Title

ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database. (Cat I impact)

Discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000074-GPOS-00042

Check Content

From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If the "GSO PSWD" record option "PSWDENCT" is set to "XDES" or null, this is a finding. SET MSYSID(-) LIST PSWD For CA-ACF2 R16 and above: If option "NOONEPWALG" is specified, and there is no transition plan with a definite completion date filed with the ISSM, this is a finding.

Fix Text

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below: Configure the "GSO PSWD" record option "PSWDENCT" to "AES1". For CA-ACF2 Release16 and above: Configure "GSO PSWD" record option "PSWDENCT" to "AES1" or "AES2". Configure the "GSO PSWD" to "ONEPWALG". Note: If you are using VM Database Synchronization you cannot use "ONEPWALG". VM does not support the AES algorithms. Develop a transition plan with a definite completion date for z/VM; file with the ISSM. If all systems that are sharing the logonid or infostorage databases are not running with the same "PSWDENCT" value you cannot use "ONEPWALG". Develop a transition plan that contains a definite completion date to migrate all logonid and infostorage databases to one "PSWDENCT" value; file with the ISSM. Consult the CA-ACF2 administration guide for converting to "AES1" or "AES2" and using "ONEPWALG".

Additional Identifiers

Rule ID: SV-223505r877397_rule

Vulnerability ID: V-223505

Group Title: SRG-OS-000073-GPOS-00041

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.