Linux system hardening: adding hidepid to /proc mount point

When looking in /proc you will discover a lot of files and directories. Many of them are just numbers, which represent the information about a particular process ID (PID). By default, Linux systems are deployed to allow all local users to see this all information. This includes process information from other users. This could include sensitive details that you may not want to share with other users. By applying some file system configuration tweaks, we can change this behavior and improve the security of the system.

Hiding processes for other users

Since Linux kernel 3.3 there are two new mount options for the Proc pseudo-filesystem. The first one is hidepid, to hide process IDs. The second one is gid, to allow some users to see information, even though it is blocked with the previous hidepid.

Proc directory entries for processes

Normal users can see all process IDs

In this example, we can see that a non-privileged user can see all process identifiers (PIDs). If you would like to see what process is involved, simply use the cat command.

cat /proc/[ID]/cmdline

This command will display the related binary that called to start the related process. It will also include the parameters that were provided. As you may have expected, this is also how the ps command is able to show this information.

 

Hardening /proc with hidepid

To dynamically test the impact of the hidepid mount option, you can remount the /proc partition. This needs to be done as the root user or by using sudo.

mount -o remount,rw,hidepid=2 /proc

When the same non-privileged user tries to display the information now, only process IDs of his own user will show up.

Proc directory hardened with hidepid option

/proc mount is now hardened with hidepid=2 option

Also using utilities like ps and top will now only show your own processes. A great way to prevent sharing a lot of information about the system and the processes running on it.

If you like to make the change permanent, change your /etc/fstab file and reboot the system.

Values of hidepid

By default, the hidepid option has the value zero (0). This means that every user can see all data. When setting it to 1, the directories entries in /proc will remain visible, but not accessible. With value 2 they are hidden altogether. This last option will work perfectly for most systems.

Giving some users permission to see all processes

You may want to use the hidepid option, but have software which depends on seeing all the processes. In that case, you can add the gid mount option. This tells the kernel that users in that group (and root) can still see the information. The group itself is referenced by its group number. For example, you could create a group monitoring, and then allow this group to see all processes.

groupadd -g 1500 monitoring

 

Did you learn something from this article? Great! Share it with others, like your favorite website or social media. Got some additional tips? Share it in the comments.

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package




Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Download

2 comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.