OL 8 must disable the debug-shell systemd service.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-248872 | OL08-00-040180 | SV-248872r991589_rule | CCI-000366 | low |

Description

The debug-shell (a root shell that debug-shell.service spawns on tty9) requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds a layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

| STIG | Date |
|---|---|
| Oracle Linux 8 Security Technical Implementation Guide | 2025-05-13 |
Details
Check Text (C-248872r991589_chk)
Verify OL 8 is configured to mask the "debug-shell systemd" service with the following command:
$ sudo systemctl status debug-shell.service
debug-shell.service
Loaded: masked (Reason: Unit debug-shell.service is masked.)
Active: inactive (dead)
If the "debug-shell.service" is loaded and not masked, this is a finding.
Fix Text (F-52260r780181_fix)
Configure the system to mask the "debug-shell systemd" service with the following command:
$ sudo systemctl mask debug-shell.service
Created symlink /etc/systemd/system/debug-shell.service -> /dev/null
Reload the daemon to take effect:
$ sudo systemctl daemon-reload
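The check and fix above can be scripted for fleet audits. The following POSIX shell script is an added example, not part of the STIG text or of any Oracle tooling. It reads the unit's LoadState and UnitFileState through `systemctl show --value` (available on OL 8's systemd) instead of scraping `systemctl status`, and it treats a runtime-only mask (`masked-runtime`, a symlink under /run that vanishes at reboot) as still Open, since the STIG wants the persistent /etc/systemd/system symlink. The function names and the "Open"/"NotAFinding" verdict strings are this example's own choices.

```shell
#!/bin/sh
# Added example for OL08-00-040180, not part of the STIG text.
# Assumes systemd's `systemctl show -p <prop> --value` (systemd >= 230) and
# its LoadState / UnitFileState property values.

UNIT="debug-shell.service"

# classify_state LOADSTATE UNITFILESTATE
# Pure decision logic, so it can be exercised without systemd present.
# Prints a verdict; exit status 0 = not a finding, 1 = finding.
classify_state() {
    load_state="$1"
    file_state="$2"
    case "$load_state" in
        masked)
            if [ "$file_state" = "masked-runtime" ]; then
                # Mask symlink lives under /run, so it is lost at reboot.
                echo "Open: $UNIT is masked only at runtime, not persistently"
                return 1
            fi
            # Persistent mask: /etc/systemd/system/$UNIT -> /dev/null
            echo "NotAFinding: $UNIT is masked"
            return 0
            ;;
        not-found)
            # No unit file at all, so no dependency can pull it in.
            echo "NotAFinding: $UNIT is not present on this system"
            return 0
            ;;
        *)
            # loaded (enabled/disabled/static), stub, error, ...: an unmasked unit.
            echo "Open: $UNIT is loaded and not masked (LoadState=$load_state UnitFileState=$file_state)"
            return 1
            ;;
    esac
}

# check_debug_shell: query systemd and classify. This is the scripted form of
# reading the "Loaded:" line of `systemctl status debug-shell.service`.
check_debug_shell() {
    load_state=$(systemctl show -p LoadState --value "$UNIT" 2>/dev/null || echo error)
    file_state=$(systemctl show -p UnitFileState --value "$UNIT" 2>/dev/null || true)
    classify_state "$load_state" "$file_state"
}

# remediate_debug_shell: apply the Fix Text (must run as root).
remediate_debug_shell() {
    systemctl mask "$UNIT" && systemctl daemon-reload
}

# Usage: ./debug-shell-stig.sh check   |   ./debug-shell-stig.sh remediate
case "${1:-}" in
    check)     check_debug_shell ;;
    remediate) remediate_debug_shell ;;
esac
```

Run `check` as any user to get the verdict and an exit status usable from a scanner wrapper; run `remediate` as root to create the /dev/null symlink exactly as the Fix Text does.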