STIG compliance exceptions

Deployment options: Netezza Performance Server for Cloud Pak for Data System

Review the list of DISA STIG compliance exceptions for the Netezza Performance Server container.

You are strongly advised against changing any of the following items. Changing them might adversely affect the operation of your Netezza Performance Server environment.

  • TFTP is required for Netezza Performance Server operations.
  • Do not remove or uninstall the TFTP package.
  • IP forwarding is required for containers to run on Cloud Pak for Data System. Do not turn it off by setting net.ipv4.ip_forward to 0.
  • Reverse-path filter for IPv4 network traffic must be disabled on Cloud Pak for Data System. Do not turn it on by setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1.
  • For upstream DNS resolution, Netezza Performance Server uses at least two name server IPs. A single name server is used for SPU name resolution only.
  • Firewall, auditing, and file integrity checks are provided by the underlying Cloud Pak for Data System platform.
  • Any grub.cfg-related STIG rules are applicable only to the underlying Cloud Pak for Data System platform.
  • SELinux must be enabled on the underlying Cloud Pak for Data System platform. SELinux in enforcing mode on the underlying platform properly contains the application running in the Netezza Performance Server container.
  • The NOPASSWD option in the /etc/sudoers file is required for the nz user to run selected commands that need root user privileges.
  • You cannot implement any rate-limiting measures on interfaces. If you rate-limit connections, you risk bottlenecking the platform.
  • Netezza Performance Server does not support multifactor authentication.
  • The use of separate file systems for var, tmp, home, and so on, is not applicable to containers.
  • pam_pwquality.so is not to be included in the /etc/pam.d/passwd file. The operation of pam_pwquality.so is in the system-auth substack. The substack covers the operation of pam_pwquality.so in the /etc/pam.d/system-auth-ac file.
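
The IP forwarding and reverse-path filter items above can be verified after a STIG remediation run with a check like the following. This is an added example, not part of the product documentation; the function name `check_nps_sysctl` and the sample input are constructed, and "disabled" is taken to mean a value of 0.

```shell
#!/usr/bin/env bash
# Added example: verify the sysctl values that the exception list says must not be changed.
# Reads "key = value" lines (sysctl -a output or sysctl.conf syntax) on stdin.
# Exit status 0 = settings match the documented exceptions, 1 = drift found.
# On a live system: sysctl -a 2>/dev/null | check_nps_sysctl

check_nps_sysctl() {
    awk '
    BEGIN {
        # Expected values taken from the exception list:
        # IP forwarding stays on, reverse-path filtering stays off (assumed to mean 0).
        n = split("net.ipv4.ip_forward net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter", keys, " ")
        want[keys[1]] = "1"; want[keys[2]] = "0"; want[keys[3]] = "0"
    }
    /^[ \t]*[#;]/ { next }                      # comment lines in sysctl.conf
    {
        p = index($0, "=")
        if (p == 0) next
        key = substr($0, 1, p - 1); val = substr($0, p + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key in want) seen[key] = val        # a later assignment overrides an earlier one
    }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            k = keys[i]
            if (!(k in seen)) {
                printf "MISSING %s (expected %s)\n", k, want[k]; rc = 1
            } else if (seen[k] != want[k]) {
                printf "DRIFT %s = %s (expected %s)\n", k, seen[k], want[k]; rc = 1
            }
        }
        exit rc
    }'
}

# Constructed sample: a sysctl.conf fragment after a generic STIG remediation was applied.
SAMPLE='# constructed sample, not taken from a real system
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter = 0'

printf '%s\n' "$SAMPLE" | check_nps_sysctl || echo "exception settings were changed"
```
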