Check: ACF2-ES-000890
IBM z/OS ACF2 STIG:
ACF2-ES-000890
(in versions v9 r2 through v8 r2)
Title
ACF2 PSWD GSO record value must be set to require a 60-day maximum password lifetime restriction. (Cat II impact)
Discussion
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Check Content
From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If "PSWDMAX" is set to "60", this is not a finding.
Fix Text
Configure Password option "PSWDMAX" to "60" days.
Additional Identifiers
Rule ID: SV-223506r1001115_rule
Vulnerability ID: V-223506
Group Title: SRG-OS-000076-GPOS-00044
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000199 |
The information system enforces maximum password lifetime restrictions. |
CCI-004066 |
For password-based authentication, enforce organization-defined composition and complexity rules. |
Controls
Number | Title |
---|---|
IA-5(1) |
Password-based Authentication |