{"description": "SSSD should be configured to expire offline credentials after 1 day.\n\nTo configure SSSD to expire offline credentials, set\n<tt>offline_credentials_expiration</tt> to <tt>1</tt> under the <tt>[pam]</tt>\nsection in <tt>/etc/sssd/sssd.conf</tt>. For example:\n<pre>[pam]\noffline_credentials_expiration = 1\n</pre>", "rationale": "If cached authentication information is out-of-date, the validity of the\nauthentication information may be questionable.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["CM-6(a)", "IA-5(13)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "srg": ["SRG-OS-000383-GPOS-00166"], "stigid": ["UBTU-22-631015"], "stigref": ["SV-260581r958828_rule"]}, "control_references": {"stigid": ["UBTU-22-631015"]}, "components": [], "identifiers": {}, "ocil_clause": "it does not exist or is not configured properly", "ocil": "\nTo verify that SSSD expires offline credentials, run the following command:\n<pre>$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf</pre>\nIf configured properly, output should be\n<pre>offline_credentials_expiration = 1</pre>", "oval_external_content": null, "fixtext": "Configure the SSSD to prohibit the use of cached authentications after one day.\nAdd or change the following line in \"/etc/sssd/sssd.conf\" just below the line \"[pam]\".\noffline_credentials_expiration = 1", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must prohibit the use of cached authentications after one day.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must prohibit the use of cached authenticators after one day.", "vuldiscussion": "If cached authentication information is out-of-date, the validity of the authentication information may be questionable.", "checktext": "Verify that the System Security Services Daemon (SSSD) prohibits the use of cached authentications after one day.\n\nNote: Cached authentication settings should be configured even if smart card authentication is not used on the system.\n\nCheck that SSSD allows cached authentications with the following command:\n\n$ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/\n\ncache_credentials = true\n\nIf \"cache_credentials\" is set to \"false\" or missing from the configuration file, this is not a finding and no further checks are required.\n\nIf \"cache_credentials\" is set to \"true\", check that SSSD prohibits the use of cached authentications after one day with the following command:\n\n$ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/\n\noffline_credentials_expiration = 1\n\nIf \"offline_credentials_expiration\" is not set to a value of \"1\", this is a finding.", "fixtext": "Configure the SSSD to prohibit the use of cached authentications after one day.\n\nEdit the file \"/etc/sssd/sssd.conf\" or a configuration file in \"/etc/sssd/conf.d\" and add or edit the following line just below the line [pam]:\n\noffline_credentials_expiration = 1"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[sssd]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_sssd"], "bash_conditional": null, "fixes": {}, "title": "Configure SSSD to Expire Offline Credentials", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml", "template": null}