STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

The IBM RACF INACTIVE SETROPTS value must be set to 35 days.

DISA Rule

SV-223723r604139_rule

Vulnerability Number

V-223723

Group Title

SRG-OS-000118-GPOS-00060

Rule Version

RACF-ES-000760

Severity

CAT II

CCI(s)

• CCI-000795 - The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.

Weight

10

Fix Recommendation

Configure the INACTIVE SETROPTS value to a value that is "35" or less. INACTIVE specifies the number of days that a USERID can remain unused and still be considered valid.

Check Contents

From a z/OS command input screen enter:
List SETRopts

If the INACTIVE value is set properly In the message "INACTIVE USERIDS ARE BEING AUTOMATICALLY REVOKED AFTER xxx DAYS.", where xxx is a value "35" or less, this is not a finding.

Vulnerability Number

V-223723

Documentable

False

Rule Version

RACF-ES-000760

Severity Override Guidance

From a z/OS command input screen enter:
List SETRopts

If the INACTIVE value is set properly In the message "INACTIVE USERIDS ARE BEING AUTOMATICALLY REVOKED AFTER xxx DAYS.", where xxx is a value "35" or less, this is not a finding.

Check Content Reference

M

Target Key

4101

Comments