Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
RHEL 8 must prohibit the use of cached authentications after one day.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-230376 | RHEL-08-020290 | SV-230376r942948_rule | Medium |
| Description |
|---|
| If cached authentication information is out-of-date, the validity of the authentication information may be questionable. RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 8 Security Technical Implementation Guide | 2023-12-01 |
Details
| Check Text ( C-33045r942946_chk ) |
|---|
| Verify that the SSSD prohibits the use of cached authentications after one day. Note: If smart card authentication is not being used on the system this item is Not Applicable. Check that SSSD allows cached authentications with the following command: $ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf cache_credentials = true If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required. If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command: $ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1", this is a finding. |
| Fix Text (F-33020r942947_fix) |
|---|
| Configure the SSSD to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]". offline_credentials_expiration = 1 |