STIG ID - BACF0034: Clear Logonid Password on TWX Devices
Control how your password displays during logon process to TWX devices.
Severity: 2 - Medium
To provide additional security during the logon process,
ACF2lets you define a cross-out mask to clear out your password while logging on to TWX devices.
Your organization will ensure additional security is provided during logon process for TWX devices.
This STIG article shows how to define the GSO TSOTWX record to control how your password displays during logon process to TWX devices.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
- List the GSO TSOTWX record to determine if the fields are set to the values listed in the following table:CRL(15)M2(N)IDLE(17)M3(Z)LENGTH(8)M4(M)MI(X)STRING()SET CONTROL(GSO) CONTROL LIST TSOTWX XXXX / TSOTWX LAST CHANGED BY USER01 ON 09/12/15-12:20 CR(15) IDLE(17)LENGTH(12)M1(X) M2(N) M3(Z) M4(M) STRING() CONTROLIn this example, the LENGTH field is not defined to the suggested value of eight. Ensure the GSO TSOTWX record value is set in accordance with the recommendations set forth in this article.
- CR(15|hhhh)Specifies the carriage return character in hexadecimal. Acceptable values are 15, 0D, or 0D15.Default: 15
- IDLE(17|nn)Specifies the TWX idle character in hexadecimal.Default: 17
- LENGTH(8|nn)Specifies the length of the cross-out mask. Acceptable values are 8 or 17 bytes.Default: 8
- M1(X|c)Specifies the first mask character.Default:X
- M2(N|c)Specifies the second mask character.Default: N
- M3()Z|cSpecifies the third mask character.Default: Z
- M4()M|cSpecifies the fourth mask character.Default: M
- If the GSO TSOTWX record field values of CR(15), IDLE(17), LENGTH(8), M1(X), M2(N), M3(Z), M4(M) are defined,your site does not have an audit finding.
- If the GSO TSOTWX record field values of CR(15), IDLE(17), LENGTH(8), M1(X), M2(N), M3(Z), M4(M) are not defined,your site has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO TSOTWX record. Limit all access to change GSO records to time frames of approved changes and reduced to view only outside of approved change windows.
Follow these steps:
- Configure the GSO TSOTWX record field LENGTH value to 8:
The cross-out mask length is now 8 characters.SET CONTROL(GSO) CONTROL CHANGE TSOTWXLENGTH(8)F ACF2,REFRESH(TSOTWX) CONTROL
- Verify the GSO TSOTWX record LENGTH field changed:SET CONTROL(GSO) CONTROL LIST TSOTWX XXXX / TSOTWX LAST CHANGED BY USER01 ON 03/25/20-10:20LENGTH(8)CONTROL
ACF2now clears out your password, providing additional security during the logon process on a TWX device.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
The feedback from the information system does not provide information that would allow an unauthorized user to compromise the authentication mechanism. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.
NIST: NIST SP 800-53 (v3): IA-6
NIST: NIST SP 800-53 Revision 4 (v4): IA-6
NIST: NIST SP 800-53A (v1): IA-6.1