH login
Syslog audit messages:
Aug 2 11:20:41 vmesx186 sshd[13022]: Accepted password for root from 9.21.118.186 port 39270 ssh2
Aug 2 11:20:41 vmesx186 sshd[13022]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 10 12:24:14 127.0.0.1 [email protected]: (Session) [Authentication] [User] [UserLogin] stiguser on host qradar


Audit event: Trusted channel

Additional information: Initiation of the TLS connection with the IT entity (a successful TLS connection). The message is saved in /var/log/qradar.log.
Syslog audit messages:
Aug 3 15:17:40 ::ffff:9.21.118.186 [ecs-ec] [SelectiveForwardingCommunictorThread_4581] com.q1labs.frameworks.crypto.Q1X509CertificateManager: [INFO] [NOT:0000006000][9.21.118.186/- -][-/- -]Added X.509 certificate to white list: subject = CN=tserver.q1labs.lab, OU=Security Posture QA, O=q1labs.lab, L=Fredericton, ST=New Brunswick, C=CA
Aug 3 15:17:40 ::ffff:9.21.118.186 [ecs-ec] [SelectiveForwardingCommunictorThread_4581] com.q1labs.semsources.forwarding.network.ForwardingTCPoverSSLConnector: [INFO] [NOT:0000006000][9.21.118.186/- -][-/- -]Set enabled protocols to TLSv1.1 and TLSv1.2
Aug 3 15:17:40 ::ffff:9.21.118.186 [ecs-ec] [SelectiveForwardingCommunictorThread_4581] com.q1labs.semsources.forwarding.network.ForwardingTCPoverSSLConnector: [INFO] [NOT:0000006000][9.21.118.186/- -][-/- -]The enabled protocols are: TLSv1.1, TLSv1.2,

Additional information: Failure to establish a TLS connection with the IT entity (multiple audit records might be generated for the various connection failure reasons, such as protocol failures). Failed to load the trust manager when the cert is invalid and cannot be loaded.
Syslog audit messages:
Aug 3 14:20:12 ::ffff:9.21.118.186 [ecs-ec] [SelectiveForwardingCommunictorThread_4581] com.q1labs.frameworks.crypto.Q1NiapX509TrustManager: [ERROR] [NOT:0000003000][9.21.118.186/- -][-/- -]Failed to get Q1X509 Trust Manager Instance

Additional information: Failed to connect
Syslog audit messages:
Aug 3 15:17:36 ::ffff:9.21.118.186 [ecs-ec] [SelectiveForwardingCommunictorThread_4581] com.q1labs.semsources.forwarding.network.ForwardingTCPoverSSLConnector: [WARN] [NOT:0000004000][9.21.118.186/- -][-/- -]Unable to connect to channel[172.16.88.124:9443]

Additional information: Termination of the TLS connection with the IT entity (termination of an established TLS connection between the TOE and the audit server). This message indicates that the connection was terminated from the remote server.
Syslog audit messages:
Aug 3 15:04:12 ::ffff:9.21.118.186 [ecs-ec] [SelectiveForwardingCommunictorThread_4581] com.q1labs.semsources.forwarding.network.ForwardingTCPoverSSLConnector: [WARN] [NOT:0000004000][9.21.118.186/- -] [-/- -]Unable to connect over SSL.
Aug 3 15:04:12 ::ffff:9.21.118.186 [ecs-ec] [SelectiveForwardingCommunictorThread_4581] java.io.IOException: Connection reset by peer


Audit event: Trusted path

Additional information: Initiation of the SSH remote admin connection with the TOE (usually a successful connection, such as a successful login).
Syslog audit messages:
Aug 2 11:20:41 vmesx186 sshd[13022]: Accepted password for root from 9.21.118.186 port 39270 ssh2
Aug 2 11:20:41 vmesx186 sshd[13022]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 10 12:24:14 127.0.0.1 [email protected]: (Session) [Authentication] [User] [UserLogin] stiguser on host qradar

Additional information: Initiation of the HTTPS/TLS remote admin connection with the TOE (usually a successful connection, such as a successful login).
Syslog audit messages:
Apr 25 20:54:42 127.0.0.1 [email protected] (Session) | [Authentication] [User] [UserLogin] admin

Additional information: Failure to establish an SSH remote admin connection with the TOE (failed SSH login for both password and public key). You must set the LogLevel in the /etc/ssh/ssh_config file to DEBUG.
Syslog audit messages:
Aug 1 09:35:39 vmesx186 sshd[17432]: Failed password for root from 9.33.203.59 port 52957 ssh2
Aug 1 09:52:58 vmesx186 sshd[11578]: Failed publickey for root from 9.33.203.59 port 53274 ssh2
Apr 25 20:20:26 127.0.0.1 [email protected]: (Session) [Authentication] [User] [Loginttempt] Login failed for stiguser on host qradar

Additional information: Failure to establish an HTTPS/TLS remote admin connection with the TOE (failed web UI login).
Syslog audit messages:
Aug 1 09:28:02 ::ffff:127.0.0.1 [email protected] (Session) | [Authentication] [User] [LoginAttempt] Login failed

Additional information: Termination of an SSH remote admin connection with the TOE (logout and session termination because of inactivity).
Syslog audit messages:
Aug 2 10:51:07 vmesx186 sshd[16343]: Received disconnect from 9.33.153.130: 11: disconnected by user
Aug 2 10:51:07 vmesx186 sshd[16343]: pam_unix(sshd:session): session closed for user root
May 10 12:24:20 127.0.0.1 [email protected]: (Session) [Authentication] [User] [UserLogout] stiguser on host qradar

Additional information: Termination of an HTTPS/TLS remote admin connection with the TOE (logout and session termination because of inactivity).
Syslog audit messages:
Jul 6 17:47:16 ::ffff:127.0.0.1 [email protected] (1442) /console/JSON-RPC/QRadar.logout QRadar.logout | [Authentication] [Session] [AdminSessionDestroyed] UserName=admin, SessionToken=94549a9a-23b0-4c77-8b02-30e2c16f03e4, AuthorizedService=false
Jul 6 17:47:16 ::ffff:127.0.0.1 [email protected] (Session) | [Authentication] [User] [UserLogout] admin

Additional information: Initiation of the REST API connection with the TOE.
Syslog audit messages:
Aug 2 11:07:25 ::ffff:127.0.0.1 [email protected] (Session) | [Authentication] [Session] [SessionCreated] UserName=configservices

Additional information: Termination of the REST API connection with the TOE.
Syslog audit messages:
Aug 2 11:07:25 ::ffff:[email protected] (4216) /console/restapi/api/config/access/users | [Authentication] [Session] [SessionDestroyed] UserName=configservices, SessionToken=3eba7253-8e1e-4dfd-a954-efddc0aab181, AuthorizedService=false

Audit event: Startup and shutdown of the audit functions.
Additional information: Startup and shutdown entries
Syslog audit messages:
Jul 6 10:52:10 [email protected] 61102 22 | [Backend] [Command] [CommandExecuted] : service auditd stop
Jul 6 10:52:15 vmesx-119159 [email protected] 61102 22 | [Backend] [Command] [CommandExecuted] : service auditd start

Audit event: Warning about low storage space for audit events.
Additional information: Low storage space warning
Syslog audit messages:
Aug 1 14:01:01 620210210 root: Audit log rotation event. The audit.log file has reached maximum capacity and will be overwritten.

Chapter 7. Audit logs 45

Page 52: © Copyright IBM Corporation 2016, 2017. Product information · PDF fileAbout this Common Criteria configuration for QRadar guide This documentation includes the r equir ements and

Table 6. Audit Events in Evaluation (continued)Audit Event Additional information Syslog audit messages

Unsuccessfulattempt to validatea certificate and thefailure reason.

Event and reason are inqradar.log

ssl.SSLError:[SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN]qradar.error on the qradar VMshould havejava.security.cert.CertificateExpiredException:NotAfter: xxxxx

Aug 17 09:28:11 ::ffff:192.168.0.120[ecs-ec] [SelectiveForwardingCommunictorThread_1531]com.q1labs.semsources.forwarding.network.ForwardingTCPoverSSLConnector: [WARN][NOT:0000004000][192.168.0.120/- -] [-/- -]Unable to connect to channel[192.168.0.123:6514]

Jul 6 09:34:56 ::ffff:127.0.0.1SelectiveForwardingCommunictorThread_64 | [Configuration][TrustManager] [ServerNotTrusted] Server Not Trusted CRL athttp://qradar.lab/ca/tls-ca.crl expired.

Revoked certificates Certificate is revoked. Aug 9 16:00:45 ::ffff:127.0.0.1SelectiveForwardingCommunictorThread_4581 |[Configuration] [TrustManager] [ServerNotTrusted]Server Not Trusted The certificate with subject(CN=spooky.q1labs.lab, OU=Security Posture QA,O=q1labs.lab, L=Fredericton, ST=New Brunswick,C=CA) has been revoked for an unspecified reason.

Aug 17 09:28:11 ::ffff:192.168.0.120[ecs-ec] [SelectiveForwardingCommunictorThread_1531]com.q1labs.semsources.forwarding.network.ForwardingTCPoverSSLConnector: [WARN][NOT:0000004000][192.168.0.120/- -] [-/- -]Unable to connect to channel[192.168.0.123:6514]

No OCSP signingpurpose or CRLsign

OCSP error message Aug 10 16:15:13 ::ffff:127.0.0.1SelectiveForwardingCommunictorThread_80 | [Configuration][TrustManager] [ServerNotTrusted] Server Not Trusted Issuer[CN=pki.q1labs.lab CA, OU=q1labs.lab Root CA, O=q1labs.lab,C=CA] does not have crlSigning usage in its certificate

Invalid certificate Certificate is invalidbecause of a modificationsuch as an alteration to abyte in the public key.

Aug 10 16:18:13 ::ffff:127.0.0.1SelectiveForwardingCommunictorThread_80 | [Configuration][TrustManager] [ServerNotTrusted] Server Not Trusted Thecertificate is not a CA certificate.

ssl.SSLError:[SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN]qradar.error on the qradar VM should havecom.ibm.jsse2.util.j:PKIX path validation failed:java.security.cert.CertPathValidatorException:The certificate is not a CA certificate.

TLS protocolfailures

TLS protocol failuremessages.

[Thu Aug 10 11:06:47 2017] [info] [client 172.16.88.142]SSL library error 1 in handshake (servervmb219.q1labs.inc:443)

[Thu Aug 10 11:06:47 2017] [info] SSL Library Error:336109761 error:1408A0C1:SSLroutines:SSL3_GET_CLIENT_HELLO:no shared cipher Toorestrictive SSLCipherSuite or using DSA server certificate?

46
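As an added example (not from this guide and not QRadar's own code), the following Python classifies syslog lines of the kinds listed in Table 6 into the table's audit-event categories, so an auditor can confirm that each required event is actually being emitted and spot lines that match none. The regexes, labels and sample lines are constructed here from the table's own messages; the user@host token is omitted from the samples.

```python
import re

# Regexes derived from the sample syslog lines in Table 6 (constructed here, not QRadar's own code); each maps a line to an audit-event label.
AUDIT_PATTERNS = [
    ("ssh.initiation", re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for")),
    ("ssh.failure", re.compile(r"sshd\[\d+\]: Failed (?:password|publickey) for")),
    ("ssh.termination", re.compile(r"sshd\[\d+\]: Received disconnect from")),
    ("web.initiation", re.compile(r"\[Authentication\] \[User\] \[UserLogin\]")),
    ("web.failure", re.compile(r"\[Authentication\] \[User\] \[LoginAttempt\] Login failed")),
    ("web.termination", re.compile(r"\[Authentication\] \[User\] \[UserLogout\]")),
    ("rest.initiation", re.compile(r"\[Authentication\] \[Session\] \[SessionCreated\]")),
    ("rest.termination", re.compile(r"\[Authentication\] \[Session\] \[SessionDestroyed\]")),
    ("auditd.start_stop", re.compile(r"\[CommandExecuted\] :\s*service auditd (?:start|stop)")),
    ("audit.low_storage", re.compile(r"Audit log rotation event")),
    ("cert.not_trusted", re.compile(r"\[TrustManager\] \[ServerNotTrusted\]")),
    ("tls.handshake_failure", re.compile(r"SSL [Ll]ibrary [Ee]rror")),
]
SSH_DETAIL = re.compile(r"(Accepted|Failed) (\w+) for (\S+) from (\S+) port \d+")

def classify(line):
    # First matching pattern wins; None means the line is not a Table 6 event.
    for label, pattern in AUDIT_PATTERNS:
        if pattern.search(line):
            return label
    return None

def ssh_details(line):
    # (outcome, auth method, user, source IP) for sshd lines, else None.
    m = SSH_DETAIL.search(line)
    return m.groups() if m else None

def summarize(lines):
    # Count events per label; unclassified lines are kept visible for review.
    counts = {}
    for line in lines:
        label = classify(line) or "unclassified"
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample lines modelled on Table 6 (the user@host token is omitted).
SAMPLE_LINES = [
    "Aug 2 11:20:41 vmesx186 sshd[13022]: Accepted password for root from 9.21.118.186 port 39270 ssh2",
    "Aug 1 09:35:39 vmesx186 sshd[17432]: Failed password for root from 9.33.203.59 port 52957 ssh2",
    "Apr 25 20:54:42 127.0.0.1 (Session) | [Authentication] [User] [UserLogin] admin",
    "Aug 1 14:01:01 620210210 root: Audit log rotation event. The audit.log file has reached maximum capacity.",
    "Jul 6 09:34:56 ::ffff:127.0.0.1 SelectiveForwardingCommunictorThread_64 | [Configuration] [TrustManager] [ServerNotTrusted] Server Not Trusted CRL at http://qradar.lab/ca/tls-ca.crl expired.",
    "[Thu Aug 10 11:06:47 2017] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
    "Aug 3 15:04:12 ::ffff:9.21.118.186 [ecs-ec] java.io.IOException: Connection reset by peer",
]
```

Running summarize(SAMPLE_LINES) gives one count per matched label plus one "unclassified" entry for the IOException line, which is the kind of line an evaluator would still need to map to an event by hand.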


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.

Commercial use

You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

IBM Online Privacy Statement

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.


Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user's session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details, the section entitled "Cookies, Web Beacons and Other Technologies" and the "IBM Software Products and Software-as-a-Service Privacy Statement" at http://www.ibm.com/software/info/product-privacy.


IBM®

Printed in USA