UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Pluggable Authentication Module (PAM) must prohibit the use of cached authentications after one day.


Overview

Finding ID Version Rule ID IA Controls Severity
V-75553 UBTU-16-010690 SV-90233r2_rule Medium
Description
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
STIG Date
Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide 2018-07-18

Details

Check Text ( C-75257r2_chk )
Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.

Note: If smart card authentication is not being used on the system this item is Not Applicable.

Check that PAM prohibits the use of cached authentications after one day with the following command:

# sudo grep -i "timestamp_timeout" /etc/pam.d/*

timestamp_timeout=86400

If "timestamp_timeout" is not set to a value of "86400" or less, or is commented out, this is a finding.
Fix Text (F-82181r2_fix)
Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day.

Add or change the following line in "/etc/pam.d/common-auth" or "/etc/pam.d/common-session" just below the line "[pam]".

timestamp_timeout = 86400