The Photon operating system must disable the debug-shell service.


Finding ID: V-239152
Version: PHTN-67-000081
Rule ID: SV-239152r675264_rule
IA Controls:
Severity: Medium
The debug-shell service is intended to diagnose system-related boot issues with various systemctl commands. Once enabled, a root shell becomes available on tty9 after the next system reboot. This service must remain disabled until and unless otherwise directed by VMware support.
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide 2022-06-17


Check Text (C-42363r675262_chk)
At the command line, execute the following command:

# systemctl status debug-shell.service|grep -E --color=always disabled

If the debug-shell service is not disabled, this is a finding.
Fix Text (F-42322r675263_fix)
At the command line, execute the following commands:

# systemctl stop debug-shell.service
# systemctl disable debug-shell.service

Reboot for changes to take effect.
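As an added example (not part of the STIG text), the following POSIX shell check evaluates this rule from the output of systemctl is-enabled and systemctl is-active rather than grepping colourised status output, so a unit that is still running before the reboot in the fix is reported as well as one that is merely enabled. The unit name is from the rule; the function names are assumptions.

```shell
#!/bin/sh
# Added example for PHTN-67-000081; not part of the STIG. Checks both the
# enable state (will it start at boot?) and the active state (is it running
# now?) of debug-shell.service. Function names are assumptions.
UNIT="debug-shell.service"

# debug_shell_compliant <enable-state> <active-state>
# Arguments are the words printed by `systemctl is-enabled` and
# `systemctl is-active`. Returns 0 when compliant, 1 when this is a finding.
debug_shell_compliant() {
  enable_state="$1"
  active_state="$2"
  case "$enable_state" in
    disabled|masked|masked-runtime) ;;  # will not start at boot
    *) return 1 ;;                      # enabled, static, indirect, unknown...
  esac
  case "$active_state" in
    inactive|failed) return 0 ;;        # not running now
    *) return 1 ;;                      # active/activating: root shell on tty9
  esac
}

# check_debug_shell: query the live system and print a STIG-style verdict.
# Exits 0 on PASS, 1 on FINDING (including when systemctl is unavailable).
check_debug_shell() {
  enable_state=$(systemctl is-enabled "$UNIT" 2>/dev/null || true)
  active_state=$(systemctl is-active "$UNIT" 2>/dev/null || true)
  enable_state="${enable_state:-unknown}"
  active_state="${active_state:-unknown}"
  if debug_shell_compliant "$enable_state" "$active_state"; then
    echo "PASS V-239152: $UNIT is $enable_state / $active_state"
    return 0
  fi
  echo "FINDING V-239152: $UNIT is $enable_state (enable) / $active_state (active)"
  return 1
}

# Run the live check only when invoked as: sh check.sh --check
case "${1-}" in
  --check) check_debug_shell ;;
esac
```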