Professional Documents
Culture Documents
PDF B Fips Siem Inst Compress
PDF B Fips Siem Inst Compress
Version 7.2.4
Note
Before using this information and the product that it supports, read the information in “Notices” on page 29.
Product information
This document applies to IBM QRadar Security Intelligence Platform V7.2.4 and subsequent releases unless
superseded by an updated version of this document.
© Copyright IBM Corporation 2013, 2014.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Introduction to QRadar FIPS installations . . . . . . . . . . . . . . . . . . . . . v
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Privacy policy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
For information about IBM security products that are FIPS certified, see the IBM
Security FIPS 140 Security Policy documents. Find these documents on the
National Institute of Standards and Technology (NIST) web site, in the Module
Validation Lists section: NIST (http://csrc.nist.gov/groups/STM/cmvp/
index.html).
To install or recover a high-availability (HA) system, see the IBM Security QRadar
High Availability Guide.
Intended audience
Technical documentation
To find IBM Security QRadar product documentation on the web, including all
translated documentation, access the IBM Knowledge Center (http://
www.ibm.com/support/knowledgecenter/SS42VS/welcome).
For information about how to access more technical documentation in the QRadar
products library, see Accessing IBM Security Documentation Technical Note
(www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).
For information about contacting customer support, see the Support and
Download Technical Note (http://www.ibm.com/support/
docview.wss?uid=swg21616144).
Use of this Program may implicate various laws or regulations. including those
related to privacy, data protection, employment, and electronic communications
and storage. IBM Security QRadar may be used only for lawful purposes and in a
lawful manner. Customer agrees to use this Program pursuant to, and assumes all
responsibility for complying with, applicable laws, regulations and policies.
Licensee represents that it will obtain or has obtained any consents, permissions, or
licenses required to enable its lawful use of IBM Security QRadar.
FIPS overview
IBM Security QRadar uses the FIPS 140-2 approved cryptographic provider(s) for
cryptography. The approved Cryptographic Security Kernel is Q1 Labs or Q1 Labs,
an IBM Company, or IBM Corp.
Appliance restrictions
Some restrictions apply to IBM Security QRadar FIPS appliances.
Table 2. Restrictions for the default license key for QRadar Log Manager installations
Usage Limit
Active log source limit 750
Events per second threshold 5000
User limit 10
Network object limit 300
To configure Integrated Management Module, you must access the system BIOS
settings by pressing F1 when the IBM splash screen is displayed. For more
information about configuring Integrated Management Module, see the Integrated
Management Module User's Guide on the CD that is shipped with your appliance.
Related concepts:
“Prerequisite hardware accessories and desktop software for QRadar installations”
on page 4
Before you install IBM Security QRadar products, ensure that you have access to
the required hardware accessories and desktop software.
QRadar components
IBM Security QRadar consolidates event data from log sources that are used by
devices and applications in your network.
For more information about each component, see the Administration Guide.
Hardware accessories
Ensure that you have access to the following hardware components:
v Monitor and keyboard, or a serial console
v Uninterrupted Power Supply (UPS) for all systems that store data, such as
QRadar Console, Event Processor components, or QRadar QFlow Collector
components
v Null modem cable if you want to connect the system to a serial console
Ensure that following applications are installed on all desktop systems that you
use to access the QRadar product user interface:
v Java™ Runtime Environment (JRE) version 1.7 or IBM 64-bit Runtime
Environment for Java V7.0
v Adobe Flash version 10.x
Related tasks:
Chapter 2, “Installing a QRadar Console or managed host,” on page 13
Install IBM Security QRadar Console or a managed host on the QRadar appliance
or on your own appliance.
If your appliance did not include labels for FIPS physical security or did not
contain a sufficient number of labels, you must contact your sales representative to
receive additional labels.
Two sets of tamper-proof labels are included with your IBM Security QRadar FIPS
appliance for a total of forty (40) tamper-proof labels. These labels are numbered
with a 7-digit code for your appliance.
Attach the tamper-proof labels firmly in the locations illustrated in the following
graphic:
When you access the QRadar system, you are prompted for a user name and a
password. The user name and password must be configured in advance by the
administrator.
Procedure
1. In your Internet Explorer web browser, press F12 to open the Developer Tools
window.
2. Click Browser Mode and select the version of your web browser.
3. Click Document Mode.
v For Internet Explorer V9.0, select Internet Explorer 9 standards.
v For Internet Explorer V10.0, select Internet Explorer 10 standards.
Related concepts:
“Prerequisite hardware accessories and desktop software for QRadar installations”
on page 4
Before you install IBM Security QRadar products, ensure that you have access to
the required hardware accessories and desktop software.
USB flash drive installations are full product installations. You cannot use a USB
flash drive upgrade or to apply product patches. For information about applying
fix packs, see the fix pack Release Notes.
Supported versions
The following appliances or operating systems can be used to create a bootable
USB flash drive:
v A QRadar v7.2.1 appliance or later
v A Linux system that is installed with Red Hat Enterprise Linux 6.4
v Microsoft Windows Vista
v Microsoft Windows 7
v Microsoft Windows 2008
v Microsoft Windows 2008R2
Installation overview
Follow this procedure to install QRadar software from a USB flash drive:
1. Create the bootable USB flash drive.
2. Install the software for your QRadar appliance.
Before you can create a bootable USB flash drive from a QRadar appliance, you
must have access to the following items:
v A 8 GB USB flash drive
v A QRadar V7.2.1 or later ISO image file
v A physical QRadar appliance
If your QRadar appliance does not have Internet connectivity, you can download
the QRadar ISO image file to a desktop computer or another QRadar appliance
with Internet access. You can then copy the ISO file to the QRadar appliance where
you install the software.
When you create a bootable USB flash drive, the contents of the flash drive are
deleted.
Procedure
1. Download the QRadar ISO image file.
a. Access the IBM Support website (www.ibm.com/support).
b. Locate the IBM Security QRadar ISO file that matches the version of the
QRadar appliance.
c. Copy the ISO image file to a /tmp directory on your QRadar appliance.
2. Using SSH, log in to your QRadar system as the root user.
3. Insert the USB flash drive in the USB port on your QRadar system.
It might take up to 30 seconds for the system to recognize the USB flash drive.
4. Type the following command to mount the ISO image:
mount -o loop /tmp/<name of the ISO image>.iso /media/cdrom
5. Type the following commend to copy the USB creation script from the
mounted ISO to the /tmp directory.
cp /media/cdrom/post/create-usb-key.py /tmp/
6. Type the following command to start the USB creation script:
/tmp/create-usb-key.py
7. Press Enter.
8. Press 1 and type the path to the ISO file. For example,
/tmp/<name of the iso image>.iso
9. Press 2 and select the drive that contains your USB flash drive.
10. Press 3 to create your USB key.
The process of writing the ISO image to your USB flash drive takes several
minutes to complete. When the ISO is loaded onto the USB flash drive, a
confirmation message is displayed.
11. Press q to quit the USB key script.
12. Remove the USB flash drive from your QRadar system.
Chapter 1. QRadar deployment overview 7
13. To free up space, remove the ISO image file from the /tmp file system.
What to do next
If your connection to the appliance is keyboard and mouse (VGA), see Installing
QRadar with a USB flash drive.
You must download the following files from the IBM Support website
(www.ibm.com/support).
v QRadar V7.2.1 or later Red Hat 64-bit ISO image file
v Create-USB-Install-Key (CUIK) tool.
Tip: Search the web for Peazip Portal v4.8.1 and Syslinux to find the download
files.
When you create a bootable USB flash drive, the contents of the flash drive are
deleted.
Procedure
1. Extract the Create-USB-Install-Key (CUIK) tool to the c:\cuik directory.
2. Copy the .zip files for PeaZip Portable 4.8.1 and SYSLINUX 4.06 to the
cuik\deps folder.
For example, c:\cuik\deps\peazip_portable-4.8.1.WINDOWS.zip and
c:\cuik\deps\syslinux-4.06.zip.
You do not need to extract the .zip files. The files need only to be available in
the cuik/deps directory.
3. Insert the USB flash drive into the USB port on your computer.
4. Verify that the USB flash drive is listed by drive letter and that it is accessible
in Microsoft Windows.
What to do next
If your connection to the appliance is keyboard and mouse (VGA), see Installing
QRadar with a USB flash drive.
When you create a bootable USB flash drive, the contents of the flash drive are
deleted.
Procedure
1. Download the QRadar ISO image file.
a. Access the IBM Support website (www.ibm.com/support).
b. Locate the IBM Security QRadar ISO file.
c. Copy the ISO image file to a /tmp directory on your QRadar appliance.
2. Update your Linux- based system to include these packages.
v syslinux
v mtools
v dosfstools
v parted
For information about the specific package manager for your Linux system,
see the vendor documentation.
3. Log in to your system as the root user.
What to do next
If your connection to the appliance is keyboard and mouse (VGA), see Installing
QRadar with a USB flash drive.
This procedure is not required if you have a keyboard and mouse that is connected
to your appliance.
Procedure
1. Insert the bootable USB flash drive into the USB port of your appliance.
2. On your USB flash drive, locate the syslinux.cfg file.
3. Edit the syslinux configuration file to change the default installation from
default linux to default serial.
4. Save the changes to the syslinux configuration file.
What to do next
You are now ready to install QRadar with the USB flash drive.
You must create the bootable USB flash drive before you can use it to install
QRadar software.
This procedure provides general guidance on how to use a bootable USB flash
drive to install QRadar software.
Procedure
1. Install all necessary hardware.
2. Choose one of the following options:
v Connect a notebook to the serial port at the back of the appliance.
v Connect a keyboard and monitor to their respective ports.
3. Insert the bootable USB flash drive into the USB port of your appliance.
4. Restart the appliance.
Most appliances can boot from a USB flash drive by default. If you are
installing QRadar software on your own hardware, you might have to set the
device boot order to prioritize USB.
After the appliance starts, the USB flash drive prepares the appliance for
installation. This process can take up to an hour to complete.
5. When the Red Hat Enterprise Linux menu is displayed, select one of the
following options:
v If you connected a keyboard and monitor, select Install or upgrade using
VGA console.
v If you connected a notebook with a serial connection, select Install or
upgrade using Serial console.
6. Type SETUP to begin the installation.
7. When the login prompt is displayed, type root to log in to the system as the
root user.
The user name is case-sensitive.
8. Press Enter and follow the prompts to install QRadar.
The complete installation process is documented in the product Installation
Guide.
Software versions for all IBM Security QRadar appliances in a deployment must be
same version and fix level. Deployments that use different versions of software is
not supported.
If you use a notebook to connect to the system, you must use a terminal program,
such as HyperTerminal. Ensure that you set Connect Using option to the
appropriate COM port of the serial connector. Ensure that you also set the
following properties:
Table 4. Terminal connection properties
Property Setting
Bits per second 9600
Stop Bits 1
Data bits 8
Parity None
Procedure
1. If you are using your own appliance, mount the QRadar ISO image
a. Create the /media/cdrom directory by typing the following command:
mkdir /media/cdrom
b. Obtain the QRadar software.
c. Mount the QRadar ISO image by typing the following command:
mount -o loop <path to the QRadar ISO> /media/cdrom
d. To begin the installation, type the following command:
/media/cdrom/setup
2. Accept the End User License Agreement (EULA).
Important: If you are configuring this host as a primary host for a high
availability (HA) cluster, and you selected Yes for auto-configure, you must
record the automatically-generated IP address. The generated IP address is
entered during HA configuration.
For more information, see the IBM Security QRadar High Availability Guide.
8. If you do not have an email server, enter localhost in the Email server name
field.
9. Click Finish.
10. In the Root password field, create a password that meets the following
criteria:
v Contains at least 5 characters
v Contains no spaces
v Can include the following special characters: @, #, ^, and *.
11. Follow the instructions in the installation wizard to complete the installation.
The installation process might take several minutes.
12. Apply your license key.
a. Log in to QRadar:
https://IP_Address_QRadar
The default Username is admin. The Password is the password of the root
user account.
b. Click the login.
c. Click the Admin tab.
d. In the navigation pane, click System Configuration.
e. Click the System and License Management icon.
f. From the Display list box, select Licenses, and upload you license key.
g. Select the unallocated license and click Allocate System to License.
h. From the list of licenses, select and license, and click Allocate License to
System.
You must enable FIPS in the following order for your appliances:
1. Managed Hosts
2. QRadar Console
Procedure
1. Use SSH to log in to QRadar as a root user.
2. Enter the following command:
/opt/qradar/fips/setup/fips_setup.py --enable
If any required cryptographic files are missing, the output alerts you to the
missing files.
3. Type Yes to enable FIPS mode.
4. Enter a password for the crypto user account. The password must meet the
following criteria:
contain at least 6 characters.
include one special character such as a period, comma, $, !, %, ^, or *.
5. Re-enter the crypto password to confirm.
6. Enter a password for the admin user account. The password must meet the
following criteria:
contain at least 6 characters
include one special character such as a period, comma, $, !, %, ^, or *.
7. Re-enter the admin password to confirm.
8. Type reboot to restart your QRadar appliance.
After the appliance restarts services, FIPS mode is enabled.
Repeat this process to enable FIPS mode on each additional managed host in
your deployment. The QRadar Console is the final appliance that you enable in
FIPS mode.
What to do next
You are now ready to disable automatic updates on your FIPS appliances. For
more information, see “Disabling automatic updates.”
The FIPS specification requires that you install FIPS-certified and tested software.
However, Device Support Modules (DSMs), protocols, and scanner updates are
allowed.
Procedure
1. Open your web browser.
2. Log in to QRadar:
https://<IP address>
Username: admin
Password: <root password>
Where <IP address> is the IP address of the QRadar Console.
3. Click Log in To QRadar.
A default license key provides you access to QRadar for five weeks. For more
information about updating your license key, see the IBM Security QRadar
Administration Guide.
4. Click the Admin tab.
5. On the navigation menu, click System Configuration.
6. Click the Auto Update icon.
7. On the navigation menu, click Change Settings.
8. From the Major Updates list box, select Disable.
9. From the Minor Updates list box, select Disable.
10. Click Save.
The installation process is complete. You are now ready to use your QRadar
appliance with FIPS enabled.
Crypto user accounts can enable FIPS mode, verify FIPS status on an appliance, or
disable FIPS mode by using shell commands. Crypto users are also allowed all of
the commands provided to admin users for QRadar maintenance.
Procedure
1. Use SSH to log in to QRadar as the FIPS crypto user.
Username: crypto
Password: <password>
2. Enter one of the following admin commands:
Table 5. Supported FIPS crypto commands
Command Description
commit Apply any changes made to a system file of
your FIPS enabled system.
Admin user accounts cannot disable FIPS mode, verify FIPS mode, or enable FIPS
mode. Admin users can use a specific set of command line options to maintain a
FIPS enabled system.
Procedure
1. Use SSH to log in to IBM Security QRadar as the FIPS admin user.
2. Enter one of the following admin commands:
FIPS self-check
You can use the command-line interface to verify whether FIPS is enabled on your
appliance.
Procedure
1. Use SSH to log in to IBM Security QRadar as the crypto user.
2. Type fips_self_check.
The output displays the status of your FIPS appliance.
Verifying Operating System ... (OK)
Verifying installed RPMs: - kernel ... (OK) - dracut-fips ... (OK) -
libgcrypt... (OK) - openssl ... (OK) - nss ... (OK) - fipscheck-lib ...
(OK)
Verifying Ariel Log Hashing Setting ... (OK)
FIPS mode: ON
Disabling FIPS
You can use the command-line interface and crypto user account to disable FIPS
mode on an IBM Security QRadar appliance.
Procedure
1. Use SSH to log in to the QRadar FIPS appliance as a crypto user.
2. Enter the following command:
disable_fips
3. Type Yes to disable FIPS mode.
4. Type reboot to restart your QRadar appliance.
After the appliance restarts services, FIPS mode is disabled. To disable FIPS
mode, repeat this process on each additional appliance that is added to the
Console as a managed host.
Procedure
1. Use SSH to log in to QRadar as the FIPS admin or crypto user.
2. Type shell.
3. Enter edit <file name> to start editing a system configuration file.
edit /store/configservices/staging/globalconfig/apps.conf
4. Save your changes.
5. Type exit to exit the command shell.
6. Type commit --changes <file name> to view the changes that are made to your
configuration file.
Example: In the following example, changes to the apps.conf file are viewed.
changes /store/configservices/staging/globalconfig/apps.conf
7. Type commit to apply the configuration file changes to your FIPS enabled
appliance.
The file is updated on your FIPS appliance when you see the following
message.
Committed changes for /store/configservices/staging/globalconfig/
apps.conf \
Procedure
1. Log in as the crypto user and disable FIPS mode on all appliances in your
deployment by typing the following command:
disable_fips
Note: For information about managing your NATed networks, see the QRadar
Administration Guide.
8. Click Next.
9. Click Finish.
A system message informs you that the deployment editor is adding the
managed host. When this process is complete, you are returned to the Admin
tab.
10. On the Admin tab menu, click Deploy Changes.
11. Use SSH to log in to your QRadar appliances as the crypto user.
a. Type the following command to enable FIPS mode:
/opt/qradar/fips/setup/fips_setup.py --enable
You must enable FIPS mode in the following order:
v Managed hosts
v QRadar Console
b. Enter Yes to enable FIPS mode.
c. Type a password for the crypto user account.
The password must contain at least one special character, such as a period,
comma, $ ! % ^ or *.
d. Re-enter the crypto password to confirm.
e. Enter a password for the admin user role.
The password must contain at least one special character, such as a period,
comma, $ ! % ^ or *.
f. Re-enter the admin password to confirm.
g. Type reboot to restart your QRadar appliance.
If you must disable FIPS mode, see “Disabling automatic updates” on page 15.
Procedure
1. Log in as the root user.
2. Type the following command:
qchange_netsetup
3. Follow the instructions in the wizard to complete the configuration.
The following table contains descriptions and notes to help you configure the
network settings.
Table 7. Description of network settings for an all-in-one QRadar Console
Network Setting Description
Host name Fully qualified domain name
Secondary DNS server address Optional
Public IP address for networks that use Optional
Network Address Translation (NAT)
Used to access the server, usually from a
different network or the Internet.
Procedure
1. To remove managed hosts, log in to QRadar:
https://IP_Address_QRadar
The Username is admin.
a. Click the Admin tab.
b. Click the Deployment Editor icon.
c. In the Deployment Editor window, click the System View tab.
d. For each managed host in your deployment, right-click the managed host
and select Remove host.
e. On the Admin tab, click Deploy Changes.
2. To change network settings on the QRadar Console, use SSH to log in to
QRadar as the root user.
The user name is root.
a. Type the following command: qchange_netsetup.
b. Follow the instructions in the wizard to complete the configuration,
The following table contains descriptions and notes to help you configure
the network settings.
Table 8. Description of network settings for a multi-system QRadar Console deployment
Network Setting Description
Host name Fully qualified domain name
Secondary DNS server address Optional
Public IP address for networks that use Optional
Network Address Translation (NAT)
Used to access the server, usually from a
different network or the Internet.
The network settings file contains one pair of lines for each NIC that is installed
and one pair of lines for each NIC that was removed. You must remove the lines
for the NIC that you removed and then rename the NIC that you installed.
Your network settings file might resemble the following example, where
NAME="eth0" is the NIC that was replaced and NAME="eth4" is the NIC that was
installed.
# PCI device 0x14e4:0x163b (bnx2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*",
ATTR{address}=="78:2a:cb:23:1a:2f", ATTR{type}=="1",
KERNEL=="eth*", NAME="eth0"
Procedure
1. Use SSH to log in to the IBM Security QRadar product as the root user.
The user name is root.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
170 Tracer Lane,
Waltham MA 02451, USA
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. If these and other IBM trademarked terms are marked on their first
occurrence in this information with a trademark symbol (® or ™), these symbols
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks
of others.
Depending upon the configurations deployed, this Software Offering may use
session cookies that collect each user’s session id for purposes of session
management and authentication. These cookies can be disabled, but disabling them
will also eliminate the functionality they enable.
If the configurations deployed for this Software Offering provide you as customer
the ability to collect personally identifiable information from end users via cookies
and other technologies, you should seek your own legal advice about any laws
applicable to such data collection, including any requirements for notice and
consent.
For more information about the use of various technologies, including cookies, for
these purposes, See IBM’s Privacy Policy at http://www.ibm.com/privacy and
Notices 31
IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details the
section entitled “Cookies, Web Beacons and Other Technologies” and the “IBM
Software Products and Software-as-a-Service Privacy Statement” at
http://www.ibm.com/software/info/product-privacy.
browser mode I
Internet Explorer web browser 6 installing
managed host 13 S
QRadar Console 13 software requirements
C using USB flash drive 6
Integrated Management Module
description 4
components
See also Integrated Management
description 3
Console
Module T
overview 3 technical library
components 3
installing 13 location v
crypto account shell commands 17
Cryptographic Module Validation L
Program (CMVP) 1 license keys U
Cryptographic Security Kernel 1 description 1 USB flash drive installations 6
customer support creating a bootable USB drive 7
contact information v installing 11
M with Microsoft Windows 8
Magistrate with Red Hat Linux 9
D component description 3 with serial-only appliances 10
disable automatic updates 15 managed hosts use cases 21
document mode installing 13
Internet Explorer web browser 6
documentation V
technical library v N verify FIPS mode 21
network administrator
description v
E network settings W
enable FIPS mode 15 all-in-one Console 25 web browser
changing 25 supported versions 5
multi-system deployment 26