STIG ID - BACF0003: Use Validated Cryptography to Protect Passwords in the Security Database

How to define password encryption.
Severity: 1 - High
The use of weak or untested encryption algorithms undermines the purpose of using encryption to protect data. Adhering to strong encryption standards must be considered when implementing encryption to protect your organization's sensitive data. The GSO PSWD record includes fields that define password encryption.
Your organization must ensure that strong encryption standards are implemented to provide protection of your organization's passwords in the ACF2 security database.
This STIG article shows how to define password encryption at your organization. 
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
Follow these steps:
  1. List the GSO PSWD record to determine if the PSWDENCT(AES2) and ONEPWALG fields are defined:
    SET CONTROL(GSO)
    CONTROL
    LIST PSWD
    XXXX / PSWD LAST CHANGED BY XXXXXXXX on 01/20/20-15:01 NOCLEARVIO MAXTRY(3) MINPSWD(4)
    NOONEPWALG
    PASSLMT(3) NOPSWDALPH PSWDALT
    PSWDENCT(XDES)
    PSWDFRC ...
    CONTROL
    In this example, NOONEPWALG and PSWDENCT(XDES) are defined, which differs from the suggested values of PSWDENCT(AES2) and ONEPWALG.
    • PSWDENCT(XDES|null|AES1|AES2)
      Specifies which password encryption algorithm ACF2 uses to encrypt user passwords and password phrases:
      • XDES
        Specifies the ACF2 XDES algorithm is used for password encryption processing. (Default)
      • null
        Specifies the default (XDES).
      • AES1
        Specifies AES-CMAC using AES 128 is used.
      • AES2
        Specifies AES-CMAC using AES 256 is used.
    • ONEPWALG|NOONEPWALG
      Specifies whether password changes are saved under multiple algorithms:
      • If ONEPWALG is defined, ACF2 saves any password change under a single algorithm as specified in the PSWDENCT field.
      • If NOONEPWALG is defined and PSWDENCT is set to AES1, ACF2 saves the password encrypted under AES 128 and XDES. This option makes it easier to transition from one algorithm to another, especially in a shared database environment.
      • If NOONEPWALG is defined and PSWDENCT is set to AES2, ACF2 saves the password encrypted under AES 256, AES 128, and XDES.
      Do not set ONEPWALG unless all systems sharing the logonid or infostorage database are running with the same PSWDENCT value.
  2. If the GSO PSWD record ONEPWALG and PSWDENCT(AES2) field values are defined, your organization does not have an audit finding.
  3. If the GSO PSWD record NOONEPWALG and PSWDENCT(XDES) field values are defined, your organization has an audit finding. See Remediate Audit Finding.
    • Before you complete the steps under Remediate Audit Finding, discuss the impact of changing the GSO PSWD control option PSWDENCT and ONEPWALG/NOONEPWALG fields with your security team.
    • If your organization uses VM Database Synchronization, VM does not support the AES algorithms, so ONEPWALG does not apply.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO PSWD control options. Limit all access to change GSO control options to time frames of approved changes and reduced to view only outside of approved change windows.
Follow these steps:
  1. Configure the GSO PSWD record PSWDENCT field to AES2, which specifies that AES-CMAC using AES 256 is used. Also, change the NOONEPWALG field to ONEPWALG, which specifies that ACF2 saves any password change under a single algorithm.
    SET CONTROL(GSO)
    CONTROL
    CHANGE PSWD PSWDENCT(AES2) ONEPWALG
    F ACF2,REFRESH(PSWD)
    CONTROL
    The next password or password phrase change is encrypted under the PSWDENCT value of AES2. Also, the product clears out the values stored under the other algorithms and the time-of-day (TOD) stamps for those values.
  2. Verify that the GSO PSWD control option changed:
    SET CONTROL(GSO)
    CONTROL
    SHOW PSWD
    PASSWORD (PSWD) OPTIONS IN EFFECT: ...
    ONEPWALG = YES     ONLY STORE ONE TYPE OF ENCRYPTED PASSWORD
    PSWDENCT = AES2    PSWD ENCRYPTION ALGORITHM UTILIZED
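As an added check (example code written for this article, not Broadcom's or the page's own), the following Python evaluates either the LIST PSWD output from step 1 of Identify Audit Finding or the SHOW PSWD output from step 2 of Remediate Audit Finding against the expected PSWDENCT(AES2) and ONEPWALG values; the sample outputs are constructed, and the vm_database_sync parameter is an assumed switch reflecting the VM Database Synchronization note above.

```python
import re

# Constructed LIST PSWD output, modelled on the non-compliant example above.
LIST_OUTPUT = """\
XXXX / PSWD LAST CHANGED BY XXXXXXXX on 01/20/20-15:01 NOCLEARVIO MAXTRY(3) MINPSWD(4)
NOONEPWALG
PASSLMT(3) NOPSWDALPH PSWDALT
PSWDENCT(XDES)
PSWDFRC"""

# Constructed SHOW PSWD output, modelled on the post-remediation example.
SHOW_OUTPUT = """\
PASSWORD (PSWD) OPTIONS IN EFFECT:
ONEPWALG = YES          ONLY STORE ONE TYPE OF ENCRYPTED PASSWORD
PSWDENCT = AES2         PSWD ENCRYPTION ALGORITHM UTILIZED"""


def parse_pswd(text):
    """Return (pswdenct, onepwalg) from LIST- or SHOW-style output.

    pswdenct is the algorithm name, with a null value mapped to the XDES
    default; onepwalg is True, False, or None when neither form is present.
    """
    alg, one = None, None
    m = re.search(r"PSWDENCT\s*(?:\(\s*([A-Z0-9]*)\s*\)|=\s*([A-Z0-9]+))", text)
    if m:
        alg = (m.group(1) or m.group(2) or "").upper() or "XDES"  # null -> XDES
    show = re.search(r"\bONEPWALG\s*=\s*(YES|NO)\b", text)
    if re.search(r"\bNOONEPWALG\b", text):      # LIST form, multiple algorithms
        one = False
    elif show:                                   # SHOW form, "ONEPWALG = YES/NO"
        one = show.group(1) == "YES"
    elif re.search(r"\bONEPWALG\b", text):      # LIST form, single algorithm
        one = True
    return alg, one


def audit_finding(text, vm_database_sync=False):
    """True when the record deviates from the expected PSWDENCT(AES2) + ONEPWALG.

    With VM Database Synchronization the article notes ONEPWALG does not
    apply, so in that case only the algorithm is assessed (assumed handling).
    """
    alg, one = parse_pswd(text)
    if alg != "AES2":
        return True
    if vm_database_sync:
        return False
    return one is not True
```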
Implementing strong encryption standards provides protection of your organization's passwords in the ACF2 security database.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCI is related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCI-002450
CCI: CCI-002450
Published Date: 013-07-02
Definition: The information system implements organization-defined cryptographic uses and type of cryptography that is required for each use in accordance with applicable federal laws, executive orders, directives, policies, regulations, and standards.
Type: technical
References: NIST SP 800-53 Revision 4 (v4): SC-13