STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to Red Hat Enterprise Linux 8 Security Technical Implementation Guide

V-230532

CAT II (Medium)

The debug-shell systemd service must be disabled on RHEL 8.

Rule ID

SV-230532r1017294_rule

STIG

Red Hat Enterprise Linux 8 Security Technical Implementation Guide

Version

V2R7

CCIs

CCI-000366

Discussion

The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Check Content

Verify RHEL 8 is configured to mask the debug-shell systemd service with the following command:

$ sudo systemctl status debug-shell.service

debug-shell.service
Loaded: masked (Reason: Unit debug-shell.service is masked.)
Active: inactive (dead)

If the "debug-shell.service" is loaded and not masked, this is a finding.

Fix Text

Configure the system to mask the debug-shell systemd service with the following command:

$ sudo systemctl mask debug-shell.service

Created symlink /etc/systemd/system/debug-shell.service -> /dev/null

Reload the daemon to take effect.

$ sudo systemctl daemon-reload