STIG ID - BACF0024: Define the GSO PWPHRASE Record

Define password phrases in place of passwords.
Severity: 2 - Medium
Your organization may use password phrases in place of passwords for authentication. Password phrases are a sequence of words or other text considered more secure than a regular 8-character password. The GSO PWPHRASE record specifies rules when a user selects a new password phrase such as minimum number of special characters and valid non-alphanumeric characters.
Your organization will ensure the use of password phrases in place of passwords, providing a more secure authentication process.
This STIG article addresses the GSO PWPHRASE record fields to consider when implementing password phrases in your environment.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the GSO PWPHRASE record to identify the following fields and values:
    • ALLOW|NOALLOW
      Specifies whether all users on the system are allowed to authenticate using a password phrase.
      Default: NOALLOW, indicating authentication with a password phrase is not allowed.
    • ALPHA(0|nnn)
      Specifies the minimum number of alphabetic characters (a-z or A-Z) required in a new password phrase. Valid values are 0-100. Changes to this parameter take effect at the next password phrase change of the user.
      Default: 0, indicating ACF2 will not validate the password phrase for alphabetic characters.
    • CMD-CHG|NOCMD-CHG
      Specifies whether password phrase changes are allowed with the ACF CHANGE command.
      Default: CMD-CHG, which permits password phrase changes through the ACF CHANGE command.
    • HISTORY(0|nnnn)
      Specifies the number of previous password phrases to be checked to prevent reuse of a password phrase. Valid values are 0-32. A value of 0 or 1 indicates that no previous password phrases are checked; only the current password phrase is checked. For example, HISTORY(2) indicates that the current password phrase and the previous password phrase are checked. HISTORY(32) indicates that the current password phrase and the 31 previous password phrases are checked.
      Default: 0
    • LID|NOLID
      Specifies that a logonid cannot be contained in any part of a new password phrase.
      Default: NOLID, indicating ACF2 does not check for a logonid in a new password phrase.
    • MAXDAYS(0|nnn)
      Specifies the global value for the maximum number of days permitted between password phrase changes before the password phrase expires. This is based on the date specified in the PWP-TOD field in the User PWPHRASE Profile record. Valid values are 0-255.
      Default: 0, indicating there is no value set, in which case the value in the PWP-MAXD field of the User PWPHRASE Profile record is used for validation.
    • MAXLEN(100|nnn)
      Specifies the global maximum number of characters allowed in a new password phrase. Valid values are 9-100.
      Default: 100
    • MINDAYS(0|nnn)
      Specifies the global value for the minimum number of days that must elapse before a password phrase can be changed. Valid values are 0-254.
      Default: 0, indicating that there is no value set.
    • MINLEN(9|nnn)
      Specifies the global minimum number of characters required in a new password phrase. Valid values are 9-100.
      Default: 9
    • MINWORD(1|nnn)
      Specifies the global minimum number of words required in a new password phrase. Words are delimited by one or more spaces (X'40'). Valid values are 1-50. Changes to this parameter take effect at the next password phrase change.
      Default: 1
    • NUMERIC(0|nnn)
      Specifies the minimum number of numeric characters (0-9) required in a new password phrase. Valid values are 0-100.
      Default: 0, indicating ACF2 will not validate the new password phrase for numeric characters.
    • PWPLC|NOPWPLC
      Specifies that at least one lowercase character (a-z) is required in a new password phrase.
      Default: NOPWPLC, indicating ACF2 does not require the password phrase to contain a lowercase character.
    • PWPUC|NOPWPUC
      Specifies that at least one uppercase character (A-Z) is required in a new password phrase.
      Default: NOPWPUC, indicating ACF2 does not require the password phrase to contain an uppercase character.
    • REPCHAR(null|0|nn)
      Specifies the number of consecutively repeating pairs of characters allowed in a new password phrase. Valid values are 0-99.
      Default: null, specified as REPCHAR(), indicating ACF2 will not validate the new password phrase for consecutively repeating pairs of characters.
    • SPECIAL(0|nnn)
      Specifies the minimum number of special characters required in a new password phrase. Special characters include the characters listed in the SPECLIST() field of this record, national characters (@ # $), and blanks (spaces). Valid values are 0-100.
      Default: 0, indicating no special characters are required.
    • SPECLIST()
      Specifies the list of valid non-alphanumeric characters that may be contained in a new password phrase, in addition to the default alphanumeric (a-z, A-Z, 0-9) and national (@ # $) characters and blanks (spaces).
    • TEMP-AGE|NOTEMP-AGE
      Specifies whether temporary password phrases are included in the password phrase history. A "temporary password phrase" is a new password phrase that is immediately expired at the time it is set.
      Default: TEMP-AGE, indicating temporary password phrases are aged.
    • WARNDAYS(1|nnn)
      Specifies the number of days before the password phrase expires that a warning message is issued.
    Example listing:
    SET CONTROL(GSO)
    CONTROL
    LIST PWPHRASE
    XXXX / PWPHRASE LAST CHANGED BY USER01 ON 12/02/19-09:20
    NOALLOW ALPHA(5) CMD-CHG HISTORY(5) NOLID MAXDAYS(60) MAXLEN(100) MINDAYS(1) MINLEN(15) MINWORD(0) NUMERIC(1) PWPLC PWPUC SPECIAL(1) SPECLIST(&,*,X'5F',:,=!,-,%,.,?_,|) TEMP-AGE(NO) WARNDAYS(10)
    CONTROL
    In this example, HISTORY(5) and NOLID are defined but differ from the suggested values of HISTORY(10) and LID.
  2. If the GSO PWPHRASE record fields match the values in the following table, your organization does not have an audit finding.
    ALLOW                 MAXLEN(100)   PWPUC
    ALPHA(1 or greater)   MINDAYS(1)    REPCHAR(1)
    CMD-CHG               MINLEN(15)    SPECIAL(1)
    HISTORY(10)           MINWORD(0)    SPECLIST(&,*,X'5F',:,=!,-,%,.,?_,|)
    LID                   NUMERIC(1)    TEMP-AGE(NO)
    MAXDAYS(60)           PWPLC         WARNDAYS(10)
  3. If the GSO PWPHRASE record fields do not match the values listed in the table in step 2, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO PWPHRASE record. Limit all access to change GSO records to time frames of approved changes and reduced to view only outside of approved change windows.
Follow these steps:
  1. Configure the GSO PWPHRASE record HISTORY(10) and LID field values to provide stronger password phrase protection:
    SET CONTROL
    CONTROL
    CHANGE PWPHRASE HISTORY(10) LID
    F ACF2,REFRESH(PWPHRASE)
    CONTROL
  2. Verify the GSO PWPHRASE record field values changed:
    SET CONTROL(GSO)
    CONTROL
    LIST PWPHRASE
    XXXX / PWPHRASE LAST CHANGED BY USER01 ON 12/02/19-09:20
    NOALLOW ALPHA(5) CMD-CHG HISTORY(10) LID MAXDAYS(60) MAXLEN(100) MINDAYS(1) MINLEN(15) MINWORD(0) NUMERIC(1) PWPLC PWPUC SPECIAL(1) SPECLIST(&,*,X'5F',:,=!,-,%,.,?_,|) TEMP-AGE(NO) WARNDAYS(10)
    CONTROL
Password phrases are now implemented, providing a more secure authentication process for your organization.
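The comparison in step 2 of Identify Audit Finding and the verification step above can be automated against pasted LIST PWPHRASE output. The following is an added example, not ACF2 code and not part of the original article; the sample listing is the one shown in step 1, and the table values are this article's own.

```python
import re

# The step 2 table as a dict (constructed here; field names and values are the
# article's own): True means the keyword must be listed, a string is the value
# required inside the parentheses, ">=1" means "1 or greater".
EXPECTED = {
    "ALLOW": True, "ALPHA": ">=1", "CMD-CHG": True, "HISTORY": "10", "LID": True,
    "MAXDAYS": "60", "MAXLEN": "100", "MINDAYS": "1", "MINLEN": "15", "MINWORD": "0",
    "NUMERIC": "1", "PWPLC": True, "PWPUC": True, "REPCHAR": "1", "SPECIAL": "1",
    "SPECLIST": "&,*,X'5F',:,=!,-,%,.,?_,|", "TEMP-AGE": "NO", "WARNDAYS": "10",
}
# A field token is NAME or NAME(value); SPECLIST values never contain ')'.
TOKEN = re.compile(r"([A-Z][A-Z0-9-]*)(?:\(([^)]*)\))?")

# The LIST PWPHRASE output from step 1 of Identify Audit Finding, as a sample.
SAMPLE_LISTING = """SET CONTROL(GSO)
CONTROL
LIST PWPHRASE
XXXX / PWPHRASE LAST CHANGED BY USER01 ON 12/02/19-09:20
NOALLOW ALPHA(5) CMD-CHG HISTORY(5) NOLID MAXDAYS(60) MAXLEN(100) MINDAYS(1)
MINLEN(15) MINWORD(0) NUMERIC(1) PWPLC PWPUC SPECIAL(1)
SPECLIST(&,*,X'5F',:,=!,-,%,.,?_,|) TEMP-AGE(NO) WARNDAYS(10)
CONTROL"""

def parse_pwphrase(listing):
    """Return {field: value} for every PWPHRASE field (or its NO- form) in the
    listing; keywords without parentheses map to True. Other words (the
    command echo, the LAST CHANGED header) are ignored."""
    fields = {}
    for m in TOKEN.finditer(listing):
        name, value = m.group(1), m.group(2)
        base = name[2:] if name.startswith("NO") else name
        if base in EXPECTED:
            fields[name] = True if value is None else value
    return fields

def audit(fields, expected=EXPECTED):
    """Return [(field, listed, required)] for each field that does not match
    the table; an empty list means no audit finding for this record."""
    findings = []
    for name, want in expected.items():
        got = fields.get(name)
        if got is None and "NO" + name in fields:
            got = "NO" + name                  # e.g. NOLID listed instead of LID
        if want is True:
            ok = got is True
        elif want.startswith(">="):
            ok = isinstance(got, str) and got.isdigit() and int(got) >= int(want[2:])
        else:
            ok = got == want
        if not ok:
            findings.append((name, got, want))
    return findings

if __name__ == "__main__":
    for name, got, want in audit(parse_pwphrase(SAMPLE_LISTING)):
        print(f"finding: {name} listed as {got!r}, table requires {want!r}")
```

Run against the step 1 listing it reports HISTORY and LID as the article does, and also ALLOW (the listing shows NOALLOW while the table requires ALLOW) and REPCHAR, which the listing does not show at all; the same two remain after the remediation listing above.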
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000192, CCI-000193, CCI-000194, CCI-000195, CCI-000198, CCI-000199, CCI-000200, CCI-000205, CCI-001395, CCI-001619
CCI: CCI-000044
Published Date: 2009-09-14
Definition: The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-7 a
NIST: NIST SP 800-53 Revision 4 (v4): AC-7 a
NIST: NIST SP 800-53A (v1): AC-7.1 (ii)
CCI: CCI-000192
Published Date: 2009-09-15
Definition: The information system enforces password complexity by the minimum number of upper case characters used.
Type: technical
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (a)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (a)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI: CCI-000193
Published Date: 2009-09-15
Definition: The information system enforces password complexity by the minimum number of lower case characters used.
Type: technical
Parameter: Number of characters
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (a)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (a)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI: CCI-000194
Published Date: 2009-09-15
Definition: The information system enforces password complexity by the minimum number of numeric characters used.
Type: technical
Parameter: Number of characters
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (a)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (a)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI: CCI-000195
Published Date: 2009-09-15
Definition: The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
Type: technical
Parameter: Number of characters
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (b)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (b)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI: CCI-000198
Published Date: 2009-09-15
Definition: The information system enforces minimum password lifetime restrictions.
Type: technical
Parameter: Number of characters
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (b)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (b)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI: CCI-000199
Published Date: 2009-09-15
Definition: The information system enforces minimum password lifetime restrictions.
Type: technical
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (b)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (b)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI: CCI-000200
Published Date: 2009-05-22
Definition: The information system prohibits password reuse for the organization-defined number of generations.
Type: technical
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (e)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (e)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI: CCI-000205
Published Date: 2009-05-22
Definition: The information system enforces minimum password length.
Type: technical
Parameter: Number of characters
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (a)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (a)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (i)
CCI: CCI-001395
Published Date: 2009-09-22
Definition: The information system notifies the user of changes to organization-defined security-related characteristics/parameters of the user's account that occur during the organization-defined time period.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-9 (3)
NIST: NIST SP 800-53 Revision 4 (v4): AC-9 (3)
NIST: NIST SP 800-53A (v1): AC-9 (3).1 (ii)
CCI: CCI-001619
Published Date: 2010-05-12
Definition: The information system enforces password complexity by the minimum number of special characters used.
Type: technical
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (a)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (a)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)