IBM Security QRadar

  • 1.  /dev/dm-xx partitions in QRadar

    Posted Wed July 07, 2021 12:33 PM
    Hi Expert,

    For quite some time I have been observing some disk partitions in Linux when I run the command df -h. Previously the output of this command didn't show anything like this. But now I can see such partitions. Can anyone tell why these partition details are appearing in QRadar?


    /dev/dm-11 10G 71M 10G 1% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/devicemapper/mnt/bef43ddc3c9d1051889gb7c09bg3db09b1279be7462058ce632ase1d8

    shm 64M 0 64M 0% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/containers/fgw1235v3x42g3800m12f56ba327893401c87231g2h01123463g293h13mxfg0/mounts/shm

    /dev/dm-15 10G 456M 9.6G 5% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/devicemapper/mnt/d6b52h62g0915h034ab657ca7dca50f0de0faa9592ef03bh21cbd75ghq1305d

    shm 64M 0 64M 0% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/containers/810vg45h15x24hw09l1bd4n907e76631f065d435ge443f454gj9tyw/mounts/shm

    /dev/dm-17 10G 598M 9.5G 6% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/devicemapper/mnt/vs84fjwkenf9859nmvwn2ndfniure9823948jfwe0943ytrht

    shm 64M 0 64M 0% /store/docker-data/engine/VMware-31-2d-30-17-b8-7b-cd-1z-ze-d0-0z-a3-be-7e-3d-41/containers/0dvtdfkj65909efwlkjcq309eskclm045dskc09trjnds12354/mounts/shm

    BR,
    MFaruqi

    ------------------------------
    Muhammad Burhan Faruqi
    ------------------------------


  • 2.  RE: /dev/dm-xx partitions in QRadar

    Posted Thu July 08, 2021 03:53 AM
    Edited by Ali Okan Yuksel Thu July 08, 2021 07:29 AM
    These are Docker partitions which belong to specific containers.

    Actually, each container works in a jailed folder on the app host's filesystem.

    For instance, in this example I first discovered the QVI app ID and then found the related mount paths for my app's container. I hope it helps.

    [root@IBM-QRadar ~]# psql -U qradar -c "select id, name from installed_application" |grep 'QRadar Vulnerability Insights'
    1057 | QRadar Vulnerability Insights

    [root@IBM-QRadar ~]# ssh 10.10.2.11
    Last login: Thu Jul 8 10:44:01 2021 from 10.10.2.10
    This server has QRadar 7.4.3 (Build 20210517144015) installed on Fri Jun 18 03:08:58 EDT 2021.

    [root@IBM-QRadarAppHost ~]# docker ps |grep 1057
    fbdcfe674dc3 console.localdeployment:5000/qapp/1057:1.1.2-20210620135250 "sh /start_container…" 2 days ago Up 2 days 0.0.0.0:32813->5000/tcp qapp-1057-FBULMbUs
    [root@IBM-QRadarAppHost ~]# df -h |grep fbdcfe674dc3
    shm 64M 0 64M 0% /store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/mounts/shm

    [root@IBM-QRadarAppHost ~]# ls /store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/
    checkpoints config.v2.json hostconfig.json hostname hosts mounts resolv.conf resolv.conf.hash

    [root@IBM-QRadarAppHost ~]# docker inspect fbdcfe674dc3 |grep docker-data
    "ResolvConfPath": "/store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/resolv.conf",
    "HostnamePath": "/store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/hostname",
    "HostsPath": "/store/docker-data/engine/VMware-56-4d-da-95-e1-ea-1a-38-7d-e0-02-29-e3-91-e2-d2/containers/fbdcfe674dc33e2836550fbbca7ec798dccbd4e33d7ab3b066347a275b0767cc/hosts",

    ------------------------------
    Ali Okan Yuksel
    ------------------------------
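    The walk-through above maps a df -h line back to its container by hand. As an added example (not code from the thread or from IBM), the script below does the same classification offline: it parses df -h output, separates ordinary host mounts from the per-container devicemapper layers and shm mounts under /store/docker-data, pulls out the container or layer identifier from each path, and flags any container layer whose Use% is at or above a threshold, which is the monitoring concern the thread raises. The df lines, engine ID and container IDs in SAMPLE_DF are constructed for the example; the 80% warning threshold is an assumed default.

```python
"""Classify Docker-backed mounts in `df -h` output from a QRadar app host.

Added example; the sample data below is constructed, not taken from a real host.
"""
import re

# Constructed sample in the shape `df -h` prints on an app host: one ordinary
# host mount, two devicemapper container layers and two container shm mounts.
SAMPLE_DF = """\
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rootvg-store 1.8T 240G 1.5T 14% /store
/dev/dm-11 10G 71M 10G 1% /store/docker-data/engine/VMware-00-00/devicemapper/mnt/aaaa1111
shm 64M 0 64M 0% /store/docker-data/engine/VMware-00-00/containers/bbbb2222cccc3333/mounts/shm
/dev/dm-15 10G 456M 9.6G 5% /store/docker-data/engine/VMware-00-00/devicemapper/mnt/dddd4444
shm 64M 0 64M 0% /store/docker-data/engine/VMware-00-00/containers/eeee5555ffff6666/mounts/shm
"""

# One `df -h` data row: filesystem, size, used, avail, Use%, mount point.
DF_LINE = re.compile(
    r"^(?P<fs>\S+)\s+(?P<size>\S+)\s+(?P<used>\S+)\s+(?P<avail>\S+)\s+"
    r"(?P<pct>\d+)%\s+(?P<mount>/.*)$"
)
# Container-scoped paths under the Docker engine directory. Identifiers are
# matched as "anything but a slash" because thread posts show anonymised IDs.
CONTAINER_SHM = re.compile(
    r"/docker-data/engine/[^/]+/containers/(?P<cid>[^/]+)/mounts/shm$"
)
DEVMAPPER = re.compile(
    r"/docker-data/engine/[^/]+/devicemapper/mnt/(?P<layer>[^/]+)$"
)


def parse_df(text):
    """Turn `df -h` output into row dicts; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = DF_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pct"] = int(row["pct"])
            rows.append(row)
    return rows


def classify(mount):
    """Return (kind, identifier): container_shm, container_layer or host."""
    m = CONTAINER_SHM.search(mount)
    if m:
        return "container_shm", m.group("cid")
    m = DEVMAPPER.search(mount)
    if m:
        return "container_layer", m.group("layer")
    return "host", None


def summarise(df_text, warn_pct=80):
    """Group mounts by kind and flag container layers at or above warn_pct used."""
    summary = {"host": [], "container_shm": [], "container_layer": [], "warnings": []}
    for row in parse_df(df_text):
        kind, ident = classify(row["mount"])
        if kind == "host":
            summary["host"].append(row["mount"])
            continue
        summary[kind].append((ident, row["pct"]))
        if kind == "container_layer" and row["pct"] >= warn_pct:
            summary["warnings"].append(f"layer {ident} at {row['pct']}% ({row['fs']})")
    return summary


def host_only(df_text):
    """The view the original poster asked for: df rows with docker-data mounts hidden."""
    return [r for r in parse_df(df_text) if classify(r["mount"])[0] == "host"]


if __name__ == "__main__":
    result = summarise(SAMPLE_DF)
    for kind in ("host", "container_layer", "container_shm", "warnings"):
        print(f"{kind}: {result[kind]}")
    print("host-only rows:", [r["mount"] for r in host_only(SAMPLE_DF)])
```

On a real app host you would feed it `df -h` captured from the shell instead of SAMPLE_DF; the layer identifier it extracts is the devicemapper mount ID, so tying it to a container still needs `docker inspect` as shown in the post above. Filtering the rows rather than unmounting anything is the safe way to get a quieter df view, since the mounts are in use by running app containers.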



  • 3.  RE: /dev/dm-xx partitions in QRadar

    Posted Thu July 08, 2021 08:52 AM
    Hi Ali,

    Thanks for the reply. Yes, these are Docker partitions. I want to know why these have started appearing with the command df -h now. Please note that we have recently upgraded QRadar. Before the upgrade, it was not showing them. Can you please let us know how to hide these? Or is it even safe to delete these from QRadar?

    Regards,
    MFaruqi.

    ------------------------------
    Muhammad Burhan Faruqi
    ------------------------------



  • 4.  RE: /dev/dm-xx partitions in QRadar

    Posted Thu July 08, 2021 09:05 AM
    Edited by Ali Okan Yuksel Thu July 08, 2021 09:05 AM
    Each container's storage size should be monitored by QRadar; for that reason you are seeing these as separate volumes.

    ------------------------------
    Ali Okan Yuksel
    ------------------------------