Re: System hardening: adding hidepid to /proc?
- Date: Sat, 30 Sep 2017 18:08:06 +0300
- From: Reco <recoverym4n@xxxxxxxxx>
- Subject: Re: System hardening: adding hidepid to /proc?
On Thu, Sep 28, 2017 at 10:22:10AM +0200, Brent Clark wrote:
> Good day Guys
> I came across this document:
> The idea is to increase security by hiding the display of running
> processes, and their arguments, which belong to other users. This helps
> avoid problems if users enter passwords on the command-line, and similar.
> Its suggesting mount /proc with the option hidepid=2.
> I would like to ask:
> 1) is it safe?
Did not prevent boot for me (stretch, amd64, sysvinit).
Which means even if it breaks something - it should be possible to fix
without resorting to LiveCD booting and/or having console access.
> 2) did you incur any issues?
Nothing that catched my eye.
> 3) what are your thoughts
If that measure is your only defence against users that "enter passwords
on the commandline" (meaning actually that said users pass
usernames/passwords as commandline arguments so they are visible via
ps(1)) - you're doing it wrong as it's those commandline tools are
broken, not OS itself.
One should not tweak OS in such radical way without attempting to fix
those tools first. Or educating users. Or both.
> The security audit tool, Lynis, also checks to see if /proc is mounted
I'm not familiar with this tool. Yet another thing I should research
once I have free time.