Re: Preventing ptrace()

> You have to remove the CAP_SYS_PTRACE to all processes running in the

You could easily remove this capability globally using LCAP[1], which modifies /proc/sys/kernel/cap-bound to remove it directly.

Alternatively, you could use an LKM[2] to capture and refuse any use of the ptrace syscall itself.

These have the benifit of being non-kernel specific - no patches are needed. If you have a security-enhanced kernel such as grsecurity, then you should use it's built in capabilities limiting functionality though.

[1] The original page seems to have gone AWOL, but you can find

    it in RPM form or as source here and there, such as from     SecurityFocus. Do a google.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

[2] For example http://www.hackinglinuxexposed.com/tools/p/noptrace.c.html

--
Brian Hatch                  Never knock on Death's door.
   Systems and                Ring the doorbell and run.
   Security Engineer          He hates that.
http://www.ifokr.org/bri/

Every message PGP signed