Ensure debug-shell service is not enabled during boot
An XCCDF Rule
Description
systemd's debug-shell service is intended to diagnose systemd-related boot issues with various systemctl commands. Once enabled and following a system reboot, a root shell that requires no authentication will be available on tty9, which is accessed by pressing CTRL-ALT-F9. The debug-shell service should only be used for systemd-related issues and should otherwise be disabled. By default, the debug-shell systemd service is already disabled.
Ensure the debug-shell is not enabled by the systemd.debug-shell=1 boot parameter.
Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub does not contain the argument systemd.debug-shell=1.
Note that /etc/default/grub only affects boot entries generated afterwards; kernels that are already installed carry their own argument list, so run the following command to remove the argument (whatever its value) from the command line of every installed kernel:
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
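The check above looks at /etc/default/grub, which only shapes boot entries generated later; an installed kernel can still boot with the argument even when that file is clean, and the running kernel's /proc/cmdline is a third place worth reading. The script below is an added example, not part of the SCAP Security Guide rule or its remediation: it audits all three sources with small functions that take the text to inspect as an argument, so they can be exercised offline on the constructed sample file contents and grubby output embedded in it (nothing here was captured from a real host; the function names are chosen for illustration). It assumes a RHEL-style GRUB2 host with grubby when run in --live mode, and it also matches systemd.debug_shell, because systemd treats '-' and '_' in kernel command-line keys as equivalent.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide rule or its remediation:
# audit helpers that look for the systemd.debug-shell kernel argument.
# Each helper takes the text to inspect as its first argument so it can be
# exercised offline on the constructed samples below; the --live mode at the
# bottom feeds it the real files on a RHEL-style GRUB2/grubby host (assumed).

# True (0) if the space-separated kernel command line in $1 carries the
# systemd.debug-shell key. systemd treats '-' and '_' in command-line keys as
# equivalent, so systemd.debug_shell is reported too. Any value is reported
# (bare key, =1, =0 or a tty name), mirroring the remediation, which removes
# the argument outright instead of reasoning about its value.
cmdline_has_debug_shell() {
    # '_' -> '-', tabs/newlines -> spaces; pad with spaces so the patterns
    # below only match a whole token, not e.g. systemd.debug-shellx=1.
    norm=" $(printf '%s' "$1" | tr '_\t\n' '-  ') "
    case "$norm" in
        *" systemd.debug-shell "*|*" systemd.debug-shell="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Value of GRUB_CMDLINE_LINUX in /etc/default/grub contents ($1), without its
# double quotes. The last assignment wins, as when grub2-mkconfig sources the file.
grub_default_cmdline() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=//p' \
        | tail -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# True if /etc/default/grub contents ($1) would put the argument on the
# command line of every boot entry generated in future by grub2-mkconfig.
grub_default_has_debug_shell() {
    cmdline_has_debug_shell "$(grub_default_cmdline "$1")"
}

# True if any args="..." line in `grubby --info=ALL` output ($1) carries the
# argument, i.e. an already installed kernel boots with it.
grubby_info_has_debug_shell() {
    printf '%s\n' "$1" \
        | sed -n 's/^args="\(.*\)"$/\1/p' \
        | while IFS= read -r args; do
              cmdline_has_debug_shell "$args" && echo hit
          done \
        | grep -q hit
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_GRUB_WEAK='GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rhel-swap rhgb quiet systemd.debug-shell=1"
GRUB_DISABLE_RECOVERY="true"'
SAMPLE_GRUB_OK='GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rhel-swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"'
# The newest kernel is clean, but an older installed entry still boots with
# the (underscore, valueless) form of the key: /etc/default/grub would not show it.
SAMPLE_GRUBBY_WEAK='index=0
kernel="/boot/vmlinuz-5.14.0-100.el9.x86_64"
args="ro crashkernel=auto resume=/dev/mapper/rhel-swap rhgb quiet"
root="/dev/mapper/rhel-root"
initrd="/boot/initramfs-5.14.0-100.el9.x86_64.img"
title="Red Hat Enterprise Linux (5.14.0-100.el9.x86_64) 9"
index=1
kernel="/boot/vmlinuz-5.14.0-90.el9.x86_64"
args="ro crashkernel=auto resume=/dev/mapper/rhel-swap rhgb quiet systemd.debug_shell"
root="/dev/mapper/rhel-root"
initrd="/boot/initramfs-5.14.0-90.el9.x86_64.img"
title="Red Hat Enterprise Linux (5.14.0-90.el9.x86_64) 9"'

# Live audit on a host: sh audit-debug-shell.sh --live  (exit 1 on any finding)
if [ "${1:-}" = "--live" ]; then
    rc=0
    [ -r /etc/default/grub ] && grub_default_has_debug_shell "$(cat /etc/default/grub)" \
        && { echo "FAIL /etc/default/grub: GRUB_CMDLINE_LINUX sets systemd.debug-shell"; rc=1; }
    cmdline_has_debug_shell "$(cat /proc/cmdline)" \
        && { echo "FAIL /proc/cmdline: running kernel was booted with systemd.debug-shell"; rc=1; }
    command -v grubby >/dev/null && grubby_info_has_debug_shell "$(grubby --info=ALL 2>/dev/null)" \
        && { echo "FAIL grubby: an installed kernel entry carries systemd.debug-shell"; rc=1; }
    exit $rc
fi
```

Matching is done on whole tokens after normalising '_' to '-', so a key such as systemd.debug-shellx=1 is not a false positive, while the bare key and any value are all reported, which is the same policy the grubby remediation applies when it strips the argument.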
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
- ID: xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
- Severity: Medium
- References:
- Updated:
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_systemd_debug-shell_argument_absent
  - low_disruption
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    grubby --update-kernel=ALL --remove-args=systemd.debug-shell --env=/boot/grub2/grubenv
else