Protecting Linux Devices from Debugging Approved Processes
15 Oct 2021

Devices running Linux distributions often have easy access to software development tools that include utilities such as debuggers (e.g., The GNU Project Debugger, or "gdb"). In some cases, administrators may want to prevent users from attaching debuggers to running processes, for example, to prevent unintended data exfiltration from those processes. Linux distributions also come with powerful tools for administrators to prevent these types of operations. If protection of Linux devices from debugging SecureCircle-approved processes is important for an organization, SecureCircle recommends the following best practices.

Use Yama to Prevent ptrace

Yama is a Linux Security Module that, among other things, allows administrators to disable the use of debuggers system-wide. The following setting is enough on most Linux distributions to prevent the use of debuggers.

kernel.yama.ptrace_scope = 3

Yama and its functionality are further described here. The United States National Security Agency has also released a document containing further information regarding the subject.
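The following script is an added example and is not SecureCircle's own tooling. It persists the setting above in a sysctl drop-in file (the path is an assumption; adjust it for your distribution), applies it with sysctl, and provides a check function that an auditing job can call to confirm the effective value. The value meanings are those documented in the kernel's Yama documentation; note that once the scope is set to 3 it cannot be lowered again without a reboot, so test the change on a non-production host first.

```shell
#!/bin/sh
# Added example (not part of the original article): persist and verify
# kernel.yama.ptrace_scope. Writing the file and applying it require root.

YAMA_CONF="${YAMA_CONF:-/etc/sysctl.d/10-ptrace.conf}"   # assumed drop-in path
REQUIRED_SCOPE=3

# Describe a ptrace_scope value using the kernel's documented meanings.
describe_ptrace_scope() {
  case "$1" in
    0) echo "classic: any process may ptrace another process with the same uid" ;;
    1) echo "restricted: only descendants (or PR_SET_PTRACER targets) may be traced" ;;
    2) echo "admin-only: only processes with CAP_SYS_PTRACE may use ptrace" ;;
    3) echo "no attach: ptrace attach is disabled and cannot be lowered without reboot" ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# Print the effective value; prints nothing if Yama is not loaded on this kernel.
current_ptrace_scope() {
  cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo ""
}

# Persist the setting and apply it immediately (root only).
enforce_ptrace_scope() {
  printf 'kernel.yama.ptrace_scope = %s\n' "$REQUIRED_SCOPE" > "$YAMA_CONF"
  sysctl -w "kernel.yama.ptrace_scope=$REQUIRED_SCOPE" >/dev/null
}

# Succeed only if the actual value ($1) is at least the required value ($2).
# An empty actual value (Yama absent) is treated as a failure, not a pass.
check_ptrace_scope() {
  [ -n "$1" ] && [ "$1" -ge "$2" ]
}

# Audit entry point: report and return non-zero when the host is below policy.
audit_ptrace_scope() {
  scope="$(current_ptrace_scope)"
  echo "ptrace_scope=${scope:-unset} ($(describe_ptrace_scope "${scope:-x}"))"
  check_ptrace_scope "$scope" "$REQUIRED_SCOPE"
}
```

Run `enforce_ptrace_scope` once as root during provisioning and `audit_ptrace_scope` from your compliance checks; a host that reports a value below 3, or no value at all because the Yama module is not compiled in, should be flagged rather than assumed protected.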

Use AppArmor for Application-Specific, Fine-Grained Controls

AppArmor is a Mandatory Access Control (MAC) system which, among other things, allows for fine-grained controls to be defined on a per-application or per-path (or set of paths using globbing) basis. An example AppArmor profile that would prevent every application in a user-writable folder and its subfolders from using ptrace is as follows.

profile ptrace /path/to/user-writable/folder/** {
  capability,
  dbus,
  file,
  network,
  mount,
  pivot_root,
  remount,
  signal,
  umount,
  unix,
  deny ptrace,
}
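To make the profile above take effect it has to be loaded into the kernel and confirmed to be in enforce mode, since a profile left in complain mode only logs ptrace use instead of blocking it. The script below is an added example, not SecureCircle's or the AppArmor project's code: it loads the profile file with `apparmor_parser` (the install path under `/etc/apparmor.d` is an assumption) and parses the `name (mode)` lines of the AppArmor securityfs profile listing to report the mode of a named profile.

```shell
#!/bin/sh
# Added example (not part of the original article): load the ptrace-denying
# AppArmor profile and verify it is enforced.

PROFILE_NAME="ptrace"                                      # name used in the article's profile
PROFILE_FILE="${PROFILE_FILE:-/etc/apparmor.d/ptrace}"     # assumed install path
AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"

# Load or replace the profile in the kernel (root; needs apparmor_parser installed).
load_profile() {
  apparmor_parser -r "$PROFILE_FILE"
}

# Print the mode of profile $1 given a listing ($2) in the securityfs format,
# one "name (mode)" per line. Prints "missing" if the profile is not listed.
profile_mode() {
  printf '%s\n' "$2" | awk -v n="$1" '
    {
      mode = $NF                      # last field, e.g. "(enforce)"
      sub(/ \([a-z]+\)$/, "")         # strip the trailing " (mode)" to get the full name
      if ($0 == n) { gsub(/[()]/, "", mode); print mode; found = 1; exit }
    }
    END { if (!found) print "missing" }'
}

# Succeed only if the named profile is loaded and in enforce mode on this host.
check_enforced() {
  listing="$(cat "$AA_PROFILES" 2>/dev/null || echo "")"
  [ "$(profile_mode "$1" "$listing")" = "enforce" ]
}
```

A provisioning step would be `load_profile && check_enforced "$PROFILE_NAME"`; failing the second call means the profile did not parse, AppArmor is disabled on the kernel, or the profile was loaded in complain mode, and in all three cases debuggers under the protected path are not actually blocked.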

Device Management

As with other platforms, SecureCircle recommends implementing a robust Device Management system that lets administrators ensure users can work on Linux devices without compromising security. Pre-provisioning Linux endpoints with secure operating systems that take advantage of hardware-based security (e.g., Trusted Platform Module, or TPM), centralized patching, profiling, device posture checks, and auditing are all key components of a Device Management system. It is recommended that SecureCircle be provisioned on devices managed in this way.
