STIG compliance exceptions
Review the list of DISA STIG compliance exceptions for Cloud Pak for Data System.
- TFTP configuration in /etc/xinetd.d/tftp. TFTP is required during system provisioning. Do not remove or uninstall TFTP package.
- Time-out setting (TMOUT) in /etc/profile. Changing TMOUT setting may impact Cloud Pak for Data System system management activities.
- The IP forwarding setting in /etc/sysctl.conf. IP forwarding is required
for containers to run. Do not turn it off by setting
- USELDAPAUTH setting in /etc/sysconfig/authconfig. Cloud Pak for Data System uses SSSD for authentication and not LDAP. Do not set USELDAPAUTH to yes. Setting it to yes will enable LDAP authentication instead of SSSD authentication.
- NOPASSWD option in /etc/sudoersand /etc/sudoers.d/* files. This option is
required for Cloud Pak for Data System
ibmapadminsgroup users to run appliance commands which need root user privileges.
RhostsRSAAuthentication nocannot be used in /etc/ssh/sshd_config since the parameter operations were deprecated by Red Hat.
- The pam_pwquality.so should not be included in /etc/pam.d/passwd file, the operation of pam_pwquality.so has been included in system-auth substack. The substack covers the operation of pam_pwquality.so at /etc/pam.d/system-auth-ac file.
- Except for the root user, the password policy of all the platform users are managed via the freeIPA server running in the control nodes. You can set the required password policy for all users using the tools provided. Using pam_faillock.so in /etc/pam.d/system-auth-ac and /etc/pam.d/password-authac will adversely affect the working of the password policy of the users.
- Cloud Pak for Data System does not support any SmartCard reader hence it cannot be configured for multi factor authentication using SmartCard.
- Rate-limiting measures on interfaces cannot be implemented, as by rate limiting connections the system might run into the risk of bottle-necking an appliance with high usage.
- STIG compliance requires that files/directories are not modified after the installation as this
might lead to
cryptographic hash mismatch. However, the RPMs listed below update the mentioned files as part of the installation process. Only the files listed below should show the
cryptographic hash mismatch.
file /usr/bin/ofed_info from ofed-scripts-4.6-OFED.220.127.116.11.1.x86_64.rpm file /etc/apache2/conf.d/xcat.conf from xCAT-2.14.5-snap201812062220.x86_64.rpm file /etc/httpd/conf.d/xcat.conf from xCAT-2.14.5-snap201812062220.x86_64.rpm file /etc/apache2/conf.d/xcat-ws.conf from xCAT-server-2.14.5-snap201812062220.noarch.rpm file /etc/httpd/conf.d/xcat-ws.conf from xCAT-server-2.14.5-snap201812062220.noarch.rpm file /usr/lib/systemd/system/docker.service from docker-1.13.1-104.git4ef4b30.el7.x86_64.rpm