From 875170f2d9c8a6e4080fb56552b61369c88bf61e Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Sun, 24 May 2026 15:06:28 +0200
Subject: [PATCH 1/3] Restrict ptrace attach to privileged users

Signed-off-by: Martin Schurz
---
 controls/sysctl_spec.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/controls/sysctl_spec.rb b/controls/sysctl_spec.rb
index 3cc9f34..93bf492 100644
--- a/controls/sysctl_spec.rb
+++ b/controls/sysctl_spec.rb
@@ -432,3 +432,13 @@
 its(:value) { should eq 1 }
 end
 end
+
+control 'sysctl-35' do
+ impact 1.0
+ title 'Restrict ptrace attach to privileged users'
+ desc 'Ensure kernel.yama.ptrace_scope is set to at least 2 so unprivileged users cannot attach ptrace to arbitrary processes.'
+ only_if { !container_execution }
+ describe kernel_parameter('kernel.yama.ptrace_scope') do
+ its(:value) { should >= 2 }
+ end
+end

From f0a3f60d0761e306bcf08898e18bbbe556715ae8 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 25 May 2026 07:53:32 +0200
Subject: [PATCH 2/3] Add exception for SuSE Linus

Signed-off-by: Martin Schurz
---
 controls/sysctl_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/sysctl_spec.rb b/controls/sysctl_spec.rb
index 93bf492..a664c8e 100644
--- a/controls/sysctl_spec.rb
+++ b/controls/sysctl_spec.rb
@@ -439,6 +439,6 @@
 desc 'Ensure kernel.yama.ptrace_scope is set to at least 2 so unprivileged users cannot attach ptrace to arbitrary processes.'
 only_if { !container_execution }
 describe kernel_parameter('kernel.yama.ptrace_scope') do
- its(:value) { should >= 2 }
+ its(:value) { should eq(2).or eq(3).or eq(nil) } # include nil because SuSE does not have this parameter
 end
 end

From 9f4f071f82914a2350e2051ca1e21033584f6b55 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Tue, 26 May 2026 13:03:26 +0200
Subject: [PATCH 3/3] Move condition to only_if

Signed-off-by: Martin Schurz
---
 controls/sysctl_spec.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
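Review bot: The `desc` of the new `sysctl-35` control in the first hunk says only "at least 2" and leaves out what that setting costs, which matters for a control carrying impact 1.0; on Yama's scale 1 limits PTRACE_ATTACH to descendant processes (the usual distribution default), 2 limits it to processes holding CAP_SYS_PTRACE, and 3 disables attach entirely and cannot be lowered again until reboot. I would spell that out in the control text, e.g. `desc 'Ensure kernel.yama.ptrace_scope is >= 2: 2 limits ptrace attach to CAP_SYS_PTRACE holders, 3 disables it entirely (not revertible without reboot). Note that 2 also prevents unprivileged users from attaching gdb or strace -p to their own processes.'`. The later patches in this series rework the `only_if` and the matcher but leave this description unchanged.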
diff --git a/controls/sysctl_spec.rb b/controls/sysctl_spec.rb
index a664c8e..de4bc3c 100644
--- a/controls/sysctl_spec.rb
+++ b/controls/sysctl_spec.rb
@@ -437,8 +437,9 @@
 impact 1.0
 title 'Restrict ptrace attach to privileged users'
 desc 'Ensure kernel.yama.ptrace_scope is set to at least 2 so unprivileged users cannot attach ptrace to arbitrary processes.'
- only_if { !container_execution }
+ # exclude SuSE because it does not have this parameter
+ only_if { !(container_execution || os.suse?) }
 describe kernel_parameter('kernel.yama.ptrace_scope') do
- its(:value) { should eq(2).or eq(3).or eq(nil) } # include nil because SuSE does not have this parameter
+ its(:value) { should >= 2 }
 end
 end
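Review bot: The new `only_if` keys the skip on `os.suse?` rather than on whether the sysctl actually exists, so a SUSE kernel that does ship Yama is never checked at all, while any non-SUSE kernel built without Yama still reaches `should >= 2` with a nil value, which as far as I can tell raises on `nil` instead of producing a clean failure (patch 2 had masked exactly that case with `eq(nil)`). A distro-agnostic guard with a visible skip reason is safer: `only_if('kernel.yama.ptrace_scope is not exposed (Yama LSM not enabled)') { !container_execution && file('/proc/sys/kernel/yama/ptrace_scope').exist? }`. Keep in mind that skipping when the knob is absent means the host has no ptrace restriction whatsoever, so if this profile intends to enforce Yama, absence should be reported as a failure rather than a skip. `container_execution` and the control's opening line are outside this hunk, so I cannot confirm how the profile treats skips elsewhere.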