Protect against ptrace of processes: kernel.yama.ptrace_scope

Hardening the kernel with kernel.yama.ptrace_scope

Ptrace is a great troubleshooting tool for developers to determine how a process functions. It can be used to find programming flaws, like memory leakage. On the other hand, the tool also be used by people with malicious intent. For example to debug a process as a non-privileged user and find the contents of application memory.

Yama

Linux has the ability to include Linux Security Modules, to provide additional features with the means of a module. Yama does Discretionary Access Control of some kernel related functions, like defining if process tracing (ptrace) is allowed.

kernel.yama.ptrace_scope

The parameter kernel.yama.ptrace_scope helps system administrators to select what processes can be debugged with ptrace.

We can determine the active value with sysctl or using the pseudo file system /proc and find the related key.

# sysctl kernel.yama.ptrace_scope
kernel.yama.ptrace_scope = 1

Or query the /proc file system.

# cat /proc/sys/kernel/yama/ptrace_scope
1

For this particular key there are four valid options: 0-3

kernel.yama.ptrace_scope valueMeaning
0All processes can be debugged, as long as they have same uid. This is the classical way of how ptracing worked.
1Only a parent process can be debugged.
2Only admin can use ptrace, as it required CAP_SYS_PTRACE capability.
3No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again.

Using Ptrace - Advice

Screenshot showing the sandbox options of Google, with Yama LSM being enforced.

Yama LSM enforcing enabled

google-sandbox-with-yama-lsm-enforcing.png

Servers

If your system is running in the DMZ and processes high sensitive data, there is usually no reason to allow ptrace at all. Best is to disable it completely (kernel.yama.ptrace_scope = 3).

For servers in general you might want to apply rule, or choose a slightly less restrictive value (2 or 1).

Desktops

On desktop systems where you are the only user, can have a less restricted option (2, 1 or even disabled).

The Yama LSM is also used in Google Chrome, as can been seen in the related screenshot.

If you want to dive deeper into the details of this LSM, have a look at Yama Linux Security Module.

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is a cheat sheet available:

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon