STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021

NIST FIPS-validated cryptography must be used to protect passwords in the security database.

DISA Rule

SV-223729r604139_rule

Vulnerability Number

V-223729

Group Title

SRG-OS-000073-GPOS-00041

Rule Version

RACF-ES-000820

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below:

For z/OS release 1.12 through z/OS release 2.1, APARs OA43998 and OA43999 must be applied.

Set the password algorithm option to KDFAES.

Sample syntax to activate:
SETRopts PASSWORD(ALGORITHM(KDFAES))

Check Contents

From the ISPF Command Shell enter:
SETRopts List

If "THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES" is specified under PASSWORD PROCESSING OPTIONS, this is not a finding.

Documentable

False

Severity Override Guidance

From the ISPF Command Shell enter:
SETRopts List

If "THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES" is specified under PASSWORD PROCESSING OPTIONS, this is not a finding.

Check Content Reference

M

Target Key

4101