Ubuntu OS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-275668 | SRG-OS-000383-GPOS-00166 | RIIM-OS-631015 | SV-275668r1148054_rule | 2025-10-02 | 1 |
| Description |
|---|
| If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
| ℹ️ Check |
|---|
| Verify PAM prohibits the use of cached authentications after one day by using the following command: Note: If smart card authentication is not being used on the system, this requirement is not applicable. $ sudo grep -i '^\s*offline_credentials_expiration' /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/sssd/sssd.conf:offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to "1", is commented out, is missing, or conflicting results are returned, this is a finding. |
| ✔️ Fix |
|---|
| Configure PAM to prohibit the use of cached authentications after one day. Add or modify the following line in the "/etc/sssd/sssd.conf" file, just below the line "[pam]": offline_credentials_expiration = 1 Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file. |