documentation_complete: true


title: 'Configure SSSD to Expire Offline Credentials'

description: |-
    SSSD should be configured to expire offline credentials after 1 day.
    {{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}}
    Check if SSSD allows cached authentications with the following command:
    <pre>
    $ sudo grep cache_credentials /etc/sssd/sssd.conf
    cache_credentials = true
    </pre>
    If "cache_credentials" is set to "false" or is missing no further checks are required.<br/>
    {{% endif %}}
    To configure SSSD to expire offline credentials, set
    <tt>offline_credentials_expiration</tt> to <tt>1</tt> under the <tt>[pam]</tt>
    section in <tt>/etc/sssd/sssd.conf</tt>. For example:
    <pre>[pam]
    offline_credentials_expiration = 1
    </pre>

rationale: |-
    If cached authentication information is out-of-date, the validity of the
    authentication information may be questionable.

severity: medium

identifiers:
    cce@rhel8: CCE-82460-7
    cce@rhel9: CCE-87996-5
    cce@rhel10: CCE-90741-0
    cce@sle12: CCE-83206-3
    cce@sle15: CCE-83296-4
    cce@slmicro5: CCE-93719-3
    cce@slmicro6: CCE-94724-2

references:
    cis-csc: 1,12,15,16,5
    cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
    iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
    nist: CM-6(a),IA-5(13)
    nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
    srg: SRG-OS-000383-GPOS-00166
    stigid@ol8: OL08-00-020290
    stigid@sle12: SLES-12-010680
    stigid@sle15: SLES-15-010500

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    {{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}}
    Check if SSSD allows cached authentications with the following command:
    <pre>
    $ sudo grep cache_credentials /etc/sssd/sssd.conf
    cache_credentials = true
    </pre>
    If "cache_credentials" is set to "false" or is missing no further checks are required.<br/>
    {{% endif %}}
    To verify that SSSD expires offline credentials, run the following command:
    <pre>$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf</pre>
    If configured properly, output should be
    <pre>offline_credentials_expiration = 1</pre>

fixtext:
    Configure the SSSD to prohibit the use of cached authentications after one day.

    Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]".

    offline_credentials_expiration = 1

srg_requirement: '{{{ full_name }}} must prohibit the use of cached authentications after one day.'