Document ptrace hardening

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
2024-12-04 15:13:58 +01:00 · 2023-01-21 19:22:55 -05:00 · 2023-01-21 19:22:55 -05:00 · cfcdf7dd88
commit cfcdf7dd88
parent 79469f4ffe
1 changed files with 9 additions and 0 deletions
--- a/Home.md
+++ b/Home.md
@ -124,6 +124,15 @@ HardenedBSD does not permit such behavior.
 jemalloc in HardenedBSD has been set to zero new allocations by
 default.

+Process tracing (`ptrace`) is hardened:
+
+* Process tracing facility itself is disabled by default
+  (`security.bsd.allow_ptrace=0`).
+* Unpriviledged process debugging is prohibited by default
+  (`security.bsd.unprivileged_proc_debug=0`).
+* Remote syscall functionality (`ptrace(PT_SC_REMOTE)`) is prohibited by
+  default.
+
 ## Modified sysctl Nodes

 These are the nodes that are modified from their original defaults