Interactive USERIDs defined to RACF must have the required fields completed.

From z/OS RACF STIG

Part of RACF0580

Associated with IA controls: DCCS-1, DCCS-2

SV-285r2_rule Interactive USERIDs defined to RACF must have the required fields completed.

Vulnerability discussion

Interactive users must have a password change interval set to 60 days, must have a valid "Last Accessed" date set to a value other than UNKNOWN, and TSO interactive users must have an assigned logon proc.

Check content

Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(LISTUSER)

Automated Analysis

Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0580)

Verify that the interactive userids are properly defined. If the following guidance is true, this is not a finding.

___ Ensure that each interactive userid has a valid LAST-ACCESS date that does not contain the value UNKNOWN.

___ Ensure that PASS-INTERVAL is set to a value of 1 to 60 days.

Note: Current DoD policy has changed, requiring that the password change interval be set to a value of 1 to 60. Ensure that this is in effect.

Note: FTP-only process/server-to-server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process. Additionally, these users must change their passwords on an annual basis.

___ For TSO interactive users, ensure that users are assigned a default TSO logon procedure. This will be indicated by the PROC field in the TSO Information segment. This does NOT apply to userids defined with the PROTECTED attribute, which may need a TSO segment but do not require a default logon proc.

Fix text

The IAO will review all interactive USERID definitions to ensure required information is provided. Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes.

The PASSWORD-INTERVAL for an interactive user must be set no higher than 60 days.

Note: Current DoD policy has changed, requiring that the password change interval be set to a value of 1 to 60. Ensure that this is in effect.

Note: FTP-only process/server-to-server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process. Additionally, these users must change their passwords at least annually.

A sample command to accomplish this is shown here: PW USER() INTERVAL(60)

The LAST-ACCESS date must be set to a valid date and not to the value UNKNOWN. A sample command to accomplish this is shown here: ALU RESUME

For TSO interactive users, a default logon proc must be set. A sample command to accomplish this is shown here: ALU TSO(PROC()
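One way to automate the three conditions in the check content above (LAST-ACCESS, PASS-INTERVAL with the FTPUSERS exemption, and the TSO PROC field with the PROTECTED exception) against LISTUSER-style report text, as an added example that is not part of the STIG or the RACF Data Collection. The sample records and the FTPUSERS membership set are constructed, and the record layout only approximates real LISTUSER output.

```python
import re

# Constructed sample in the style of LISTUSER output (not real RACF data): USR01 is clean, USR02 fails all three checks, FTPSRV1 is a PROTECTED server ID with NOINTERVAL.
SAMPLE_LISTUSER = """\
USER=USR01    NAME=SAMPLE USER ONE    OWNER=SYS1
 DEFAULT-GROUP=TSOUSER  PASS-INTERVAL= 60  LAST-ACCESS=24.100/08:15:00
TSO INFORMATION
 PROC= IKJACCNT
USER=USR02    NAME=SAMPLE USER TWO    OWNER=SYS1
 DEFAULT-GROUP=TSOUSER  PASS-INTERVAL= 90  LAST-ACCESS=UNKNOWN
TSO INFORMATION
 PROC=
USER=FTPSRV1  NAME=FTP SERVER ID      OWNER=SYS1
 DEFAULT-GROUP=FTPUSERS  PASS-INTERVAL=N/A  ATTRIBUTES=PROTECTED  LAST-ACCESS=24.120/01:00:00
"""
FTPUSERS = {"FTPSRV1"}  # assumed membership of the FTPUSERS exemption group

def parse_listuser(text):
    """Split LISTUSER-style output into one dict of fields per USER= record."""
    users, cur = {}, None
    for line in text.splitlines():
        if line.startswith("USER="):
            cur = users.setdefault(line.split()[0][5:], {"tso": False, "PROC": ""})
        if cur is None:
            continue
        cur["tso"] |= line.strip() == "TSO INFORMATION"
        for key in ("PASS-INTERVAL", "ATTRIBUTES", "LAST-ACCESS", "PROC"):
            if m := re.search(rf"\b{key}=\s*(\S*)", line):
                cur[key] = m.group(1)
    return users

def check_racf0580(users, ftp_users=frozenset()):
    """Return {userid: [findings]} for the three RACF0580 conditions."""
    findings = {}
    for uid, u in users.items():
        issues = []
        if u.get("LAST-ACCESS", "UNKNOWN") == "UNKNOWN":
            issues.append("LAST-ACCESS is UNKNOWN")
        interval = u.get("PASS-INTERVAL", "N/A")
        if interval.isdigit() and not 1 <= int(interval) <= 60:
            issues.append(f"PASS-INTERVAL {interval} outside 1-60")
        elif not interval.isdigit() and uid not in ftp_users:
            issues.append("NOINTERVAL set but userid not in FTPUSERS")
        # PROTECTED userids may have a TSO segment without a default PROC
        if u["tso"] and "PROTECTED" not in u.get("ATTRIBUTES", "") and not u["PROC"]:
            issues.append("TSO segment present but no default logon PROC")
        if issues:
            findings[uid] = issues
    return findings
```

Run `check_racf0580(parse_listuser(SAMPLE_LISTUSER), FTPUSERS)` to list only the userids that would be findings; the same functions can be pointed at a saved RACFCMDS.RPT(LISTUSER) member once its layout has been confirmed to match.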
