STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM interactive USERIDs defined to RACF must have the required fields completed.

DISA Rule

SV-223718r604139_rule

Vulnerability Number

V-223718

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

RACF-ES-000710

Severity

CAT II

CCI(s)

• CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Weight

10

Fix Recommendation

Review all interactive USERID definitions to ensure required information is provided. Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes.

The PASSWORD-INTERVAL for an interactive user must be set to 60 days.

Note: FTP only process and server to server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally, these users must change their passwords on an annual basis or less.

A sample command to accomplish this is shown here:
PW USER(<userid>) INTERVAL(60).

The LAST-ACCESS date must be set to a valid date and not to the value UNKNOWN. A sample command to accomplish this is shown here:
ALU <userid> RESUME

Check Contents

From a z/OS command screen enter:
ListUser *

Examine each user entry that has either TSO, CICS, ROSCOE, IMS, or any other products that support logging on at a terminal.

If every user is fully identified with all of the following condition, this is not a finding.

-Each interactive userid has a valid LAST-ACCESS date that does not contain the value UNKNOWN.
-Each interactive userid has PASS-INTERVAL define and set to a value of 60 days.

Note: FTP only process and server to server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally these users must change their passwords on an annual basis.

Vulnerability Number

V-223718

Documentable

False

Rule Version

RACF-ES-000710

Severity Override Guidance

From a z/OS command screen enter:
ListUser *

Examine each user entry that has either TSO, CICS, ROSCOE, IMS, or any other products that support logging on at a terminal.

If every user is fully identified with all of the following condition, this is not a finding.

-Each interactive userid has a valid LAST-ACCESS date that does not contain the value UNKNOWN.
-Each interactive userid has PASS-INTERVAL define and set to a value of 60 days.

Note: FTP only process and server to server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally these users must change their passwords on an annual basis.

Check Content Reference

M

Target Key

4101

Comments