RHEL 10 must prohibit the use of cached authenticators after one day.

STIG ID: RHEL-10-701290  |  SRG: SRG-OS-000383-GPOS-00166 |  Severity: medium (CAT II)  |  CCI: CCI-002007 |  Vulnerability Id: V-281331

Vulnerability Discussion

If cached authentication information is out of date, the validity of the authentication information may be questionable.

Check

Verify RHEL 10 System Security Services Daemon (SSSD) prohibits the use of cached authentications after one day with the following command:

Note: Cached authentication settings should be configured even if smart card authentication is not used on the system.

Determine if SSSD allows cached authentications with the following command:

$ sudo grep -irs cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/ | grep -v "^#"
cache_credentials = true

If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required.

If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command:

$ sudo grep -irs offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/ | grep -v "^#"
offline_credentials_expiration = 1

If "offline_credentials_expiration" is not set to a value of "1", this is a finding.

Fix

Configure RHEL 10 SSSD to prohibit the use of cached authentications after one day.

Edit the file "/etc/sssd/sssd.conf" or a configuration file in "/etc/sssd/conf.d" and add or edit the following line just below the line [pam]:

offline_credentials_expiration = 1

Restart the "sssd" service with the following command for the changes to take effect:

$ sudo systemctl restart sssd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.