Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
OL 8 must disable the debug-shell systemd service.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-248872 | OL08-00-040180 | SV-248872r780182_rule | Low |
| Description |
|---|
| The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds a layer of assurance that it will not be enabled via a dependency in "system". This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. |
| STIG | Date |
|---|---|
| Oracle Linux 8 Security Technical Implementation Guide | 2024-02-19 |
Details
| Check Text ( C-52306r780180_chk ) |
|---|
| Verify OL 8 is configured to mask the "debug-shell systemd" service with the following command: $ sudo systemctl status debug-shell.service debug-shell.service Loaded: masked (Reason: Unit debug-shell.service is masked.) Active: inactive (dead) If the "debug-shell.service" is loaded and not masked, this is a finding. |
| Fix Text (F-52260r780181_fix) |
|---|
| Configure the system to mask the "debug-shell systemd" service with the following command: $ sudo systemctl mask debug-shell.service Created symlink /etc/systemd/system/debug-shell.service -> /dev/null Reload the daemon to take effect: $ sudo systemctl daemon-reload |