UCF STIG Viewer Logo

IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223727 RACF-ES-000800 SV-223727r604139_rule Medium
Description
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. INTERVAL specifies the maximum number of days that each user's password is valid. When a user logs on to the system, RACF compares the system password interval value specified in the user profile. RACF uses the lower of the two values to determine if the users password has expired.
STIG Date
IBM z/OS RACF Security Technical Implementation Guide 2021-07-05

Details

Check Text ( C-25400r514869_chk )
From the ISPF Command Shell enter:
SETRopts List

If the PASSWORD(INTERVAL) value is set properly then the message PASSWORD CHANGE INTERVAL IS 060 DAYS, this is not a finding.
Fix Text (F-25388r514870_fix)
Configure PASSWORD(INTERVAL) SETROPTS value is set to "060" days. This specifies the maximum number of days that each user’s password is valid.

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD INTERVAL.

Setting the password interval to 60 days is activated with the command SETR PASSWORD(INTERVAL(60)).