Ensure debug-shell service is not enabled in zIPL

An XCCDF Rule

Description

systemd's debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for systemd related issues and should otherwise be disabled.

By default, the debug-shell systemd service is already disabled. Ensure the debug-shell is not enabled by the systemd.debug-shel=1 boot paramenter option. Check that not boot entries in /boot/loader/entries/*.conf have systemd.debug-shell=1 included in its options.
To ensure that new kernels and boot entries don't enable the debug-shell, check that systemd.debug-shell=1 is not present in /etc/kernel/cmdline.

Rationale

This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

ID: xccdf_org.ssgproject.content_rule_zipl_systemd_debug-shell_argument_absent
Severity: Medium
References: FIA_UAU.1
Updated: about 1 month ago

Remediation Templates

- name: Ensure BLS boot entries options contain systemd.debug-shell
  block:
  - name: Check how many boot entries set systemd.debug-shell
    find:
      paths: /boot/loader/entries/
      contains: ^options .*systemd\.debug-shell.*$      patterns: '*.conf'
    register: n_entries

  - name: Remove systemd.debug-shell from boot entries
    command: grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
    when: n_entries is defined and n_entries.matched >= 1

  - name: Check if /etc/kernel/cmdline exists
    stat:
      path: /etc/kernel/cmdline
    register: cmdline_stat

  - name: Check if /etc/kernel/cmdline contains systemd.debug-shell
    find:
      paths: /etc/kernel/
      patterns: cmdline
      contains: ^.*systemd\.debug-shell.*$
    register: cmdline_find

  - name: Remove systemd.debug-shell from /etc/kernel/cmdline
    lineinfile:
      path: /etc/kernel/cmdline
      backrefs: true
      regexp: ^(.*)\s*systemd.debug-shell\b\S*(.*)$
      line: \1\2
    when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is
      defined and cmdline_find.matched >= 1
  when:
  - ansible_architecture == "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - configure_strategy
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - zipl_systemd_debug-shell_argument_absent

# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Correct BLS option using grubby, which is a thin wrapper around BLS operations
grubby --update-kernel=ALL --remove-args="systemd.debug-shell"

# Ensure new kernels and boot entries retain the boot optionif grep -q '\bsystemd.debug-shell\b' /etc/kernel/cmdline; then
    sed -Ei 's/^(.*)\s*systemd.debug-shell\b\S*(.*)/\1\2/' /etc/kernel/cmdline
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure debug-shell service is not enabled in zIPL

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script