Check: RACF-ES-000800
      
      
        
  IBM z/OS RACF STIG:
  RACF-ES-000800
  
    (in versions v9 r5 through v8 r9)
  
      
      
    
  Title
IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days. (Cat II impact)
Discussion
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. INTERVAL specifies the maximum number of days that each user's password is valid. When a user logs on to the system, RACF compares the system password interval value specified in the user profile. RACF uses the lower of the two values to determine if the users password has expired.
Check Content
From the ISPF Command Shell enter: SETRopts List If the PASSWORD(INTERVAL) value is set properly and the message is PASSWORD CHANGE INTERVAL IS 060 DAYS, this is not a finding.
Fix Text
Configure PASSWORD(INTERVAL) SETROPTS value to "060" days. This specifies the maximum number of days that each user's password is valid. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD INTERVAL. Setting the password interval to 60 days is activated with the command SETR PASSWORD(INTERVAL(60)).
Additional Identifiers
Rule ID: SV-223727r1038967_rule
Vulnerability ID: V-223727
Group Title: SRG-OS-000076-GPOS-00044
Expert Comments
      
        
        
      
      
        
  CCIs
      
      
        
        
      
    
  | Number | Definition | 
|---|---|
| CCI-004066 | For password-based authentication, enforce organization-defined composition and complexity rules. | 
      
        
        
      
      
        
  Controls
      
      
        
        
      
    
  | Number | Title | 
|---|---|
| IA-5(1) | Password-based Authentication |