STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:SV-219163r610963_rule
V-219163
SRG-OS-000383-GPOS-00166
UBTU-18-010030
CAT III
10
Configure Pluggable Authentication Module (PAM) to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]".
offline_credentials_expiration = 1
Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the /etc/sssd/conf.d/ directory instead of the /etc/sssd/sssd.conf file.
If smart card authentication is not being used on the system this item is Not Applicable.
Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
Check that PAM prohibits the use of cached authentications after one day with the following command:
# sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
offline_credentials_expiration = 1
If "offline_credentials_expiration" is not set to a value of "1", in /etc/sssd/sssd.conf or in a file with a name ending in .conf in the /etc/sssd/conf.d/ directory, this is a finding.
V-219163
False
UBTU-18-010030
If smart card authentication is not being used on the system this item is Not Applicable.
Verify that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
Check that PAM prohibits the use of cached authentications after one day with the following command:
# sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
offline_credentials_expiration = 1
If "offline_credentials_expiration" is not set to a value of "1", in /etc/sssd/sssd.conf or in a file with a name ending in .conf in the /etc/sssd/conf.d/ directory, this is a finding.
M
4055