OL 8 must prohibit the use of cached authentications after one day.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-248710 | OL08-00-020290 | SV-248710r958828_rule | CCI-002007 | medium |
| Description | ||||
| If cached authentication information is out of date, the validity of the authentication information may be questionable. OL 8 includes multiple options for configuring authentication, but this requirement will focus on the System Security Services Daemon (SSSD). By default, SSSD does not cache credentials. | ||||
| STIG | Date | |||
| Oracle Linux 8 Security Technical Implementation Guide | 2025-05-13 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
IA-5(13)
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-002007
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-248710r958828_chk)
Verify that the SSSD prohibits the use of cached authentications after one day.
Note: If smart card authentication is not being used on the system, this item is not applicable.
Check that SSSD allows cached authentications with the following command:
$ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
cache_credentials = true
If "cache_credentials" is set to "false" or is missing from the configuration file, this is not a finding and no further checks are required.
If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command:
$ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
offline_credentials_expiration = 1
If "offline_credentials_expiration" is not set to a value of "1", this is a finding.
Fix Text (F-52098r943100_fix)
Configure the SSSD to prohibit the use of cached authentications after one day.
Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]".
offline_credentials_expiration = 1