Linux system hardening: adding hidepid to /proc

Hiding processes for other users

The pseudo-filesystem /proc contains a lot of useful information for the system administrator. It also shares a lot to normal users on the system. We can change what can be seen by using the right mount options.

When looking in /proc you will discover a lot of files and directories. A lot of these directories are just numbers and represent the information about a particular process ID (PID). By default, Linux systems are deployed to allow all local users to see this information. This includes process information from other users.

Hardening /proc partition

Since Linux kernel 3.3 there are two new mount options for the Proc pseudo-filesystem. The first one is hidepid, to hide process IDs. The second one is gid, to allow some users to see information, even though it is blocked with the previous hidepid.

Proc directory entries for processes

Normal users can see all process IDs

In this example we can see that a non-privileged user can see all all process IDs. If you would like to see what process is involved, simply use the cat command.

cat /proc/[ID]/cmdline

This will display the related binary involved during startup of the process.

Hardening /proc with hidepid

To dynamically test the hidepid mount option, remount the /proc partition.

mount -o remount,rw,hidepid=2 /proc

When the same non-privileged user tries to display the information now, only process IDs of his own user will show up.

Proc directory hardened with hidepid option

/proc mount is now hardened with hidepid=2 option

Also using utilities like ps and top will now only show your own processes. A great way to prevent sharing a lot of information about the system and the processes running on it.

If you like to make the change permanent, change your /etc/fstab file and reboot the system.

Values of hidepid

By default, the hidepid option has the value zero (0). This means that every user can see all data. When setting it to 1, the directories entries in /proc will remain visible, but not accessible. With value 2 they are hidden altogether. This last option will work perfectly for most systems.

Giving some users permission to see all processes

You may want to use the hidepid option, but have software which depends on seeing all the processes. In that case, you can add the gid mount option. This tells the kernel that users in that group (and root) can still see the information. The group itself is referenced by its group number. You could for example create a group monitor, and then allow that group to see all processes.

groupadd -g 1500 monitoring

Got some additional tips? Share it in the comments.

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package

Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.



Leave a Reply

Your email address will not be published. Required fields are marked *