mediumaccess-controlverified ✓
Prohibit use of cached authenticators after one day
sssd-offline-cred-expiry · RHEL ≥ 8 · 1 impl
Description
RHEL 9 must be configured to prohibit the use of cached authenticators after one day to ensure revoked credentials are not usable offline.
Rationale
Cached credentials allow users to authenticate when the authentication server is unavailable. If credentials are revoked (e.g., account terminated), cached credentials could still allow access for an extended period. Limiting cached credential lifetime to one day reduces this window of unauthorized access.
Check → Remediate
Checkcommand
# Check sssd.conf for offline_credentials_expiration
if ! grep -qrE '^\s*offline_credentials_expiration\s*=' /etc/sssd/sssd.conf /etc/sssd/conf.d/ 2>/dev/null; then
echo "FAIL: offline_credentials_expiration not configured in SSSD"
exit 1
fi
value=$(grep -rE '^\s*offline_credentials_expiration\s*=' /etc/sssd/sssd.conf /etc/sssd/conf.d/ 2>/dev/null | \
awk -F'=' '{print $2}' | tr -d ' ' | tail -1)
if [ "$value" -ge 1 ] 2>/dev/null && [ "$value" -le 1 ] 2>/dev/null; then
echo "OK: offline_credentials_expiration=$value"
exit 0
fi
echo "FAIL: offline_credentials_expiration=$value (must be 1)"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add to the [domain/<domain>] section in /etc/sssd/sssd.conf: offline_credentials_expiration = 1 Then restart SSSD: systemctl restart sssd
Framework references
STIG
V-281331 / RHEL-10-701290V-258133 / RHEL-09-631020V-230376
NIST 800-53
IA-5(13)CM-6
Live verification
rhel8:checkrhel9:check
#sssd#authentication#credentials#caching#security