An error occurred:

Check: UBTU-16-010690

Canonical Ubuntu 16.04 LTS STIG: UBTU-16-010690 (in versions v2 r3 through v1 r3)

Title

Pluggable Authentication Module (PAM) must prohibit the use of cached authentications after one day. (Cat II impact)

Discussion

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Check Content

Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. Note: If smart card authentication is not being used on the system this item is Not Applicable. Check that PAM prohibits the use of cached authentications after one day with the following command: # sudo grep -i "timestamp_timeout" /etc/pam.d/* timestamp_timeout=86400 If "timestamp_timeout" is not set to a value of "86400" or less, or is commented out, this is a finding.

Fix Text

Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/pam.d/common-auth" or "/etc/pam.d/common-session" just below the line "[pam]". timestamp_timeout = 86400

Additional Identifiers

Rule ID: SV-215001r610931_rule

Vulnerability ID: V-215001

Group Title: SRG-OS-000383-GPOS-00166

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002007

The information system prohibits the use of cached authenticators after an organization-defined time period.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-5 (13)

Expiration Of Cached Authenticators