Question & Answer
Question
Can the new QRadar accounts customactionuser, vis, mysql or openvpn be modified, deleted or expired?
Answer
As of QRadar version 7.2.6, new system accounts were added. These accounts are not standard Linux accounts. They are separate system accounts integrated with the QRadar application.
These accounts should not be deleted, modified, assign password (some of the accounts do not have passwords set), change passwords, or expired. Any modifications to those accounts could potentially have a negative impact during a patch update or upgrade to a newer release.
If you are not using certain components of QRadar, you should be able to disable some accounts. We would not recommend deleting them, in case it is decided later on that another product/feature might be added to the environment using one ore more of these accounts.
The QRadar system is shipped as secured and tuned for QRadar operations.
Here is a function summary for these accounts (openvpn account was present in the previous QRadar versions):
These accounts should not be deleted, modified, assign password (some of the accounts do not have passwords set), change passwords, or expired. Any modifications to those accounts could potentially have a negative impact during a patch update or upgrade to a newer release.
If you are not using certain components of QRadar, you should be able to disable some accounts. We would not recommend deleting them, in case it is decided later on that another product/feature might be added to the environment using one ore more of these accounts.
The QRadar system is shipped as secured and tuned for QRadar operations.
Here is a function summary for these accounts (openvpn account was present in the previous QRadar versions):
- mysql account is required, and is SSL enabled for Forensics. If the Forensics feature is not used, it could be disabled.
- openvpn account allows for connectivity between VPN servers and clients. If is disabled, anyone administering through OpenVPN will not be able to establish a connection to the appliance.
- customactionuser account is used for running scripts in the backend within rules.
- vis account is used for scanners. If you are using a scanner, this account is required for backend functionality.
For more information on the Vulnerability Scanner (vis user), and Custom Actions (customactionuser user) see the linked documentation.
[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
02 April 2020
UID
swg21985258