ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.

An XCCDF Rule

Description

<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000074-GPOS-00042</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-223505r1001113_rule
Severity: High
References: CCI-000197 CCI-004062
Updated: 17 days ago

Evaluate the impact associated with implementation of the control option.

Develop a plan of action to implement the control option as specified below:

Configure the "GSO PSWD" record option "PSWDENCT" to "AES1".
For CA-ACF2 Release16 and above:

Configure "GSO PSWD" record option "PSWDENCT" to "AES1" or "AES2".

Configure the "GSO PSWD" to "ONEPWALG".

Note: If you are using VM Database Synchronization you cannot use "ONEPWALG". VM does not support the AES algorithms.

Develop a transition plan with a definite completion date for z/VM; file with the ISSM.

If all systems that are sharing the logonid or infostorage databases are not running with the same "PSWDENCT" value you cannot use "ONEPWALG".

Develop a transition plan that contains a definite completion date to migrate all logonid and infostorage databases to one "PSWDENCT" value; file with the ISSM.

Consult the CA-ACF2 administration guide for converting to "AES1" or "AES2" and using "ONEPWALG".

ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.

Description

Remediation - Manual Procedure