← Back to IBM z/OS TSS Security Technical Implementation Guide

V-223886

CAT II (Medium)

The CA-TSS NEWPW control options must be properly set.

Rule ID

SV-223886r998487_rule

STIG

IBM z/OS TSS Security Technical Implementation Guide

Version

V9R8

CCIs

CCI-004066 CCI-002361 CCI-004065 CCI-004061

Discussion

If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Satisfies: SRG-OS-000071-GPOS-00039, SRG-OS-000072-GPOS-00040, SRG-OS-000075-GPOS-00043, SRG-OS-000480-GPOS-00225, SRG-OS-000266-GPOS-00101, SRG-OS-000279-GPOS-00109

Check Content

From the ISPF Command Shell enter:
TSS MODIFY STATUS

If the NEWPW Control Option values conform to the following requirements, this is not a finding.

NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC)

NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide.

NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Fix Text

Note: Support of mixed case passwords can only be set when the security file has been copied by TSSXTEND with the option NEWPWBLOCK.

Configure the NEWPW Control Option values conform to the following requirements:

NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC)

NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide.

NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.