An error occurred:

Check: UBTU-16-010690

Canonical Ubuntu STIG: UBTU-16-010690 (in version v1 r2)

Title

Pluggable Authentication Module (PAM) must prohibit the use of cached authentications after one day. (Cat II impact)

Discussion

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Check Content

Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. Note: If smart card authentication is not being used on the system this item is Not Applicable. Check that PAM prohibits the use of cached authentications after one day with the following command: # sudo grep -i "timestamp_timeout" /etc/pam.d/* timestamp_timeout=86400 If "timestamp_timeout" is not set to a value of "86400" or less, or is commented out, this is a finding.

Fix Text

Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/pam.d/common-auth" or "/etc/pam.d/common-session" just below the line "[pam]". timestamp_timeout = 86400

Additional Identifiers

Rule ID: SV-90233r2_rule

Vulnerability ID: V-75553

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002007

The information system prohibits the use of cached authenticators after an organization-defined time period.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-5 (13)

Expiration Of Cached Authenticators