Navigate

Check: ACF2-ES-000890

IBM z/OS ACF2 STIG: ACF2-ES-000890 (in versions v8 r15 through v8 r2)

Title

ACF2 PSWD GSO record value must be set to require a 60-day maximum password lifetime restriction. (Cat II impact)

Discussion

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Check Content

From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If "PSWDMAX" is set to "60", this is not a finding.

Fix Text

Configure Password option "PSWDMAX" to "60" days.

Additional Identifiers

Rule ID: SV-223506r695437_rule

Vulnerability ID: V-223506

Group Title: SRG-OS-000076-GPOS-00044

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000199	The information system enforces maximum password lifetime restrictions.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5 (1)	Password-Based Authentication