OL 8 must disable the debug-shell systemd service.
Severity | Group ID | Group Title (SRG) | Version (STIG ID) | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
low | V-248872 | SRG-OS-000480-GPOS-00227 | OL08-00-040180 | SV-248872r991589_rule | 2025-02-20 | 2 |
Description |
---|
The debug shell requires no authentication and gives root privileges to anyone with physical access to the machine. Although the unit is disabled by default, masking it adds a layer of assurance that it cannot be enabled through a dependency in systemd, since a masked unit refuses every form of activation, not only `systemctl enable`. This also prevents an attacker with physical access from trivially bypassing the system's security through an otherwise valid troubleshooting configuration and obtaining root access when the system is rebooted. |
ℹ️ Check |
---|
Verify OL 8 is configured to mask the `debug-shell.service` systemd unit by running `sudo systemctl status debug-shell.service`. The expected output shows `Loaded: masked (Reason: Unit debug-shell.service is masked.)` and `Active: inactive (dead)`. If `debug-shell.service` is loaded and not masked, this is a finding. Note that `systemctl status` exits non-zero for any inactive unit, so its exit code is not a usable pass/fail signal in a script; `systemctl is-enabled debug-shell.service` prints `masked` on a correctly configured system. |
✔️ Fix |
---|
Configure the system to mask the `debug-shell.service` systemd unit by running `sudo systemctl mask debug-shell.service`, which reports `Created symlink /etc/systemd/system/debug-shell.service -> /dev/null`. Then reload the daemon so the change takes effect: `sudo systemctl daemon-reload`. Masking by itself does not stop an instance that is already running; `sudo systemctl mask --now debug-shell.service` masks and stops the unit in one step. Do not use `--runtime`, which places the mask under /run and loses it at the next reboot. |
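The following is an added shell example, not text from the STIG or code from Oracle, that turns the check above into a pass/finding decision based on the `LoadState` and `UnitFileState` properties reported by `systemctl show`, instead of reading `systemctl status` output by eye. It assumes `systemctl show` is available on the audited host; the function names are the example's own. It also treats a runtime-only mask (`masked-runtime`) as a finding, because that mask lives under /run and disappears at exactly the reboot the description warns about.

```shell
#!/bin/sh
# Added example for V-248872 (OL08-00-040180); not part of the STIG text.
# Evaluates the check from systemd's own state properties. "systemctl status"
# exits non-zero for any inactive unit, so it cannot serve as a pass/fail signal.
#
# Assumptions (this example's own): "systemctl show" exists on the audited
# host; function names below are invented for the example.
set -u

UNIT="debug-shell.service"

# classify_debug_shell LOAD_STATE UNIT_FILE_STATE
# Prints "pass" or "finding" on stdout and a reason on stderr.
# Returns 0 for pass, 1 for finding.
classify_debug_shell() {
    load_state="$1"
    unit_file_state="$2"
    case "$unit_file_state" in
        masked)
            # /etc/systemd/system/debug-shell.service -> /dev/null: persistent mask.
            echo "pass"
            echo "$UNIT is persistently masked" >&2
            return 0 ;;
        masked-runtime)
            # "systemctl mask --runtime" puts the symlink under /run; it is gone
            # after reboot, which is when the debug shell would be activated.
            echo "finding"
            echo "$UNIT is masked only at runtime (not persistent across reboot)" >&2
            return 1 ;;
    esac
    case "$load_state" in
        not-found)
            # No unit file installed at all: nothing can be loaded, so no finding.
            echo "pass"
            echo "$UNIT has no unit file on this host" >&2
            return 0 ;;
        *)
            echo "finding"
            echo "$UNIT is loaded (LoadState=$load_state, UnitFileState=${unit_file_state:-<none>}) and not masked" >&2
            return 1 ;;
    esac
}

# classify_show_output RAW
# RAW is the text printed by:
#   systemctl show -p LoadState,UnitFileState debug-shell.service
# i.e. "Key=value" lines. Missing keys yield empty values.
classify_show_output() {
    raw="$1"
    load_state=$(printf '%s\n' "$raw" | sed -n 's/^LoadState=//p')
    unit_file_state=$(printf '%s\n' "$raw" | sed -n 's/^UnitFileState=//p')
    classify_debug_shell "$load_state" "$unit_file_state"
}

# check_live: query the running systemd on this host and classify the result.
# Returns 2 if systemctl itself fails (e.g. no systemd in this environment).
check_live() {
    raw=$(systemctl show -p LoadState,UnitFileState "$UNIT") || {
        echo "error"
        echo "systemctl show failed for $UNIT" >&2
        return 2
    }
    classify_show_output "$raw"
}

# Only touch the live host when asked, so the functions can also be
# exercised against captured "systemctl show" output.
case "${1:-}" in
    --live) check_live ;;
esac
```

Run it as `sh check_debug_shell.sh --live`; the exit status is 0 for pass, 1 for a finding and 2 if `systemctl` could not be queried, which makes it usable from a compliance job. The classification deliberately fails closed: any state that is not an explicit persistent mask or an absent unit file is reported as a finding.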