STIG configuration

Use the following procedure to configure Cloud Pak for Data System in accordance with STIG.

Before you begin

Make sure you stop the applications on Cloud Pak for Data System by running apstop. Log in as apadmin or an equivalent user to perform the following task.


  1. STIG compliance requires more than one DNS server to be configured. You can configure more than one DNS server by following the steps at Node side network configuration.
  2. Set up the banner file according to your company requirements. Information in the banner file is displayed whenever a user logs in to the Cloud Pak for Data System nodes via console or SSH.
  3. Run the apstop command.
    [root@gt15-node1 ~]# apstop
    Successfully deactivated system
  4. Run the security_compliance_manager command with any of the following options in order to prepare the system for STIG hardening.
    • --stigAll: Use this option to apply hardening on all applicable files.
    • --stigSingleFile: Use this option to apply hardening for mentioned file only.
    security_compliance_manager --stigAll
    For more details about the security_compliance_manager command, see Security hardening with the security_compliance_manager tool.
  5. Run the apstart command to reactivate the platform.
    [root@gt15-node1 ~]# apstart
    Successfully activated platform, appliance activation request sent