The PASSWORD(RULEn) SETROPTS value(s) must be properly set.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-274	RACF0460	SV-274r4_rule		Medium

Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The PASSWORD SETROPTS value(s) specify the rules that RACF will apply when a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.

Description

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The PASSWORD SETROPTS value(s) specify the rules that RACF will apply when a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.

STIG	Date
z/OS RACF STIG	2016-06-30

Details

Check Text ( C-17989r5_chk )
Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0460) If the following options are specified, this is not a finding. ___ Verify at least one PASSWORD(RULE) under "INSTALLATION PASSWORD SYNTAX RULES" is defined with the values shown below: RULE 1 LENGTH(8) xxxxxxxx ___ Verify the following options are in effect under "PASSWORD PROCESSING OPTIONS": “MIXED CASE PASSWORD SUPPORT IS IN EFFECT” “SPECIAL CHARACTERS ARE ALLOWED.”

Check Text ( C-17989r5_chk )

Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(SETROPTS)

Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0460)

If the following options are specified, this is not a finding.

___ Verify at least one PASSWORD(RULE) under "INSTALLATION PASSWORD SYNTAX RULES" is defined with the values shown below:

RULE 1 LENGTH(8) xxxxxxxx

___ Verify the following options are in effect under "PASSWORD PROCESSING OPTIONS":

“MIXED CASE PASSWORD SUPPORT IS IN EFFECT”
“SPECIAL CHARACTERS ARE ALLOWED.”

Fix Text (F-17225r4_fix)
The ISSO will evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: For z/OS release 1.13 and 1.14 PTF UA90720 must be applied. For z/OS Release 2.1 PTF UA90721 must be applied. The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD SYNTAX RULEs. Setting the password syntax to all Mixed Case Alphanumeric and Special Characters is activated with the commands: setr password(mixedcase) setr password(specialchars) setr password(rule1(length(8) mixedall(1:8))

Fix Text (F-17225r4_fix)

The ISSO will evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

For z/OS release 1.13 and 1.14 PTF UA90720 must be applied.
For z/OS Release 2.1 PTF UA90721 must be applied.

The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD SYNTAX RULEs.

Setting the password syntax to all Mixed Case Alphanumeric and Special Characters is activated with the commands:

setr password(mixedcase)
setr password(specialchars)
setr password(rule1(length(8) mixedall(1:8))