NixOS must prohibit the use of cached authenticators after one day.

An XCCDF Rule

Description

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

ID
SV-268178r1039543_rule
Version
ANIX-00-002050
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

Configure /etc/nixos/configuration.nix to prohibit the use of cached credentials older than one day by adding the following configuration settings. Note that the entire sssd.conf must be entered in this option:

 services.sssd.config = ''
  ...
  [pam]
  offline_credentials_expiration = 1
 '';
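
To confirm the setting in the sssd.conf that results from this option, the following added example (not part of the rule text) audits a file for the value above. The function name `check_offline_expiry` and the path passed to it are assumptions; per sssd.conf(5), an unset option or a value of 0 means cached logins never expire.

```shell
#!/bin/sh
# Added example: audit an sssd.conf for the setting required by this rule.
# Returns 0 only when [pam] sets offline_credentials_expiration to 1 (day),
# 1 when the value is missing or different, 2 when the file is unreadable.
check_offline_expiry() {
    conf=$1
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    value=$(awk '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        /^[ \t]*\[/ {                       # section header such as [pam]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            in_pam = (sec == "pam")
            next
        }
        in_pam && /^[ \t]*offline_credentials_expiration[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)     # drop key and equals sign
            sub(/[ \t]+$/, "", v)           # drop trailing whitespace
            last = v; found = 1             # assumption: a repeated key uses the last value
        }
        END { if (found) print last }
    ' "$conf")
    case $value in
        1)  echo "PASS: offline_credentials_expiration = 1"; return 0 ;;
        "") echo "FAIL: not set in [pam] (default 0 = no limit)"; return 1 ;;
        *)  echo "FAIL: offline_credentials_expiration = $value"; return 1 ;;
    esac
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
printf '[sssd]\nservices = nss, pam\n\n[pam]\noffline_credentials_expiration = 1\n' > "$sample"
check_offline_expiry "$sample"
rm -f "$sample"
```

On a live system, pass the path of the generated file, for example `check_offline_expiry /etc/sssd/sssd.conf` (path assumed).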