STIG ID - BACF0023: Review GSO PSWD Record Value Recommendations

Define GSO PSWD record values to add complexity to password standards.
Severity
: 2 - Medium
Password complexity is one of many factors that determine how long it takes to crack a password. Complex passwords increase the time and resources required to compromise the password. The GSO PSWD record defines logonid password options and controls. Improper setting of the GSO PSWD field values, individually or in combination with one another, can result in weakened passwords and compromise the security of the processing environment, applications, and data.
Your organization will ensure that the GSO PSWD record values are defined to add complexity to password standards.
This STIG article addresses how to define the GSO PSWD record fields to ensure protection of logonid passwords.

Identify Audit Finding

Review the following data to determine if you should consider remediation:
  1. List the GSO PSWD record to identify and ensure the fields are set to the values shown in the following table:
    MAXTRY(3)
    PSWDMAX(1-60)
    PSWDREQ
    MINPSWD(8)
    PSWDMIN(1)
    PSWDRSV
    PASSLMT(3)
    PSWDMIXD
    PSWDSIM(3)
    PSWDALPH
    PSWDNAME(4)
    PSWDSPLT
    PSWDALT
    PSWDNCH
    PSWDUC
    PSWDFRC
    PSWDNMIC
    PSWDVOWL
    PSWDHST
    PSWDNUM
    NOPSWDXTR
    PSWDJES
    PSWDPAIR(0)
    PSWXHIST
    PSWDLC
    PSWDPLID
    PSWXHST#(10-64)
    PSWDLID
    PSWDPLST(*,&,¬, :, =, -, !, ., %, ?, _, |)*
    WRNDAYS(10)
    PSWDPLST special characters include: asterisk (*), ampersand (&), note sign (¬), colon (:), equal sign (=), hyphen (-), exclamation point (!), period (.), percent sign (%), question mark (?), underscore (_), vertical line (|).
    SET CONTROL(GSO) CONTROL LIST PSWD XE40 / PSWD LAST CHANGED BY USER01 ON 01/20/20-15:30 NOCLEARVIO
    MAXTRY(1) MINPSWD(4)
    ONEPWALG
    PASSLMT(1) PSWDALPH PSWDALT PSWDFRC
    PSWDENCT(AES2)
    PSWDFRC PSWDHST PSWDJES PSWDLC PSWDLID PSWDMAX(5) PSWDMIN(1) PSWDMIXD PSWDNAME(4)
    PSWDNCH PSWDNMIC PSWDNUM PSWDPAIR(0) PSWDPLID PSWDPLST() PSWDREQ PSWDRSV PSWDRSVW PSWDSIM(0) PSWDSPLT PSWDUC
    NOPSWDVFY
    PSWDVOWL NOPSWDXTR
    NOPSWNAGE
    PSWXHIST
    PSWXHST#(10) WRNDAYS(10)
    CONTROL
    In this example, MAXTRY, MINPSWD, PASSLMT, and PSWDSIM are defined but differ from the recommended values of MAXTRY(3), MINPSWD(8), PASSLMT(3), and PSWDSIM(3). Additionally, PSWDPLST is not properly defined with all allowable special characters.
    • MAXTRY(1|n)
      Specifies the maximum number of attempts, including the initial password entry, that are permitted before the terminal session is canceled. The maximum value is 255. If you specify MAXTRY(0), a user can still log on.
      Default
      : 1
    • MINPSWD(1|n)
      Specifies the minimum number of characters required in a new password. When ACF2 is first installed, set MINPSWD to one to permit conversion of the passwords in UADS. You can raise the minimum later. The old passwords continue to be valid until they change or expire. The maximum value is eight.
      Default
      : 1
      Changes to this parameter take effect at the next password change of the user.
    • PASSLMT(2|nnn)
      Specifies the maximum number of invalid password, SAF Kerberos key, and password phrase attempts permitted in a single day before ACF2 denies all access to the system by the logonid. For example, if the maximum number of invalid password attempts is two, ACF2 denies all access attempts after the second invalid attempt. If you try to log on after the PASSLMT has been reached, you receive a message that your logonid has been suspended.
      If PASSLMT(0) is specified, all user logonids are suspended at the next logon attempt, regardless of any invalid access attempts.
    • PSWDSIM(0|n)
      Specifies whether password similarity checking is to be performed. Password similarity checking is only done when n is greater than zero. Password similarity checking is performed whenever a new password is entered at system entry validation or when a user changes their own password through the ACF command. If the old and new password have n characters in a row that match in the same positions, the new password is considered too similar. ACF2 temporarily upper-cases the new and old passwords before checking for similarities because one or both passwords could be mixed-case. If a user attempts to change their password through the ACF CHANGE command, in batch, or by any method where prompting is not possible, the command fails: the ACF command must be able to prompt for the user's current password while password similarity checking is active. The value of n can be any integer from 0 to 7.
      Default
      : 0, which means no similarity checking is done.
  2. If the GSO PSWD record fields are defined to the values listed in step 1,
    your organization does not have an audit finding.
  3. If any of the GSO PSWD record fields are not defined to the values listed in step 1,
    your organization has an audit finding.
    See Remediate Audit Finding.
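To make the comparison in steps 1 to 3 mechanical, the following Python script (an added example, not from the STIG or from ACF2) tokenizes a LIST PSWD listing and reports each field that is missing or outside the recommended values; it is run against the non-compliant listing quoted in step 1, embedded here as constructed sample text. The function names, the token regular expression and the (low, high) range encoding are this example's own assumptions.

```python
import re
# STIG-recommended GSO PSWD values: numeric fields as (low, high) ranges,
# keyword flags that must be present, and the full PSWDPLST character set.
RECOMMENDED_NUMERIC = {
    "MAXTRY": (3, 3), "MINPSWD": (8, 8), "PASSLMT": (3, 3), "PSWDSIM": (3, 3),
    "PSWDNAME": (4, 4), "PSWDPAIR": (0, 0), "WRNDAYS": (10, 10),
    "PSWDMIN": (1, 1), "PSWDMAX": (1, 60), "PSWXHST#": (10, 64),
}
REQUIRED_FLAGS = (
    "PSWDREQ", "PSWDRSV", "PSWDMIXD", "PSWDALPH", "PSWDSPLT", "PSWDALT", "PSWDNCH",
    "PSWDUC", "PSWDFRC", "PSWDNMIC", "PSWDVOWL", "PSWDHST", "PSWDNUM", "NOPSWDXTR",
    "PSWDJES", "PSWXHIST", "PSWDLC", "PSWDPLID", "PSWDLID",
)
REQUIRED_PLST = set("*&¬:=-!.%?_|")
# A LIST PSWD option is an upper-case keyword with an optional (value) suffix.
TOKEN = re.compile(r"([A-Z#]+)(?:\(([^)]*)\))?")

def parse_pswd_record(listing):
    """Map each keyword in LIST PSWD output to its value (None for bare flags).
    Header tokens such as the logonid are harmless: only known keys are checked."""
    fields = {}
    for m in TOKEN.finditer(listing):
        value = m.group(2)
        fields[m.group(1)] = int(value) if value and value.isdigit() else value
    return fields

def check_pswd_record(fields):
    """Return one finding string per field that deviates from the STIG values."""
    findings = []
    for key, (lo, hi) in RECOMMENDED_NUMERIC.items():
        val = fields.get(key)
        if not isinstance(val, int) or not lo <= val <= hi:
            want = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append(f"{key}: found {val}, recommended {want}")
    findings += [f"{key}: not set" for key in REQUIRED_FLAGS if key not in fields]
    plst = fields.get("PSWDPLST")  # "" for PSWDPLST(), None when absent
    present = {c.strip() for c in plst.split(",")} if isinstance(plst, str) else set()
    if REQUIRED_PLST - present:
        findings.append("PSWDPLST: missing " + " ".join(sorted(REQUIRED_PLST - present)))
    return findings

# Constructed sample: the non-compliant LIST PSWD output quoted in step 1 above.
SAMPLE_LISTING = """\
PSWD LAST CHANGED BY USER01 ON 01/20/20-15:30 NOCLEARVIO
MAXTRY(1) MINPSWD(4) ONEPWALG PASSLMT(1) PSWDALPH PSWDALT PSWDFRC PSWDENCT(AES2)
PSWDFRC PSWDHST PSWDJES PSWDLC PSWDLID PSWDMAX(5) PSWDMIN(1) PSWDMIXD PSWDNAME(4)
PSWDNCH PSWDNMIC PSWDNUM PSWDPAIR(0) PSWDPLID PSWDPLST() PSWDREQ PSWDRSV PSWDRSVW
PSWDSIM(0) PSWDSPLT PSWDUC NOPSWDVFY PSWDVOWL NOPSWDXTR NOPSWNAGE PSWXHIST
PSWXHST#(10) WRNDAYS(10)
"""
```

Running `check_pswd_record(parse_pswd_record(SAMPLE_LISTING))` yields the five findings the text describes: MAXTRY, MINPSWD, PASSLMT and PSWDSIM below the recommended values, and PSWDPLST missing all twelve special characters.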

Remediate Audit Finding

The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO PSWD record. Limit all access to change GSO records to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
  1. Configure the GSO PSWD record fields MAXTRY(3), MINPSWD(8), PASSLMT(3), and PSWDSIM(3):
    SET CONTROL(GSO) CONTROL CHANGE PSWD MAXTRY(3) MINPSWD(8) PASSLMT(3) PSWDSIM(3) PSWDPLST(*,&,X'5F',:,=,-,!,.,%,?,_,|) CONTROL
    The increased values on these fields provide stronger password protection.
  2. Verify the changes were made to the GSO PSWD record fields:
    SET CONTROL(GSO) CONTROL SHOW PSWD PASSWORD (PSWD) OPTIONS IN EFFECT: OPTION OPTION DESCRIPTION =============== ============================================================ ...
    MAXTRY = 3
    MAXIMUM NUMBER OF SIGN-ON ATTEMPTS ALLOWED
    MINPSWD = 8
    MINIMUM NUMBER OF CHARACTERS REQUIRED ...
    PASSLMT = 3
    MAXIMUM NUMBER OF INVALID SIGN-ON ATTEMPTS ALLOWED PER DAY ...
    PSWDPLST = 3
    . | & ! * ¬ - % ? : = ...
    PSWDSIM = 3
    NUMBER OF CONSECUTIVE SIMILAR CHARACTERS NOT ALLOWED ... CONTROL
Adding complexity to password standards reduces security risks to your organization's systems.

Control Correlation Identifier

A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-000044, CCI-000192, CCI-000193, CCI-000194, CCI-000195, CCI-000198, CCI-000199, CCI-000200, CCI-000205, CCI-001519, CCI-002238
CCI
:
CCI-000044
Published Date
:
2009-09-14
Definition
:
The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): AC-7 a
NIST: NIST SP 800-53 Revision 4 (v4): AC-7 a
NIST: NIST SP 800-53A (v1): AC-7.1 (ii)
CCI
:
CCI-000192
Published Date
:
2009-09-15
Definition
:
The information system enforces password complexity by the minimum number of upper case characters used.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): IA-5 (1) (a)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (a)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI
:
CCI-000193
Published Date
:
2009-09-15
Definition
:
The information system enforces password complexity by the minimum number of lower case characters used.
Type
:
technical
Parameter
:
Number of characters
References
:
NIST: NIST SP 800-53 (v3): IA-5 (1) (a)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (a)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI
:
CCI-000194
Published Date
:
2009-09-15
Definition
:
The information system enforces password complexity by the minimum number of numeric characters used.
Type
:
technical
Parameter
:
Number of characters
References
:
NIST: NIST SP 800-53 (v3): IA-5 (1) (a)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (a)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI
:
CCI-000195
Published Date
:
2009-09-15
Definition
:
The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
Type
:
technical
Parameter
:
Number of characters
References
:
NIST: NIST SP 800-53 (v3): IA-5 (1) (b)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (b)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI
:
CCI-000198
Published Date
:
2009-09-15
Definition
:
The information system enforces minimum password lifetime restrictions.
Type
:
technical
Parameter
:
Number of characters
References
:
NIST: NIST SP 800-53 (v3): IA-5 (1) (b)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (b)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI
:
CCI-000199
Published Date
:
2009-09-15
Definition
:
The information system enforces minimum password lifetime restrictions.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): IA-5 (1) (b)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (b)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI
:
CCI-000200
Published Date
:
2009-05-22
Definition
:
The information system prohibits password reuse for the organization-defined number of generations.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): IA-5 (1) (e)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (e)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI
:
CCI-000205
Published Date
:
2009-05-22
Definition
:
The information system enforces minimum password length.
Type
:
technical
Parameter
:
Number of characters
References
:
NIST: NIST SP 800-53 (v3): IA-5 (1) (a)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (a)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (i)
CCI
:
CCI-001519
Published Date
:
2009-11-02
Definition
:
The organization defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met.
Type
:
policy
References
:
NIST: NIST SP 800-53 (v3): PS-3 b
NIST: NIST SP 800-53 Revision 4 (v4): PS-3 b
NIST: NIST SP 800-53A (v1): PS-3.1 (ii)
CCI
:
CCI-002238
Published Date
:
2013-06-24
Definition
:
The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
Type
:
technical
References
:
NIST: NIST SP 800-53 Revision 4 (v4): AC-7 b