Disable the usage of ptrace() by all processes

2025-05-05 01:55:02 -04:00 · 2024-07-18 11:01:41 +10:00 · 2024-07-18 11:01:41 +10:00 · b04828f858
commit b04828f858
parent d454f36c63
2 changed files with 4 additions and 7 deletions
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -128,7 +128,7 @@ kernel.io_uring_disabled=2
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace

-## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
+## Disable the usage of ptrace() system calls by all processes.
 ## Limit ptrace() as it enables programs to inspect and modify other active processes.
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
@ -139,9 +139,7 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
-## It is possible to harden further by disabling ptrace() for all users, see documentation.
-##
-kernel.yama.ptrace_scope=2
+kernel.yama.ptrace_scope=3

 ## Maximize bits of entropy for improved effectiveness of mmap ASLR.
 ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).