
OL 8 must disable the debug-shell systemd service.

An XCCDF Rule

Description

<VulnDiscussion>The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds a layer of assurance that it will not be enabled via a dependency in "systemd". This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-248872r780182_rule
Severity
Low
Remediation - Manual Procedure

Configure the system to mask the "debug-shell" systemd service with the following command:

$ sudo systemctl mask debug-shell.service

Created symlink /etc/systemd/system/debug-shell.service -> /dev/null
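The following audit helper is an added example and is not part of the STIG rule or its official check content. It shows what "masked" looks like from two angles a compliance scanner would use: the state string `systemctl is-enabled` prints for the unit, and the symlink to /dev/null that `systemctl mask` creates under /etc/systemd/system (the same symlink the remediation output above reports). The helper function names, the `--fix` flag and the DEBUG_SHELL_AUDIT environment-variable guard are this example's own conventions; only the `systemctl mask` command itself comes from the rule.

```shell
#!/bin/sh
# Added example (not from the STIG page): audit OL 8 for a masked debug-shell.service.
# The two helper functions take their inputs as arguments so they can be exercised
# on a machine without systemd; audit_debug_shell() queries the live system.

# Returns 0 when a `systemctl is-enabled` state string means the unit is masked.
# systemd reports "masked" for a permanent mask and "masked-runtime" for a
# runtime-only mask (the latter does not survive a reboot, so it is flagged).
debug_shell_state_is_masked() {
    case "$1" in
        masked) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the given unit file path is a symlink whose target is /dev/null,
# which is exactly what `systemctl mask` creates under /etc/systemd/system.
unit_file_is_masked() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# Live audit: report PASS/FAIL for debug-shell.service and, with --fix,
# apply the STIG remediation (`sudo systemctl mask debug-shell.service`).
audit_debug_shell() {
    unit="debug-shell.service"
    # `is-enabled` exits non-zero for a masked unit but still prints the state,
    # so capture the output regardless of the exit status.
    state=$(systemctl is-enabled "$unit" 2>/dev/null || true)
    if debug_shell_state_is_masked "$state" \
       && unit_file_is_masked "/etc/systemd/system/$unit"; then
        echo "PASS: $unit is masked"
        return 0
    fi
    echo "FAIL: $unit state is '${state:-unknown}' (expected: masked via /dev/null symlink)"
    if [ "${1:-}" = "--fix" ]; then
        sudo systemctl mask "$unit"
    fi
    return 1
}

# Run the live audit only when explicitly requested, e.g.
#   DEBUG_SHELL_AUDIT=1 sh check_debug_shell.sh --fix
if [ "${DEBUG_SHELL_AUDIT:-0}" = 1 ]; then
    audit_debug_shell "$@"
fi
```

Checking both the reported state and the symlink target catches the case where a stale unit file or a vendor drop-in shadows the mask; a "masked-runtime" state is deliberately treated as a finding because it is lost on reboot, which is precisely when the rule says the bypass would matter.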