Ubuntu 22.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-274863 | UBTU-22-254025 | SV-274863r1107271_rule | Low |
| Description |
| If cached authentication information is out of date, the validity of the authentication information may be questionable. |
| STIG | Date |
| Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide | 2025-05-16 |
Details
| Check Text (C-78964r1101719_chk) |
| Note: If smart card authentication is not being used on the system, this is not applicable. Verify that PAM prohibits the use of cached authentications after one day with the following command: $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1" in "/etc/sssd/sssd.conf" or in a file with a name ending in .conf in the "/etc/sssd/conf.d/" directory, this is a finding. |
| Fix Text (F-78869r1101720_fix) |
| Configure PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]": offline_credentials_expiration = 1 Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file. |