Hiding process listings

April 20, 2018

We have recently been considering what might need to be done to ensure we meet the requirements of the new GDPR legislation. One question raised was whether we should be hiding process listings. Whilst we don’t feel that’s going to be necessary, it did get me investigating how it could be done. It turns out that this is actually very straightforward with pretty much any modern Linux kernel (probably not SL6 but certainly EL7 onwards). There is a hidepid mount option for the /proc filesystem with two possible levels of hardening; I found this article on the Linux Audit site gives a reasonable summary.

Having worked out what I wanted it to do, it then took me a while to work out how it could be achieved. On EL7 the /proc filesystem is mounted automatically and by default does not appear in the /etc/fstab file, so I was unsure as to where the mount options could be configured. Eventually I was pointed at this helpful Red Hat bug, which explains that any filesystem listed in /etc/fstab which is already mounted just gets remounted with the correct options.

I’ve now tried it on a couple of test machines and it seems to work as required: ps and top will only list those processes owned by the user. This would probably be a good idea on multi-user graphical login machines (e.g. our NX and RDP hosts) to protect users against leakage of personal information via process command lines, so we’re going to apply the changes to those services and see how the users get on.

For any other LCFG users who would like to try it out, there is an lcfg/options/privacy/procfs.h header which will appear in the stable release next week.
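To confirm that a hidepid setting placed in /etc/fstab has actually reached the running /proc mount, the following script compares the two; it is an added example, not code from the original post or from the LCFG header. The fstab line, the hidepid=2 value and the function names are constructed for illustration, and on a real host you would call procfs_status /etc/fstab /proc/mounts.

```shell
#!/bin/sh
# Added example: compare the hidepid level requested in fstab with the live mount.

# Print the hidepid value of the /proc entry in an fstab/mounts-format file:
# the option value, "0" if the entry has no hidepid option, "absent" if no entry.
hidepid_of() {
    awk '
        /^[ \t]*#/ { next }                        # fstab comment lines
        $2 == "/proc" && $3 == "proc" {
            found = 1; val = "0"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^hidepid=/) val = substr(opts[i], 9)
        }
        END { print (found ? val : "absent") }
    ' "$1"
}

# Map a value to a level. Kernels from 5.8 also accept and report names.
hidepid_level() {
    case "$1" in
        0|off|absent) echo none ;;        # absent: kernel default applies
        1|noaccess)   echo restricted ;;  # other users' /proc/PID unreadable
        2|invisible)  echo hidden ;;      # other users' /proc/PID not listed
        *)            echo unknown ;;
    esac
}

# Print "configured=<level> active=<level>"; succeed only when they match.
procfs_status() {
    cfg=$(hidepid_level "$(hidepid_of "$1")")
    act=$(hidepid_level "$(hidepid_of "$2")")
    echo "configured=$cfg active=$act"
    [ "$cfg" = "$act" ]
}

# Constructed sample data: fstab requests hidepid=2; one live mount predates it.
tmp=$(mktemp -d)
printf '%s\n' '# constructed sample fstab' \
    'proc  /proc  proc  defaults,hidepid=2  0 0' > "$tmp/fstab"
printf '%s\n' 'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' > "$tmp/before"
printf '%s\n' 'proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0' > "$tmp/after"

procfs_status "$tmp/fstab" "$tmp/before" || echo "drift: remount /proc or reboot"
procfs_status "$tmp/fstab" "$tmp/after" && echo "ok"
rm -rf "$tmp"
```

A mismatch between the two levels usually means fstab was edited but /proc has not been remounted since.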