Protect against ptrace of processes: kernel.yama.ptrace_scope

Protect against the usage of Ptrace

Hardening the kernel with kernel.yama.ptrace_scope

Ptrace is a great troubleshooting tool for developers to determine how a process functions. It can be used to find programming flaws, like memory leakage. On the other hand, the tool also be used by people with malicious intent. For example to debug a process as a non-privileged user and find the contents of application memory.


Linux has the ability to include Linux Security Modules, to provide additional features with the means of a module. Yama does Discretionary Access Control of some kernel related functions, like defining if process tracing (prace) is allowed.


The parameter kernel.yama.ptrace_scope helps system administrators to select what processes can be debugged with ptrace.

We can determine the active value with sysctl or using the pseudo file system /proc and find the related key.

$ sysctl kernel.yama.ptrace_scope
kernel.yama.ptrace_scope = 1


$ cat /proc/sys/kernel/yama/ptrace_scope

For this particular key there are four valid options: 0-3

  • kernel.yama.ptrace_scope = 0: all processes can be debugged, as long as they have same uid. This is the classical way of how ptracing worked.
  • kernel.yama.ptrace_scope = 1: only a parent process can be debugged.
  • kernel.yama.ptrace_scope = 2: Only admin can use ptrace, as it required CAP_SYS_PTRACE capability.
  • kernel.yama.ptrace_scope = 3: No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again.

Using Ptrace – Advice

Screenshot showing the sandbox options of Google, with Yama LSM being enforced.

Yama LSM enforcing enabled


If your system is running in the DMZ and processes high sensitive data, there is usually no reason to allow ptrace at all. Best is to disable it completely (kernel.yama.ptrace_scope = 3).

For servers in general you might want to apply rule, or choose a slightly less restrictive value (2 or 1).


On desktop systems where you are the only user, can have a less restricted option (2, 1 or even disabled).

The Yama LSM is also used in Google Chrome, as can been seen in the related screenshot.

If you want to dive deeper into the details of this LSM, have a look at Yama Linux Security Module.

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)

Leave a Reply

Your email address will not be published. Required fields are marked *