UBTU-18-010030 – The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day – /etc/sssd/sssd.conf

Details

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Solution

Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day. Add or change the following line in ‘/etc/sssd/sssd.conf’ just below the line ‘[pam]’.

offline_credentials_expiration = 1

Note: It is valid for this configuration to be in a file with a name that ends with ‘.conf’ and does not begin with a ‘.’ in the /etc/sssd/conf.d/ directory instead of the /etc/sssd/sssd.conf file.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_18-04_LTS_V2R4_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Unix.

References

800-53|IA-5(13)
CAT|III
CCI|CCI-002007
Rule-ID|SV-219163r610963_rule
STIG-ID|UBTU-18-010030
STIG-Legacy|SV-109657
STIG-Legacy|V-100553
Vuln-ID|V-219163

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles