The hidepid mount option is applicable to /proc and is used to
control who can access the information in /proc/[pid] directories.
The option can have one of the following values:
0: Everybody may access all /proc/[pid] directories.
1: Users may not access files and subdirectories inside any /proc/[pid] directories
but their own. The /proc/[pid] directories themselves remain visible.
2: Same as for mode 1, but in addition the /proc/[pid] directories belonging to other
users become invisible.
For example, if you choose the value 2:
Add the hidepid=2 option to the fourth column of
/etc/fstab for the line which controls mounting of
/proc.
Functionality Warning
Hiding the pid of processes may lead to problems with PolicyKit and D-Bus,
it may also convey a false sense of security.
Rationale
Users should not be able to see or access directories within /proc that are not
related to their own processes on the system. Otherwise, sensitive information about
other users' processes could be seen.
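# Remediation is applicable only in certain platforms: it is skipped when the
# kernel, rpm-ostree and bootc packages are all installed, or when a container
# marker file (/.dockerenv, /run/.containerenv) is present.
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then

# Make /etc/fstab carry the configured hidepid= option for /proc and remount
# /proc so the option is in effect immediately.
# Side effects: appends to or edits /etc/fstab in place; remounts /proc.
function perform_remediation {
  # XCCDF value substituted at build time; the accepted values (0, 1, 2) are
  # described at the top of this rule.
  var_mount_option_proc_hidepid='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mount_option_proc_hidepid" use="legacy"/>'
  mountoption="hidepid=$var_mount_option_proc_hidepid"

  # Matches a non-comment fstab/mtab line whose mount-point column is /proc.
  mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /proc)"

  if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
    # No fstab entry: seed the options column from the live mount in /etc/mtab,
    # dropping options the kernel/userspace add automatically and any hidepid=
    # value already in effect, so the configured value is the only one written.
    previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
      | sed -E "s/(rw|defaults|seclabel|hidepid=[^,]*)(,|$)//g;s/,$//")
    [ "$previous_mount_opts" ] && previous_mount_opts+=","
    echo "proc /proc proc defaults,${previous_mount_opts}$mountoption 0 0" >> /etc/fstab
  elif grep "$mount_point_match_regexp" /etc/fstab | grep -q "$mountoption"; then
    # The entry already carries the configured value; /etc/fstab is left alone.
    :
  elif grep "$mount_point_match_regexp" /etc/fstab | grep -q 'hidepid='; then
    # The entry carries a different hidepid= value: rewrite it in place instead
    # of appending a second, conflicting token. The address uses '|' as the
    # regex delimiter because the pattern contains '/'.
    sed -i "\|${mount_point_match_regexp}|s|hidepid=[^,[:space:]]*|${mountoption}|" /etc/fstab
  else
    # The entry has no hidepid= at all: append it to the options column.
    # head -1 keeps the substitution well-formed if /proc is listed twice.
    previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | head -1 | awk '{print $4}')
    sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$mountoption|" /etc/fstab
  fi

  # Apply the fstab options to the live mount; with no explicit options,
  # remount takes the /proc line from /etc/fstab (see mount(8)), so hidepid
  # becomes effective without a reboot.
  if mkdir -p "/proc"; then
    if mountpoint -q "/proc"; then
      mount -o remount --target "/proc"
    fi
  fi
}

perform_remediation

else
  >&2 echo 'Remediation is not applicable, nothing was done'
fi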
Remediation - Ansible
- name: Gather the package facts
  # Populates ansible_facts.packages, which the platform condition of the
  # following tasks reads.
  package_facts:
    manager: auto
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - low_severity
    - mount_option_proc_hidepid
    - no_reboot_needed
- name: XCCDF Value var_mount_option_proc_hidepid  # promote to variable
  # The explicit !!str tag makes the substituted value load as a string
  # rather than as a YAML number or boolean.
  set_fact:
    var_mount_option_proc_hidepid: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mount_option_proc_hidepid" use="legacy"/>
  tags:
    - always
- name: 'Add hidepid Option to /proc: Check information associated to mountpoint'
  # findmnt exits 1 when nothing is mounted at the path, so only rc > 1 is
  # treated as a failure; an unmounted /proc is handled by a later task.
  command: findmnt '/proc'
  register: device_name
  changed_when: false
  failed_when: device_name.rc > 1
  when: >-
    ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - low_severity
    - mount_option_proc_hidepid
    - no_reboot_needed
- name: 'Add hidepid Option to /proc: Create mount_info dictionary variable'
  # Zips findmnt's header row (lower-cased) with its first data row into a
  # dictionary; the manual fallback task below shows the expected keys
  # (target, source, fstype, options).
  set_fact:
    mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}"
  with_together:
    - "{{ device_name.stdout_lines[0].split() | list | lower }}"
    - "{{ device_name.stdout_lines[1].split() | list }}"
  when:
    - >-
      ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - device_name.stdout is defined and device_name.stdout_lines is defined
    # Only when findmnt actually reported a mount.
    - (device_name.stdout | length > 0)
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - low_severity
    - mount_option_proc_hidepid
    - no_reboot_needed
- name: 'Add hidepid Option to /proc: If /proc not mounted, craft mount_info manually'
  # Fallback when findmnt printed nothing: build the same dictionary from
  # fixed values so the later tasks can still write the fstab entry.
  set_fact:
    mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}"
  with_together:
    - [target, source, fstype, options]
    - [/proc, proc, proc, defaults]
  when:
    - >-
      ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    # Compares an empty literal with 0 and is always true as written;
    # presumably a template placeholder - confirm against the generator.
    - ("" | length == 0)
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length == 0)
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - low_severity
    - mount_option_proc_hidepid
    - no_reboot_needed
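- name: 'Add hidepid Option to /proc: Make sure hidepid option is part of the to /proc options'
  # Rebuild the options list with any existing hidepid= token removed and the
  # configured value appended, so a mount that already carries a different
  # hidepid= value (e.g. hidepid=1) is changed to the configured one instead
  # of being left as is. When no hidepid= token exists the result is the same
  # as simply appending ",hidepid=<value>".
  set_fact:
    mount_info: >-
      {{ mount_info | combine({'options':
      ((mount_info.options.split(',') | reject('match', '^hidepid=') | list)
      + ['hidepid=' ~ var_mount_option_proc_hidepid]) | join(',')}) }}
  when:
    - >-
      ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    # Token-exact comparison: a plain substring test on "hidepid" would also
    # accept an entry whose value differs from the configured one.
    - mount_info is defined and ('hidepid=' ~ var_mount_option_proc_hidepid) not in mount_info.options.split(',')
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - low_severity
    - mount_option_proc_hidepid
    - no_reboot_needed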
- name: 'Add hidepid Option to /proc: Ensure /proc is mounted with hidepid option'
  # state=mounted records the entry in fstab and (re)mounts it. src, fstype and
  # opts come from mount_info, so the options observed on the live mount are
  # carried over together with the hidepid= token added above.
  mount:
    path: /proc
    src: "{{ mount_info.source }}"
    fstype: "{{ mount_info.fstype }}"
    opts: "{{ mount_info.options }}"
    state: mounted
  when:
    - >-
      ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
      and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
      in ["docker", "lxc", "openvz", "podman", "container"] ) )
    - mount_info is defined
    # The right-hand alternative compares an empty literal with 0 and is always
    # true as written, so this item does not restrict the task; presumably a
    # template placeholder - confirm against the generator.
    - >-
      (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
      length == 0)
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - low_severity
    - mount_option_proc_hidepid
    - no_reboot_needed