STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:SV-223695r604139_rule
V-223695
SRG-OS-000021-GPOS-00005
RACF-ES-000480
CAT II
10
Ensure that PASSWORD(REVOKE) SETROPTS value is set to "1" or "2". This specifies the number of consecutive incorrect password attempts RACF allows before it revokes the USERID on the next incorrect attempt. If you specify REVOKE, ensure INITSTATS are in effect.
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD REVOKE.
Setting the password REVOKE to "2" invalid attempts activated with the command SETR PASSWORD(REVOKE(2)).
From the ISPF Command Shell enter:
SETRopts List
If the PASSWORD(REVOKE) value shows "AFTER <n> CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED." where <n> is either "1" or "2", this is not a finding.
If the PASSWORD(REVOKE) value is not enabled and is not set to either "1" or "2", this is a finding.
V-223695
False
RACF-ES-000480
From the ISPF Command Shell enter:
SETRopts List
If the PASSWORD(REVOKE) value shows "AFTER <n> CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED." where <n> is either "1" or "2", this is not a finding.
If the PASSWORD(REVOKE) value is not enabled and is not set to either "1" or "2", this is a finding.
M
4101