KB: 07072014-001: Disabling ptrace() syscall
Keyword index
- Disabling ptrace on Debian Squeeze
- Disabling ptrace on Debian Wheezy
- Disabling ptrace on Ubuntu precise
- Disable ptrace to solve Debian DSA-2972-1
- Disable ptrace to solve CVE-2014-4699
Introduction
The following article explains how to disable the ptrace() system call on various platforms (see the list of supported platforms). By disabling this system call you remove a large source of security problems: a Linux kernel feature that many attacks use to implement hard-to-detect modifications such as in-flight modification of a running process's memory.
The article proposes disabling the ptrace syscall by installing a kernel module that disables it.
Supported platforms
- Debian Squeeze amd64
- Debian Squeeze i686
- Debian Wheezy amd64
- Ubuntu Precise LTS 12.04 amd64
- Linux Mint 13 Maya amd64
Installing the module
To install the module, update your /etc/apt/sources.list file to include the right apt source. The following link lists the right one for your distribution:
https://dolphin.aspl.es/svn/publico/noptrace2/README
After that, you only have to update the package references and install it by running:
apt-get update
apt-get install noptrace2
After that, the module will be compiled using your current server/system settings and will be loaded if no problem is found.
How do I check if the module is actually blocking ptrace() calls?
Run the following command. You should see a “No child processes” message:
strace -p 1
Process 1 attached - interrupt to quit
detach: ptrace(PTRACE_DETACH, ...): No child processes
Process 1 detached
How do I enable/disable it temporarily?
You can use the following command to stop/unload the module, which removes the ptrace() blocking:
service noptrace2 stop
Likewise, you can use the following command to re-enable the module that blocks ptrace():
service noptrace2 start
Does this generate any operation log I can inspect?
Sure, take a look at your /var/log/syslog. You should see entries like these:
Jul 7 11:14:40 vulcan kernel: [4721108.617232] [noptrace2] ptrace syscall disabled
Jul 7 11:14:54 vulcan kernel: [4721122.990270] [noptrace2] ptrace() invoked against process 1 by process 20675
Jul 7 11:14:54 vulcan kernel: [4721122.990304] [noptrace2] ptrace() invoked against process 1 by process 20675
Jul 7 11:15:02 vulcan kernel: [4721130.689160] [noptrace2] ptrace() invoked against process 29912 by process 20746
Jul 7 11:15:02 vulcan kernel: [4721130.689188] [noptrace2] ptrace() invoked against process 29912 by process 20746
Jul 7 11:15:22 vulcan kernel: [4721150.219577] [noptrace2] ptrace syscall restored
Jul 7 11:15:44 vulcan kernel: [4721172.921028] [noptrace2] ptrace syscall disabled
Jul 7 18:11:15 vulcan kernel: [4746103.948870] [noptrace2] ptrace() invoked against process 1 by process 9821
Jul 7 18:11:15 vulcan kernel: [4746103.948897] [noptrace2] ptrace() invoked against process 1 by process 9821
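The syslog lines above are what a monitoring job would consume. The following parser is an added example, not part of the noptrace2 project: it reduces those lines to module state changes (disabled/restored) and to blocked ptrace() attempts keyed by target and caller PID. It assumes the exact message formats shown above, treats the consecutive duplicate lines visible in the excerpt as one attempt, and uses the article's own excerpt plus one constructed unrelated kernel line as sample input.

```python
import re
from collections import Counter

# Kernel log line format as shown in /var/log/syslog in the article:
#   Jul 7 11:14:54 vulcan kernel: [4721122.990270] [noptrace2] ptrace() invoked against process 1 by process 20675
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: \[\s*\d+\.\d+\] \[noptrace2\] (?P<msg>.+)$"
)
ATTEMPT_RE = re.compile(r"^ptrace\(\) invoked against process (\d+) by process (\d+)$")

# Sample input: the article's syslog excerpt plus one constructed, unrelated kernel line.
SAMPLE_LOG = """\
Jul 7 11:14:40 vulcan kernel: [4721108.617232] [noptrace2] ptrace syscall disabled
Jul 7 11:14:54 vulcan kernel: [4721122.990270] [noptrace2] ptrace() invoked against process 1 by process 20675
Jul 7 11:14:54 vulcan kernel: [4721122.990304] [noptrace2] ptrace() invoked against process 1 by process 20675
Jul 7 11:15:02 vulcan kernel: [4721130.689160] [noptrace2] ptrace() invoked against process 29912 by process 20746
Jul 7 11:15:02 vulcan kernel: [4721130.689188] [noptrace2] ptrace() invoked against process 29912 by process 20746
Jul 7 11:15:22 vulcan kernel: [4721150.219577] [noptrace2] ptrace syscall restored
Jul 7 11:15:44 vulcan kernel: [4721172.921028] [noptrace2] ptrace syscall disabled
Jul 7 18:11:15 vulcan kernel: [4746103.948870] [noptrace2] ptrace() invoked against process 1 by process 9821
Jul 7 18:11:15 vulcan kernel: [4746103.948897] [noptrace2] ptrace() invoked against process 1 by process 9821
Jul 7 18:12:00 vulcan kernel: [4746148.000000] eth0: link up
"""

def parse_noptrace_log(text):
    """Return module state changes and blocked ptrace() attempts found in noptrace2 syslog lines."""
    # disabled: state after the last disabled/restored line (None if never seen);
    # transitions: (timestamp, "disabled"|"restored"); attempts: (target_pid, caller_pid) -> count;
    # raw_lines: attempt lines seen, duplicates included.
    report = {"disabled": None, "transitions": [], "attempts": Counter(), "raw_lines": 0}
    last_key = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a noptrace2 line
        msg = m.group("msg")
        if msg in ("ptrace syscall disabled", "ptrace syscall restored"):
            report["disabled"] = msg.endswith("disabled")
            report["transitions"].append((m.group("ts"), msg.split()[-1]))
            last_key = None
            continue
        a = ATTEMPT_RE.match(msg)
        if a:
            key = (int(a.group(1)), int(a.group(2)))
            report["raw_lines"] += 1
            # The excerpt logs each blocked call twice, microseconds apart;
            # adjacent repeats of the same (target, caller) pair count once.
            if key != last_key:
                report["attempts"][key] += 1
            last_key = key
    return report
```

Attempts against PID 1 (init) deserve particular attention, since that is the process the strace check above targets and a legitimate debugger rarely attaches to it.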
Did you like the article, find it useful, or have something to comment?
That’s good. Please contact us at http://www.core-admin.com/portal/about-us/contact or follow us at https://twitter.com/core_adm or https://twitter.com/aspl_es