{"description": "SystemD's <tt>debug-shell</tt> service is intended to\ndiagnose SystemD related boot issues with various <tt>systemctl</tt>\ncommands. Once enabled and following a system reboot, the root shell\nwill be available on <tt>tty9</tt> which is accessed by pressing\n<tt>CTRL-ALT-F9</tt>. The <tt>debug-shell</tt> service should only be used\nfor SystemD related issues and should otherwise be disabled.\n<br /><br />\nBy default, the <tt>debug-shell</tt> SystemD service is already disabled.\n\nThe <code>debug-shell</code> service can be disabled with the following command:\n<pre>$ sudo systemctl mask --now debug-shell.service</pre>", "rationale": "This prevents attackers with physical access from trivially bypassing security\non the machine through valid troubleshooting configurations and gaining root\naccess when the system is rebooted.", "severity": "medium", "references": {"cui": ["3.4.5"], "hipaa": ["164.308(a)(1)(ii)(B)", "164.308(a)(7)(i)", "164.308(a)(7)(ii)(A)", "164.310(a)(1)", "164.310(a)(2)(i)", "164.310(a)(2)(ii)", "164.310(a)(2)(iii)", "164.310(b)", "164.310(c)", "164.310(d)(1)", "164.310(d)(2)(iii)"], "nist": ["CM-6"], "ospp": ["FIA_UAU.1"], "srg": ["SRG-OS-000324-GPOS-00125", "SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"debug-shell\" is loaded and not masked", "ocil": "To check that the <code>debug-shell</code> service is disabled in system boot configuration,\nrun the following command:\n<pre>$ sudo systemctl is-enabled <code>debug-shell</code></pre>\nOutput should indicate the <code>debug-shell</code> service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n<pre>$ sudo systemctl is-enabled <code>debug-shell</code><br/> disabled</pre>\n\nRun the following command to verify <code>debug-shell</code> is not active (i.e. not running) through current runtime configuration:\n<pre>$ sudo systemctl is-active debug-shell</pre>\n\nIf the service is not running the command will return the following output:\n<pre>inactive</pre>\n\nThe service will also be masked. To check that the <code>debug-shell</code> is masked, run the following command:\n<pre>$ sudo systemctl show <code>debug-shell</code> | grep \"LoadState\\|UnitFileState\"</pre>\n\nIf the service is masked the command will return the following outputs:\n\n<pre>LoadState=masked</pre>\n\n<pre>UnitFileState=masked</pre>", "oval_external_content": null, "fixtext": "The Ubuntu 22.04 service debug-shell must be disabled.", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 service debug-shell must be disabled.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 debug-shell systemd service must be disabled.", "vuldiscussion": "The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.", "checktext": "Verify Ubuntu 22.04 is configured to mask the debug-shell systemd service with the following command:\n\n$ sudo systemctl status debug-shell.service\n\ndebug-shell.service\nLoaded: masked (Reason: Unit debug-shell.service is masked.)\nActive: inactive (dead)\n\nIf the \"debug-shell.service\" is loaded and not masked, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to mask the debug-shell systemd service with the following command:\n\n$ sudo systemctl disable --now debug-shell.service\n$ sudo systemctl mask --now debug-shell.service"}}, "platform": null, "platforms": [], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "service_debug-shell_disabled.sh", "relative_path": "ubuntu2204/checks/sce/service_debug-shell_disabled.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable debug-shell SystemD Service", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml", "template": {"name": "service_disabled", "vars": {"servicename": "debug-shell", "packagename": "systemd"}, "backends": {}}}