Amazon Linux 2023 must prohibit the use of cached authenticators after one day.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-274062 | SRG-OS-000383-GPOS-00166 | AZLX-23-001305 | SV-274062r1120174_rule | 2025-11-20 | 1 |
| Description |
|---|
| If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
| ℹ️ Check |
|---|
| Verify Amazon Linux 2023 is configured so that the System Security Services Daemon (SSSD) prohibits the use of cached authentications after one day. Note: Cached authentication settings should be configured even if smart card authentication is not used on the system. Check that SSSD allows cached authentications with the following command: $ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/ /etc/sssd/sssd.conf:cache_credentials = true If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required. If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command: $ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/ /etc/sssd/sssd.conf:offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1", this is a finding. |
| ✔️ Fix |
|---|
| Configure Amazon Linux 2023 SSSD service to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line [pam]: offline_credentials_expiration = 1 |