sptrace is a tool that allows you to limit the access to ptrace() call in Linux. It has the ability to trace and debug software on servers is not needed for most users. Giving them right to trace processes may leak information and if ptrace() is vulnerable lead to more problems.
sptrace is a secure ptrace() Linux Kernel Module (LKM). It limits users’ access to the ptrace() call. It can disable strace (and ltrace) altogether, or if you add a ptrace group to your system, only users in that group will be able to use ptrace() call.
When someone not allowed to trace processes uses program that call ptrace() current and parent processes names, pids, uids and euids are logged, e.g.:
Dec 29 00:39:27 techie kernel: sptrace: ptrace() DENIED for (strace:28733) UID(1000) EUID(1000), parent (strace:28732) UID(1000) EUID(1000)
Dec 29 00:39:40 techie kernel: sptrace: ptrace() DENIED for (ltrace:28745) UID(1000) EUID(1000), parent (ltrace:28744) UID(1000) EUID(1000)
- The module has been updated to work with the latest Linux kernel versions and tested with 2.6.26.