diff --git a/etc/sysctl.d/00-ptrace-restricted.conf b/etc/sysctl.d/00-ptrace-restricted.conf
new file mode 100644
index 00000000..b352ab7c
--- /dev/null
+++ b/etc/sysctl.d/00-ptrace-restricted.conf
@@ -0,0 +1,3 @@
+# Only let debugging child processes
+# https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html
+kernel.yama.ptrace_scope = 1
diff --git a/etc/sysctl.d/60-mikaela.conf b/etc/sysctl.d/60-mikaela.conf
index 106a4e5e..8ed27554 100644
--- a/etc/sysctl.d/60-mikaela.conf
+++ b/etc/sysctl.d/60-mikaela.conf
@@ -21,3 +21,7 @@ net.ipv6.conf.all.use_tempaddr=2
 ## Enable the Magic SysRq key
 ## https://en.wikipedia.org/wiki/Magic_SysRq_key
 kernel.sysrq = 1
+
+# Only let debugging child processes
+# https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html
+kernel.yama.ptrace_scope = 1
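Review bot: The `00-` prefix in the new `00-ptrace-restricted.conf` makes this the earliest-sorting sysctl.d fragment, so any later-sorting file that assigns `kernel.yama.ptrace_scope` (including a distribution-shipped one) silently overrides it. A higher prefix would make the restriction stick, and it is worth confirming the effective value with `sysctl kernel.yama.ptrace_scope` after boot. The comment is also hard to parse and leaves out the limits of scope 1; I would write `# Yama scope 1: ptrace attach only to own descendants (or a tracer the target named via PR_SET_PTRACER)` followed by `# Processes with CAP_SYS_PTRACE (e.g. root) are not restricted at this level`. On kernels built without Yama the key does not exist and the assignment fails at load time, which a leading `-` on the key would tolerate.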
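Review bot: The block added at the end of `60-mikaela.conf` duplicates, line for line, the assignment this same commit adds in `00-ptrace-restricted.conf`. Because sysctl.d fragments apply in lexical order, this `60-` copy is the one that decides the final value, and the two can drift apart if only one is edited later. Keep the setting in a single file, or, if both are deliberate (perhaps the `00-` file is deployed on its own; that is not visible here), say so in the comment, e.g. `# Also set in 00-ptrace-restricted.conf; keep both in sync`.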