Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-230210 | RACF-ES-000785 | SV-230210r604139_rule | Medium |
Description |
---|
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. |
STIG | Date |
---|---|
IBM z/OS RACF Security Technical Implementation Guide | 2021-01-05 |
Check Text ( C-32543r572023_chk ) |
---|
From a system console screen issue the following modify command: F AXR,IRRPHREX LIST Review the results of the modify command. If the following options are listed, this is not a finding. -The number of required character types is 4 (assures that at least 1 upper case, 1 lower case, 1 number, and 1 special character is used in Password phrase) -The user's name cannot be contained in the password phrase (Only 3 consecutive characters of the user's name are allowed) -The minimum word length checked is 15 -The user ID cannot be contained in the password phrase (Only 3 consecutive characters of the user ID are allowed) -At least half of unchanged positions of the current password phrase are allowed (These positions need to be consecutive to cause a failure and this check is not case sensitive) -A minimum list of 8 restricted prefix strings is being checked: 'IBM' ,'RACF','PASSWORD','PHRASE','PASSPHRAS’,'SECRET','IBMUSER','SYS1' If the modify command fails or returns the following message in the system log, this is a finding. IRX0406E REXX exec load file REXXLIB does not contain exec member IRRPHREX. |
Fix Text (F-32519r572024_fix) |
---|
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied. Install exit IRRPHREX according to the following guidelines: REXX Parameter Setting /* DISA Modifications: */ /* 15DEC2017 HC: Added "special = '$@#.|&!*-%_:='" */ /* : Changed Phr_minlen = 9 to Phr_minlen = 15 */ /* : Turned on options to disallow leading and trailing */ /* : blanks. */ /* : Added check to ensure 1 of each Upper Lower Numeric */ /* : and Special ... NOTE THAT an imbedded blank is */ /* : considered a Special character */ /* : Added check for repeating characters, no more than */ /* : one occurrence in any case e.g. aa aA AA */ /* : Added check to ensure userid is not contained */ /* : anywhere in the phrase */ Phr_minlen = 15 /* Minimum length is Phr_maxlen = 100 /* Maximum passwor numbers = '0123456789' letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' special = '$@#.|&!*-%_:='" Phr_allowed_chars = numbers||letters||special Phr_leading_blanks = 'no' Phr_trailing_blanks = 'no' Phr_name_allowed = 'no' Phr_name_minlen = 3 Phr_repeat_chars_chk = 'yes' Phr_repeat_chars = 1 Phr_userid_allowed = 'no' Phr_req_types = 4 Phr_triviality = 'yes’ Phr_min_unique = 7 Phr_min_unique_norm = 'yes' Phr_word_unique = 0 Phr_word_unique_upper = 'yes' Phr_word_minlen = 4 Phr_dict.1 = 'IBM' Phr_dict.2 = 'RACF' Phr_dict.3 = 'PASSWORD' Phr_dict.4 = 'PHRASE' Phr_dict.5 = 'PASSPHRAS Phr_dict.6 = 'SECRET' Phr_dict.7 = 'IBMUSER' Phr_dict.8 = 'SYS1' Note: RACF exit ICHPHX11 is coded to call a System REXX named IRRPHREX, so the name cannot be changed without a corresponding change to ICHPWX11. System REXX requires that this exec (IRRPHREX) reside in the REXXLIB concatenation. Update parameters in IRRPHREX according to table Parameters for RACF IRRPWREX as listed above. |