Check: ACF2-TN-000030
IBM z/OS ACF2 STIG:
ACF2-TN-000030
(in versions v9 r2 through v7 r1)
Title
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. (Cat II impact)
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SRG-OS-000478-GPOS-00223
Check Content
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. If the following items are in effect for the configuration specified in the TCP/IP Profile configuration file, this is not a finding. NOTE: If an INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. NOTE: FIPS 140-2 minimum encryption is the accepted level of encryption and will override this requirement if greater. The TELNETGLOBALS block that specifies an ENCRYPTION statement states one or more of the below cipher specifications. Each TELNETPARMS block that specifies the SECUREPORT statement, specifies an ENCRYPTION statement that states one or more of the below cipher specifications, and the TELNETGLOBALS block does or does not specify an ENCRYPTION statement. Cipher Specifications SSL_3DES_SHA SSL_AES_256_SHA SSL_AES_128_SHA
Fix Text
Configure the SECUREPORT and TELNETPARMS ENCRYPTION statements and/or the TELNETGLOBALS statement in the PROFILE.TCPIP file to conform to the requirements specified below. The TELNETGLOBALS block may specify an ENCRYPTION statement that specifies one or more of the below cipher specifications. Each TELNETPARMS block that specifies the SECUREPORT statement, an ENCRYPTION statement is coded with one or more of the below cipher specifications, and the TELNETGLOBALS block does or does not specify an ENCRYPTION statement. To prevent the use of non FIPS 140-2 encryption, the TELNETGLOBALS block and/or each TELNETPARMS block that specifies an ENCRYPTION statement will specify one or more of the following cipher specifications: Cipher Specifications SSL_3DES_SHA SSL_AES_256_SHA SSL_AES_128_SHA Note: Always check for the minimum allowed in FIPS 140-2.
Additional Identifiers
Rule ID: SV-223610r958408_rule
Vulnerability ID: V-223610
Group Title: SRG-OS-000033-GPOS-00014
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
Implement cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000803 |
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-001453 |
Implement cryptographic mechanisms to protect the integrity of remote access sessions. |
CCI-002418 |
Protect the confidentiality and/or integrity of transmitted information. |
CCI-002420 |
Maintain the confidentiality and/or integrity of information during preparation for transmission. |
CCI-002421 |
Implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
CCI-002422 |
Maintain the confidentiality and/or integrity of information during reception. |
CCI-002450 |
Implement organization-defined types of cryptography for each specified cryptography use. |
CCI-002890 |
Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications. |
CCI-003123 |
Implement organization-defined cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
Controls
Number | Title |
---|---|
AC-17(2) |
Protection of Confidentiality / Integrity Using Encryption |
IA-7 |
Cryptographic Module Authentication |
MA-4(6) |
Cryptographic Protection |
SC-8 |
Transmission Confidentiality and Integrity |
SC-8(1) |
Cryptographic or Alternate Physical Protection |
SC-8(2) |
Pre / Post Transmission Handling |
SC-13 |
Cryptographic Protection |