Title

RACF exit ICHPWX01 must be installed and properly configured. (Cat II impact)

Discussion

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The RACF exit ICHPWX01 will allow for additional checks not available in RACF SETROPTS whenever a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.

Check Content

From a system console screen issue the following modify command: F AXR,IRRPWREX LIST Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0462) Review the results of the modify command. If the following options are listed, this is not a finding. The number of required character types is 4 (assures that at least 1 upper case, 1 lower case, 1 number, and 1 special character is used in Password) The user's name cannot be contained in the password Only 3 consecutive characters of the user's name are allowed The minimum word length checked is 8 The user ID cannot be contained in the password Only 3 consecutive characters of the user ID are allowed Only 3 unchanged positions of the current password are allowed These positions need to be consecutive to cause a failure This check is not case sensitive No more than 0 pairs of repeating characters are allowed This check is not case sensitive A minimum list of 33 restricted prefix strings is being checked: APPL APR AUG ASDF BASIC CADAM DEC DEMO FEB FOCUS GAME IBM JAN JUL JUN LOG MAR MAY NET NEW NOV OCT PASS ROS SEP SIGN SYS TEST TSO VALID VTAM XXX 1234 If the modify command fails or returns the following message in the system log, this is a finding. IRX0406E REXX exec load file REXXLIB does not contain exec member IRRPWREX.

Fix Text

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied. Install exit IRRPWREX according to instructions in z/OS Security Server RACF System Programmer's Guide. Note: RACF exit ICHPWX01 is coded to call a System REXX named IRRPWREX, so the name cannot be changed without a corresponding change to ICHPWX01. System REXX requires that this exec (IRRPWREX) reside in the REXXLIB concatenation. Update parameters in IRRPWREX according to table Parameters for RACF IRRPWREX in the z/OS STIG Addendum.

Additional Identifiers

Rule ID: SV-73907r3_rule

Vulnerability ID: V-59477

Group Title: RACF0462

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.