UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

RHEL 9 must prohibit the use of cached authenticators after one day.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258133 RHEL-09-631020 SV-258133r958828_rule Medium
Description
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
STIG Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide 2024-06-04

Details

Check Text ( C-61874r926384_chk )
Verify that the System Security Services Daemon (SSSD) prohibits the use of cached authentications after one day.

Note: If smart card authentication is not being used on the system, this requirement is Not Applicable.

Check that SSSD allows cached authentications with the following command:

$ sudo grep cache_credentials /etc/sssd/sssd.conf

cache_credentials = true

If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required.

If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command:

$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf

offline_credentials_expiration = 1

If "offline_credentials_expiration" is not set to a value of "1", this is a finding.
Fix Text (F-61798r926385_fix)
Configure the SSSD to prohibit the use of cached authentications after one day.

Add or change the following line in "/etc/sssd/sssd.conf" just below the line [pam]:

offline_credentials_expiration = 1