diff --git a/etc/sysctl.d/00-ptrace-restricted.conf b/etc/sysctl.d/00-ptrace-restricted.conf
index face8980..ba302322 100644
--- a/etc/sysctl.d/00-ptrace-restricted.conf
+++ b/etc/sysctl.d/00-ptrace-restricted.conf
@@ -1,5 +1,8 @@
 # Only let child processes to be debugged
 # https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html
 #kernel.yama.ptrace_scope = 1
-# Disable debuggers entirely
-kernel.yama.ptrace_scope = 3
+# Only processes with CAP_SYS_PTRACE capability are allowed unless children
+# call PTRACE_TRACEME.
+kernel.yama.ptrace_scope = 2
+# Disable debuggers entirely. Cannot be unset [without reboot].
+#kernel.yama.ptrace_scope = 3
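Review bot: The new comment above `kernel.yama.ptrace_scope = 2` misstates the mode: in the Yama documentation linked two lines earlier, scope 2 ("admin-only attach") means only processes with CAP_SYS_PTRACE may use ptrace at all, whether via PTRACE_ATTACH or through a child calling PTRACE_TRACEME — the TRACEME path is not an exception that lets an unprivileged tracer in. Suggest rewording to `# Only processes with CAP_SYS_PTRACE may use ptrace, either via PTRACE_ATTACH` / `# or through children calling PTRACE_TRACEME.` so the comment does not promise a debugging path that the kernel refuses. Since the note on the commented-out value 3 says it cannot be unset without a reboot, it would also help operators to state next to the active `= 2` line that hosts which previously applied 3 will keep reporting 3 after a `sysctl --system` reload until they reboot; that follows from the existing note, but making it explicit avoids a confusing "setting did not take" investigation.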