Title

The SETROPTS RVARYPW values must be properly set. (Cat II impact)

Discussion

RVARYPW specifies passwords that an operator is to use to respond with requests to approve RVARY command processing. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.

Check Content

Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis requires Additional Analysis. Refer to the following report produced by the RACF Data Collection: - PDI(RACF0510) If the SETROPTS RVARYPW entries conform to the following requirements, this is not a finding. ___ The "INSTALLATION DEFINED RVARY PASSWORD IS IN EFFECT" message for both the SWITCH and STATUS functions. ___ The SWITCH and STATUS password content follow the password requirements documented in RACF0460.

Fix Text

The IAO will ensure that the RVARYPW passwords are specified and conform to password requirements documented in RACF0460. The IAO will evaluate the impact associated with implementation of the control option and develop a plan of action to implement the control option as required. A sample command for setting both the SWITCH and STATUS passwords are shown here: SETR RVARYPW(SWITCH(Wxy$8Pqu) STATUS(pbZ0@wL2))

Additional Identifiers

Rule ID: SV-279r4_rule

Vulnerability ID: V-279

Group Title: RACF0510

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.