The PASSWORD(RULEn) SETROPTS value(s) specified is/are improperly set.

From z/OS RACF STIG

Part of RACF0460

Associated with IA controls: DCCS-1, DCCS-2, COBR-1

SV-274r1_rule The PASSWORD(RULEn) SETROPTS value(s) specified is/are improperly set.

Vulnerability discussion

In accordance with DODI 8500.2 for DOD information systems processing sensitive informationand above, and CJCSM 6510.01, the following recommendations concerning passwordrequirements are mandatory and apply equally to both classified and unclassified systems:(1) Passwords are to be eight (8) characters in length.(2) Passwords are to be a mix of alphabetic, numeric, and special characters, including at leastone of each. Special characters include the national characters (i.e., @, #, and $) and othernon-alphabetic and non-numeric characters typically found on a keyboard. However at thistime RACF only supports the national characters.The following set represents the complete list of characters currently supported by RACF:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$(3) Each character of the password is to be unique, prohibiting the use of repeating characters.(4) Passwords are to contain no consecutive characters (e.g., 12, AB).(5) Passwords are not to include the user’s name, telephone number, userid, or any standarddictionary word.The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.

Check content

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0460) b) If the PASSWORD(RULEn) values shown under "INSTALLATION PASSWORD SYNTAX RULES" are as follows, there is NO FINDING: RULE 1 LENGTH(8) $mmmmmmm RULE 2 LENGTH(8) m$mmmmmm RULE 3 LENGTH(8) mm$mmmmm RULE 4 LENGTH(8) mmm$mmmm RULE 5 LENGTH(8) mmmm$mmm RULE 6 LENGTH(8) mmmmm$mm RULE 7 LENGTH(8) mmmmmm$m RULE 8 LENGTH(8) mmmmmmm$ c) If the "MIXED CASE PASSWORD SUPPORT IS IN EFFECT" is shown under "PASSWORD PROCESSING OPTIONS", there is NO FINDING. d) If this is set to any other values, this is a FINDING.

Fix text

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD SYNTAX RULEs. (1) Setting the password syntax to all Mixed Case AlphaNumerics is activated with the commands: setr password(mixedcase) setr password(rule1(length(8) national(1) mixednum(2:8)) setr password(rule2(length(8) national(2) mixednum(1,3:8)) setr password(rule3(length(8) national(3) mixednum(1:2,4:8)) setr password(rule4(length(8) national(4) mixednum(1:3,5:8)) setr password(rule5(length(8) national(5) mixednum(1:4,6:8)) setr password(rule6(length(8) national(6) mixednum(1:5,7:8)) setr password(rule7(length(8) national(7) mixednum(1:6,8)) setr password(rule8(length(8) national(8) mixednum(1:7))

Pro Tips

Powered by sagemincer