STIGQter STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

The IBM RACF PASSWORD(REVOKE) SETROPTS value must be set to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur.

DISA Rule

SV-223696r604139_rule

Vulnerability Number

V-223696

Group Title

SRG-OS-000329-GPOS-00128

Rule Version

RACF-ES-000490

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that PASSWORD(REVOKE) SETROPTS value is set to "1" or "2". This specifies the number of consecutive incorrect password attempts RACF allows before it revokes the USERID on the next incorrect attempt. If REVOKE is specified, ensure INITSTATS are in effect.

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD REVOKE.

Set the password REVOKE to "2" invalid attempts activated with the command SETR PASSWORD(REVOKE(2)).

Check Contents

From the ISPF Command Shell enter:
SETRopts List

If the PASSWORD(REVOKE) value shows "AFTER <n> CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED." where <n> is either "1" or "2", this is not a finding.

If the PASSWORD(REVOKE) value is not enabled and is not set to either "1" or "2", this is a finding.

Vulnerability Number

V-223696

Documentable

False

Rule Version

RACF-ES-000490

Severity Override Guidance

From the ISPF Command Shell enter:
SETRopts List

If the PASSWORD(REVOKE) value shows "AFTER <n> CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED." where <n> is either "1" or "2", this is not a finding.

If the PASSWORD(REVOKE) value is not enabled and is not set to either "1" or "2", this is a finding.

Check Content Reference

M

Target Key

4101

Comments