IBM Security QRadar

  • 1.  QRadar : disable remote root login

    Posted Wed June 03, 2020 08:47 AM
    Hello everybody.
    I wonder if it is possible to disable ssh access to the root account without impacting QRadar?
    For example by changing the PermitRootLogin parameter to no in the sshd config file.

    ------------------------------
    Famara Bodian
    ------------------------------


  • 2.  RE: QRadar : disable remote root login

    Posted Wed June 03, 2020 04:00 PM
    Not completely. You can set PermitRootLogin to 'no' on a QRadar console (provided you have created a user with sudo access). On managed hosts you cannot set it to 'no' because there are some operations between consoles and managed hosts that use ssh-as-root. On managed hosts you can set PermitRootLogin to 'without-password' so that password based logins are disabled but key-based are still permitted.

    As an aside, it is worth noting that once a managed host is added to a QRadar deployment, port 22 access will be restricted to the console only.

    ------------------------------
    Rory Bray
    Security Architect, Security Intelligence
    IBM
    ------------------------------
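One way to check a host's sshd_config against the rule described in this answer, as an added example that is not part of the thread or of QRadar itself; the role labels ("console", "managed-host") and the sample config files are constructed for the example:

```shell
#!/bin/sh
# Added example, not from the thread: audit the global PermitRootLogin value in an
# sshd_config against the role of the QRadar host. Per the answer above, a console
# may use "no" (once a sudo-capable user exists); a managed host must keep key-based
# root login, so "without-password" (OpenSSH's older name for "prohibit-password").

# Print the effective global PermitRootLogin value. sshd honours the first match,
# case-insensitive, so stop at the first hit; also stop at the first Match block,
# since values inside it are conditional, not global. Prints "unset" if absent.
permit_root_login_value() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Return 0 if the value suits the role ("console" or "managed-host", labels chosen
# for this example), 1 otherwise. "unset" is rejected: the policy wants it explicit.
# "no" on a managed host would break the console-to-host ssh-as-root operations.
check_role_policy() {
  case "$1" in
    console)      case "$2" in no|without-password|prohibit-password) return 0 ;; esac ;;
    managed-host) case "$2" in without-password|prohibit-password) return 0 ;; esac ;;
  esac
  return 1
}

# Audit one config file for one role; prints a verdict and returns 0 (ok) or 1.
audit_sshd() {
  cfg="$1"; role="$2"
  val=$(permit_root_login_value "$cfg")
  if check_role_policy "$role" "$val"; then
    printf 'OK   %-12s PermitRootLogin=%s (%s)\n' "$role" "$val" "$cfg"; return 0
  fi
  printf 'WARN %-12s PermitRootLogin=%s (%s)\n' "$role" "$val" "$cfg"; return 1
}

# Constructed sample configs (not taken from a real QRadar host).
CONSOLE_CFG=$(mktemp); MANAGED_CFG=$(mktemp)
trap 'rm -f "$CONSOLE_CFG" "$MANAGED_CFG"' EXIT
printf '# hardened console\nPort 22\nPermitRootLogin no\nPasswordAuthentication yes\n' > "$CONSOLE_CFG"
printf 'PermitRootLogin without-password\nMatch User deploy\n  PermitRootLogin no\n' > "$MANAGED_CFG"

# Demonstration: "no" passes on a console but is flagged on a managed host.
audit_sshd "$CONSOLE_CFG" console
audit_sshd "$MANAGED_CFG" managed-host
audit_sshd "$CONSOLE_CFG" managed-host || true
```

On a live host point `audit_sshd` at /etc/ssh/sshd_config with the role that matches the appliance; the Match-block value in the sample is deliberately ignored because it only applies to the matched user.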



  • 3.  RE: QRadar : disable remote root login

    Posted Wed June 03, 2020 07:42 PM
    Hello Rory,
    Thank you for the answer, it's very clear.

    ------------------------------
    Famara Bodian
    ------------------------------



  • 4.  RE: QRadar : disable remote root login

    Posted Mon June 08, 2020 11:13 PM
    Hi @Famara Bodian,

    SSH access to nodes is controlled via iptables. Once you add a new node to a deployment, you will only be able to log in to it via SSH from the Console; you won't be able to SSH into it via its IP. Therefore, what you want to control/monitor is SSH access to the Console, not the nodes (processors, collectors, AppHost etc).

    I don't recommend you create a new user and set up sudo as I don't think that's officially supported by IBM. IBM QRadar is an appliance and, therefore, you are not meant to make changes as root. You could set up pubkey authentication for the root user in the Console, but I would still recommend you ask IBM about it.

    What you should do is deploy IBM QRadar in its own zone and limit SSH access on your firewall.

    Regards,
    Damian

    ------------------------------
    Cheers,
    Damian Zinni
    ------------------------------



  • 5.  RE: QRadar : disable remote root login

    Posted Wed June 10, 2020 07:29 AM
    Hello Damian,
    Thank you for your advice. We have not made a decision but it will be taken into account.

    ------------------------------
    Famara Bodian
    ------------------------------