NIST FIPS-validated cryptography must be used to protect passwords in the security database.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-65647 | ACF0395 | SV-80137r1_rule | High |
| Description |
|---|
| Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| STIG | Date |
|---|---|
| z/OS ACF2 STIG | 2016-06-30 |
Details
| Check Text ( C-67759r2_chk ) |
|---|
| From a command input screen enter: SET CONTROL(GSO) SET VERBOSE SHOW PSWDOPTS Alternately: Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ACFGSO) Automated Analysis Refer to the following report produced by the ACF2 Data Collection: - PDI(ACF0395) If the GSO PSWD record option PSWDENC is set to XDES or null this is a finding. For CA-ACF2 R16 and above: If the GSO PSWD record option PSWDENC is set to AES2 and option NOONEPWALG is specified this is a finding. |
| Fix Text (F-73271r1_fix) |
|---|
| Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below: Configure the GSO PSWD record option PSWDENC to AES1. For CA-ACF2 Release16 and above: Configure GSO PSWD record option PSWENC to AES1 or AES2. Configure the GSO PSWD to ONEPWALG NOTE: Use caution when specifying ONEPWALG. Consult the CA-ACF2 administration guide for converting to AES1 or AES2 and using ONEPWALG. |