The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to 5 or more.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-98163 | RACF-ES-000810 | SV-107267r1_rule | Medium |
| Description |
|---|
| Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. HISTORY specifies the number of previous passwords that RACF saves for each USERID and compares with an intended new password. If there is a match with one of the previous passwords, or with the current password, RACF rejects the intended new password. |
| STIG | Date |
|---|---|
| IBM z/OS RACF Security Technical Implementation Guide | 2020-06-29 |
Details
| Check Text ( C-96999r1_chk ) |
|---|
| From the ISPF Command Shell enter: SETRopts List If the PASSWORD(HISTORY) value is set properly then the message x GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED, where x is equal to "10", this is not a finding. |
| Fix Text (F-103839r1_fix) |
|---|
| Configure the PASSWORD(HISTORY) SETROPTS value is set to "10". This specifies the number of previous passwords that RACF saves for each USERID and compares with an intended new password. If there is a match with one of the previous passwords, or with the current password, RACF rejects the intended new password. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD HISTORY. Setting the password history to 10 generations is activated with the command SETR PASSWORD(HISTORY(10)). |