Skip to content

1.5.2 Ensure ptrace_scope is restricted

Audit#

Run the following script to verify the following kernel parameter is set in the running configuration and correctly loaded from a kernel parameter configuration file: - kernel.yama.ptrace_scope is set to a value of: 1, 2, or 3*

#!/usr/bin/env bash
{
a_output=(); a_output2=(); a_parlist=("kernel.yama.ptrace_scope=(1|2|3)")
l_ufwscf="$([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
f_kernel_parameter_chk()
{
l_running_parameter_value="$(sysctl "$l_parameter_name" | awk -F='{print $2}' | xargs)" # Check running configuration
if grep -Pq -- '\b'"$l_parameter_value"'\b' <<< "$l_running_parameter_value"; then
a_output+=(" - \"$l_parameter_name\" is correctly set to \"$l_running_parameter_value\"" \"in the running configuration")
else
a_output2+=(" - \"$l_parameter_name\" is incorrectly set to \"$l_running_parameter_value\"" \"in the running configuration" \"and should have a value of: \"$l_value_out\"")
fi
unset A_out; declare -A A_out # Check durable setting (files)
while read -r l_out; do
if [ -n "$l_out" ]; then
if [[ $l_out =~ ^\s*# ]]; then
l_file="${l_out//# /}"
else
l_kpar="$(awk -F= '{print $1}' <<< "$l_out" | xargs)"
[ "$l_kpar" = "$l_parameter_name" ] && A_out+=(["$l_kpar"]="$l_file")
fi
fi
done < <("$l_systemdsysctl" --cat-config | grep -Po '^\h*([^#\n\r]+|#\h*\/[^#\n\r\h]+\.conf\b)')
if [ -n "$l_ufwscf" ]; then # Account for systems with UFW (Not covered by systemd-sysctl --cat-config)
l_kpar="$(grep -Po "^\h*$l_parameter_name\b" "$l_ufwscf" | xargs)"
l_kpar="${l_kpar//\//.}"
[ "$l_kpar" = "$l_parameter_name" ] && A_out+=(["$l_kpar"]="$l_ufwscf")
fi
if (( ${#A_out[@]} > 0 )); then # Assess output from files and generate output
while IFS="=" read -r l_fkpname l_file_parameter_value; do
l_fkpname="${l_fkpname// /}";
l_file_parameter_value="${l_file_parameter_value// /}"
if grep -Pq -- '\b'"$l_parameter_value"'\b' <<< "$l_file_parameter_value"; then
a_output+=(" - \"$l_parameter_name\" is correctly set to \"$l_file_parameter_value\"" \"in \"$(printf '%s' "${A_out[@]}")\"")
else
a_output2+=(" - \"$l_parameter_name\" is incorrectly set to \"$l_file_parameter_value\"" \"in \"$(printf '%s' "${A_out[@]}")\"" \"and should have a value of: \"$l_value_out\"")
fi
done < <(grep -Po -- "^\h*$l_parameter_name\h*=\h*\H+" "${A_out[@]}")
else
a_output2+=(" - \"$l_parameter_name\" is not set in an included file" \"** Note: \"$l_parameter_name\" May be set in a file that's ignored by load procedure **")
fi
}
l_systemdsysctl="$(readlink -f /lib/systemd/systemd-sysctl)"
while IFS="=" read -r l_parameter_name l_parameter_value; do # Assess and check parameters
l_parameter_name="${l_parameter_name// /}";
l_parameter_value="${l_parameter_value// /}"
l_value_out="${l_parameter_value//-/ through }";
l_value_out="${l_value_out//|/ or }"
l_value_out="$(tr -d '(){}' <<< "$l_value_out")"
f_kernel_parameter_chk
done < <(printf '%s\n' "${a_parlist[@]}")
if [ "${#a_output2[@]}" -le 0 ]; then
printf '%s\n' "" "- Audit Result:" " ** PASS **" "${a_output[@]}" ""
else
printf '%s\n' "" "- Audit Result:" " ** FAIL **" " - Reason(s) for audit failure:" "${a_output2[@]}"
[ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "" "- Correctly set:" "${a_output[@]}" ""
fi
}

Remediation#

Set the kernel.yama.ptrace_scope parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in .conf to a value of 1, 2, or 3: 

kernel.yama.ptrace_scope = 1
- OR -
kernel.yama.ptrace_scope = 2
- OR -
kernel.yama.ptrace_scope = 3

Example: 

# printf "%s\n" "kernel.yama.ptrace_scope = 1" >> /etc/sysctl.d/60-kernel_sysctl.conf

Run the following command to set the active kernel parameter: 

# sysctl -w kernel.yama.ptrace_scope=1

Default Value:
kernel.yama.ptrace_scope = 0