Linux system hardening: adding hidepid to /proc mount point

Posted by: 卓丁

Source: Linux system hardening: adding hidepid to /proc mount point


When looking in /proc you will discover a lot of files and directories. Many of them are just numbers, each representing the information about a particular process ID (PID). By default, Linux systems are deployed to allow all local users to see all of this information, including process information belonging to other users. It could contain sensitive details (such as command-line arguments) that you may not want to share with other users. By applying some file system configuration tweaks, we can change this behavior and improve the security of the system.


Hiding processes for other users

Since Linux kernel 3.3 there are two new mount options for the proc pseudo-filesystem. The first one is hidepid, which hides process IDs belonging to other users. The second one is gid, which allows the members of one group to still see that information, even though it is blocked for everyone else by hidepid.

Normal users can see all process IDs

In this example (the screenshot above), we can see that a non-privileged user can list all process identifiers (PIDs). If you would like to see what process belongs to an ID, simply use the cat command.

cat /proc/[ID]/cmdline

This command displays the binary that was used to start the process, together with the arguments that were provided (the arguments are separated by null bytes, so they may appear run together on the terminal). As you may have expected, this is also how the ps command is able to show this information.


Hardening /proc with hidepid

To test the impact of the hidepid mount option without rebooting, you can remount the /proc filesystem. This needs to be done as the root user or by using sudo.

mount -o remount,rw,hidepid=2 /proc

When the same non-privileged user tries to display the information now, only the process IDs belonging to that user will show up.


/proc mount is now hardened with hidepid=2 option

Utilities like ps and top will now also only show your own processes. This is a great way to avoid sharing a lot of information about the system and the processes running on it.

If you would like to make the change permanent, add the option to the proc line in your /etc/fstab file and reboot the system.

proc    /proc        proc        defaults,hidepid=2    0 0

Values of hidepid

By default, the hidepid option has the value zero (0). This means that every user can see all data. When setting it to 1, the directory entries in /proc will remain visible (the PIDs still show up in a listing), but their contents are not accessible to other users. With value 2 they are hidden altogether, so other users' PIDs do not appear at all. This last option will work well for most systems.

Giving some users permission to see all processes

You may want to use the hidepid option, but have software (such as a monitoring agent) which depends on seeing all the processes. In that case, you can add the gid mount option. This tells the kernel that users in that group (and root) can still see the information. The group itself is referenced by its numeric group ID. For example, you could create a group named monitoring, and then allow this group to see all processes.

groupadd -g 1500 monitoring
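As an added example (not part of the original article), the following POSIX shell script checks a proc mount line for the hidepid and gid options described above and reports whether the mount is hardened. It assumes the /proc/self/mounts line format, that gid=1500 is the monitoring group created by the groupadd command, and that the names off/noaccess/invisible are the aliases for 0/1/2 accepted by newer kernels.

```shell
#!/bin/sh
# Added example: inspect the options of the proc mount for hidepid and gid.
# Input lines use the /proc/self/mounts format, e.g. (constructed sample):
#   proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1500 0 0

# Extract the option field (4th column) of a line whose filesystem type is proc.
proc_opts() {
    printf '%s\n' "$1" | awk '$3 == "proc" { print $4 }'
}

# Print the effective hidepid value (0, 1 or 2) of a mount line; 0 when absent.
# Newer kernels (assumption: 5.8 and later) also report the named forms.
proc_hidepid() {
    val=$(proc_opts "$1" | tr ',' '\n' | sed -n 's/^hidepid=//p' | tail -n 1)
    case "$val" in
        "" | off)  echo 0 ;;
        noaccess)  echo 1 ;;
        invisible) echo 2 ;;
        *)         echo "$val" ;;
    esac
}

# Print the group ID exempted from hidepid, or "none" when no gid= is set.
proc_gid() {
    val=$(proc_opts "$1" | tr ',' '\n' | sed -n 's/^gid=//p' | tail -n 1)
    [ -n "$val" ] && echo "$val" || echo none
}

# Succeed (exit 0) only when the line carries hidepid=2, the recommended value.
proc_is_hardened() {
    [ "$(proc_hidepid "$1")" = "2" ]
}

# Read the live proc mount of this system and print a short verdict.
check_live_proc() {
    line=$(awk '$2 == "/proc" && $3 == "proc"' /proc/self/mounts | head -n 1)
    if [ -z "$line" ]; then echo "no proc mount found"; return 2; fi
    echo "hidepid=$(proc_hidepid "$line") gid=$(proc_gid "$line")"
    if proc_is_hardened "$line"; then
        echo "hardened"
    else
        echo "NOT hardened: remount with -o remount,rw,hidepid=2 /proc"
    fi
}

# Run with --live to check the running system instead of only defining functions.
if [ "${1:-}" = "--live" ]; then check_live_proc; fi
```

Running it with --live on a system that applied the remount above should report hidepid=2 together with the gid you set.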

Did you learn something from this article? Great! Share it with others, like your favorite website or social media. Got some additional tips? Share it in the comments.

