The IBM RACF PASSWORD(REVOKE) SETROPTS value must be set to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-98099 | RACF-ES-000490 | SV-107203r1_rule | Medium |
| Description |
|---|
| By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. |
| STIG | Date |
|---|---|
| IBM z/OS RACF Security Technical Implementation Guide | 2020-06-29 |
Details
| Check Text ( C-96935r1_chk ) |
|---|
| From the ISPF Command Shell enter: SETRopts List If the PASSWORD(REVOKE) value shows "AFTER If the PASSWORD(REVOKE) value is not enabled and is not set to either "1" or "2", this is a finding. |
| Fix Text (F-103775r1_fix) |
|---|
| Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: NOTE: In order to set or list the SAUDIT value, the RACF AUDITOR attribute is required. Reference the documentation for the SETROPTS command in the RACF Command Language Reference. The RACF Command SETR LIST will show the status of RACF Controls including the value for SAUDIT. SAUDIT is activated and set to the required value by issuing the command SETR SAUDIT. |