Disable debug-shell SystemD Service
An XCCDF Rule
Description
SystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9 which is access by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell SystemD service is already disabled.
The debug-shell service can be disabled with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: master
name: 75-master-debug-shell-disable
spec:
config:
ignition:
version: 3.1.0
systemd:
units:
- enabled: false
name: debug-shell.service
This will disable the debug-shell service in all the
nodes labeled with the "master" role.
Note that this needs to be done for each MachineConfigPool
For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
- ID
- xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - script:ignition
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
version: 3.1.0