Configure SSSD to Expire Offline Credentials

An XCCDF Rule

Description

SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:

[pam]
offline_credentials_expiration = 1

Rationale

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

ID: xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
Severity: Medium
References: 1 12 15 16 5

DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10

CCI-002007

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1

A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3

CM-6(a) IA-5(13)

PR.AC-1 PR.AC-6 PR.AC-7

SRG-OS-000383-GPOS-00166
Updated: about 1 year ago