Linux system hardening: adding hidepid to /proc
Hiding processes for other users
The pseudo-filesystem /proc contains a lot of useful information for the system administrator. It also shares a lot to normal users on the system. We can change what can be seen by using the right mount options.
When looking in /proc you will discover a lot of files and directories. A lot of these directories are just numbers and represent the information about a particular process ID (PID). By default, Linux systems are deployed to allow all local users to see this information. This includes process information from other users.
Hardening /proc partition
Since Linux kernel 3.3 there are two new mount options for the Proc pseudo-filesystem. The first one is hidepid, to hide process IDs. The second one is gid, to allow some users to see information, even though it is blocked with the previous hidepid.
In this example we can see that a non-privileged user can see all all process IDs. If you would like to see what process is involved, simply use the cat command.
This will display the related binary involved during startup of the process.
Hardening /proc with hidepid
To dynamically test the hidepid mount option, remount the /proc partition.
mount -o remount,rw,hidepid=2 /proc
When the same non-privileged user tries to display the information now, only process IDs of his own user will show up.
Also using utilities like ps and top will now only show your own processes. A great way to prevent sharing a lot of information about the system and the processes running on it.
If you like to make the change permanent, change your /etc/fstab file and reboot the system.
Values of hidepid
By default, the hidepid option has the value zero (0). This means that every user can see all data. When setting it to 1, the directories entries in /proc will remain visible, but not accessible. With value 2 they are hidden altogether. This last option will work perfectly for most systems.
Giving some users permission to see all processes
You may want to use the hidepid option, but have software which depends on seeing all the processes. In that case, you can add the gid mount option. This tells the kernel that users in that group (and root) can still see the information. The group itself is referenced by its group number. You could for example create a group monitor, and then allow that group to see all processes.
groupadd -g 1500 monitoring
Got some additional tips? Share it in the comments.