UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.


Overview

Finding ID Version Rule ID IA Controls Severity
V-238362 UBTU-20-010441 SV-238362r853437_rule Low
Description
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
STIG Date
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide 2022-09-07

Details

Check Text ( C-41572r654259_chk )
If smart card authentication is not being used on the system, this s Not Applicable.

Verify that PAM prohibits the use of cached authentications after one day with the following command:

$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf

offline_credentials_expiration = 1

If "offline_credentials_expiration" is not set to a value of "1" in "/etc/sssd/sssd.conf" or in a file with a name ending in .conf in the "/etc/sssd/conf.d/" directory, this is a finding.
Fix Text (F-41531r654260_fix)
Configure PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]":

offline_credentials_expiration = 1

Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file.