Pluggable Authentication Module (PAM) must prohibit the use of cached authentications after one day.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-215001	UBTU-16-010690	SV-215001r610931_rule		Medium

Description
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

STIG	Date
Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide	2020-12-09

Details

Check Text ( C-16200r284871_chk )
Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. Note: If smart card authentication is not being used on the system this item is Not Applicable. Check that PAM prohibits the use of cached authentications after one day with the following command: # sudo grep -i "timestamp_timeout" /etc/pam.d/* timestamp_timeout=86400 If "timestamp_timeout" is not set to a value of "86400" or less, or is commented out, this is a finding.

Check Text ( C-16200r284871_chk )

Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.

Note: If smart card authentication is not being used on the system this item is Not Applicable.

Check that PAM prohibits the use of cached authentications after one day with the following command:

# sudo grep -i "timestamp_timeout" /etc/pam.d/*

timestamp_timeout=86400

If "timestamp_timeout" is not set to a value of "86400" or less, or is commented out, this is a finding.

Fix Text (F-16198r284872_fix)
Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/pam.d/common-auth" or "/etc/pam.d/common-session" just below the line "[pam]". timestamp_timeout = 86400