Skip to content

Disable debug-shell SystemD Service

An XCCDF Rule

Description

SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following command:

$ sudo systemctl mask --now debug-shell.service

Rationale

This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

ID
xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'debug-shell.service'
"$SYSTEMCTL_EXEC" disable 'debug-shell.service'

Remediation - OS Build Blueprint


[customizations.services]
disabled = ["debug-shell"]

Remediation - Puppet

include disable_debug-shell

class disable_debug-shell {
  service {'debug-shell':
    enable => false,
    ensure => 'stopped',

Remediation - Ansible

- name: Block Disable service debug-shell
  block:

  - name: Disable service debug-shell
    block: