The CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set.

Quick Actions

We are continuing to improve Stigviewer and we are planning on rolling out new services in the near future. Would you like to be part of the conversation on what those features should be? If so, click here.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-223462	ACF2-ES-000430	SV-223462r958736_rule		Medium

Description

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

STIG	Date
IBM z/OS ACF2 Security Technical Implementation Guide	2025-03-11

Details

Check Text (C-25135r500518_chk)

From an ACF command screen enter:
SET CONTROL(GSO)
SHOW PSwdopts

If "MAXTRY" is set to "3", this is not a finding.

If "PASSLMT" is set to "3", this is not a finding.

Fix Text (F-25123r500519_fix)

Configure the GSO option "MAXTRY" to equal "3".
Configure the GSO option "PASSLMT" to equal "3".

STIG VIEWER