Interactive USERIDs defined to RACF must have the required fields completed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-285	RACF0580	SV-285r6_rule		Medium

Description
Improper assignments of attributes in the LOGONID record may allow users excessive privileges resulting in unauthorized access.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-38886r6_chk )
Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) Automated Analysis requires Additional Analysis. Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0580) Verify that the interactive userids are properly defined. If the following guidance is true, this is not a finding. ___ Ensure that each interactive userid has a valid LAST-ACCESS date that does not contain the value UNKNOWN. ___ Ensure that PASS-INTERVAL is set to a value of 1 to 60 days. Note: Current DoD policy has changed requiring that the password change interval is set to a value of 1 to 60. Ensure that this is in effect. Note: FTP only process and server to server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally these users must change their passwords on an annual basis.

Check Text ( C-38886r6_chk )

Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(LISTUSER)

Automated Analysis requires Additional Analysis.
Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0580)

Verify that the interactive userids are properly defined. If the following guidance is true, this is not a finding.

___ Ensure that each interactive userid has a valid LAST-ACCESS date that does not contain the value UNKNOWN.

___ Ensure that PASS-INTERVAL is set to a value of 1 to 60 days.

Note: Current DoD policy has changed requiring that the password change interval is set to a value of 1 to 60. Ensure that this is in effect.

Note: FTP only process and server to server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally these users must change their passwords on an annual basis.

Fix Text (F-34056r7_fix)
The IAO will review all interactive USERID definitions to ensure required information is provided. Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes. The PASSWORD-INTERVAL for an interactive user must be set no higher than 60 days. Note: Current DoD policy has changed requiring that the password change interval is set to a value of 1 to 60. Ensure that this is in effect. Note: FTP only process and server to server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally, these users must change their passwords on an annual basis or less. A sample command to accomplish this is shown here: PW USER() INTERVAL(60). The LAST-ACCESS date must be set to a valid date and not to the value UNKNOWN. A sample command to accomplish this is shown here: ALU RESUME

Fix Text (F-34056r7_fix)

The IAO will review all interactive USERID definitions to ensure required information is provided. Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes.

The PASSWORD-INTERVAL for an interactive user must be set no higher than 60 days.

Note: Current DoD policy has changed requiring that the password change interval is set to a value of 1 to 60. Ensure that this is in effect.

Note: FTP only process and server to server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally, these users must change their passwords on an annual basis or less.

A sample command to accomplish this is shown here:

PW USER() INTERVAL(60).

The LAST-ACCESS date must be set to a valid date and not to the value UNKNOWN. A sample command to accomplish this is shown here:

ALU RESUME