Check: ACF0400
zOS ACF2 STIG:
ACF0400
(in versions v6 r43 through v6 r30)
Title
The PWPHRASE GSO record must be properly defined. (Cat II impact)
Discussion
Sites may opt to use passphrases in lieu of passwords for authentication. A passphrase must nevertheless be constrained by certain complexity parameters to assure appropriate strength. The GSO PWPHRASE record specifies the rules that ACF2 will apply when a user selects a new password phrase. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any one of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during a migration process or contingency plan activation.
Check Content
Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ACFGSO) Automated Analysis Refer to the following report produced by the ACF2 Data Collection: - PDI(ACF0400) Note: Current DoD policy has changed requiring that the password change interval be at the most 60 days. Ensure that this is in effect. The GSO PWPHRASE record will conform to the following requirements. ALPHA(1 or greater) HISTORY(10-32) MAXDAYS(1-60) MINDAYS(1) MINLEN(15-100) NUMERIC(1 or greater) SPECIAL(1 or greater) SPECLIST() or SPECLIST(character list) WARNDAYS(1-10) Note: The SPECLIST special characters will be specified at a minimum. Characters will conform to the allowable list defined in CA ACF2 for z/OS Administration Guide.
Fix Text
The IAO will ensure that the PWPHRASE GSO values are set to the values specified. Note: Current DoD policy has changed requiring that the password change interval be at the most 60 days. Ensure the GSO PWPHRASE record values conform to the following requirements. ALPHA(1 or greater) HISTORY(10-32) MAXDAYS(1-60) MINDAYS(1) MINLEN(15-100) NUMERIC(1 or greater) SPECIAL(1 or greater) SPECLIST() or SPECLIST(character list) WARNDAYS(1-10) Note: The SPECLIST special characters will be specified at a minimum. Characters will conform to the allowable list defined in CA ACF2 for z/OS Administration Guide. Example: SET C(GSO) INSERT PWPHRASE NOALLOW ALPHA(1) HISTORY(10) MAXDAYS(60) MINDAYS(1) MINLEN(15) NUMERIC(1) SPECIAL(1) SPECLIST(& * =) WARNDAYS(10) F ACF2,REFRESH(PWPHRASE)
Additional Identifiers
Rule ID: SV-48576r3_rule
Vulnerability ID: V-145
Group Title: ACF0400
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000192 |
The information system enforces password complexity by the minimum number of upper case characters used. |
| CCI-000193 |
The information system enforces password complexity by the minimum number of lower case characters used. |
| CCI-000194 |
The information system enforces password complexity by the minimum number of numeric characters used. |
| CCI-000195 |
The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
| CCI-000198 |
The information system enforces minimum password lifetime restrictions. |
| CCI-000199 |
The information system enforces maximum password lifetime restrictions. |
| CCI-000200 |
The information system prohibits password reuse for the organization-defined number of generations. |
| CCI-000205 |
The information system enforces minimum password length. |
| CCI-001395 |
The information system notifies the user of changes to organization-defined security-related characteristics/parameters of the user^s account that occur during the organization-defined time period. |
| CCI-001619 |
The information system enforces password complexity by the minimum number of special characters used. |