Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Ubuntu 22.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-260581 | UBTU-22-631015 | SV-260581r953556_rule | Low |
| Description |
|---|
| If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
| STIG | Date |
|---|---|
| Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide | 2024-03-21 |
Details
| Check Text ( C-64310r953554_chk ) |
|---|
| Verify that PAM prohibits the use of cached authentications after one day by using the following command: Note: If smart card authentication is not being used on the system, this requirement is not applicable. $ sudo grep -i '^\s*offline_credentials_expiration' /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/sssd/sssd.conf:offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to "1", is commented out, is missing, or conflicting results are returned, this is a finding. |
| Fix Text (F-64218r953555_fix) |
|---|
| Configure PAM to prohibit the use of cached authentications after one day. Add or modify the following line in the "/etc/sssd/sssd.conf" file, just below the line "[pam]": offline_credentials_expiration = 1 Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file. |