STIGQter: STIG Summary: IBM z/VM Using CA VM:Secure Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 27 Apr 2018

IBM zVM CA VM:Secure product PASSWORD user exit must be in use.

DISA Rule

SV-93581r1_rule

Vulnerability Number

V-78875

Group Title

SRG-OS-000078-GPOS-00046

Rule Version

IBMZ-VM-000520

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure a CA VM:Secure PASSWORD user exit that enforces a minimum 8-character password length.

Ensure that the following macros are updated with the proper PASSWORD user exit:

FORCEPWC
VMXCHGPW
MAINT
USE00080

Check Contents

If there is no CA VM:Secure PASSWORD user exit in use, this is a finding.

Review the CA VM:Secure Password user exit.

If there is no code that enforces a minimum 8-character password, this is a finding.

If there is no code that prohibits the use of all numbers in the new password, this is a finding.

If there is no code that prohibits the use of user name in the new password, this is a finding.

If there is no code that prohibits the use of userID in the new password, this is a finding.

If there is no code that prohibits the use of consecutive repeated characters, this is a finding.

If there is no code requiring that at least one special character be used in the new password, this is a finding.

If there is no code that enforces 24 hours/1 day as the minimum password lifetime, this is a finding.

If there is no code that enforces that at least one lowercase character is used in the new password, this is a finding.

If there is no code that enforces that at least one numeric character is used in the new password, this is a finding.

If there is no code that enforces that at least one uppercase character is used in the new password, this is a finding.

If there is no code that enforces change of at least 50% of the total number of characters when passwords are changed, this is a finding.
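The check items above, written out as a Python reference model that a reviewer can use to compare against the logic found in the exit. This is an added example, not CA VM:Secure code and not the exit's interface; the function names, the per-position reading of the 50% rule, and matching user-name parts of three or more characters are assumptions.

```python
from datetime import datetime, timedelta

MIN_LENGTH = 8
MIN_LIFETIME = timedelta(hours=24)

def changed_fraction(old, new):
    """Share of the new password's positions that differ from the old one.
    Assumed reading of the 50% rule; positions past the old length count as changed."""
    differing = sum(i >= len(old) or new[i] != old[i] for i in range(len(new)))
    return differing / max(len(new), 1)

def check_password(userid, user_name, old, new, last_changed, now):
    """Return the check items (in the order listed above) that the new password fails."""
    low = new.lower()
    findings = []
    if len(new) < MIN_LENGTH:
        findings.append("shorter than 8 characters")
    if new.isdigit():
        findings.append("all numbers")
    # Assumption: each part of the user name with 3+ characters is matched, ignoring case.
    if any(len(p) >= 3 and p.lower() in low for p in user_name.split()):
        findings.append("contains user name")
    if userid and userid.lower() in low:
        findings.append("contains userID")
    if any(a == b for a, b in zip(new, new[1:])):
        findings.append("consecutive repeated characters")
    if all(c.isalnum() for c in new):
        findings.append("no special character")
    if now - last_changed < MIN_LIFETIME:
        findings.append("changed within 24 hours")
    if not any(c.islower() for c in new):
        findings.append("no lowercase character")
    if not any(c.isdigit() for c in new):
        findings.append("no numeric character")
    if not any(c.isupper() for c in new):
        findings.append("no uppercase character")
    if changed_fraction(old, new) < 0.5:
        findings.append("less than 50% of characters changed")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    now = datetime(2018, 4, 27, 12, 0)
    print(check_password("OPER01", "Jane Operator", "oper0199", "oper0111",
                         now - timedelta(hours=2), now))
```

An exit that accepts a password for which this model returns any item is missing the corresponding check.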

Documentable

False

Check Content Reference

M

Target Key

3211