← Back to Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

V-282559

CAT II (Medium)

The TOSS 5 debug-shell systemd service must be disabled.

Rule ID

SV-282559r1200657_rule

STIG

Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002235

Discussion

The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Check Content

Verify TOSS 5 is configured to mask the "debug-shell systemd" service using the following command:

$ sudo systemctl status debug-shell.service

debug-shell.service
Loaded: masked (Reason: Unit debug-shell.service is masked.)
Active: inactive (dead)

If the "debug-shell.service" is loaded and not masked, this is a finding.

Fix Text

Configure TOSS 5 to mask the "debug-shell systemd" service using the following command:

$ sudo systemctl disable --now debug-shell.service
$ sudo systemctl mask --now debug-shell.service