STIG compliance exceptions
Review the list of DISA STIG compliance exceptions for Cloud Pak for Data System.
Note: The settings that are listed below should not be changed. Changing them may adversely affect
the operation of your Cloud Pak for Data System environment.
- TFTP configuration in /etc/xinetd.d/tftp. TFTP is required during system provisioning. Do not remove or uninstall the TFTP package.
- Timeout setting (TMOUT) in /etc/profile. Changing the TMOUT setting may impact Cloud Pak for Data System system management activities.
- The IP forwarding setting in /etc/sysctl.conf. IP forwarding is required for containers to run. Do not turn it off by setting net.ipv4.ip_forward to 0.
- USELDAPAUTH setting in /etc/sysconfig/authconfig. Cloud Pak for Data System uses SSSD for authentication and not LDAP. Do not set USELDAPAUTH to yes. Setting it to yes will enable LDAP authentication instead of SSSD authentication.
- NOPASSWD option in /etc/sudoers and /etc/sudoers.d/* files. This option is required for Cloud Pak for Data System ibmapadmins group users to run appliance commands, which need root user privileges.
- RhostsRSAAuthentication no cannot be used in /etc/ssh/sshd_config since the parameter operations were deprecated by Red Hat.
- The pam_pwquality.so module should not be included in the /etc/pam.d/passwd file. The operation of pam_pwquality.so has been included in the system-auth substack, which covers pam_pwquality.so in the /etc/pam.d/system-auth-ac file.
- Except for the root user, the password policy of all the platform users is managed via the FreeIPA server running on the control nodes. You can set the required password policy for all users by using the tools provided. Using pam_faillock.so in /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac will adversely affect the working of the password policy of the users. Do not change the password lifetime for the platuser and platadmin OS users.
- Cloud Pak for Data System does not support any SmartCard reader; hence, it cannot be configured for multi-factor authentication by using a SmartCard.
- Rate-limiting measures on interfaces cannot be implemented, because rate limiting connections risks bottlenecking an appliance under high usage.
- McAfee installation is not supported on the appliance as it has restrictions on SELinux-enabled systems.
- STIG compliance requires that files and directories are not modified after the installation, as this might lead to a cryptographic hash mismatch. However, the RPMs listed below update the mentioned files as part of the installation process. Only the files that are listed below should show the cryptographic hash mismatch:
file /usr/bin/ofed_info from ofed-scripts-4.6-OFED.4.6.1.0.1.x86_64.rpm
file /etc/apache2/conf.d/xcat.conf from xCAT-2.14.5-snap201812062220.x86_64.rpm
file /etc/httpd/conf.d/xcat.conf from xCAT-2.14.5-snap201812062220.x86_64.rpm
file /etc/apache2/conf.d/xcat-ws.conf from xCAT-server-2.14.5-snap201812062220.noarch.rpm
file /etc/httpd/conf.d/xcat-ws.conf from xCAT-server-2.14.5-snap201812062220.noarch.rpm
file /usr/lib/systemd/system/docker.service from docker-1.13.1-104.git4ef4b30.el7.x86_64.rpm
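The exception above means that an `rpm -Va` sweep on the appliance is expected to report a digest mismatch for exactly those six files and nothing else. The following script is an added example, not IBM's code or part of the product tooling: it parses `rpm -V` output lines, drops the documented exceptions, and reports any other file whose digest no longer matches the RPM database. The allowlist is the file list from the exception; the sample verify lines, the `/usr/bin/example-*` paths and the script file name `rpm_hash_exceptions.py` are constructed for illustration.

```python
"""Filter `rpm -Va` output against the documented hash-mismatch allowlist.

Added example, not IBM's code or tooling. EXPECTED_DIGEST_MISMATCH is the
file list from the exception above; SAMPLE_RPM_VERIFY is constructed.
On a real system, pipe the verifier in (file name is assumed):
    rpm -Va 2>/dev/null | python3 rpm_hash_exceptions.py
"""
import sys

# Files the page says are expected to show a digest mismatch after install.
EXPECTED_DIGEST_MISMATCH = {
    "/usr/bin/ofed_info",
    "/etc/apache2/conf.d/xcat.conf",
    "/etc/httpd/conf.d/xcat.conf",
    "/etc/apache2/conf.d/xcat-ws.conf",
    "/etc/httpd/conf.d/xcat-ws.conf",
    "/usr/lib/systemd/system/docker.service",
}

FILE_TYPE_MARKERS = "cdglr"  # config, documentation, ghost, license, readme


def parse_rpm_verify_line(line):
    """Return (flags, path) for one `rpm -V` line, or None if it is not one.

    rpm prints a 9-character attribute field (S M 5 D L U G T P; '.' means
    the attribute matched, '?' means it was not checked), then an optional
    file-type letter, then the path. A missing file is reported as
    'missing   [type] /path' and is returned with flags 'missing'.
    """
    parts = line.rstrip("\n").split(None, 1)
    if len(parts) != 2:
        return None
    flags, rest = parts
    if flags != "missing" and len(flags) != 9:
        return None
    rest = rest.lstrip()
    if len(rest) > 2 and rest[0] in FILE_TYPE_MARKERS and rest[1] == " ":
        rest = rest[2:].lstrip()
    return flags, rest


def unexpected_digest_mismatches(lines):
    """Return [(path, flags)] for digest mismatches not covered by the exception.

    Column 3 of the flags ('5') marks a file whose digest differs from the RPM
    database. Allowlisted paths are skipped entirely, since a changed digest
    naturally comes with a changed size and mtime. Other attribute changes
    (mode, owner, mtime only) and missing files are not hash mismatches and
    are left to the other STIG checks that cover them.
    """
    findings = []
    for line in lines:
        parsed = parse_rpm_verify_line(line)
        if parsed is None:
            continue
        flags, path = parsed
        if flags == "missing" or flags[2] != "5":
            continue
        if path in EXPECTED_DIGEST_MISMATCH:
            continue  # documented: the RPM itself updates this file at install
        findings.append((path, flags))
    return findings


# Constructed sample output (not from a real appliance): the first four lines
# are documented exceptions, the last three are other kinds of change.
SAMPLE_RPM_VERIFY = """\
S.5....T.  c /etc/httpd/conf.d/xcat.conf
S.5....T.  c /etc/httpd/conf.d/xcat-ws.conf
.......T.    /usr/lib/systemd/system/docker.service
S.5....T.    /usr/bin/ofed_info
S.5....T.    /usr/bin/example-tool
.M.......    /usr/bin/example-other
missing     /etc/example.conf
"""


def main():
    # Read piped `rpm -Va` output; fall back to the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_RPM_VERIFY.splitlines()
    for path, flags in unexpected_digest_mismatches(source):
        print(f"unexpected hash mismatch: {flags} {path}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, only `/usr/bin/example-tool` is reported: the four allowlisted lines are excused, the mode-only change and the missing file are not digest mismatches. Keep the allowlist in step with the file list in the exception when the product release notes change it.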
- Applicable only for version 1.0.8.x and later
- The following settings are only applicable for version 1.0.8.x and later.
- The reverse-path filter must be disabled for policy-based routing. Do not enable them by setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter.
- PermitRootLogin yes is required for the root lock-down operation. Setting this parameter to 'no' will severely impact the root lock-down user.
- ClientAliveInterval 14400 is required for upgrades. Do not change this value in /etc/ssh/sshd_config.
- GSSAPIAuthentication must be enabled for configuring LDAP.
- False Positive: RHEL-07-010483 BIOS must have a unique name for the grub superusers account. The solution has been implemented.
- sssd.conf is configured specifically for IPA. Adding cryptography changes affects the IPA installation.
- Applicable only for version 1.0.9 and later
- The following settings are only applicable for version 1.0.9 and later.
- Do not uninstall the following packages from the system:
gssproxy
krb5-workstation
tuned package
iprutils package
- Do not enable the sticky bit for the following directories. They are associated with containers and Mellanox, and permissions are set based on their usage:
/opt/ibm/appliance/storage/head
/var/lib/containers/storage/overlay
/var/opt/mellanox
- Partition changes and the creation of new partitions are not supported.
- Certificate status checking for multifactor authentication is not supported; updating certificate_verification = ocsp_dgst=sha1 in the file /etc/sssd/sssd.conf causes IPA failures.
- Do not change file permissions for the following files; doing so leads to user login failure:
/root/.bash_logout
/root/.bash_profile
/root/.bashrc
/root/.cshrc
/root/.systemtap
/root/.tcshrc
/var/lib/nfs/.etab.lock
/home/platadmin/.mozilla
/home/platuser/.mozilla
/root/.ansible
/root/.dogtag
/root/.ipa
- Enabling the kernel.kexec_load_disabled parameter disables the loading of the new kernel, which can slow down the restart process during the appliance upgrade.
- To run containers, IP forwarding needs to be enabled. Do not disable it by setting the parameters net.ipv4.conf.all.forwarding and net.ipv6.conf.all.forwarding to 0 in any of the following files:
/run/sysctl.d/*.conf
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
/etc/sysctl.conf
/etc/sysctl.d/*.conf
- The parameter user.max_user_namespaces is used by containers in the system. Do not set its value to 0 or disable it. If you do, it can affect the functions of containers.
- Do not change the UMASK parameter to 077 in the files /etc/bashrc, /etc/csh.cshrc, and /etc/profile. Changing this parameter restricts the copying or creation of files and directories and causes failures in multiple places during and after the appliance upgrade.
- The platform user lock is controlled by the IPA server. Therefore, pam_faillock is deactivated in Cloud Pak for Data System.
- Do not add the timeout session to /etc/systemd/logind.conf or /etc/tmux.conf. If you do, the apupgrade and any other task might fail.
- Cloud Pak for Data System has a custom firewall zone setup; hence, creating a drop zone is not required.
- Applying the following changes to fapolicy is not recommended. If you do, it might affect the callhome functions:
- Enable the fapolicy
- Set fapolicy to the enforcing mode
- It is not recommended to enable the tmux terminal multiplexer. If you do, it might lead to failures during appliance upgrades.
- Kernel core dumps are necessary for troubleshooting in the event of a system crash; therefore, it is not suggested to disable them by setting kernel.core_pattern = |/bin/false.
- It is recommended to disable net.ipv4.conf.all.rp_filter, as enabling it or setting it to 1 can prevent policy-based routing from functioning correctly.
- The appliance firewall rules are based on iptables, and when those rules are reloaded during house network setup, iptables must be the default FirewallBackend. If you edit /etc/firewalld/firewalld.conf and set "FirewallBackend=nftables", the firewall reload during house network setup will fail.
- The directories /install/bundle.copied_from_provisioning_system/upgrade/ and /opt/ibm/appliance/platform/hpi/firmware/ are not world-writable or shared, so the sticky bit is not required. Setting it may interfere with system or firmware operations and should be avoided.
- kdump.service must remain enabled to capture kernel crash dumps (vmcore) for root-cause analysis. Disabling it would result in no memory dumps.
- Do not change group ownership or permissions for files under /usr/lib/python3.12/site-packages/*, as these are managed by the Python package manager. Altering them may result in service failure, broken dependencies, or security regressions.
- Do not uninstall the following packages from the system:
- Exceeds the requirement: maxpoll 4. The polling interval is more frequent than the requirement. Changing this to a different value is not recommended.
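Several of the exceptions above are settings that a generic STIG remediation script would flip in the other direction: the IP forwarding, user.max_user_namespaces, rp_filter and kernel.kexec_load_disabled sysctl values, and the PermitRootLogin, ClientAliveInterval and GSSAPIAuthentication values in /etc/ssh/sshd_config. The script below is an added example, not IBM's code or part of the product tooling: it parses sysctl-style and sshd_config-style text and reports any value that contradicts the documented exceptions, so a hardening pass can be reviewed before it breaks the appliance. The required values and file paths are taken from the page; the sample file contents and the `--system` flag are constructed for illustration.

```python
"""Drift check for the sysctl and sshd_config exceptions documented above.

Added example, not IBM's code or tooling. Required values and file paths
come from the page; SAMPLE_SYSCTL and SAMPLE_SSHD are constructed inputs.
"""
import glob
import re
import sys

# sysctl keys the page says must not be set to 0
MUST_NOT_BE_ZERO = {
    "net.ipv4.ip_forward",
    "net.ipv4.conf.all.forwarding",
    "net.ipv6.conf.all.forwarding",
    "user.max_user_namespaces",
}
# sysctl keys the page says must stay disabled (0)
MUST_STAY_ZERO = {
    "net.ipv4.conf.all.rp_filter",
    "net.ipv4.conf.default.rp_filter",
    "kernel.kexec_load_disabled",
}
# sshd_config keywords (lower-cased) and the values the page requires
SSHD_REQUIRED = {
    "permitrootlogin": "yes",
    "clientaliveinterval": "14400",
    "gssapiauthentication": "yes",
}
# sysctl files listed on the page, as glob patterns
SYSCTL_PATHS = [
    "/run/sysctl.d/*.conf", "/usr/local/lib/sysctl.d/*.conf",
    "/usr/lib/sysctl.d/*.conf", "/lib/sysctl.d/*.conf",
    "/etc/sysctl.conf", "/etc/sysctl.d/*.conf",
]
SSHD_CONFIG = "/etc/ssh/sshd_config"


def parse_kv(text, sep_pattern):
    """Yield (key, value) for each non-blank, non-comment line of text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = re.split(sep_pattern, line, maxsplit=1)
        if len(parts) == 2 and parts[0]:
            yield parts[0].strip(), parts[1].strip()


def sysctl_drift(text):
    """Return 'key=value' strings in sysctl text that violate the exceptions."""
    findings = []
    for key, value in parse_kv(text, r"\s*=\s*"):
        if key in MUST_NOT_BE_ZERO and value == "0":
            findings.append(f"{key}={value}")
        elif key in MUST_STAY_ZERO and value != "0":
            findings.append(f"{key}={value}")
    return findings


def sshd_drift(text):
    """Return {keyword: value_found} for required sshd settings that differ.

    sshd uses the first value it reads for a keyword, so the first occurrence
    wins here too. Keywords after a Match line are conditional, so parsing
    stops there; a required keyword that never appears is reported as <unset>.
    """
    seen = {}
    for key, value in parse_kv(text, r"\s*=\s*|\s+"):
        key = key.lower()
        if key == "match":
            break
        seen.setdefault(key, value)
    return {k: seen.get(k, "<unset>") for k, req in SSHD_REQUIRED.items()
            if seen.get(k, "<unset>").lower() != req}


# Constructed samples showing drift (not real appliance files).
SAMPLE_SYSCTL = """\
# constructed sample of a drifted sysctl.d fragment
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter=0
net.ipv6.conf.all.forwarding = 1
kernel.kexec_load_disabled = 0
"""
SAMPLE_SSHD = """\
# constructed sample sshd_config
Port 22
PermitRootLogin no
ClientAliveInterval 14400
Match User backup
    GSSAPIAuthentication yes
"""


def main(argv):
    """Scan the real files with --system (assumed flag), else the samples."""
    if argv[1:] == ["--system"]:
        paths = [p for pat in SYSCTL_PATHS for p in sorted(glob.glob(pat))]
        sources = [(p, open(p, encoding="utf-8").read()) for p in paths]
        sshd_text = open(SSHD_CONFIG, encoding="utf-8").read()
    else:
        sources, sshd_text = [("sample-sysctl", SAMPLE_SYSCTL)], SAMPLE_SSHD
    for path, text in sources:
        for finding in sysctl_drift(text):
            print(f"{path}: {finding}")
    for keyword, found in sshd_drift(sshd_text).items():
        print(f"sshd_config: {keyword} is {found}, required {SSHD_REQUIRED[keyword]}")


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed samples the check reports net.ipv4.ip_forward=0 and net.ipv4.conf.all.rp_filter=1 from the sysctl fragment, and PermitRootLogin no plus an unset GSSAPIAuthentication from sshd_config; the GSSAPIAuthentication line inside the Match block does not count because it only applies to that user. Run with `--system` as root on the appliance to check the live files.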