Add hidepid Option to /proc

An XCCDF Rule

Description

The hidepid mount option is applicable to /proc and is used to control who can access the information in /proc/[pid] directories. The option can have one of the following values:

0: Everybody may access all /proc/[pid] directories.
1: Users may not access files and subdirectories inside any /proc/[pid] directories
   but their own. The /proc/[pid] directories themselves remain visible.
2: Same as for mode 1, but in addition the /proc/[pid] directories belonging to other
   users become invisible.

For example, if you choose the value 2: Add the hidepid=2 option to the fourth column of /etc/fstab for the line which controls mounting of /proc.

warning alert: Functionality Warning

Hiding the pid of processes may lead to problems with PolicyKit and D-Bus, it may also convey a false sense of security. Proceed to https://access.redhat.com/solutions/6704531 for more details.

Rationale

Users should not be able to see and access directories within /proc, which are not related to their own processes in a system. Otherwise, sensitive information from other users could be seem.

ID: xccdf_org.ssgproject.content_rule_mount_option_proc_hidepid
Severity: Low
References: CCE-85882-9
Updated: over 1 year ago

# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then

function perform_remediation {
    

    var_mount_option_proc_hidepid='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mount_option_proc_hidepid" use="legacy"/>'

    mountoption="hidepid=$var_mount_option_proc_hidepid"
    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /proc)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|$mountoption)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
        fs_type="proc"
        if [  "$fs_type" == "iso9660" ] ; then
            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
        fi
        echo "proc /proc proc defaults,${previous_mount_opts}$mountoption 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "$mountoption"; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,$mountoption|" /etc/fstab
    fi


    if mkdir -p "/proc"; then
        if mountpoint -q "/proc"; then
            mount -o remount --target "/proc"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-85882-9
  - configure_strategy  - high_disruption
  - low_complexity
  - low_severity
  - mount_option_proc_hidepid
  - no_reboot_needed
- name: XCCDF Value var_mount_option_proc_hidepid # promote to variable
  set_fact:
    var_mount_option_proc_hidepid: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mount_option_proc_hidepid" use="legacy"/>
  tags:
    - always

- name: 'Add hidepid Option to /proc: Check information associated to mountpoint'
  command: findmnt  '/proc'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  tags:
  - CCE-85882-9
  - configure_strategy
  - high_disruption
  - low_complexity
  - low_severity
  - mount_option_proc_hidepid
  - no_reboot_needed

- name: 'Add hidepid Option to /proc: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-85882-9
  - configure_strategy
  - high_disruption
  - low_complexity
  - low_severity
  - mount_option_proc_hidepid
  - no_reboot_needed

- name: 'Add hidepid Option to /proc: If /proc not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /proc
    - proc
    - proc
    - defaults
  when:
  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  - ("" | length == 0)
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length == 0)
  tags:
  - CCE-85882-9
  - configure_strategy
  - high_disruption
  - low_complexity
  - low_severity
  - mount_option_proc_hidepid
  - no_reboot_needed

- name: 'Add hidepid Option to /proc: Make sure hidepid option is part of the to /proc
    options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',hidepid=''~var_mount_option_proc_hidepid~''''
      }) }}'
  when:
  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  - mount_info is defined and "hidepid" not in mount_info.options
  tags:
  - CCE-85882-9
  - configure_strategy
  - high_disruption
  - low_complexity
  - low_severity
  - mount_option_proc_hidepid
  - no_reboot_needed

- name: 'Add hidepid Option to /proc: Ensure /proc is mounted with hidepid option'
  mount:
    path: /proc
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  - mount_info is defined
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
    length == 0)
  tags:
  - CCE-85882-9
  - configure_strategy
  - high_disruption
  - low_complexity
  - low_severity
  - mount_option_proc_hidepid
  - no_reboot_needed

Add hidepid Option to /proc

Description

Rationale

Remediation - Shell Script

Remediation - Ansible