OL 8 must disable the debug-shell systemd service.
An XCCDF Rule
Description
The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds a layer of assurance that it will not be enabled via a dependency in systemd (a disabled unit can still be pulled in by another unit or started by hand; a masked unit cannot be started at all). This also prevents attackers with physical access from trivially bypassing security on the machine through otherwise valid troubleshooting configurations and gaining root access when the system is rebooted.
- ID
- SV-248872r991589_rule
- Version
- OL08-00-040180
- Severity
- Low
- References
- Updated
Remediation Templates
A Manual Procedure
Configure the system to mask the "debug-shell" systemd service with the following command:
$ sudo systemctl mask debug-shell.service
Created symlink /etc/systemd/system/debug-shell.service -> /dev/null
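The audit helper below is an added example for this rule; it is not part of the STIG, the XCCDF content, or Oracle's tooling. It encodes what the remediation above actually leaves on disk (a symlink at /etc/systemd/system/debug-shell.service pointing to /dev/null) so that it can be run against a staged root filesystem as well as the live host, and it classifies the output of `systemctl is-enabled` so that a runtime-only mask (which lives under /run and does not survive a reboot) or a merely disabled unit is reported as a finding. The function names, the ROOT prefix convention, and the sample state strings in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the STIG or Oracle): audit helper for OL08-00-040180.
# All checks are pure shell so they can be run against a staged root
# (first argument = path prefix) or the live system (empty prefix).

# Check 1: `systemctl mask` creates /etc/systemd/system/<unit> -> /dev/null.
# Returns 0 only if that persistent symlink exists under the given root.
debug_shell_masked_in_root() {
    root="${1:-}"
    link="$root/etc/systemd/system/debug-shell.service"
    [ -L "$link" ] || return 1
    # Plain readlink (not -f): we want the raw target, which must be /dev/null
    # even when $root is a staged tree where /dev/null is not present.
    target=$(readlink "$link") || return 1
    [ "$target" = "/dev/null" ]
}

# Check 2: classify the one-word output of `systemctl is-enabled debug-shell.service`.
# The string is passed in as $1 so the logic can be exercised without systemd.
# Only "masked" satisfies the rule: "masked-runtime" is a /run-only mask that is
# lost at reboot, and "disabled" still allows start-by-dependency or by hand.
classify_is_enabled() {
    case "$1" in
        masked)
            echo "pass: debug-shell.service is masked"; return 0 ;;
        masked-runtime)
            echo "fail: masked only at runtime (not persistent across reboot)"; return 1 ;;
        disabled)
            echo "fail: disabled but not masked (can still be started or pulled in)"; return 1 ;;
        enabled|enabled-runtime|static|indirect|linked|linked-runtime)
            echo "fail: unit can be started ($1)"; return 1 ;;
        "")
            echo "fail: no state reported (systemctl unavailable or unit missing)"; return 1 ;;
        *)
            echo "unknown is-enabled state: $1"; return 2 ;;
    esac
}

# Combined verdict for one root. Exit 0 on pass, 1 on finding.
audit_debug_shell() {
    root="${1:-}"
    if debug_shell_masked_in_root "$root"; then
        echo "OL08-00-040180: pass (debug-shell.service masked under ${root:-/})"
        return 0
    fi
    echo "OL08-00-040180: FAIL under ${root:-/}; remediate with:"
    echo "  sudo systemctl mask debug-shell.service"
    return 1
}

# Live run, only when systemd is actually present on this host.
if command -v systemctl >/dev/null 2>&1; then
    # systemctl is-enabled exits non-zero for masked units; we only want the text.
    classify_is_enabled "$(systemctl is-enabled debug-shell.service 2>/dev/null)"
    audit_debug_shell ""
fi
```

To audit an image or a mounted snapshot rather than the running host, call `audit_debug_shell /mnt/image-root`; the symlink check needs no systemd on the auditing machine. Note that the symlink test is the stronger evidence: `is-enabled` reflects whatever unit files systemd currently sees, including a runtime mask, whereas the /etc symlink is what the reboot will honour.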