The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-223695	RACF-ES-000480	SV-223695r1050760_rule	CCI-000044	medium
Description
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
STIG			Date
IBM z/OS RACF Security Technical Implementation Guide			2025-06-24

Related Frameworks

3 paths across 3 frameworks

NIST 800-531 mapping

AC-7

1.00

DISA · 9 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1711 mapping

3.1.8

1.00

DISA · 9 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000044

1.00

DISA · 9 · disa_xccdf · related

Details

Check Text (C-223695r1050760_chk)

From the ISPF Command Shell enter: SETRopts List If the PASSWORD(REVOKE) value shows "AFTER <n> CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED." where <n> is either "1" or "2", this is not a finding. If the PASSWORD(REVOKE) value is not enabled and is not set to either "1" or "2", this is a finding.

Fix Text (F-25356r1050759_fix)

Ensure that PASSWORD(REVOKE) SETROPTS value is set to "1" or "2". This specifies the number of consecutive incorrect password attempts RACF allows before it revokes the USERID on the next incorrect attempt. If REVOKE is specified, ensure INITSTATS are in effect. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD REVOKE. Set the password REVOKE to "2" invalid attempts activated with the command SETR PASSWORD(REVOKE(2)).