STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

DISA Rule

SV-223538r533198_rule

Vulnerability Number

V-223538

Group Title

SRG-OS-000250-GPOS-00093

Rule Version

ACF2-OS-000020

Severity

CAT I

CCI(s)

CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.

Weight

Fix Recommendation

Edit the SSH daemon configuration and remove any ciphers not starting with "3des" or "aes". If necessary, add a "Ciphers" line using FIPS 140-2 compliant algorithms.

Configure for message authentication to MACs "hmac-sha1" or greater.

Edit the z/OS-specific sshd server system-wide configuration file configuration as follows:
FIPSMODE=YES
CiphersSource=ICSF
MACsSource=ICSF

Check Contents

Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory.

Alternately:

From UNIX System Services ISPF Shell navigate to ribbon select tools.

Select option 1 - Work with Processes.

If SSH Daemon is not active, this is not a finding.

Examine SSH daemon configuration file.
sshd_config

If there are no "Ciphers" line or the ciphers list contains any cipher not starting with "3des" or "aes", this is a finding.

If the MACs line is not configured to "hmac-sha1" or greater, this is a finding.

Examine the z/OS-specific sshd server system-wide configuration.

zos_sshd_config

If any of the following is untrue, this is a finding.

FIPSMODE=YES
CiphersSource=ICSF
MACsSource=ICSF

IBM z/OS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments