STIG compliance
You can make Cloud Pak for Data System fully STIG compliant.
The Security Technical Implementation Guides (STIGs) are configuration standards created by the Defense Information Systems Agency (DISA) for Department of Defense systems. The STIGs contain technical guidance for locking down information, systems, and software that might otherwise be vulnerable to a malicious computer attack, for example by limiting account access to a system. Cloud Pak for Data System is designed and configured to conform to most of the STIG rules during the manufacturing and installation process. If you want to make Cloud Pak for Data System fully STIG compliant, use the security_compliance_manager tool that is provided with the system.
After you apply the STIG configuration, you can verify compliance with the Nessus scanner or a similar scanning tool.
- STIG version
- For Cloud Pak for Data System versions 1.0.7.8 to 1.0.8x, the STIG version is V3R9. For more information about STIG V3R9, see.
- Security provided as a part of STIG
- Table 1. Default security provided to all customers

  File                     | Setting                                      | Reason
  /etc/grub.d/40_custom    | Randomly generated value                     | No ability to edit the grub config at boot time.
  grub                     | nousb                                        | Disables USB at grub level.
  /etc/httpd/conf.d/nss.conf | N/A                                        | Disables TLS 1.0.
  /etc/sysctl.conf/        | kernel.randomize_va_space = 2                | Randomizes kernel VA space.
  sysctl                   | net.ipv4.conf.default.accept_redirects = 0   | Does not send/allow TCP redirection.
  sysctl                   | net.ipv4.conf.all.accept_source_route = 0    | Does not accept source-routed traffic.
  modprobe.conf            | dccp blacklist                               | Disables dccp driver.
  modprobe.conf            | usb-storage blacklist                        | Disables usb-storage driver.
  /etc/profile             | #TMOUT                                       | Disables profile timeouts.
  /etc/audit.conf          | -b 8192                                      | Rate limits audit events burst rate.
  /etc/postfix/main.cf     | N/A                                          | Limits postfix to internal networks.
  /etc/exports             | N/A                                          | Disables nfs exports and hardens exported private shares.
- Additional Security
- You can opt for additional security by running security_compliance_manager. For more information, see Security hardening with the security_compliance_manager tool.
  Table 2. Additional security details

  File                             | Setting                                | Reason
  '/etc/issue'                     | STIG required banner                   | Notice shown on login
  '/etc/login.defs'                | Min/Max age, min len, UID/GID values   | User password requirement
  '/etc/aide.conf'                 | N/A                                    | Configures enabled signature-based intrusion detection
  '/etc/libuser.conf'              | N/A                                    | Delegates to logins.def
  '/etc/pam_ldap.conf'             | N/A                                    | or dumps a dummy file to satisfy scanner.
  '/etc/audisp/audisp-remote.conf' | N/A                                    | Drops to single-user mode on logging failure
  '/etc/pam.d/postlogin-ac'        | N/A                                    | Showfail value