Bug 1198601 - STIG: should configure kernel.yama.ptrace_scope =1 or even =2
Summary: STIG: should configure kernel.yama.ptrace_scope =1 or even =2
Status: RESOLVED FIXED
Alias: None
Product: PUBLIC SUSE Linux Enterprise Server 15 SP4
Classification: openSUSE
Component: Security Certifications
Version: unspecified
Hardware: Other Other
: P4 - Low : Enhancement
Target Milestone: ---
Assignee: Anastasija Ivanovic
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-19 11:03 UTC by Dirk Mueller
Modified: 2023-11-16 08:15 UTC
4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Dirk Mueller 2022-04-19 11:03:03 UTC
For CIS v2, the STIG hardening guide should advise how to configure kernel.yama.ptrace_scope to 1 or 2.

This requires a few more steps to be effective, including the ability to load the Yama LSM in the first place.
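The "few more steps" matter because the sysctl is silently ineffective unless Yama is actually an active LSM. The following POSIX shell check is an added example written for this page (it is not part of the bug, the STIG, or SUSE's SCAP content); it reads the kernel's active-LSM list and the live ptrace_scope value, and the file paths are parameters so it can also be run against captured copies.

```shell
#!/bin/sh
# Compliance check for kernel.yama.ptrace_scope (added example, not SUSE's or DISA's code).
# The kernel lists active LSMs in /sys/kernel/security/lsm (securityfs) and exposes
# the Yama scope in /proc/sys/kernel/yama/ptrace_scope; both paths can be overridden.

# yama_active [LSM_LIST_FILE]: returns 0 if "yama" is in the comma-separated LSM list.
yama_active() {
    lsm_file="${1:-/sys/kernel/security/lsm}"
    [ -r "$lsm_file" ] || return 1
    case ",$(cat "$lsm_file")," in
        *,yama,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# ptrace_scope_ok [SCOPE_FILE] [REQUIRED]: returns 0 when the running value is >= REQUIRED.
# Valid Yama values are 0..3; anything else (or an unreadable file) is treated as a failure.
ptrace_scope_ok() {
    scope_file="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    required="${2:-1}"
    [ -r "$scope_file" ] || return 1
    scope=$(cat "$scope_file")
    case "$scope" in
        0|1|2|3) [ "$scope" -ge "$required" ] ;;
        *)       return 1 ;;
    esac
}

# check_ptrace_hardening [LSM_FILE] [SCOPE_FILE] [REQUIRED]: prints a verdict and returns
# 0 only when Yama is active AND the scope meets the required level (1 or 2 per the bug).
check_ptrace_hardening() {
    required="${3:-1}"
    if ! yama_active "$1"; then
        echo "FAIL: yama not in the active LSM list (or securityfs not readable);" \
             "setting kernel.yama.ptrace_scope has no effect until yama is enabled via lsm= and a reboot"
        return 2
    fi
    if ! ptrace_scope_ok "$2" "$required"; then
        echo "FAIL: kernel.yama.ptrace_scope is below $required;" \
             "persist it with a /etc/sysctl.d/ drop-in and apply with sysctl --system"
        return 1
    fi
    echo "PASS: yama active and kernel.yama.ptrace_scope >= $required"
    return 0
}

# Live check of this host (defaults to the kernel interfaces; failures are reported, not fatal).
check_ptrace_hardening "" "" 1 || :
```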
Comment 1 Marcus Meissner 2022-04-19 11:14:04 UTC
DISA STIG or CIS?
Comment 2 Marcus Meissner 2022-04-19 11:15:01 UTC
We can only implement rules in the STIG or CIS paperwork, not just any additional hardenings.

We can, however, add these to the STIG/CIS paperwork if they are not there yet.
Comment 3 Dirk Mueller 2022-04-19 14:22:13 UTC
Where can I find the "latest" paperwork? https://www.cisecurity.org/benchmark/suse_linux looks like it only serves SLE11, which I'm not interested in.

https://documentation.suse.com/sles/15-SP3/pdf/book-security_color_en.pdf 
could be a way to mention this; it already has a chapter on AppArmor. Yama would be an additional, orthogonal step on top of that.
Comment 4 Marcus Meissner 2022-04-19 15:03:51 UTC
one step back ...

- Do you want this as default system setting?

- Or recommended by "generic hardening documentation" for SLE?
  (It seems this is the most likely one?)

- Or included into our DISA STIG efforts?

(We are not working with CIS at this time.)

Our official DISA STIG is here, and we would be content contributors (but it's a longish process to contribute content):

   https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SLES_15_V1R5_STIG.zip
Comment 5 Rumen Chikov 2022-04-19 15:27:04 UTC
The recommended requirement / rule does not exist in any of the profiles officially supported by SUSE - DISA, PCI-DSS and HIPAA.
The requirement will be included into the profile according to ANSSI-BP-028 - enhanced and high versions. You can see it on this page: https://confluence.suse.com/display/HASO/SCAP++ANSSI-BP-028

When we are ready with it, it will be possible for it to be included into the PCI-DSS and HIPAA profiles. Regarding DISA: our profile corresponds to the DISA STIG, i.e. it covers recommendations officially supported/provided by DISA. From a development/technical point of view we can add this rule to the DISA profile, but in this case we will have a discrepancy with the rules officially approved by DISA.

According to our current plans, this particular rule will be part of the ANSSI profiles after 2-3 months.

Do you need it to be provided with a higher priority?
Comment 6 Anastasija Ivanovic 2022-07-19 12:40:30 UTC
Marking this as closed due to Rumen's answer; as we have not received any further reply, I assume all is good. :)