Configure SSSD to Expire Offline Credentials
An XCCDF Rule
Description
SSSD should be configured to expire offline credentials after 1 day. Check if SSSD allows cached authentications with the following command:
$ sudo grep cache_credentials /etc/sssd/sssd.conf
cache_credentials = true
If "cache_credentials" is set to "false" or is missing, no further checks are required.
To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
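As an added example (not part of the SSG rule or its own remediation scripts), a POSIX shell script that performs the check above and applies the fix. It takes the sssd.conf path as an argument, which is an assumption made so it can be run against a copy; the real file is /etc/sssd/sssd.conf and needs root.

```shell
#!/bin/sh
# Added example: check and remediate offline_credentials_expiration in the
# sssd.conf given as $1 (path argument is an assumption for testability).

# Exit 0 when no change is needed: cached credentials are off
# (cache_credentials missing or false), or [pam] already sets the key to 1.
sssd_offline_cred_compliant() {
    f="$1"
    if ! grep -Eq '^[[:space:]]*cache_credentials[[:space:]]*=[[:space:]]*[Tt]rue' "$f"; then
        return 0
    fi
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[pam\]/) }
        insec && /^[[:space:]]*offline_credentials_expiration[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$f"
}

# Rewrite the file so [pam] holds offline_credentials_expiration = 1:
# replace an existing key, insert it into an existing [pam] section, or
# append a new [pam] section. Files are written under a 600 umask because
# sssd refuses to start when its configuration is readable by others.
sssd_set_offline_cred_expiration() {
    f="$1"
    old_umask=$(umask)
    umask u=rw,go=
    tmp="$f.tmp.$$"
    awk '
        function emit() { if (insec && !done) { print "offline_credentials_expiration = 1"; done = 1 } }
        /^[[:space:]]*\[/ { emit(); insec = ($0 ~ /^[[:space:]]*\[pam\]/) }
        insec && /^[[:space:]]*offline_credentials_expiration[[:space:]]*=/ {
            if (!done) { print "offline_credentials_expiration = 1"; done = 1 }
            next
        }
        { print }
        END {
            emit()
            if (!done) { print ""; print "[pam]"; print "offline_credentials_expiration = 1" }
        }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
    umask "$old_umask"
}

# Usage (as root): sssd_offline_cred_compliant /etc/sssd/sssd.conf ||
#                  sssd_set_offline_cred_expiration /etc/sssd/sssd.conf
```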
Rationale
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
- ID
- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    # sssd configuration files must be created with 600 permissions if they don't exist
    # otherwise the sssd module fails to start
    OLD_UMASK=$(umask)
    umask u=rw,go=
    # ... remainder of the remediation (not reproduced on this page) ...
    umask "$OLD_UMASK"
fi
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-020290
  - NIST-800-53-CM-6(a)