The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts.

An XCCDF Rule

Description

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

ID: SV-223695r1050760_rule
Version: RACF-ES-000480
Severity: Medium
References: CCI-000044 CCI-002238
Updated: about 2 months ago

Remediation Templates

Ensure that PASSWORD(REVOKE) SETROPTS value is set to "1" or "2". This specifies the number of consecutive incorrect password attempts RACF allows before it revokes the USERID on the next incorrect attempt. If REVOKE is specified, ensure INITSTATS are in effect.

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD REVOKE. 

Set the password REVOKE to "2" invalid attempts activated with the command SETR PASSWORD(REVOKE(2)).

The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts.

Description

Remediation Templates

A Manual Procedure