Skip to content

Configure SSSD to Expire Offline Credentials

An XCCDF Rule

Description

SSSD should be configured to expire offline credentials after 1 day. Check if SSSD allows cached authentications with the following command:

$ sudo grep cache_credentials /etc/sssd/sssd.conf
cache_credentials = true
If "cache_credentials" is set to "false" or is missing no further checks are required.
To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1

Rationale

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

ID
xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# sssd configuration files must be created with 600 permissions if they don't exist
# otherwise the sssd module fails to start
OLD_UMASK=$(umask)

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-020290
  - NIST-800-53-CM-6(a)