1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
documentation_complete: true
title: 'Disable debug-shell SystemD Service'
description: |-
SystemD's <tt>debug-shell</tt> service is intended to
diagnose SystemD related boot issues with various <tt>systemctl</tt>
commands. Once enabled and following a system reboot, the root shell
will be available on <tt>tty9</tt> which is access by pressing
<tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used
for SystemD related issues and should otherwise be disabled.
<br /><br />
By default, the <tt>debug-shell</tt> SystemD service is already disabled.
{{{ describe_service_disable(service="debug-shell") }}}
rationale: |-
This prevents attackers with physical access from trivially bypassing security
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted.
severity: medium
identifiers:
cce@rhcos4: CCE-82496-1
cce@rhel8: CCE-80876-6
cce@rhel9: CCE-90724-6
cce@rhel10: CCE-90212-2
cce@sle15: CCE-91421-8
references:
cui: 3.4.5
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
nist: CM-6
ospp: FIA_UAU.1
srg: SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227
stigid@ol8: OL08-00-040180
ocil_clause: |-
{{{ ocil_clause_service_disabled(service="debug-shell") }}}
ocil: |-
{{{ ocil_service_disabled(service="debug-shell") }}}
fixtext: '{{{ srg_requirement_service_disabled("debug-shell") }}}'
srg_requirement: '{{{ srg_requirement_service_disabled("debug-shell") }}}'
template:
name: service_disabled
vars:
servicename: debug-shell
packagename: systemd
|
