NIST FIPS-validated cryptography must be used to protect passwords in the security database.

An XCCDF Rule

Description

<VulnDiscussion>Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000074-GPOS-00042, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-223729r877397_rule
Severity: High
References: CCI-000196 CCI-000197 CCI-000803
Updated: 8 months ago

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below:

For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied.

Set the passwords option for algorithm to KDFAES.
Sample syntax to activate:
SETRopts PASSWORD(ALGORITHM(KDFAES))

NIST FIPS-validated cryptography must be used to protect passwords in the security database.

Description

Remediation - Manual Procedure