STIG compliance exceptions for version 1.0.28.2 and earlier

Review the list of DISA STIG compliance exceptions for IIAS.

Note: The settings that are listed below should not be changed. Changing them may adversely affect the operation of your IIAS environment.
  • The TFTP configuration in /etc/xinetd.d/tftp. TFTP is necessary during system provisioning. Do not remove or uninstall the TFTP package.
  • The IP forwarding setting in /etc/sysctl.conf. IP forwarding is required for Db2® Warehouse containers to run. Do not turn it off by setting net.ipv4.ip_forward to 0.
  • The time-out setting (TMOUT) in /etc/profile. Changing the TMOUT setting may interfere with IIAS management activities.
  • The USELDAPAUTH setting in /etc/sysconfig/authconfig. IIAS uses SSSD for authentication and not LDAP. Do not set USELDAPAUTH to yes. Setting it to yes will enable LDAP authentication instead of SSSD authentication.
  • The NOPASSWD option in /etc/sudoers and the /etc/sudoers.d/* files. This option is required so that users in the IIAS ibmapadmin group can run appliance commands that need root user privileges.
  • PermitRootLogin cannot be set to no, because the root user is required for appliance upgrades. Disabling it would restrict root login on the nodes and break the passwordless SSH that GPFS and other internal cluster mechanisms rely on.
  • RhostsRSAAuthentication no cannot be used in /etc/ssh/sshd_config, because that parameter has been deprecated by Red Hat.
  • pam_pwquality.so should not be included in the /etc/pam.d/passwd file. Its function is already provided by the system-auth substack, which invokes pam_pwquality.so from /etc/pam.d/system-auth-ac.
  • The appliance has its own lock-down mechanism for root user access. Configuring the operating system to automatically lock the root account by using pam_faillock.so in /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac is therefore not applicable.
    Attention: The root lock-down can be disabled by raising a PMR request. With the root lock-down disabled, the root user has full privileges to change the operation of the appliance. Improper handling of the appliance by the root user might lead to system instability, downtime, or other incidents. IBM Corporation is not liable for any such incidents.
  • IIAS does not support any smart card reader. Therefore, smart card multi-factor authentication cannot be configured.
  • Rate limiting of connections on the network interfaces is not implemented, because it could create a bottleneck on a heavily used appliance.
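A common failure mode with a list like this is that an automated STIG remediation run (or a well-meaning hardening playbook) "fixes" one of the exceptions and breaks provisioning, upgrades or the Db2 Warehouse containers. The script below is an added example, not IBM's code or part of the appliance: it audits a directory tree for the file-based exceptions listed above and reports each deviation. The file paths are the ones named in the list; the contents of the constructed sample files (the ibmapadmin sudoers rule, the PAM lines, the xinetd stanza) are invented for the demonstration and are not the appliance's real configuration. The pam_faillock check assumes the STIG-style `even_deny_root` option is what "automatically lock the root account" would look like; the TMOUT value is deliberately not checked because the page gives no required value.

```shell
#!/bin/bash
# Hypothetical IIAS STIG-exception audit (example code, not IBM's).
# audit_exceptions ROOTDIR checks the listed files under ROOTDIR (use /
# on a node, or a constructed tree for testing), prints one line per
# deviation on stderr and returns the number of deviations.

# cfg_value FILE KEY -> prints the last value of KEY ("KEY = v" or "KEY v"),
# ignoring comments; prints nothing if KEY is unset or FILE is missing.
cfg_value() {
  awk -v k="$2" '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
      if ($0 == "") next
      split($0, a, "[ \t]*=[ \t]*|[ \t]+")
      if (tolower(a[1]) == tolower(k)) v = a[2] }
    END { print v }' "$1" 2>/dev/null
}

DEVIATIONS=0
deviation() { echo "DEVIATION: $*" >&2; DEVIATIONS=$((DEVIATIONS + 1)); }

audit_exceptions() {
  local r=$1 f
  DEVIATIONS=0
  [ -f "$r/etc/xinetd.d/tftp" ] \
    || deviation "TFTP xinetd config is missing (needed for provisioning)"
  [ "$(cfg_value "$r/etc/sysctl.conf" net.ipv4.ip_forward)" = 1 ] \
    || deviation "net.ipv4.ip_forward is not 1 (Db2 Warehouse containers need it)"
  [ "$(cfg_value "$r/etc/sysconfig/authconfig" USELDAPAUTH | tr A-Z a-z)" != yes ] \
    || deviation "USELDAPAUTH=yes would replace SSSD authentication with LDAP"
  if ! cat "$r/etc/sudoers" "$r"/etc/sudoers.d/* 2>/dev/null \
       | grep -Eq '^[^#]*%ibmapadmin.*NOPASSWD'; then
    deviation "no NOPASSWD rule for %ibmapadmin in sudoers/sudoers.d"
  fi
  [ "$(cfg_value "$r/etc/ssh/sshd_config" PermitRootLogin | tr A-Z a-z)" != no ] \
    || deviation "PermitRootLogin no breaks upgrades and GPFS passwordless SSH"
  ! grep -Eiq '^[[:space:]]*RhostsRSAAuthentication' "$r/etc/ssh/sshd_config" 2>/dev/null \
    || deviation "RhostsRSAAuthentication is deprecated and must not be in sshd_config"
  ! grep -Eq '^[^#]*pam_pwquality\.so' "$r/etc/pam.d/passwd" 2>/dev/null \
    || deviation "pam_pwquality.so must not be in pam.d/passwd (system-auth-ac has it)"
  grep -Eq '^[^#]*pam_pwquality\.so' "$r/etc/pam.d/system-auth-ac" 2>/dev/null \
    || deviation "pam_pwquality.so is missing from pam.d/system-auth-ac"
  for f in system-auth-ac password-auth-ac; do
    ! grep -Eq '^[^#]*pam_faillock\.so.*even_deny_root' "$r/etc/pam.d/$f" 2>/dev/null \
      || deviation "pam_faillock even_deny_root in pam.d/$f conflicts with the root lock-down"
  done
  return $DEVIATIONS
}

# make_tree compliant|remediated -> prints a constructed temp tree.
# "compliant" matches the documented exceptions; "remediated" simulates
# what a naive STIG remediation pass would do to them. All file contents
# are invented samples, not the appliance's real configuration.
make_tree() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/etc/xinetd.d" "$d/etc/sysconfig" "$d/etc/sudoers.d" "$d/etc/ssh" "$d/etc/pam.d"
  printf 'service tftp\n{\n\tdisable = no\n}\n' > "$d/etc/xinetd.d/tftp"
  printf 'net.ipv4.ip_forward = 1\n' > "$d/etc/sysctl.conf"
  printf 'USELDAPAUTH=no\nUSESSSDAUTH=yes\n' > "$d/etc/sysconfig/authconfig"
  printf 'root ALL=(ALL) ALL\n' > "$d/etc/sudoers"
  printf '%%ibmapadmin ALL=(root) NOPASSWD: ALL\n' > "$d/etc/sudoers.d/ibmapadmin"
  printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/etc/ssh/sshd_config"
  printf 'auth     required   pam_env.so\n' > "$d/etc/pam.d/passwd"
  printf 'password requisite  pam_pwquality.so try_first_pass retry=3\n' > "$d/etc/pam.d/system-auth-ac"
  printf 'auth     required   pam_env.so\n' > "$d/etc/pam.d/password-auth-ac"
  if [ "$1" = remediated ]; then
    rm -f "$d/etc/xinetd.d/tftp"
    printf 'net.ipv4.ip_forward = 0\n' > "$d/etc/sysctl.conf"
    printf 'PermitRootLogin no\nRhostsRSAAuthentication no\n' > "$d/etc/ssh/sshd_config"
    printf 'auth required pam_faillock.so preauth even_deny_root deny=3\n' >> "$d/etc/pam.d/system-auth-ac"
  fi
  echo "$d"
}

# Demo: a compliant tree reports 0 deviations, the remediated one reports 5.
for kind in compliant remediated; do
  t=$(make_tree "$kind")
  audit_exceptions "$t" && echo "$kind tree: no deviations" || echo "$kind tree: $? deviation(s)"
  rm -rf "$t"
done
```

Run it as `audit_exceptions /` from a node shell (or wire the function into a cron job or your configuration-drift checks) after any patching or hardening run; a non-zero return value means one of the exceptions above has been undone and needs to be restored before the next provisioning, upgrade or container restart.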