{"description": "<tt>debugfs</tt> is a virtual file system that kernel developers use to put debugging files\ninto. Enable this option to be able to read and write to these files.\n\nThe configuration that was used to build the kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_DEBUG_FS</tt>, run the following command:\n    <tt>grep CONFIG_DEBUG_FS /boot/config-*</tt>\n    \n    Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n    lines should be returned.\n    ", "rationale": "To reduce the attack surface, this file system should be disabled if not in use.", "severity": "low", "references": {"anssi": ["R15"]}, "control_references": {"anssi": ["R15"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_DEBUG_FS /boot/config-*</pre>\n    \n    Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n    lines should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable kernel debugfs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_DEBUG_FS", "value": "n"}, "backends": {}}}