1.4.2 Ensure ptrace_scope is restricted

Information

The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers.

If one application is compromised, it would be possible for an attacker to attach to other running processes (e.g. Bash, Firefox, SSH sessions, GPG agent, etc) to extract additional credentials and continue to expand the scope of their attack.

Enabling restricted mode will limit the ability of a compromised process to PTRACE_ATTACH on other processes running under the same user. With restricted mode, ptrace will continue to work with root user.

Solution

Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending inconf :

- kernel.yama.ptrace_scope = 1

Example:

# printf '%s
' "kernel.yama.ptrace_scope = 1" >> /etc/sysctl.d/60-kernel_sysctl.conf

Run the following command to set the active kernel parameter:

# sysctl -w kernel.yama.ptrace_scope=1

Note: If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten

See Also

https://workbench.cisecurity.org/benchmarks/15964