IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days.

An XCCDF Rule

Description

<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. INTERVAL specifies the maximum number of days that each user's password is valid. When a user logs on to the system, RACF compares the system password interval value specified in the user profile. RACF uses the lower of the two values to determine if the users password has expired.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-223727r868826_rule
Severity: Medium
References: CCI-000199
Updated: 8 months ago

Configure PASSWORD(INTERVAL) SETROPTS value to "060" days. This specifies the maximum number of days that each user's password is valid.

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD INTERVAL. 
Setting the password interval to 60 days is activated with the command SETR PASSWORD(INTERVAL(60)).

IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days.

Description

Remediation - Manual Procedure