STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

V-269143

CAT II (Medium)

The AlmaLinux OS 9 debug-shell systemd service must be disabled.

Rule ID

SV-269143r1050025_rule

STIG

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version

V1R6

CCIs

CCI-002235

Discussion

The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from easily bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

Check Content

Verify AlmaLinux OS 9 is configured to mask the debug-shell systemd service with the following command:

$ systemctl status debug-shell.service

debug-shell.service
Loaded: masked (Reason: Unit debug-shell.service is masked.)
Active: inactive (dead)

If the "debug-shell.service" is loaded and not masked, this is a finding.

Fix Text

Configure AlmaLinux OS 9 to mask the debug-shell systemd service with the following command:

$ systemctl mask --now debug-shell.service