Navigate

Check: TSS0-ES-000130

IBM z/OS TSS STIG: TSS0-ES-000130 (in versions v9 r2 through v7 r1)

Title

The CA-TSS NEWPW control options must be properly set. (Cat II impact)

Discussion

If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Satisfies: SRG-OS-000071-GPOS-00039, SRG-OS-000072-GPOS-00040, SRG-OS-000075-GPOS-00043, SRG-OS-000480-GPOS-00225, SRG-OS-000266-GPOS-00101, SRG-OS-000279-GPOS-00109

Check Content

From the ISPF Command Shell enter: TSS MODIFY STATUS If the NEWPW Control Option values conform to the following requirements, this is not a finding. NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Fix Text

Note: Support of mixed case passwords can only be set when the security file has been copied by TSSXTEND with the option NEWPWBLOCK. Configure the NEWPW Control Option values conform to the following requirements: NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Additional Identifiers

Rule ID: SV-223886r998487_rule

Vulnerability ID: V-223886

Group Title: SRG-OS-000071-GPOS-00039

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000194	The information system enforces password complexity by the minimum number of numeric characters used.
CCI-000195	The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
CCI-000198	The information system enforces minimum password lifetime restrictions.
CCI-000366	Implement the security configuration settings.
CCI-001619	The information system enforces password complexity by the minimum number of special characters used.
CCI-002361	Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
CCI-004061	For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
CCI-004065	For password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.
CCI-004066	For password-based authentication, enforce organization-defined composition and complexity rules.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-12	Session Termination
CM-6	Configuration Settings
IA-5(1)	Password-based Authentication