Restrict usage of ptrace to descendant processes

An XCCDF Rule

Description

To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:

$ sudo sysctl -w kernel.yama.ptrace_scope=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.yama.ptrace_scope = 1

Rationale

Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).

ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope
Severity: Medium
References: BP28(R25)

CCI-000366

SC-7(10)

SRG-OS-000132-GPOS-00067 SRG-OS-000480-GPOS-00227

CCE-82501-8
Updated: about 1 year ago

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.yama.ptrace_scope%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf
        overwrite: true

Restrict usage of ptrace to descendant processes

Description

Rationale

Remediation - Kubernetes Patch