The Photon operating system must disable the debug-shell service.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258873	PHTN-40-000210	SV-258873r991589_rule		Medium

Description

The debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9. This service must remain disabled until and unless otherwise directed by VMware support.

STIG	Date
VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide	2024-07-11

Details

Check Text (C-62613r933678_chk)

At the command line, run the following command to verify the debug-shell service is disabled:

# systemctl status debug-shell.service

If the debug-shell service is not stopped and disabled, this is a finding.

Fix Text (F-62522r933679_fix)

At the command line, run the following commands:

# systemctl stop debug-shell.service
# systemctl disable debug-shell.service