Hi.

On Thu, Sep 28, 2017 at 10:22:10AM +0200, Brent Clark wrote:
> Good day Guys
>
> I came across this document:
>
> https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/
>
> The idea is to increase security by hiding the display of running
> processes, and their arguments, which belong to other users. This helps
> avoid problems if users enter passwords on the command-line, and similar.
>
> It's suggesting mount /proc with the option hidepid=2.
>
> I would like to ask:
>
> 1) is it safe?

Did not prevent boot for me (stretch, amd64, sysvinit). Which means even
if it breaks something - it should be possible to fix without resorting
to LiveCD booting and/or having console access.

> 2) did you incur any issues?

Nothing that caught my eye.

> 3) what are your thoughts

If that measure is your only defence against users that "enter passwords
on the commandline" (meaning actually that said users pass
usernames/passwords as commandline arguments so they are visible via
ps(1)) - you're doing it wrong, as it's those commandline tools that are
broken, not the OS itself. One should not tweak the OS in such a radical
way without attempting to fix those tools first. Or educating users. Or
both.

> The security audit tool, Lynis, also checks to see if /proc is mounted
> hidepid?

I'm not familiar with this tool. Yet another thing I should research
once I have free time.

Reco
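
Added example, not part of the original message or of any tool named in it: a POSIX shell check that reads /proc/mounts-format lines and reports whether each procfs mount carries the hidepid=2 option discussed above. The function names and the sample mount lines are constructed for illustration.

```sh
#!/bin/sh
# Input format (as in /proc/mounts): device mountpoint fstype options dump pass

# hidepid_of_options OPTS: print the hidepid value, or 0 when the option is absent
hidepid_of_options() {
    value=0
    old_ifs=$IFS
    IFS=,
    for opt in $1; do
        case $opt in
            hidepid=*) value=${opt#hidepid=} ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$value"
}

# check_mounts: read mount lines on stdin, print one line per procfs mount,
# return 1 if any procfs mount is not using hidepid=2
check_mounts() {
    rc=0
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = "proc" ] || continue
        hp=$(hidepid_of_options "$opts")
        case $hp in
            # newer kernels print the symbolic name "invisible" for level 2
            2|invisible) echo "OK   $mnt hidepid=$hp" ;;
            *)           echo "WARN $mnt hidepid=$hp"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: one hardened /proc, one chroot /proc left at the default
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
proc /srv/chroot/proc proc rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

sample_mounts | check_mounts || echo "at least one procfs mount lacks hidepid=2"
```

On a live system, feed it the real table with `check_mounts < /proc/mounts`; secondary procfs mounts (chroots, containers) are listed separately and can differ from the main one.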