RHEL 10 must restrict usage of ptrace to descendant processes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-281316 | RHEL-10-701140 | SV-281316r1167098_rule | CCI-001082 | medium |
| Description | ||||
| Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. The attacker can then steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing). | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 10 Security Technical Implementation Guide | 2026-03-11 | |||
Details
Check Text (C-281316r1167098_chk)
Verify RHEL 10 restricts the usage of ptrace to descendant processes.
Check the status of the "kernel.yama.ptrace_scope" kernel parameter with the following command:
$ sysctl kernel.yama.ptrace_scope
kernel.yama.ptrace_scope = 1
If the network parameter "kernel.yama.ptrace_scope" is not equal to "1", or nothing is returned, this is a finding.
Fix Text (F-85782r1167097_fix)
Configure RHEL 10 to restrict the usage of ptrace to descendant processes.
Create the drop-in if it does not already exist:
$ sudo vi /etc/sysctl.d/99-kernel_yama.ptrace_scope.conf
Add the following line to the file:
kernel.yama.ptrace_scope = 1
Reload settings from all system configuration files with the following command:
$ sudo sysctl --system