Disable debug-shell SystemD Service
An XCCDF Rule
Description
SystemD's debug-shell
service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9
which is access by pressing
CTRL-ALT-F9
. The debug-shell
service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell
SystemD service is already disabled.
The debug-shell
service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
- ID
- xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["debug-shell"]
Remediation - Puppet
include disable_debug-shell
class disable_debug-shell {
service {'debug-shell':
enable => false,
ensure => 'stopped',
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'debug-shell.service'
"$SYSTEMCTL_EXEC" disable 'debug-shell.service'
Remediation - Ansible
- name: Block Disable service debug-shell
block:
- name: Disable service debug-shell
block: