Configure SSSD to Expire Offline Credentials
An XCCDF Rule
Description
SSSD should be configured to expire offline credentials after 1 day.
To configure SSSD to expire offline credentials, set
offline_credentials_expiration
to 1
under the [pam]
section in /etc/sssd/sssd.conf
. For example:
[pam] offline_credentials_expiration = 1
Rationale
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
- ID
- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-UBTU-20-010441
- NIST-800-53-CM-6(a)
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'sssd-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# sssd configuration files must be created with 600 permissions if they don't exist
# otherwise the sssd module fails to start
OLD_UMASK=$(umask)