UCF STIG Viewer Logo

The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223726 RACF-ES-000790 SV-223726r604139_rule Medium
Description
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
STIG Date
IBM z/OS RACF Security Technical Implementation Guide 2022-01-05

Details

Check Text ( C-25399r514866_chk )
From the ISPF Command Shell enter:
SETRopts List

If the PASSWORD(MINCHANGE) value shows PASSWORD MINIMUM CHANGE INTERVAL IS <1> DAYS, this is not a finding.
Fix Text (F-25387r514867_fix)
Configure PASSWORD(MINCHANGE) SETROPTS value number to "1". This specifies the number of days that must pass before a user can change their password.

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD MINCHANGE. Use the following command as an example command:
SETROPTS PASSWORD(MINCHANGE(1))