STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

RHEL 8 must prohibit the use of cached authentications after one day.

DISA Rule

SV-230376r627750_rule

Vulnerability Number

V-230376

Group Title

SRG-OS-000383-GPOS-00166

Rule Version

RHEL-08-020290

Severity

CAT II

CCI(s)

CCI-002007 - The information system prohibits the use of cached authenticators after an organization-defined time period.

Weight

Fix Recommendation

Configure the SSSD to prohibit the use of cached authentications after one day.

Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]".

offline_credentials_expiration = 1

Check Contents

Verify that the SSSD prohibits the use of cached authentications after one day.

Note: If smart card authentication is not being used on the system this item is Not Applicable.

Check that SSSD allows cached authentications with the following command:

$ sudo grep cache_credentials /etc/sssd/sssd.conf

cache_credentials = true

If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required.

If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command:

$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf

offline_credentials_expiration = 1

If "offline_credentials_expiration" is not set to a value of "1", this is a finding.

Vulnerability Number

V-230376

Documentable

False

Rule Version

RHEL-08-020290

Severity Override Guidance

Check Content Reference

Target Key

2921

RHEL 8 must prohibit the use of cached authentications after one day.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments