Check: ACF2-ES-000590
IBM z/OS ACF2 STIG: ACF2-ES-000590 (in versions v9 r2 through v7 r2)
Title
CA-ACF2 must prevent the use of dictionary words for passwords. (Cat II impact)
Discussion
If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Check Content
From the ISPF Command Shell enter: ACF to enter ACF2 Command shell

enter SHOW STATE

If "PSWDRSV = NO", this is a finding.

If "PSWDRSVW = NO", this is a finding.

SHOW PSwdopts

Reserved Words and Prefixes

APPL APR ASDF AUG BASIC CADAM DEC DEMO FEB FOCUS GAME IBM JAN JUL JUN LOG MAR MAY NET NEW NOV OCT PASS ROS SEP SIGN SYS TEST TSO VALID VTAM XXX 1234
Fix Text
Configure the GSO record to include PSWDRSV and PSWDRSVW.
Additional Identifiers
Rule ID: SV-223477r1001097_rule
Vulnerability ID: V-223477
Group Title: SRG-OS-000480-GPOS-00225
CCIs
Number | Definition |
---|---|
CCI-000366 | Implement the security configuration settings. |
CCI-004061 | For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). |
CCI-004065 | For password-based authentication, employ automated tools to assist the user in selecting strong password authenticators. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |