Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-248872 | OL08-00-040180 | SV-248872r780182_rule | Low |
Description |
---|
The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds a layer of assurance that it will not be enabled via a dependency in "system". This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. |
STIG | Date |
---|---|
Oracle Linux 8 Security Technical Implementation Guide | 2023-06-02 |
Check Text ( C-52306r780180_chk ) |
---|
Verify OL 8 is configured to mask the "debug-shell systemd" service with the following command: $ sudo systemctl status debug-shell.service debug-shell.service Loaded: masked (Reason: Unit debug-shell.service is masked.) Active: inactive (dead) If the "debug-shell.service" is loaded and not masked, this is a finding. |
Fix Text (F-52260r780181_fix) |
---|
Configure the system to mask the "debug-shell systemd" service with the following command: $ sudo systemctl mask debug-shell.service Created symlink /etc/systemd/system/debug-shell.service -> /dev/null Reload the daemon to take effect: $ sudo systemctl daemon-reload |