Navigate

Check: RACF0460

zOS RACF STIG: RACF0460 (in versions v6 r43 through v6 r30)

Title

The PASSWORD(RULEn) SETROPTS value(s) must be properly set. (Cat II impact)

Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The PASSWORD SETROPTS value(s) specify the rules that RACF will apply when a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.

Check Content

Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0460) If the following options are specified, this is not a finding. ___ Verify at least one PASSWORD(RULE) under "INSTALLATION PASSWORD SYNTAX RULES" is defined with the values shown below: RULE 1 LENGTH(8) xxxxxxxx ___ Verify the following options are in effect under "PASSWORD PROCESSING OPTIONS": “MIXED CASE PASSWORD SUPPORT IS IN EFFECT” “SPECIAL CHARACTERS ARE ALLOWED.”

Fix Text

The ISSO will evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: For z/OS release 1.13 and 1.14 PTF UA90720 must be applied. For z/OS Release 2.1 PTF UA90721 must be applied. The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD SYNTAX RULEs. Setting the password syntax to all Mixed Case Alphanumeric and Special Characters is activated with the commands: setr password(mixedcase) setr password(specialchars) setr password(rule1(length(8) mixedall(1:8))

Additional Identifiers

Rule ID: SV-274r4_rule

Vulnerability ID: V-274

Group Title: RACF0460

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000192	The information system enforces password complexity by the minimum number of upper case characters used.
CCI-000193	The information system enforces password complexity by the minimum number of lower case characters used.
CCI-000194	The information system enforces password complexity by the minimum number of numeric characters used.
CCI-000195	The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
CCI-000205	The information system enforces minimum password length.
CCI-001619	The information system enforces password complexity by the minimum number of special characters used.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5 (1)	Password-Based Authentication