RHEL-09-211055 - RHEL 9 debug-shell systemd service must be disabled.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227


Configure RHEL 9 to mask the debug-shell systemd service with the following command:

$ sudo systemctl disable --now debug-shell.target
$ sudo systemctl mask --now debug-shell.target

See Also


Item Details

References: CAT|II, CCI|CCI-000366, CCI|CCI-002235, Rule-ID|SV-257786r925345_rule, STIG-ID|RHEL-09-211055, Vuln-ID|V-257786

Plugin: Unix

Control ID: b59b7c36743b5526d52120fcc24fd27fa9cc6f6036edc6e743a07ae578dd6c60