Profile Applicability:
• Level 1
Description:
The ptrace system call allows one process to observe and control another, which can be abused to inspect or manipulate the memory and execution of other processes. The kernel.yama.ptrace_scope kernel parameter, provided by the Yama security module, controls the restrictions on the ptrace system call. Restricting ptrace_scope limits this capability to enhance security.
Rationale:
Setting ptrace_scope to a restrictive value prevents unauthorized processes from tracing or attaching to other processes, mitigating the risk of privilege escalation or information leakage.
Impact:
Pros:
Reduces the risk of malicious process inspection or manipulation.
Enhances overall system security posture.
Cons:
May interfere with legitimate debugging or monitoring tools that rely on ptrace, such as attaching a debugger or system-call tracer to an already running process.
Default Value:
On many systems, ptrace_scope is set to 0 (unrestricted: any process may trace another process running as the same user) or 1 (restricted: a process may only trace its own descendants unless it has the CAP_SYS_PTRACE capability), depending on the distribution.
Pre-requisites:
Root or sudo privileges to read and modify kernel parameters.
Remediation:
Test Plan:
Using Linux command line:
- Check the current value of ptrace_scope:
cat /proc/sys/kernel/yama/ptrace_scope
Confirm the value is set to 1 or higher (restricted).
- Check if the setting persists across reboots:
grep ptrace_scope /etc/sysctl.d/* /etc/sysctl.conf
Implementation Plan:
Using Linux command line:
1. Temporarily set ptrace_scope to 1:
echo 1 > /proc/sys/kernel/yama/ptrace_scope
2. Make the change persistent by adding or updating the following line in /etc/sysctl.d/10-ptrace.conf or /etc/sysctl.conf:
kernel.yama.ptrace_scope = 1
3. Reload sysctl settings:
sysctl -p /etc/sysctl.d/10-ptrace.conf
Backout Plan:
Using Linux command line:
1. Revert ptrace_scope to its previous value, e.g., 0:
echo 0 > /proc/sys/kernel/yama/ptrace_scope
2. Remove or comment out the ptrace_scope setting in sysctl configuration files.
3. Reload sysctl settings.
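An audit script for the Test Plan above, added here as an example and not part of the benchmark. It assumes the default paths the Test Plan uses, and the functions also take file arguments so they can be run against constructed fixtures:

```shell
#!/bin/sh
# Added audit helper for the Test Plan above (example code, not part of the benchmark).
# The default paths are the ones the Test Plan uses; the file arguments exist so the
# checks can also be run against copies or constructed fixtures.

# check_ptrace_scope [FILE]: returns 0 (PASS) if the value is 1 or higher, 1 (FAIL) if
# it is 0, and 2 if the Yama interface is missing or the content is not an integer.
check_ptrace_scope() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    [ -r "$f" ] || { echo "MISSING: $f (Yama LSM not enabled?)"; return 2; }
    v=$(cat "$f")
    case "$v" in
        ''|*[!0-9]*) echo "INVALID: '$v' in $f"; return 2 ;;
    esac
    [ "$v" -ge 1 ] && { echo "PASS: ptrace_scope=$v"; return 0; }
    echo "FAIL: ptrace_scope=$v (unrestricted)"
    return 1
}

# check_persistent FILE...: returns 0 if the last uncommented kernel.yama.ptrace_scope
# line across FILEs (pass them in the order sysctl applies them; later files override
# earlier ones) sets it to 1 or higher, 1 if it sets 0, and 2 if no file sets it.
check_persistent() {
    last=""
    for f in "$@"; do
        [ -f "$f" ] || continue
        m=$(grep -E '^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=' "$f" | tail -n 1)
        [ -n "$m" ] && last="$m"
    done
    [ -n "$last" ] || { echo "FAIL: no persistent kernel.yama.ptrace_scope setting"; return 2; }
    v=$(printf '%s\n' "$last" | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
    case "$v" in
        ''|*[!0-9]*) echo "INVALID: '$last'"; return 2 ;;
    esac
    [ "$v" -ge 1 ] && { echo "PASS: persistent ptrace_scope=$v"; return 0; }
    echo "FAIL: persistent ptrace_scope=$v"
    return 1
}

# audit_live: both checks against the running system; non-zero if either fails.
audit_live() {
    rc=0
    check_ptrace_scope || rc=1
    check_persistent /etc/sysctl.d/*.conf /etc/sysctl.conf || rc=1
    return "$rc"
}

audit_live || true   # report on the live system when run directly
```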
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Kernel Yama Documentation
Linux man ptrace