Adrián Bíro

Limiting Ptrace and Gdb on Production Systems

Since ptrace is not commonly used by non-developers and non-admins, system builders should be allowed the option to disable this debugging system.

According to the NSA recommendation and the Unified Compliance recommended settings for DoD RHEL 8 systems, which place this control in the medium severity category:

Production systems rarely need to use debugging utilities. For this reason, it is often safe to remove the ability to perform ptrace-related functions, at least in normal operational mode. The YAMA Linux Security Module, included in most Linux distributions, can be used to remove the ability for any process to ptrace another. To configure systems to automatically do this on boot, create a service file in /etc/systemd/system with the following contents:

[Unit]
Description=Removes, system-wide, the ability to ptrace
ConditionKernelCommandLine=!maintenance
[Service]
Type=oneshot
ExecStart=/bin/bash -c "sysctl -w kernel.yama.ptrace_scope=3"
[Install]
WantedBy=default.target

Check the file's owner and group permissions, then run systemctl daemon-reload; from the next boot on, ptrace attach will be completely disabled.

To re-enable the debugging utilities, reboot. During boot, select the kernel entry in the GRUB menu and press e to edit the kernel arguments, adding the word maintenance; then press Ctrl + X to boot with those arguments. Because of the ConditionKernelCommandLine=!maintenance line, the unit does not run on that boot.

Configuring kernel parameters at runtime

Once troubleshooting is finished, lock ptrace again by running sysctl -w kernel.yama.ptrace_scope=3
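The boot-time decision the unit makes (lock ptrace unless the kernel command line carries maintenance), as an added example in POSIX sh that is not part of the original post; the file paths and the demo inputs are constructed so it runs without root:

```shell
# Added example, not from the original post: a POSIX sh model of what the unit
# does at boot. ptrace_scope is forced to 3 unless "maintenance" is on the kernel
# command line. Paths are parameters so it runs on constructed files without root.

# Return 0 when the kernel command line carries "maintenance" (bare or as
# "maintenance=..."), which is how ConditionKernelCommandLine= matches a word.
in_maintenance_mode() {
    for word in $1; do
        case "$word" in
            maintenance|maintenance=*) return 0 ;;
        esac
    done
    return 1
}

# $1 = file holding the kernel cmdline (normally /proc/cmdline)
# $2 = the sysctl node (normally /proc/sys/kernel/yama/ptrace_scope)
# Writes 3 to $2 outside maintenance mode, exactly what the unit's
# `sysctl -w kernel.yama.ptrace_scope=3` does; once 3, the kernel refuses to
# lower it until reboot, hence the maintenance boot flag. Prints the result.
enforce_ptrace_scope() {
    current=$(cat "$2")
    if in_maintenance_mode "$(cat "$1")"; then
        target="$current"      # maintenance boot: leave the scope untouched
    else
        target=3               # production boot: no ptrace attach at all
    fi
    [ "$current" = "$target" ] || printf '%s\n' "$target" > "$2"
    cat "$2"
}

# Demo on constructed inputs: a normal boot locks ptrace, a maintenance boot does not.
tmp=$(mktemp -d)
printf 'root=/dev/sda1 ro quiet\n' > "$tmp/cmdline"; printf '1\n' > "$tmp/scope"
echo "normal boot: scope $(enforce_ptrace_scope "$tmp/cmdline" "$tmp/scope")"       # 3
printf 'root=/dev/sda1 ro maintenance\n' > "$tmp/cmdline"; printf '1\n' > "$tmp/scope"
echo "maintenance boot: scope $(enforce_ptrace_scope "$tmp/cmdline" "$tmp/scope")"  # 1
rm -rf "$tmp"
```

To check the live node, run `enforce_ptrace_scope /proc/cmdline /proc/sys/kernel/yama/ptrace_scope` as root. Note that the unit also needs `systemctl enable <unit-name>` after the daemon-reload, since WantedBy= only takes effect for an enabled unit.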

Protect against ptrace of processes: kernel.yama.ptrace_scope

Yama security kernel.org

Yama Admin Guide kernel.org

RHEL 8 must restrict usage of ptrace to descendant processes Unified Compliance Framework