STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to 5 or more.

DISA Rule

SV-223728r604139_rule

Vulnerability Number

V-223728

Group Title

SRG-OS-000077-GPOS-00045

Rule Version

RACF-ES-000810

Severity

CAT II

CCI(s)

• CCI-000200 - The information system prohibits password reuse for the organization-defined number of generations.

Weight

10

Fix Recommendation

Configure the PASSWORD(HISTORY) SETROPTS value is set to a minimum of "5". This specifies the number of previous passwords that RACF saves for each USERID and compares with an intended new password. If there is a match with one of the previous passwords, or with the current password, RACF rejects the intended new password.

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD HISTORY.

Setting the password history to 10 generations is activated with the command SETR PASSWORD(HISTORY(10)).

Check Contents

From the ISPF Command Shell enter:
SETRopts List

If the PASSWORD(HISTORY) value is set properly then the message x GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED, where x is a minimum of "5", this is not a finding.

Vulnerability Number

V-223728

Documentable

False

Rule Version

RACF-ES-000810

Severity Override Guidance

From the ISPF Command Shell enter:
SETRopts List

If the PASSWORD(HISTORY) value is set properly then the message x GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED, where x is a minimum of "5", this is not a finding.

Check Content Reference

M

Target Key

4101

Comments