Restrict usage of ptrace to descendant processes
An XCCDF Rule
Description
To set the runtime status of the kernel.yama.ptrace_scope
kernel parameter, run the following command:
$ sudo sysctl -w kernel.yama.ptrace_scope=1To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
: kernel.yama.ptrace_scope = 1
Rationale
Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).
- ID
- xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope
- Severity
- Medium
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/