Check: RACF-ES-000820
IBM z/OS RACF STIG:
RACF-ES-000820
(in versions v8 r14 through v7 r1)
Title
NIST FIPS-validated cryptography must be used to protect passwords in the security database. (Cat I impact)
Discussion
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000074-GPOS-00042, SRG-OS-000120-GPOS-00061
Check Content
From the ISPF Command Shell enter: SETRopts List If the following is specified under PASSWORD PROCESSING OPTIONS: THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES, this is not a finding.
Fix Text
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below: For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied. Set the passwords option for algorithm to KDFAES. Sample syntax to activate: SETRopts PASSWORD(ALGORITHM(KDFAES))
Additional Identifiers
Rule ID: SV-223729r877397_rule
Vulnerability ID: V-223729
Group Title: SRG-OS-000073-GPOS-00041
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000196 |
The information system, for password-based authentication, stores only cryptographically-protected passwords. |
| CCI-000197 |
The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
| CCI-000803 |
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |