RHEL 10 must prohibit the use of cached authenticators after one day.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-281331 | RHEL-10-701290 | SV-281331r1167143_rule | CCI-002007 | medium |
| Description | ||||
| If cached authentication information is out of date, the validity of the authentication information may be questionable. | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 10 Security Technical Implementation Guide | 2026-03-11 | |||
Details
Check Text (C-281331r1167143_chk)
Verify RHEL 10 System Security Services Daemon (SSSD) prohibits the use of cached authentications after one day with the following command:
Note: Cached authentication settings should be configured even if smart card authentication is not used on the system.
Determine if SSSD allows cached authentications with the following command:
$ sudo grep -irs cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/ | grep -v "^#"
cache_credentials = true
If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required.
If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command:
$ sudo grep -irs offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/ | grep -v "^#"
offline_credentials_expiration = 1
If "offline_credentials_expiration" is not set to a value of "1", this is a finding.
Fix Text (F-85797r1167142_fix)
Configure RHEL 10 SSSD to prohibit the use of cached authentications after one day.
Edit the file "/etc/sssd/sssd.conf" or a configuration file in "/etc/sssd/conf.d" and add or edit the following line just below the line [pam]:
offline_credentials_expiration = 1
Restart the "sssd" service with the following command for the changes to take effect:
$ sudo systemctl restart sssd.service