RACF exit ICHPWX01 must be installed and properly configured.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-59477	RACF0462	SV-73907r3_rule		Medium

Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The RACF exit ICHPWX01 will allow for additional checks not available in RACF SETROPTS whenever a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.

Description

Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The RACF exit ICHPWX01 will allow for additional checks not available in RACF SETROPTS whenever a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-60267r3_chk )
From a system console screen issue the following modify command: F AXR,IRRPWREX LIST Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0462) Review the results of the modify command. If the following options are listed, this is not a finding. The number of required character types is 4 (assures that at least 1 upper case, 1 lower case, 1 number, and 1 special character is used in Password) The user's name cannot be contained in the password Only 3 consecutive characters of the user's name are allowed The minimum word length checked is 8 The user ID cannot be contained in the password Only 3 consecutive characters of the user ID are allowed Only 3 unchanged positions of the current password are allowed These positions need to be consecutive to cause a failure This check is not case sensitive No more than 0 pairs of repeating characters are allowed This check is not case sensitive A minimum list of 33 restricted prefix strings is being checked: APPL APR AUG ASDF BASIC CADAM DEC DEMO FEB FOCUS GAME IBM JAN JUL JUN LOG MAR MAY NET NEW NOV OCT PASS ROS SEP SIGN SYS TEST TSO VALID VTAM XXX 1234 If the modify command fails or returns the following message in the system log, this is a finding. IRX0406E REXX exec load file REXXLIB does not contain exec member IRRPWREX.

Check Text ( C-60267r3_chk )

From a system console screen issue the following modify command:

F AXR,IRRPWREX LIST

Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0462)

Review the results of the modify command. If the following options are listed, this is not a finding.

The number of required character types is 4

(assures that at least 1 upper case, 1 lower case, 1 number, and 1 special character is used in Password)

The user's name cannot be contained in the password
Only 3 consecutive characters of the user's name are allowed
The minimum word length checked is 8

The user ID cannot be contained in the password
Only 3 consecutive characters of the user ID are allowed

Only 3 unchanged positions of the current password are allowed
These positions need to be consecutive to cause a failure
This check is not case sensitive

No more than 0 pairs of repeating characters are allowed
This check is not case sensitive

A minimum list of 33 restricted prefix strings is being checked:
APPL APR AUG ASDF BASIC CADAM DEC DEMO FEB FOCUS GAME IBM JAN JUL
JUN LOG MAR MAY NET NEW NOV OCT PASS ROS SEP SIGN SYS TEST TSO
VALID VTAM XXX 1234

If the modify command fails or returns the following message in the system log, this is a finding.

IRX0406E REXX exec load file REXXLIB does not contain exec member IRRPWREX.

Fix Text (F-64889r3_fix)
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied. Install exit IRRPWREX according to instructions in z/OS Security Server RACF System Programmer's Guide. Note: RACF exit ICHPWX01 is coded to call a System REXX named IRRPWREX, so the name cannot be changed without a corresponding change to ICHPWX01. System REXX requires that this exec (IRRPWREX) reside in the REXXLIB concatenation. Update parameters in IRRPWREX according to table Parameters for RACF IRRPWREX in the z/OS STIG Addendum.

Fix Text (F-64889r3_fix)

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied.

Install exit IRRPWREX according to instructions in z/OS Security Server RACF System Programmer's Guide.

Note: RACF exit ICHPWX01 is coded to call a System REXX named IRRPWREX, so the name cannot be changed without a corresponding change to ICHPWX01.

System REXX requires that this exec (IRRPWREX) reside in the REXXLIB concatenation.

Update parameters in IRRPWREX according to table Parameters for RACF IRRPWREX in the z/OS STIG Addendum.