If you are into Linux OS hardening, then one of the ways to improve security is to hide the display of running processes and their arguments from other users. This feature is available if you are on a Linux kernel version of 3.2 or above that supports the new hidepid mount option for the procfs or /proc filesystem.
With this feature turned on, only the root user will be able to view all processes. Other users will only be able to view their own processes. The hidepid option has 3 possible values:
- hidepid=0 – default behavior – anybody may read all world-readable files within the /proc/PID/ directories.
- hidepid=1 – means users may not access any /proc/PID/ directories other than their own. Sensitive pseudo-files like cmdline, sched and status are now protected against other users.
- hidepid=2 – means hidepid=1 plus all /proc/PID/ will be invisible to other users. It complicates the intruder’s task of gathering info about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.
Changing Mount Point Options for /proc Filesystem
To change the mount point options of the /proc filesystem on a running system, use the mount command as the root user.
# mount -o remount,hidepid=2 /proc
After making the changes, login to the system as a normal user and try running the following commands.
$ ps -ef
$ ls -ld /proc/[0-9]*
The above commands should only list the processes that belong to the user.
To make the changes permanent, the /etc/fstab file needs to be updated with the new hidepid=2 mount option.
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
Append “hidepid=2” to the end of the mount options. Your mount options could be slightly different from the above.
Allowing Access to Admin Group Members
If you have a group of administrators who require access rights to view all the processes, then you will need to use the additional gid mount option.
First, assign these people to a specific group, e.g. an admin group.
Next, modify the mount options in the /etc/fstab file to include this group.
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=admin 0 0
Users who now belong to the admin group will be allowed to view all the processes. They will not need to use the root account.