Linux system hardening: adding hidepid to /proc mount point
原文:Linux system hardening: adding hidepid to /proc mount point
When looking in /proc you will discover a lot of files and directories. Many of them are just numbers, which represent the information about a particular process ID (PID). By default, Linux systems are deployed to allow all local users to see this all information. This includes process information from other users. This could include sensitive details that you may not want to share with other users. By applying some file system configuration tweaks, we can change this behavior and improve the security of the system.
Hiding processes for other users
Since Linux kernel 3.3 there are two new mount options for the Proc pseudo-filesystem. The first one is hidepid, to hide process IDs. The second one is gid, to allow some users to see information, even though it is blocked with the previous hidepid.
Normal users can see all process IDs
In this example, we can see that a non-privileged user can see all process identifiers (PIDs). If you would like to see what process is involved, simply use the cat command.
cat /proc/[ID]/cmdline
This command will display the related binary that called to start the related process. It will also include the parameters that were provided. As you may have expected, this is also how the ps command is able to show this information.
Hardening /proc with hidepid
To dynamically test the impact of the hidepid mount option, you can remount the /proc partition. This needs to be done as the root user or by using sudo.
mount -o remount,rw,hidepid=2 /proc
When the same non-privileged user tries to display the information now, only process IDs of his own user will show up.
/proc mount is now hardened with hidepid=2 option
Also using utilities like ps and top will now only show your own processes. A great way to prevent sharing a lot of information about the system and the processes running on it.
If you like to make the change permanent, change your /etc/fstab file and reboot the system.
Values of hidepid
By default, the hidepid option has the value zero (0). This means that every user can see all data. When setting it to 1, the directories entries in /proc will remain visible, but not accessible. With value 2 they are hidden altogether. This last option will work perfectly for most systems.
Giving some users permission to see all processes
You may want to use the hidepid option, but have software which depends on seeing all the processes. In that case, you can add the gid mount option. This tells the kernel that users in that group (and root) can still see the information. The group itself is referenced by its group number. For example, you could create a group monitoring, and then allow this group to see all processes.
groupadd -g 1500 monitoring
Did you learn something from this article? Great! Share it with others, like your favorite website or social media. Got some additional tips? Share it in the comments.
版权声明: 本文为 InfoQ 作者【卓丁】的原创文章。
原文链接:【http://xie.infoq.cn/article/e6fb82cd7248e0902f120312a】。文章转载请联系作者。
评论