Protect against ptrace of processes: kernel.yama.ptrace_scope

Hardening the kernel with kernel.yama.ptrace_scope

Ptrace is a great troubleshooting tool for developers to determine how a process functions. It can be used to find programming flaws, like memory leakage. On the other hand, the tool also be used by people with malicious intent. For example to debug a process as a non-privileged user and find the contents of application memory.

Yama

Linux has the ability to include Linux Security Modules, to provide additional features with the means of a module. Yama does Discretionary Access Control of some kernel related functions, like defining if process tracing (ptrace) is allowed.

kernel.yama.ptrace_scope

The parameter kernel.yama.ptrace_scope helps system administrators to select what processes can be debugged with ptrace.

We can determine the active value with sysctl or using the pseudo file system /proc and find the related key.

# sysctl kernel.yama.ptrace_scope
kernel.yama.ptrace_scope = 1

Or query the /proc file system.

# cat /proc/sys/kernel/yama/ptrace_scope
1

For this particular key there are four valid options: 0-3

kernel.yama.ptrace_scope valueMeaning
0All processes can be debugged, as long as they have same uid. This is the classical way of how ptracing worked.
1Only a parent process can be debugged.
2Only admin can use ptrace, as it required CAP_SYS_PTRACE capability.
3No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again.

Using Ptrace - Advice

Screenshot showing the sandbox options of Google, with Yama LSM being enforced.

Yama LSM enforcing enabled

google-sandbox-with-yama-lsm-enforcing.png

Servers

If your system is running in the DMZ and processes high sensitive data, there is usually no reason to allow ptrace at all. Best is to disable it completely (kernel.yama.ptrace_scope = 3).

For servers in general you might want to apply rule, or choose a slightly less restrictive value (2 or 1).

Desktops

On desktop systems where you are the only user, can have a less restricted option (2, 1 or even disabled).

The Yama LSM is also used in Google Chrome, as can been seen in the related screenshot.

If you want to dive deeper into the details of this LSM, have a look at Yama Linux Security Module.

Take the next step!

Want to learn more about Linux security? Have a look at the open source tool Lynis and become a Linux security expert yourself.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors, security professionals, like pentesters.

Tool Information

Visit project page
Screenshot of Lynis security tool