Check: RHEL-09-211055
RHEL 9 STIG:
RHEL-09-211055
(in versions v1 r3 through v1 r1)
Title
RHEL 9 debug-shell systemd service must be disabled. (Cat II impact)
Discussion
The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
Check Content
Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command: $ sudo systemctl status debug-shell.service debug-shell.service Loaded: masked (Reason: Unit debug-shell.service is masked.) Active: inactive (dead) If the "debug-shell.service" is loaded and not masked, this is a finding.
Fix Text
Configure RHEL 9 to mask the debug-shell systemd service with the following command: $ sudo systemctl disable --now debug-shell.service $ sudo systemctl mask --now debug-shell.service
Additional Identifiers
Rule ID: SV-257786r943026_rule
Vulnerability ID: V-257786
Group Title: SRG-OS-000324-GPOS-00125
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 |
The organization implements the security configuration settings. |
| CCI-002235 |
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |