Title

Amazon Linux 2023 debug-shell systemd service must be disabled. (Cat II impact)

Discussion

The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Check Content

Verify Amazon Linux 2023 is configured to mask the debug-shell systemd service with the following command: $ sudo systemctl status debug-shell.service O debug-shell.service Loaded: masked (Reason: Unit debug-shell.service is masked.) Active: inactive (dead) If the "debug-shell.service" is loaded and not masked, this is a finding.

Fix Text

Configure Amazon Linux 2023 to mask the debug-shell systemd service with the following command: $ sudo systemctl disable --now debug-shell.service $ sudo systemctl mask --now debug-shell.service

Additional Identifiers

Rule ID: SV-274173r1120507_rule

Vulnerability ID: V-274173

Group Title: SRG-OS-000324-GPOS-00125

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.