Puppet Class: cis_security_hardening::rules::debug_shell

Defined in:
manifests/rules/debug_shell.pp

Summary

Ensure the operating system is configured to mask the debug-shell systemd service

Overview

The debug-shell systemd service must be disabled.

Rationale: The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Examples:

class { 'cis_security_hardening::rules::debug_shell':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.


# File 'manifests/rules/debug_shell.pp', line 22

class cis_security_hardening::rules::debug_shell (
  Boolean $enforce = false,
) {
  if $enforce {
    # Masking links the unit to /dev/null so it cannot be started, even as a
    # dependency of another unit. The onlyif keeps the exec idempotent: it runs
    # only while `systemctl status` does not already report "Loaded: masked".
    exec { 'mask debug-shell':
      command => 'systemctl mask debug-shell.service',
      path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      onlyif  => 'test -z "$(systemctl status debug-shell.service | grep -i "Loaded: masked")"',
      # Reload unit files after masking; this exec is provided by the module.
      notify  => Exec['systemd-daemon-reload'],
    }
  }
}
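To audit the control outside Puppet (for example in a compliance script), here is an added example that is not part of the cis_security_hardening module. It assumes systemctl's usual status output, the default admin unit directory /etc/systemd/system, and that `systemctl mask` links the unit to /dev/null; the two sample status texts are constructed.

```sh
#!/bin/sh
# Added example, not code from the cis_security_hardening module. It answers the
# same question as the Puppet onlyif (is debug-shell.service masked?) in two
# independent ways, so an image or chroot without a running systemd can be
# audited from the unit directory alone.

UNIT='debug-shell.service'

# Constructed sample outputs of `systemctl status debug-shell.service`.
MASKED_STATUS="$UNIT
     Loaded: masked (Reason: Unit $UNIT is masked.)
     Active: inactive (dead)"
UNMASKED_STATUS="$UNIT - Early root shell on /dev/tty9 FOR DEBUGGING ONLY
     Loaded: loaded (/lib/systemd/system/$UNIT; disabled; vendor preset: disabled)
     Active: inactive (dead)"

# Return 0 if the status text on stdin reports the unit as masked. Anchored on
# the "Loaded:" field so the word "masked" elsewhere in the output is ignored.
status_reports_masked() {
  grep -qi '^[[:space:]]*Loaded:[[:space:]]*masked'
}

# Return 0 if the on-disk mask is present: a unit file that is a symlink to
# /dev/null. $1 overrides the unit directory (assumption: default is
# /etc/systemd/system) so the check can run against a constructed tree.
unit_symlink_masked() {
  dir="${1:-/etc/systemd/system}"
  [ "$(readlink "$dir/$UNIT" 2>/dev/null)" = "/dev/null" ]
}

# Live audit: prints the verdict and returns 0 only when the unit is masked.
# Tries systemctl first, then falls back to the symlink check in $1.
audit_debug_shell() {
  if command -v systemctl >/dev/null 2>&1 &&
     systemctl status "$UNIT" 2>/dev/null | status_reports_masked; then
    echo "$UNIT: MASKED (reported by systemctl)"; return 0
  fi
  if unit_symlink_masked "$1"; then
    echo "$UNIT: MASKED (unit file links to /dev/null)"; return 0
  fi
  echo "$UNIT: NOT MASKED"; return 1
}
```

Run `audit_debug_shell` on a host to get a non-zero exit status whenever the control is not in place, which makes it usable directly as a check in a CI or compliance pipeline.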