UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The PASSWORD(RULEn) SETROPTS value(s) must be properly set.


Overview

Finding ID Version Rule ID IA Controls Severity
V-274 RACF0460 SV-274r4_rule Medium
Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The PASSWORD SETROPTS value(s) specify the rules that RACF will apply when a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.
STIG Date
z/OS RACF STIG 2017-03-22

Details

Check Text ( C-17989r5_chk )
Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(SETROPTS)

Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0460)

If the following options are specified, this is not a finding.

___ Verify at least one PASSWORD(RULE) under "INSTALLATION PASSWORD SYNTAX RULES" is defined with the values shown below:

RULE 1 LENGTH(8) xxxxxxxx

___ Verify the following options are in effect under "PASSWORD PROCESSING OPTIONS":

“MIXED CASE PASSWORD SUPPORT IS IN EFFECT”
“SPECIAL CHARACTERS ARE ALLOWED.”
Fix Text (F-17225r4_fix)
The ISSO will evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

For z/OS release 1.13 and 1.14 PTF UA90720 must be applied.
For z/OS Release 2.1 PTF UA90721 must be applied.

The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD SYNTAX RULEs.

Setting the password syntax to all Mixed Case Alphanumeric and Special Characters is activated with the commands:

setr password(mixedcase)
setr password(specialchars)
setr password(rule1(length(8) mixedall(1:8))