Title

The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. (Cat III impact)

Discussion

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Check Content

If smart card authentication is not being used on the system this item is Not Applicable. Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. Check that PAM prohibits the use of cached authentications after one day with the following command: # sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1", in /etc/sssd/sssd.conf or in a file with a name ending in .conf in the /etc/sssd/conf.d/ directory, this is a finding.

Fix Text

Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]". offline_credentials_expiration = 1 Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the /etc/sssd/conf.d/ directory instead of the /etc/sssd/sssd.conf file.

Additional Identifiers

Rule ID: SV-219163r853368_rule

Vulnerability ID: V-219163

Group Title: SRG-OS-000383-GPOS-00166

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.