The Photon operating system must disable the debug-shell service.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256546 | PHTN-30-000076 | SV-256546r991589_rule | CCI-000366 | medium |
| Description | ||||
| The debug-shell service is intended to diagnose systemd-related boot issues with various "systemctl" commands. Once enabled and following a system reboot, the root shell will be available on tty9. This service must remain disabled until and unless otherwise directed by VMware support. | ||||
| STIG | Date | |||
| VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide | 2024-12-16 | |||
Details
Check Text (C-256546r991589_chk)
At the command line, run the following command:
# systemctl status debug-shell.service|grep -E --color=always disabled
If the debug-shell service is not disabled, this is a finding.
Fix Text (F-60164r887311_fix)
At the command line, run the following commands:
# systemctl stop debug-shell.service
# systemctl disable debug-shell.service
Reboot for changes to take effect.