Navigate

Check: ACF0390

zOS ACF2 STIG: ACF0390 (in versions v6 r43 through v6 r30)

Title

The PSWD GSO record values must be set to the values specified in the checks portion below. (Cat II impact)

Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The PSWD GSO record values specify the rules that ACF2 will apply when a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.

Check Content

Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ACFGSO) Automated Analysis Refer to the following report produced by the ACF2 Data Collection: - PDI(ACF0390) Note: Current DoD policy has changed requiring that the password change interval be at the most 60 days. Ensure that this is in effect. The GSO PSWD record will conform to the following requirements. MAXTRY(3) MINPSWD(8) PASSLMT(3) PSWDALPH PSWDALT PSWDFRC PSWDHST PSWDJES PSWDLC PSWDLID PSWDMAX(1-60) PSWDMIN(1) PSWDMIXD PSWDNAME(4) PSWDNCH PSWDNMIC PSWDNUM PSWDPAIR(0) PSWDPLID PSWDPLST(Special character list as defined in CA ACF2 for z/OS Administration Guide) PSWDREQ PSWDRSV (Reserve list is located in the addendum Section 5.1.3 ) PSWDSIM(3) PSWDSPLT PSWDUC PSWDVOWL NOPSWDXTR PSWXHIST PSWXHST#(10-64) WRNDAYS(10)

Fix Text

Ensure that the PSWD GSO values are set to the values specified. Note: Current DoD policy has changed requiring that the password change interval be at the most 60 days. Ensure the GSO PSWD record values conform to the following requirements. MAXTRY(3) MINPSWD(8) PASSLMT(3) PSWDALPH PSWDALT PSWDFRC PSWDHST PSWDJES PSWDLC PSWDLID PSWDMAX(1-60) PSWDMIN(1) PSWDMIXD PSWDNAME(4) PSWDNCH PSWDNMIC PSWDNUM PSWDPAIR(0) PSWDPLID PSWDPLST(special character list as defined in CA ACF2 for z/OS Administration Guide) PSWDREQ PSWDRSV (Reserve list is located in the addendum Section 5.1.3) PSWDSIM(3) PSWDSPLT PSWDUC PSWDVOWL NOPSWDXTR PSWXHIST PSWXHST#(10-64) WRNDAYS(10) Example: SET C(GSO) INSERT PSWD MAXTRY(3) MINPSWD(8) PASSLMT(3) PSWDALPH PSWDALT PSWDFRC PSWDHST PSWDJES PSWDLC PSWDLID PSWDMAX(60) PSWDMIN(1) PSWDMIXD PSWDNAME(4) PSWDNCH PSWDNMIC PSWDNUM PSWDPAIR(0) PSWDPLID PSWDPLST() PSWDREQ PSWDRSV PSWDSIM(3) PSWDSPLT PSWDUC NOPSWDVFY PSWDVOWL NOPSWDXTR NOPSWNAGE PSWXHIST PSWXHST#(10) WRNDAYS(10) F ACF2,REFRESH(PSWD)

Additional Identifiers

Rule ID: SV-144r3_rule

Vulnerability ID: V-144

Group Title: ACF0390

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000044	The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
CCI-000192	The information system enforces password complexity by the minimum number of upper case characters used.
CCI-000193	The information system enforces password complexity by the minimum number of lower case characters used.
CCI-000194	The information system enforces password complexity by the minimum number of numeric characters used.
CCI-000195	The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
CCI-000198	The information system enforces minimum password lifetime restrictions.
CCI-000199	The information system enforces maximum password lifetime restrictions.
CCI-000200	The information system prohibits password reuse for the organization-defined number of generations.
CCI-000205	The information system enforces minimum password length.
CCI-001619	The information system enforces password complexity by the minimum number of special characters used.
CCI-002238	The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-7	Unsuccessful Logon Attempts
IA-5 (1)	Password-Based Authentication