5.3.3.6.2 Ensure SSSD prohibits the use of cached authentications after one day

Information

The operating system must prohibit the use of cached authentications after one day.

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

The operating system includes multiple options for configuring authentication, but this requirement focuses on the System Security Services Daemon (SSSD). By default sssd does not cache credentials.

Solution

Configure the SSSD to prohibit the use of cached authentications after one day.

Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]".

offline_credentials_expiration = 1
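An audit helper added here (not part of the CIS benchmark or its audit files) that reads an sssd.conf-style file and reports whether the [pam] section sets offline_credentials_expiration = 1; the file path argument is an assumption so the check can be run against a copy of the file.

```shell
#!/bin/sh
# Check that "offline_credentials_expiration = 1" is set inside the [pam]
# section of an sssd.conf-style file. Returns 0 (PASS) when compliant,
# 1 (FAIL) otherwise, 2 when the file cannot be read.
# The same key in another section (e.g. [sssd]) does not count, and if the
# key appears more than once in [pam] the last occurrence wins, as in sssd.
check_sssd_cache_expiry() {
  conf="${1:-/etc/sssd/sssd.conf}"
  [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
  value=$(awk '
    # Any line starting with "[" begins a new section; remember if it is [pam]
    /^[[:space:]]*\[/ { in_pam = ($0 ~ /^[[:space:]]*\[pam\][[:space:]]*$/); next }
    # Commented lines (# or ;) never match because the key must start the line
    in_pam && /^[[:space:]]*offline_credentials_expiration[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); val = $0
    }
    END { print val }' "$conf")
  if [ "$value" = "1" ]; then
    echo "PASS: [pam] offline_credentials_expiration = 1 in $conf"
    return 0
  fi
  echo "FAIL: [pam] offline_credentials_expiration is '${value:-unset}' in $conf (expected 1)"
  return 1
}
```

Run it as root with no argument to audit the live /etc/sssd/sssd.conf; a value of 0 is reported as FAIL because it keeps cached credentials valid indefinitely.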

See Also

https://workbench.cisecurity.org/benchmarks/19886