STIG compliance exceptions

Review the list of DISA STIG compliance exceptions for Cloud Pak for Data System.

Note: The settings listed below should not be changed. Changing them may adversely affect the operation of your Cloud Pak for Data System environment.
  • TFTP configuration in /etc/xinetd.d/tftp. TFTP is required during system provisioning. Do not remove or uninstall the TFTP package.
  • Time-out setting (TMOUT) in /etc/profile. Changing the TMOUT setting may impact Cloud Pak for Data System management activities.
  • The IP forwarding setting in /etc/sysctl.conf. IP forwarding is required for containers to run. Do not turn it off by setting net.ipv4.ip_forward to 0.
  • USELDAPAUTH setting in /etc/sysconfig/authconfig. Cloud Pak for Data System uses SSSD for authentication and not LDAP. Do not set USELDAPAUTH to yes. Setting it to yes will enable LDAP authentication instead of SSSD authentication.
  • NOPASSWD option in /etc/sudoers and /etc/sudoers.d/* files. This option is required for users in the Cloud Pak for Data System ibmapadmins group to run appliance commands that need root privileges.
  • RhostsRSAAuthentication no cannot be set in /etc/ssh/sshd_config because the option applied only to SSH protocol 1 and has been deprecated in the OpenSSH shipped by Red Hat.
  • pam_pwquality.so should not be added to /etc/pam.d/passwd. Password quality checking is already performed through the system-auth substack: /etc/pam.d/system-auth-ac invokes pam_pwquality.so.
  • Except for the root user, the password policy of all platform users is managed by the FreeIPA server running on the control nodes. Set the required password policy for all users with the tools provided. Adding pam_faillock.so to /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac interferes with the user password policy.
  • Cloud Pak for Data System does not support smart card readers, so it cannot be configured for multi-factor authentication with smart cards.
  • Rate limiting on network interfaces is not implemented because limiting connection rates could bottleneck an appliance under heavy use.
  • STIG compliance requires that files and directories are not modified after installation, because a modified file fails the cryptographic hash check against the RPM database. However, the RPMs listed below update the named files as part of the installation process. Only the files listed below should show a hash mismatch; any other mismatch is unexpected.
    file /usr/bin/ofed_info                   from ofed-scripts-4.6-OFED.4.6.1.0.1.x86_64.rpm
    file /etc/apache2/conf.d/xcat.conf                 from xCAT-2.14.5-snap201812062220.x86_64.rpm
    file /etc/httpd/conf.d/xcat.conf                   from xCAT-2.14.5-snap201812062220.x86_64.rpm
    file /etc/apache2/conf.d/xcat-ws.conf              from xCAT-server-2.14.5-snap201812062220.noarch.rpm
    file /etc/httpd/conf.d/xcat-ws.conf                from xCAT-server-2.14.5-snap201812062220.noarch.rpm
    file /usr/lib/systemd/system/docker.service        from docker-1.13.1-104.git4ef4b30.el7.x86_64.rpm
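The following script is an added example for checking the last exception, not part of the IBM documentation or the Cloud Pak for Data System tooling. It filters `rpm -Va` output for files whose digest check fails (the "5" flag in the third attribute column) and reports any path that is not on the documented exception list above. The rpm -Va sample embedded in the script is constructed for offline demonstration; the path /usr/bin/sudo in it is a hypothetical unexpected mismatch, chosen only to show what the check would flag. On a real node, pipe live `rpm -Va` output into the function instead.

```shell
#!/bin/sh
# Added example (not IBM code): report rpm digest mismatches that are not on
# the documented STIG exception list for Cloud Pak for Data System.

# Files the documentation says are expected to show a hash mismatch.
EXPECTED_MISMATCH='/usr/bin/ofed_info
/etc/apache2/conf.d/xcat.conf
/etc/httpd/conf.d/xcat.conf
/etc/apache2/conf.d/xcat-ws.conf
/etc/httpd/conf.d/xcat-ws.conf
/usr/lib/systemd/system/docker.service'

# Constructed sample of `rpm -Va` output (not captured from a real node).
# Column 1 is the 9-character attribute string; a "5" in position 3 means the
# file digest no longer matches the RPM database. /usr/bin/sudo is a
# hypothetical unexpected mismatch included to show what gets flagged.
SAMPLE_RPM_VA='S.5....T.  c /etc/httpd/conf.d/xcat.conf
.......T.    /usr/bin/ofed_info
S.5....T.    /usr/lib/systemd/system/docker.service
S.5....T.    /usr/bin/sudo
.M.......    /var/log/audit
missing     /etc/example-missing.conf'

# unexpected_digest_mismatches ALLOWLIST
#   stdin: rpm -Va output
#   stdout: one path per line for every digest mismatch not in ALLOWLIST
#   (newline-separated). Assumes package paths contain no spaces, which holds
#   for the files on the exception list.
unexpected_digest_mismatches() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        # Only lines whose third attribute char is "5" are digest failures;
        # "missing" lines and mode/mtime-only changes are ignored here.
        substr($1, 3, 1) == "5" && !($NF in ok) { print $NF }
    '
}

# Demonstration on the constructed sample. On a real node use:
#   rpm -Va 2>/dev/null | unexpected_digest_mismatches "$EXPECTED_MISMATCH"
printf '%s\n' "$SAMPLE_RPM_VA" | unexpected_digest_mismatches "$EXPECTED_MISMATCH"
```

Any path the function prints is a file whose content differs from what its RPM installed and that the documentation does not account for, so it should be investigated rather than added to the allow list. Mode, owner and mtime-only differences are deliberately left out because they do not indicate a hash mismatch.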