Title

Ubuntu OS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. (Cat II impact)

Discussion

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Check Content

Verify PAM prohibits the use of cached authentications after one day by using the following command: Note: If smart card authentication is not being used on the system, this requirement is not applicable. $ sudo grep -i '^\s*offline_credentials_expiration' /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/sssd/sssd.conf:offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to "1", is commented out, is missing, or conflicting results are returned, this is a finding.

Fix Text

Configure PAM to prohibit the use of cached authentications after one day. Add or modify the following line in the "/etc/sssd/sssd.conf" file, just below the line "[pam]": offline_credentials_expiration = 1 Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file.

Additional Identifiers

Rule ID: SV-275668r1148054_rule

Vulnerability ID: V-275668

Group Title: SRG-OS-000383-GPOS-00166

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.