The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1.
An XCCDF Rule
Description
<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-223726r998350_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure PASSWORD(MINCHANGE) SETROPTS value number to "1". This specifies the number of days that must pass before a user can change their password.
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD MINCHANGE. Use the following command as an example command:
SETROPTS PASSWORD(MINCHANGE(1))