STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM RACF exit ICHPWX11 must be installed and properly configured.

DISA Rule

SV-230210r695460_rule

Vulnerability Number

V-230210

Group Title

SRG-OS-000070-GPOS-00038

Rule Version

RACF-ES-000785

Severity

CAT II

CCI(s)

CCI-000193 - The information system enforces password complexity by the minimum number of lower case characters used.

Weight

Fix Recommendation

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied.

Install exit IRRPHREX according to the following guidelines:
REXX Parameter Setting

/* DISA Modifications: */
/* 15DEC2017 HC: Added "special = '$@#.|&!*-%_:='" */
/* : Changed Phr_minlen = 9 to Phr_minlen = 15 */
/* : Turned on options to disallow leading and trailing */
/* : blanks. */
/* : Added check to ensure 1 of each Upper Lower Numeric */
/* : and Special ... NOTE THAT an imbedded blank is */
/* : considered a Special character */
/* : Added check for repeating characters, no more than */
/* : one occurrence in any case e.g. aa aA AA */
/* : Added check to ensure userid is not contained */
/* : anywhere in the phrase */
Phr_minlen = 15 /* Minimum length is
Phr_maxlen = 100 /* Maximum length
numbers = '0123456789'
letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
special = '$@#.|&!*-%_:='"
Phr_allowed_chars = numbers||letters||special
Phr_leading_blanks = 'no'
Phr_trailing_blanks = 'no'
Phr_name_allowed = 'no'
Phr_name_minlen = 3
Phr_repeat_chars_chk = 'yes'
Phr_repeat_chars = 1
Phr_userid_allowed = 'no'
Phr_req_types = 4
Phr_triviality = 'yes’
Phr_min_unique = 7
Phr_min_unique_norm = 'yes'
Phr_word_unique = 0
Phr_word_unique_upper = 'yes'
Phr_word_minlen = 4
Phr_dict.1 = 'IBM'
Phr_dict.2 = 'RACF'
Phr_dict.3 = 'PASSWORD'
Phr_dict.4 = 'PHRASE'
Phr_dict.5 = 'PASSPHRAS
Phr_dict.6 = 'SECRET'
Phr_dict.7 = 'IBMUSER'
Phr_dict.8 = 'SYS1'

Note: RACF exit ICHPHX11 is coded to call a System REXX named IRRPHREX, so the name cannot be changed without a corresponding change to ICHPWX11.

System REXX requires that this exec (IRRPHREX) reside in the REXXLIB concatenation.

Update parameters in IRRPHREX according to table Parameters for RACF IRRPWREX as listed above.

Check Contents

From a system console screen issue the following modify command:
F AXR,IRRPHREX LIST

Review the results of the modify command.

If the following options are listed, this is not a finding.

-The number of required character types is 4
(assures that at least 1 upper case, 1 lower case, 1 number, and 1 special character is used in Password phrase)

-The user's name cannot be contained in the password phrase
(Only 3 consecutive characters of the user's name are allowed)

-The minimum password phrase length checked is 15

-The user ID cannot be contained in the password phrase
(Only 3 consecutive characters of the user ID are allowed)

-At least half of unchanged positions of the current password phrase are allowed
(These positions need to be consecutive to cause a failure and this check is not case sensitive)

-A minimum list of 8 restricted prefix strings is being checked:
'IBM' ,'RACF','PASSWORD','PHRASE','PASSPHRAS’,'SECRET','IBMUSER','SYS1'

If the modify command fails or returns the following message in the system log, this is a finding.

IRX0406E REXX exec load file REXXLIB does not contain exec member IRRPHREX.

IBM RACF exit ICHPWX11 must be installed and properly configured.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments