```
# The PTRACE system is used for debugging.  With it, a single user process
# can attach to any other dumpable process owned by the same user.  In the
# case of malicious software, it is possible to use PTRACE to access
# credentials that exist in memory (re-using existing SSH connections,
# extracting GPG agent information, etc).
#
# A PTRACE scope of "0" is the more permissive mode.  A scope of "1" limits
# PTRACE only to direct child processes (e.g. "gdb name-of-program" and
# "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID"
# do not).  The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so
# "sudo strace -fp $PID" will work as before.  For more details see:
# https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
#
# For applications launching crash handlers that need PTRACE, exceptions can
# be registered by the debugee by declaring in the segfault handler
# specifically which process will be using PTRACE on the debugee:
#   prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
#
# In general, PTRACE is not needed for the average running Ubuntu system.
# To that end, the default is to set the PTRACE scope to "1".  This value
# may not be appropriate for developers or servers with only admin accounts.
kernel.yama.ptrace_scope = 1
```
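The mechanism the comments above describe, shown as an added example that is not part of the sysctl file or of Ubuntu's own code: a small C program that reads the active `kernel.yama.ptrace_scope` from procfs, explains what each value means, and registers one specific process as its permitted ptracer with `prctl(PR_SET_PTRACER, ...)`, handling the case where Yama is not loaded (the call fails with `EINVAL`). It assumes Linux; `getppid()` stands in for the pid of the crash handler a real program would spawn, and `/proc/sys/kernel/yama/ptrace_scope` is the standard Yama sysctl path.

```c
// Added example: reads the Yama ptrace scope and registers a named ptracer
// for this process, as the 10-ptrace.conf comment describes.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61  /* 'Yama'; value from linux/prctl.h */
#endif

/* Read kernel.yama.ptrace_scope from procfs.
 * Returns 0..3, or -1 if Yama is not available on this kernel. */
int yama_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f) return -1;
    int scope = -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Meaning of each scope value, per the sysctl comment and the Yama docs. */
const char *yama_scope_meaning(int scope) {
    switch (scope) {
    case 0: return "classic: any process may ptrace any dumpable process of the same uid";
    case 1: return "restricted: only descendants, or a ptracer named via PR_SET_PTRACER";
    case 2: return "admin-only: attaching requires CAP_SYS_PTRACE";
    case 3: return "no attach: ptrace attach is disabled entirely";
    default: return "unknown or Yama unavailable";
    }
}

/* Allow debugger_pid (e.g. a crash handler we are about to spawn) to ptrace us.
 * Only meaningful at scope 1; scopes 2 and 3 ignore the exception.
 * Returns 0 on success, -errno on failure (-EINVAL when Yama is not loaded). */
int allow_ptracer(pid_t debugger_pid) {
    if (prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

int main(void) {
    int scope = yama_ptrace_scope();
    printf("kernel.yama.ptrace_scope = %d (%s)\n", scope, yama_scope_meaning(scope));

    /* A real crash handler would pass the handler's pid here; the parent pid is
     * a stand-in (hypothetical debugger). PR_SET_PTRACER_ANY would permit any
     * process and widens the exception considerably, so prefer a specific pid. */
    int rc = allow_ptracer(getppid());
    if (rc == 0)
        printf("registered pid %d as permitted ptracer\n", (int)getppid());
    else
        printf("PR_SET_PTRACER failed: %s\n", strerror(-rc));
    return 0;
}
```

Compile with `gcc -Wall ptracer.c -o ptracer` and run it as an unprivileged user; on a stock Ubuntu host it reports scope 1 and a successful registration, while on a kernel without Yama the registration reports `Invalid argument` and the scope reads -1.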
Name | Type | Size | Permission |
---|---|---|---|
10-console-messages.conf | File | 77 B | 0644 |
10-ipv6-privacy.conf | File | 490 B | 0644 |
10-kernel-hardening.conf | File | 726 B | 0644 |
10-link-restrictions.conf | File | 257 B | 0644 |
10-lxd-inotify.conf | File | 153 B | 0644 |
10-magic-sysrq.conf | File | 1.16 KB | 0644 |
10-network-security.conf | File | 509 B | 0644 |
10-ptrace.conf | File | 1.26 KB | 0644 |
10-zeropage.conf | File | 506 B | 0644 |
99-cloudimg-ipv6.conf | File | 185 B | 0644 |
99-sysctl.conf | File | 2.62 KB | 0644 |
README | File | 519 B | 0644 |