Check: UBTU-20-010441
Canonical Ubuntu 20.04 LTS STIG:
UBTU-20-010441
(in versions v1 r12 through v1 r1)
Title
The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. (Cat III impact)
Discussion
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
Check Content
If smart card authentication is not being used on the system, this s Not Applicable. Verify that PAM prohibits the use of cached authentications after one day with the following command: $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1" in "/etc/sssd/sssd.conf" or in a file with a name ending in .conf in the "/etc/sssd/conf.d/" directory, this is a finding.
Fix Text
Configure PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]": offline_credentials_expiration = 1 Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file.
Additional Identifiers
Rule ID: SV-238362r853437_rule
Vulnerability ID: V-238362
Group Title: SRG-OS-000383-GPOS-00166
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002007 |
The information system prohibits the use of cached authenticators after an organization-defined time period. |
Controls
Number | Title |
---|---|
IA-5 (13) |
Expiration Of Cached Authenticators |