This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.

STIG ID: UBTU-20-010441  |  SRG: SRG-OS-000383-GPOS-00166 |  Severity: low (CAT III)  |  CCI: CCI-002007 |  Vulnerability Id: V-238362

Vulnerability Discussion

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Check

If smart card authentication is not being used on the system, this s Not Applicable.

Verify that PAM prohibits the use of cached authentications after one day with the following command:

$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf

offline_credentials_expiration = 1

If "offline_credentials_expiration" is not set to a value of "1" in "/etc/sssd/sssd.conf" or in a file with a name ending in .conf in the "/etc/sssd/conf.d/" directory, this is a finding.

Fix

Configure PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]":

offline_credentials_expiration = 1

Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.