RHEL 9 debug-shell systemd service must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-257786 | RHEL-09-211055 | SV-257786r1044834_rule | CCI-002235 | medium |
| Description | ||||
| The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2025-05-14 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-6(10)
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.7
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-002235
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-257786r1044834_chk)
Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command:
$ sudo systemctl status debug-shell.service
debug-shell.service
Loaded: masked (Reason: Unit debug-shell.service is masked.)
Active: inactive (dead)
If the "debug-shell.service" is loaded and not masked, this is a finding.
Fix Text (F-61451r943025_fix)
Configure RHEL 9 to mask the debug-shell systemd service with the following command:
$ sudo systemctl disable --now debug-shell.service
$ sudo systemctl mask --now debug-shell.service