STIG compliance

You can make Cloud Pak for Data System fully STIG compliant.

The Security Technical Implementation Guides (STIGs) are configuration standards that the Defense Information Systems Agency (DISA) publishes for Department of Defense systems. They contain technical guidance for locking down information, systems, and software that might otherwise be vulnerable to attack, for example by limiting account access to a system. Cloud Pak for Data System is designed and configured to conform to most STIG rules during the manufacturing and installation process. To make Cloud Pak for Data System fully STIG compliant, use the security_compliance_manager tool that is provided with the system.

After you apply the STIG configuration, verify compliance with the Nessus scanner or a similar scanning tool.

STIG version
For Cloud Pak for Data System versions 1.0.7.8 to 1.0.8.x, the STIG version is V3R9. For more information about STIG V3R9, see.
For Cloud Pak for Data System version 1.0.9.x, the STIG version is V1R11. For more information about STIG V1R11, see.
Note: IBM® follows and supports the DISA STIG standards. The Nessus scanner by Tenable is used for scanning; CAT I and CAT II findings that the scanner reports are prioritized.
Security provided as a part of STIG
Table 1. Default security provided to all customers

File                          | Setting                                        | Reason
/etc/grub.d/40_custom         | Randomly generated value                       | Prevents editing of the GRUB configuration at boot time.
grub                          | nousb                                          | Disables USB at the GRUB level.
/etc/httpd/conf.d/nss.conf    | N/A                                            | Disables TLS 1.0.
/etc/sysctl.conf              | kernel.randomize_va_space = 2                  | Enables full address space layout randomization (stack, mmap, and brk).
sysctl                        | net.ipv4.conf.default.accept_redirects = 0     | Does not accept ICMP redirects.
sysctl                        | net.ipv4.conf.all.accept_source_route = 0      | Does not accept source-routed packets.
modprobe.conf                 | blacklist dccp                                 | Disables the dccp module.
modprobe.conf                 | blacklist usb-storage                          | Disables the usb-storage module.
/etc/profile                  | #TMOUT                                         | The shell idle timeout (TMOUT) is commented out, so profile timeouts are disabled.
/etc/audit.conf               | -b 8192                                        | Sets the audit backlog buffer size, which bounds the number of outstanding audit records.
/etc/postfix/main.cf          | N/A                                            | Restricts Postfix to internal networks.
/etc/exports                  | N/A                                            | Disables NFS exports and hardens any exported private shares.
Additional Security
You can opt for additional security by running security_compliance_manager. For more information, see Security hardening with the security_compliance_manager tool.
Table 2. Additional security details

File                             | Setting                                                                  | Reason
/etc/issue                       | STIG-required banner                                                     | Notice displayed at login.
/etc/login.defs                  | Minimum and maximum password age, minimum length, UID/GID ranges         | User password requirements.
/etc/aide.conf                   | N/A                                                                      | Configures AIDE file-integrity checking (host-based intrusion detection).
/etc/libuser.conf                | N/A                                                                      | Delegates to /etc/login.defs.
/etc/pam_ldap.conf               | N/A                                                                      | A placeholder file is written so that the scanner check is satisfied.
/etc/audisp/audisp-remote.conf   | N/A                                                                      | Drops to single-user mode when remote audit logging fails.
/etc/pam.d/postlogin-ac          | N/A                                                                      | Sets the showfailed value (displays failed login attempts at login).
Important: No deviation from the standard is anticipated for any impacted file.
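Before a Nessus scan, it is useful to confirm locally that the Table 1 kernel, module and boot settings and the Table 2 login.defs values are in place. The script below is an added example and is not part of Cloud Pak for Data System or of the security_compliance_manager tool. It checks a subset of both tables against the live host, or against a captured copy of /proc and /etc for offline use; the login.defs thresholds (60-day maximum age, 1-day minimum age, 15-character minimum length) are assumptions taken from the RHEL 7 STIG rather than from this page, and the sample tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# stig_selfcheck.sh: pre-scan self-check for a subset of the Table 1 and Table 2 settings.
# Added example; not part of Cloud Pak for Data System or security_compliance_manager.
#   sh stig_selfcheck.sh             # inspect the live host
#   sh stig_selfcheck.sh /some/tree  # inspect a captured copy of /proc and /etc
# login.defs thresholds below are assumptions (RHEL 7 STIG values), not from this page.

sysctl_value() {            # $1 root, $2 dotted key -> prints the kernel's current value
    cat "$1/proc/sys/$(printf '%s' "$2" | tr . /)" 2>/dev/null
}

module_blacklisted() {      # $1 root, $2 module -> true if any modprobe config blacklists it
    grep -Eqrs "^[[:space:]]*blacklist[[:space:]]+$2([[:space:]]|$)" \
        "$1/etc/modprobe.conf" "$1/etc/modprobe.d"
}

kernel_arg_present() {      # $1 root, $2 argument -> true if it is on the kernel command line
    grep -Eqs "(^|[[:space:]])$2([[:space:]]|$)" "$1/proc/cmdline"
}

login_defs_value() {        # $1 root, $2 key -> prints the effective (last) numeric value
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" "$1/etc/login.defs" 2>/dev/null | tail -n 1
}

stig_selfcheck() {          # $1 root; prints one FAIL line per deviation; exit status = deviation count
    root=${1:-}; fails=0
    # Table 1: sysctl values
    for kv in kernel.randomize_va_space=2 \
              net.ipv4.conf.default.accept_redirects=0 \
              net.ipv4.conf.all.accept_source_route=0; do
        key=${kv%%=*}; want=${kv#*=}; got=$(sysctl_value "$root" "$key")
        [ "$got" = "$want" ] || { echo "FAIL sysctl $key=${got:-unset} (want $want)"; fails=$((fails+1)); }
    done
    # Table 1: blacklisted kernel modules and the nousb boot argument
    for mod in dccp usb-storage; do
        module_blacklisted "$root" "$mod" || { echo "FAIL module $mod is not blacklisted"; fails=$((fails+1)); }
    done
    kernel_arg_present "$root" nousb || { echo "FAIL grub: nousb missing from kernel command line"; fails=$((fails+1)); }
    # Table 2: password ageing and length (assumed thresholds; adjust to the STIG release you check against)
    for spec in PASS_MAX_DAYS:le:60 PASS_MIN_DAYS:ge:1 PASS_MIN_LEN:ge:15; do
        key=${spec%%:*}; rest=${spec#*:}; op=${rest%%:*}; limit=${rest#*:}
        got=$(login_defs_value "$root" "$key")
        if [ -z "$got" ] || ! [ "$got" -"$op" "$limit" ]; then
            echo "FAIL login.defs $key=${got:-unset} (want -$op $limit)"; fails=$((fails+1))
        fi
    done
    return "$fails"
}

make_sample_tree() {        # $1 dir: constructed, deliberately partial tree for offline demonstration
    mkdir -p "$1/proc/sys/kernel" "$1/proc/sys/net/ipv4/conf/default" \
             "$1/proc/sys/net/ipv4/conf/all" "$1/etc/modprobe.d"
    echo 2 > "$1/proc/sys/kernel/randomize_va_space"
    echo 1 > "$1/proc/sys/net/ipv4/conf/default/accept_redirects"      # deviation
    echo 0 > "$1/proc/sys/net/ipv4/conf/all/accept_source_route"
    echo 'blacklist dccp' > "$1/etc/modprobe.d/cpds.conf"              # usb-storage missing: deviation
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro nousb' > "$1/proc/cmdline"
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t1\nPASS_MIN_LEN\t15\n' > "$1/etc/login.defs"  # max age: deviation
}

# Stand-alone demonstration against the constructed tree (3 deviations expected)
demo=$(mktemp -d)
make_sample_tree "$demo"
stig_selfcheck "$demo" || echo "$? deviation(s) found"
rm -rf "$demo"
```

Run it with no argument on a node to check the live kernel and configuration; the non-zero exit status is the number of deviations, so it drops straight into a pre-scan checklist. It only covers the settings the two tables spell out as concrete values, so it complements, rather than replaces, the Nessus scan that this page names as the compliance check.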