UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The debug-shell systemd service must be disabled on TOSS.


Overview

Finding ID Version Rule ID IA Controls Severity
V-252936 TOSS-04-010340 SV-252936r824132_rule Medium
Description
The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
STIG Date
Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide 2022-08-29

Details

Check Text ( C-56389r824130_chk )
Verify TOSS is configured to mask the debug-shell systemd service with the following command:

$ sudo systemctl status debug-shell.service

debug-shell.service
Loaded: masked (Reason: Unit debug-shell.service is masked.)
Active: inactive (dead)

If the "debug-shell.service" is loaded and not masked, this is a finding.
Fix Text (F-56339r824131_fix)
Configure the system to mask the debug-shell systemd service with the following command:

$ sudo systemctl mask debug-shell.service

Created symlink /etc/systemd/system/debug-shell.service -> /dev/null

Reload the daemon to take effect.

$ sudo systemctl daemon-reload