Title

IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days. (Cat II impact)

Discussion

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. INTERVAL specifies the maximum number of days that each user's password is valid. When a user logs on to the system, RACF compares the system password interval value specified in the user profile. RACF uses the lower of the two values to determine if the users password has expired.

Check Content

From the ISPF Command Shell enter: SETRopts List If the PASSWORD(INTERVAL) value is set properly and the message is PASSWORD CHANGE INTERVAL IS 060 DAYS, this is not a finding.

Fix Text

Configure PASSWORD(INTERVAL) SETROPTS value to "060" days. This specifies the maximum number of days that each user's password is valid. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD INTERVAL. Setting the password interval to 60 days is activated with the command SETR PASSWORD(INTERVAL(60)).

Additional Identifiers

Rule ID: SV-223727r868826_rule

Vulnerability ID: V-223727

Group Title: SRG-OS-000076-GPOS-00044

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.