Disable the usage of ptrace() by all processes

README.md

@@ -58,9 +58,8 @@ configuration file and significant hardening is applied to a myriad of component
 
 #### User space
 
-- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
-  enables programs to inspect and modify other active processes. Optional - Disable
-  usage of `ptrace()` by all processes.
+- Disable the usage of `ptrace()` by all processes as it enables programs to inspect
+  and modify other active processes
 
 - Maximize the bits of entropy used for mmap ASLR across all CPU architectures.
 
@@ -273,23 +272,15 @@ there are a few cases of partial or non-compliance due to technical limitations.
 More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with
 the KSPP's recommendations.
 
-**Partial compliance:**
-
-1. `sysctl kernel.yama.ptrace_scope=3`
-
-Completely disables `ptrace()`. Can be enabled easily if needed.
-
-* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)
-
 **Non-compliance:**
 
-2. `sysctl user.max_user_namespaces=0`
+1. `sysctl user.max_user_namespaces=0`
 
 Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
 
 * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
 
-3. `sysctl fs.binfmt_misc.status=0`
+2. `sysctl fs.binfmt_misc.status=0`
 
 Disables the registration of interpreters for miscellaneous binary formats. Currently not
 feasible due to compatibility issues with Firefox.

usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared

@@ -0,0 +1,24 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Diable the usage of the ptrace() system call by all processes.
+## Restrict ptrace() as it enables programs to inspect and modify other active processes.
+## Prevents native code debugging which some programs use as a method to detect tampering.
+## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
+## https://en.wikipedia.org/wiki/Ptrace
+## https://grapheneos.org/features#attack-surface-reduction
+## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
+## https://github.com/netblue30/firejail/issues/2860
+##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
+kernel.yama.ptrace_scope=3

usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared

@@ -227,8 +227,8 @@ kernel.io_uring_disabled=2
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
 
-## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
-## Limit ptrace() as it enables programs to inspect and modify other active processes.
+## Diable the usage of the ptrace() system call by all processes.
+## Restrict ptrace() as it enables programs to inspect and modify other active processes.
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
 ##
@@ -238,13 +238,12 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
-## KSPP=partial
-## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
+## KSPP=yes
+## KSPP sets the sysctl.
 ##
-## It is possible to harden further by disabling ptrace() for all users, see documentation.
-## https://github.com/Kicksecure/security-misc/pull/242
+## See /usr/lib/sysctl.d/30_security_misc-ptrace-disable.conf for implementation.
 ##
-kernel.yama.ptrace_scope=2
+#kernel.yama.ptrace_scope=3
 
 ## Maximize bits of entropy for improved effectiveness of mmap ASLR.
 ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).