ansible/roles/common/tasks/kernel_hidepid.yml

---

# protecting process list of users different than root
# Source: https://wiki.archlinux.org/index.php/Security#hidepid

- name: Configure group for reading other processes
  group:
    state: present
    name: proc
    system: yes

- name: Configure proc mounting in fstab
  lineinfile:
    path: "{{ global_fstab_file }}"
    regexp: '^\S+\s+/proc\s+proc\s+'
    line: >-
      proc /proc proc
      nosuid,nodev,noexec,hidepid=2,gid=proc
      0 0

- name: Ensure configuration directory for whitelisted services exist
  file:
    state: directory
    path: "{{ global_systemd_configuration_directory }}/{{ item }}.d"
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx
  loop: "{{ global_proc_hidepid_service_whitelist }}"

- name: Configure whitelisted services to adapt to hidepid setting
  copy:
    content: |
      [Service]
      SupplementaryGroups=proc
    dest: "{{ global_systemd_configuration_directory }}/{{ item }}.d/proc_hidepid_whitelist.conf"
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  loop: "{{ global_proc_hidepid_service_whitelist }}"
Hide running processes from users other than root 3 years ago			`---`

			`# protecting process list of users different than root`
			`# Source: https://wiki.archlinux.org/index.php/Security#hidepid`

			`- name: Configure group for reading other processes`
			`group:`
			`state: present`
			`name: proc`
			`system: yes`

			`- name: Configure proc mounting in fstab`
			`lineinfile:`
			`path: "{{ global_fstab_file }}"`
			`regexp: '^\S+\s+/proc\s+proc\s+'`
			`line: >-`
			`proc /proc proc`
			`nosuid,nodev,noexec,hidepid=2,gid=proc`
			`0 0`

Whitelist multiple services of proc's hidepid feature Not only required for systemd-logind, but also for user@.service 3 years ago			`- name: Ensure configuration directory for whitelisted services exist`
Hide running processes from users other than root 3 years ago			`file:`
			`state: directory`
Whitelist multiple services of proc's hidepid feature Not only required for systemd-logind, but also for user@.service 3 years ago			`path: "{{ global_systemd_configuration_directory }}/{{ item }}.d"`
Hide running processes from users other than root 3 years ago			`owner: root`
			`group: root`
			`mode: u=rwx,g=rx,o=rx`
Whitelist multiple services of proc's hidepid feature Not only required for systemd-logind, but also for user@.service 3 years ago			`loop: "{{ global_proc_hidepid_service_whitelist }}"`
Hide running processes from users other than root 3 years ago
Whitelist multiple services of proc's hidepid feature Not only required for systemd-logind, but also for user@.service 3 years ago			`- name: Configure whitelisted services to adapt to hidepid setting`
Hide running processes from users other than root 3 years ago			`copy:`
			`content: \|`
			`[Service]`
			`SupplementaryGroups=proc`
Whitelist multiple services of proc's hidepid feature Not only required for systemd-logind, but also for user@.service 3 years ago			`dest: "{{ global_systemd_configuration_directory }}/{{ item }}.d/proc_hidepid_whitelist.conf"`
Hide running processes from users other than root 3 years ago			`owner: root`
			`group: root`
			`mode: u=rw,g=r,o=r`
Whitelist multiple services of proc's hidepid feature Not only required for systemd-logind, but also for user@.service 3 years ago			`loop: "{{ global_proc_hidepid_service_whitelist }}"`