{"description": "To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>kernel.yama.ptrace_scope = 1</pre>", "rationale": "Unrestricted usage of ptrace allows compromised binaries to run ptrace\non other processes of the same user. In this way, an attacker can steal\nsensitive information from the target processes (e.g. SSH sessions, web browser, ...)\nwithout any additional assistance from the user (i.e. without resorting to phishing).\n", "severity": "medium", "references": {"nist": ["SC-7(10)"], "ospp": ["FMT_SMF_EXT.1"], "srg": ["SRG-OS-000132-GPOS-00067", "SRG-OS-000480-GPOS-00227"], "anssi": ["R11"], "cis": ["1.5.2"], "ism": ["1409"]}, "control_references": {"anssi": ["R11"], "cis": ["1.5.2"], "ism": ["1409"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl kernel.yama.ptrace_scope</pre>\nThe output should return <code>1</code>.\n", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to restrict usage of ptrace to descendant processes.\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nkernel.yama.ptrace_scope = 1\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must restrict usage of ptrace to descendant processes.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must restrict usage of ptrace to descendant processes.", "vuldiscussion": "Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the same user. In this way, an attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing).", "checktext": "Verify Ubuntu 22.04 restricts the usage of ptrace to descendant processes with the following commands:\n\n$ sysctl kernel.yama.ptrace_scope\n\nkernel.yama.ptrace_scope = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter:\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | grep -Ev '^(#|;)' | grep -F kernel.yama.ptrace_scope | tail -1\n\nkernel.yama.ptrace_scope = 1\n\nIf the kernel parameter \"kernel.yama.ptrace_scope\" is not equal to \"1\", or nothing is returned, this is a finding.", "fixtext": "Configure the currently loaded kernel parameter to the secure setting:\n\n$ sudo sysctl -w kernel.yama.ptrace_scope=1\n\nConfigure Ubuntu 22.04 to restrict usage of ptrace to descendant processes by adding the following line to a file in the \"/etc/sysctl.d\" directory:\n\nkernel.yama.ptrace_scope = 1\n\nThe system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sudo sysctl --system"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_kernel_yama_ptrace_scope.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_kernel_yama_ptrace_scope.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Restrict usage of ptrace to descendant processes", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "kernel.yama.ptrace_scope", "sysctlval": "1", "datatype": "int"}, "backends": {}}}
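The check and fix text above rely on a detail that is easy to miss: systemd-sysctl applies /etc/sysctl.d in lexical file order and the last assignment of a key wins, so a `kernel.yama.ptrace_scope = 0` left in a later drop-in quietly undoes the `= 1` added by the fix. That is why the STIG check pipes through `tail -1`. The script below is an added example, not part of the SCAP Security Guide rule or its SCE check; it parses `systemd-sysctl --cat-config` style text with those semantics, reports the effective value, and includes a guarded live check. The drop-in file names in the sample input are constructed, and the `/usr/lib/systemd/systemd-sysctl` path is the one the check text uses.

```shell
#!/bin/sh
# Added example for this rule page; it is not part of the SCAP Security Guide
# rule content or its SCE check. It models how systemd-sysctl applies
# /etc/sysctl.d: files are read in lexical order and the LAST assignment of a
# key wins, so "kernel.yama.ptrace_scope = 0" in a later drop-in silently
# undoes "= 1" in an earlier one.

# effective_sysctl KEY
# Reads sysctl.conf-style text on stdin (the format printed by
# `systemd-sysctl --cat-config`) and prints the value KEY would end up with,
# or nothing if KEY is never assigned. Handles "key = val" and "key=val",
# leading whitespace, and '#' / ';' comment lines.
effective_sysctl() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*$/    { next }                  # blank line
        {
            n = split($0, kv, "=")
            if (n < 2) next                     # no assignment on this line
            k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v                             # later assignment overrides earlier
            seen = 1
        }
        END { if (seen) print val }'
}

# check_ptrace_scope_config
# Exit 0 when the persisted configuration on stdin leaves ptrace_scope at 1,
# exit 1 otherwise (unset, overridden, or set to another value).
check_ptrace_scope_config() {
    [ "$(effective_sysctl kernel.yama.ptrace_scope)" = "1" ]
}

# Constructed sample input (not captured from a real host): a hardening
# drop-in followed by a leftover developer drop-in that reverts it.
# Effective value: 0, which is a finding.
SAMPLE_OVERRIDDEN='# /etc/sysctl.d/10-hardening.conf
kernel.yama.ptrace_scope = 1

# /etc/sysctl.d/99-debug.conf
; left behind after a debugging session
kernel.yama.ptrace_scope=0'

# Constructed sample with the setting intact. Effective value: 1.
SAMPLE_OK='# /etc/sysctl.d/10-hardening.conf
  kernel.yama.ptrace_scope = 1
kernel.kptr_restrict = 1'

# Live check against the running host; only runs when invoked with --live so
# the constructed samples can be exercised without touching the system.
live_check() {
    if command -v sysctl >/dev/null 2>&1; then
        printf 'runtime:   kernel.yama.ptrace_scope = %s\n' \
            "$(sysctl -n kernel.yama.ptrace_scope 2>/dev/null || echo unavailable)"
    fi
    if [ -x /usr/lib/systemd/systemd-sysctl ]; then
        if /usr/lib/systemd/systemd-sysctl --cat-config 2>/dev/null | check_ptrace_scope_config; then
            echo 'persisted: kernel.yama.ptrace_scope = 1 (pass)'
        else
            echo 'persisted: kernel.yama.ptrace_scope not effectively 1 (finding)'
        fi
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    printf 'sample with override -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_OVERRIDDEN" | effective_sysctl kernel.yama.ptrace_scope)"
    printf 'sample intact        -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_OK" | effective_sysctl kernel.yama.ptrace_scope)"
fi
```

Run it without arguments to see the two constructed samples evaluated, or with `--live` to compare the running kernel's value against what `systemd-sysctl --cat-config` would apply on the next `sysctl --system`. A runtime value of 1 with a persisted value of 0 means the hardening will not survive a reboot; the reverse means the fix was written but never loaded.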