STIG ID - BACF0035: Clear Logonid Password on 2741 Devices

Control how your password displays during logon to 2741 devices.
Severity
: 2 - Medium
To provide extra security during the logon process,
ACF2
lets you define a cross-out mask to clear out your password while signing on to 2741 devices.
Your organization ensures that additional security is provided during the logon process to 2741 devices.
This STIG article shows how to define the GSO TSO2741 record to control how your password displays during the logon process to 2741 devices.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps
:
  1. List the GSO TSO2741 record to determine if the fields are set to the values listed in the following table:
    BS(16)
    M3(Z)
    LENGTH(8)
    M4(M)
    M1(X)
    STRING()
    M2(N)
    n/a
    SET CONTROL(GSO) CONTROL LIST TSO2741 XXXX / TSO2741 LAST CHANGED BY USER01 ON 09/12/15-12:20
    BS(16) LENGTH(12) M1(X) M2(N) M3(Z) M4(M) STRING()
    CONTROL
    In this example, the LENGTH field is not defined to the suggested value of eight. Ensure that the GSO TSO2741 record value is defined to the default, which is in accordance with the recommendation in this article.
    • BS(
      16
      |
      nn
      )
      Specifies the backspace character.
      Default
      : 16
    • LENGTH(
      8
      |
      nn
      )
      Specifies the length of the cross-out mask. Acceptable values are 8 or 17 bytes.
      Default
      : 8
    • M1(
      X
      |
      c
      )
      Specifies the first mask character.
      Default
      : X
    • M2(
      N
      |
      c
      )
      Specifies the second mask character.
      Default
      : N
    • M3(
      Z
      |
      c
      )
      Specifies the third mask character.
      Default
      : Z
    • M4(
      M
      |c
      )
      Specifies the fourth mask character.
      Default
      : M
  2. If the GSO TSO2741 record fields BS(16), LENGTH(8), M1(X), M2(N), M3(Z), M4(M), and STRING() values are defined,
    your site does not have an audit finding
    .
  3. If the GSO TSO2741 record fields BS(16), LENGTH(8), M1(X), M2(N), M3(Z), M4(M), and STRING() values are not defined,
    your site has an audit finding
    . See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO TSO2741 record. Limit all access to change GSO records to time frames of approved changes and reduced to view only outside of approved change windows.
Follow these steps
:
  1. Configure the GSO TSO2741 record field LENGTH value to 8:
    SET CONTROL(GSO) CONTROL CHANGE TSO2741
    LENGTH(8)
    F ACF2,REFRESH(TSO2741) CONTROL
    The cross-out mask length is now eight characters.
  2. Verify the GSO TS02741 record changed:
    SET CONTROL(GSO) CONTROL LIST TSO2741 XXXX / TSO2741 LAST CHANGED BY USER01 ON 03/25/20-10:20
    LENGTH(17)
    CONTROL
ACF2
now clears out your password, providing more security during the logon process on a 2741 device.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG.  For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-000206
CCI
:
CCI-000206
Published Date
:
2009-05-22
Definition
:
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Type
:
technical
Note
:
The feedback from the information system does not provide information that would allow an unauthorized user to compromise the authentication mechanism. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.
References
:
NIST: NIST SP 800-53 (v3): IA-6
NIST: NIST SP 800-53 Revision 4 (v4): IA-6
NIST: NIST SP 800-53A (v1): IA-6.1