Enable Yama support
An XCCDF Rule
Description
This enables support for the LSM module Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. The module will limit the use of the system call ptrace().
The configuration that was used to build the kernel is available at /boot/config-*.
To check the configuration value for CONFIG_SECURITY_YAMA, run the following command:
grep CONFIG_SECURITY_YAMA /boot/config-*
For each kernel installed, a line with value "y" should be returned.
Warning: There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
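As an added example (not part of this rule or the ComplianceAsCode project), the following POSIX shell script applies the check above to every kernel config file and reports a per-kernel PASS/FAIL verdict instead of leaving the reader to eyeball grep output. It also goes slightly beyond the page: when Yama is built in, the running kernel exposes its ptrace_scope knob under /proc/sys/kernel/yama, so the script reports that as a runtime cross-check. The function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Audit CONFIG_SECURITY_YAMA across installed kernel configs (example code).
# Usage: sh check_yama.sh [dir]   (dir defaults to /boot; a different dir is
# useful when auditing a mounted image or a test fixture)

# Check one kernel config file. Prints PASS/FAIL, returns 0 only when the
# option is built in (=y). "=m" is not valid for Yama and counts as FAIL.
check_yama_config_file() {
    f="$1"
    if grep -q '^CONFIG_SECURITY_YAMA=y$' "$f"; then
        echo "PASS: $f"
        return 0
    fi
    # Show what the file actually says, or note that the option is absent.
    detail=$(grep 'CONFIG_SECURITY_YAMA' "$f" || echo 'CONFIG_SECURITY_YAMA not present')
    echo "FAIL: $f ($detail)"
    return 1
}

# Check every config-* file under a directory. Returns 0 only if all of them
# pass; an empty directory is a FAIL, since no kernel could be verified.
check_yama_configs() {
    dir="${1:-/boot}"
    rc=0
    found=0
    for f in "$dir"/config-*; do
        [ -f "$f" ] || continue
        found=1
        check_yama_config_file "$f" || rc=1
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no kernel config files found under $dir"
        return 1
    fi
    return "$rc"
}

# Runtime cross-check: the knob only exists when Yama is active in the
# running kernel. This complements, but does not replace, the /boot check,
# which covers every installed kernel rather than only the booted one.
yama_runtime_status() {
    if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        echo "Yama active on running kernel, ptrace_scope=$(cat /proc/sys/kernel/yama/ptrace_scope)"
    else
        echo "Yama not active on running kernel (no /proc/sys/kernel/yama)"
    fi
    return 0
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    yama_runtime_status
    check_yama_configs "$1"
fi
```

Run it as `sh check_yama.sh /boot`; the exit status is 0 only when every installed kernel config sets CONFIG_SECURITY_YAMA=y, which makes it usable directly from a compliance job.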
Rationale
Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the same user.
- ID
- xccdf_org.ssgproject.content_rule_kernel_config_security_yama
- Severity
- Medium
- References
- Updated