Check: TSS0480
zOS TSS STIG:
TSS0480
(in versions v6 r43 through v6 r30)
Title
NEWPW Control Options must be properly set. (Cat II impact)
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password , the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The NEWPW Control Option specifies the rules that TSS will apply when a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.
Check Content
Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(STATUS) Automated Analysis Refer to the following report produced by the TSS Data Collection: - PDI(TSS0480) If the NEWPW Control Option values conform to the following requirements, this is not a finding. NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the Addendum section 5.1.3.
Fix Text
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified and proceed with the change. (Support of mixed case passwords can only be set when the security file has been copied by TSSXTEND with the option NEWPWBLOCK.) Ensure the NEWPW Control Option values conform to the following requirements: NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the Addendum section 5.1.3.
Additional Identifiers
Rule ID: SV-207r3_rule
Vulnerability ID: V-207
Group Title: TSS0480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000192 |
The information system enforces password complexity by the minimum number of upper case characters used. |
CCI-000193 |
The information system enforces password complexity by the minimum number of lower case characters used. |
CCI-000194 |
The information system enforces password complexity by the minimum number of numeric characters used. |
CCI-000195 |
The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
CCI-000198 |
The information system enforces minimum password lifetime restrictions. |
CCI-000205 |
The information system enforces minimum password length. |
CCI-001395 |
Notify the user, upon successful logon, of changes to organization-defined security-related characteristics/parameters of the user's account during the organization-defined time-period. |
CCI-001619 |
The information system enforces password complexity by the minimum number of special characters used. |