Check: RACF-ES-000790
IBM z/OS RACF STIG:
RACF-ES-000790
(in versions v9 r5 through v7 r1)
Title
The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1. (Cat II impact)
Discussion
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Check Content
From the ISPF Command Shell enter: SETRopts List If the PASSWORD(MINCHANGE) value shows PASSWORD MINIMUM CHANGE INTERVAL IS <1> DAYS, this is not a finding.
Fix Text
Configure PASSWORD(MINCHANGE) SETROPTS value number to "1". This specifies the number of days that must pass before a user can change their password. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD MINCHANGE. Use the following command as an example command: SETROPTS PASSWORD(MINCHANGE(1))
Additional Identifiers
Rule ID: SV-223726r998350_rule
Vulnerability ID: V-223726
Group Title: SRG-OS-000075-GPOS-00043
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-004066 |
For password-based authentication, enforce organization-defined composition and complexity rules. |
Controls
Number | Title |
---|---|
IA-5(1) |
Password-based Authentication |