Title

IBM RACF PASSWORD(RULEn) SETROPTS value(s) must be properly set. (Cat II impact)

Discussion

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000078-GPOS-00046

Check Content

From the ISPF Command Shell enter: SETRopts If the following options are specified, this is not a finding. Every PASSWORD(RULE) under "INSTALLATION PASSWORD SYNTAX RULES" is defined with the values shown below: RULE n LENGTH(8) xxxxxxxx The following options are in effect under "PASSWORD PROCESSING OPTIONS": "MIXED CASE PASSWORD SUPPORT IS IN EFFECT" "SPECIAL CHARACTERS ARE ALLOWED."

Fix Text

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: For z/OS release 1.13 and 1.14 PTF UA90720 must be applied. For z/OS Release 2.1 PTF UA90721 must be applied. The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD SYNTAX RULEs. Setting the password syntax to all Mixed Case Alphanumeric and Special Characters is activated with the commands: setr password(mixedcase) setr password(specialchars) setr password(rulen(length(8) mixedall(1:8))

Additional Identifiers

Rule ID: SV-223724r944322_rule

Vulnerability ID: V-223724

Group Title: SRG-OS-000069-GPOS-00037

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.