TOSS 5 must prohibit the use of cached authenticators after one day.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282597TOSS-05-000368SV-282597r1200771_ruleCCI-002007medium
Description
If cached authentication information is out of date, the validity of the authentication information may be questionable.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282597r1200771_chk)

Verify the System Security Services Daemon (SSSD) prohibits the use of cached authentications after one day. Note: If smart card authentication is not being used on the system, this requirement is not applicable. Check that SSSD allows cached authentications using the following command: $ sudo grep cache_credentials /etc/sssd/sssd.conf cache_credentials = true If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required. If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day using the following command: $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1", this is a finding.

Fix Text (F-87063r1200770_fix)

Configure the SSSD to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line [pam]: offline_credentials_expiration = 1