STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

The CA-TSS NEWPW control options must be properly set.

DISA Rule

SV-223886r561402_rule

Vulnerability Number

V-223886

Group Title

SRG-OS-000071-GPOS-00039

Rule Version

TSS0-ES-000130

Severity

CAT II

CCI(s)

• CCI-000194 - The information system enforces password complexity by the minimum number of numeric characters used.
• CCI-000195 - The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
• CCI-000198 - The information system enforces minimum password lifetime restrictions.
• CCI-001619 - The information system enforces password complexity by the minimum number of special characters used.
• CCI-000366 - The organization implements the security configuration settings.
• CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

10

Fix Recommendation

Note: Support of mixed case passwords can only be set when the security file has been copied by TSSXTEND with the option NEWPWBLOCK.

Configure the NEWPW Control Option values conform to the following requirements:

NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC)

NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide.

NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Check Contents

From the ISPF Command Shell enter:
TSS MODIFY STATUS

If the NEWPW Control Option values conform to the following requirements, this is not a finding.

NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC)

NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide.

NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Vulnerability Number

V-223886

Documentable

False

Rule Version

TSS0-ES-000130

Severity Override Guidance

From the ISPF Command Shell enter:
TSS MODIFY STATUS

If the NEWPW Control Option values conform to the following requirements, this is not a finding.

NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC)

NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide.

NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Check Content Reference

M

Target Key

4102

Comments